Saturday, December 20, 2014

Misfortune Cookies Vulnerability

While everybody was focusing on the Sony hacking incident, a vulnerability affecting over 12 million Internet routers located in 189 countries across the globe was announced. At least 200 different device models are vulnerable. The list of vulnerable devices includes products from companies such as ASUS, D-Link, Edimax, Huawei, TP-Link, ZTE, and ZyXEL.

This vulnerability was discovered by researchers from Check Point's Malware and Vulnerability Research Group, who named it the "Misfortune Cookie vulnerability". It is exploitable due to an error within the HTTP cookie management mechanism in the affected software, which allows an attacker to determine the 'fortune' (critical information) of a request by manipulating cookies. An attacker can send specially crafted HTTP cookies that exploit the vulnerability to corrupt memory and alter the application state, tricking the device's web server into treating the current session as having administrative privileges.

The actual vulnerability lies in the embedded web server software, RomPager from AllegroSoft. Devices running RomPager versions before 4.34 are vulnerable.

So what can be done by exploiting this vulnerability? With administrative access to your device, an attacker could take control of your wired and/or wireless network infrastructure. Depending on your gateway device, there may be a risk of Man-in-the-Middle attacks, a possible attack vector for LAN-side vulnerabilities, and the ability for the attacker to extract useful information from your devices' network connections.

Information extracted from your network also sets the stage for further attacks, such as installing malware on devices and making permanent configuration changes that bypass gateway protections such as the firewall or the network isolation of your local network.

Since this is one of the most widespread vulnerabilities revealed in recent years, how can we mitigate it? There is actually a patch for the vulnerable software. AllegroSoft issued a fixed version to address this "Misfortune Cookie vulnerability" in 2005. It is advised to check with the device vendor whether patched firmware is already available.

But there is the common issue of device vendors taking too long to patch their firmware. Even when a patch for the vulnerable software is available, they need to integrate the patch into their device firmware, test it to make sure nothing breaks, and then release it, which normally takes a long time.

Another mitigation to consider is deploying an Intrusion Prevention System (IPS) in front of your device. IPS signatures are available for this vulnerability (CVE-2014-9222 and CVE-2014-9223).
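As an added inventory check (not code from the original post or from Check Point or AllegroSoft), the script below triages the HTTP `Server` banners of your own gateways against the fixed RomPager version 4.34 named above; the sample banners are constructed, and a device that hides or rewrites its banner is not proven patched by this check alone.

```python
import re

# Per the post, RomPager versions before 4.34 are affected by
# CVE-2014-9222 / CVE-2014-9223 (Misfortune Cookie).
FIXED_VERSION = (4, 34)

# Matches both "RomPager/4.07" and "Allegro-Software-RomPager/4.51" style banners.
BANNER_RE = re.compile(r"RomPager/(\d+(?:\.\d+)*)", re.IGNORECASE)


def parse_version(text):
    """Turn '4.07' into a comparable tuple (4, 7)."""
    return tuple(int(part) for part in text.split("."))


def rompager_version(server_header):
    """Return the RomPager version tuple from a Server header, or None."""
    if not server_header:
        return None
    match = BANNER_RE.search(server_header)
    return parse_version(match.group(1)) if match else None


def is_vulnerable(server_header):
    """True only if the banner advertises RomPager older than 4.34."""
    version = rompager_version(server_header)
    return version is not None and version < FIXED_VERSION


def triage(headers):
    """Map device name -> status string for an inventory report."""
    report = {}
    for device, header in headers.items():
        version = rompager_version(header)
        if version is None:
            report[device] = "no RomPager banner (verify firmware manually)"
        elif version < FIXED_VERSION:
            report[device] = "vulnerable (RomPager %s < 4.34)" % ".".join(map(str, version))
        else:
            report[device] = "patched"
    return report


# Constructed sample banners, not captured from real devices.
SAMPLE_HEADERS = {
    "gateway-a": "RomPager/4.07 UPnP/1.0",
    "gateway-b": "RomPager/4.34",
    "gateway-c": "Allegro-Software-RomPager/4.51",
    "gateway-d": "nginx/1.6.2",
    "gateway-e": None,
}

if __name__ == "__main__":
    for device, status in triage(SAMPLE_HEADERS).items():
        print(f"{device}: {status}")
```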

Misfortune Cookie

Saturday, October 19, 2013

Information Leakage and Improper Error Handling

Information leakage and improper error handling used to be a category in the OWASP Top 10 of 2004 and 2007. Since 2010 it has been renamed "Security Misconfiguration" and given a wider scope.

While doing my online shopping today, I accidentally triggered an SQL query timeout error. The error page revealed quite a lot of information, which can be useful for the programmer to carry out troubleshooting. But best of all, it also provides the hacker with information to carry out the next level of "attack" on the server.

The error page provides table information and file paths that help in launching SQL injection and XSS attacks.

The error page also shows the application the server is using and its version number. Based on that information, the Microsoft .NET Framework version is not the latest. It may contain critical vulnerabilities that allow elevation of privileges and remote code execution.

Planning to inform the site administrator of these issues; hopefully nobody has hacked it yet.

Thursday, October 25, 2012

IPv6 InSecurity. Is your company ready for IPv6?

Everybody is announcing that IPv4 addresses are running out. Countries and major IT companies (such as Google) are encouraging others to move to IPv6. IPv6 has always been portrayed as more secure than IPv4.

Image from Google

But in a recent talk by van Hauser on "IPv6 Insecurity" at HITB, he shared that there has been huge growth in the number of vulnerabilities found related to IPv6 in recent years, several times more than for IPv4.

So is IPv6 mature and stable enough? Do you think companies are ready for the change to IPv6? Should we be encouraging our companies to make the change now? These are the questions that I think we need to ask ourselves as security professionals.

Besides worrying about the readiness of IPv6, van Hauser also highlighted the importance for companies (even those in a pure IPv4 environment) to be aware of and understand the threats from IPv6. Desktop and network devices these days may already support IPv6 and may have it enabled by default. Attackers may use these "channels" to target companies in IPv4 environments and bypass their network protection (e.g. an IPS) that is not IPv6 aware.
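As an added example of the "enabled by default" point above (not code from the original post or from the talk), this script parses the Linux kernel's /proc/net/if_inet6 table to report which non-loopback interfaces already carry IPv6 addresses, and of which scope, so an IPv4-only shop can see where it would answer on IPv6; the sample table is constructed.

```python
import ipaddress

# Scope codes as printed in /proc/net/if_inet6 (fourth hex column):
# 0x00 global, 0x10 host (loopback), 0x20 link-local, 0x40 site-local.
SCOPE_NAMES = {0x00: "global", 0x10: "host", 0x20: "link-local", 0x40: "site-local"}

# Constructed sample of /proc/net/if_inet6 lines (not from a real host).
# Columns: address, ifindex, prefix length, scope, flags, interface name (all hex but the name).
SAMPLE_IF_INET6 = """\
00000000000000000000000000000001 01 80 10 80       lo
fe80000000000000021c42fffe3a1b2c 02 40 20 80     eth0
20010db8000000000000000000000042 02 40 00 80     eth0
"""


def parse_if_inet6(text):
    """Parse if_inet6 lines into dicts with interface, address, prefix length and scope."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue  # skip blank or malformed lines
        raw_addr, _ifindex, prefix_hex, scope_hex, _flags, ifname = fields
        addr = ipaddress.IPv6Address(int(raw_addr, 16))  # 32 hex digits -> address
        entries.append({
            "interface": ifname,
            "address": str(addr),
            "prefix_len": int(prefix_hex, 16),
            "scope": SCOPE_NAMES.get(int(scope_hex, 16), "unknown"),
        })
    return entries


def ipv6_exposure(text):
    """Return {interface: [scopes]} for every non-loopback interface with an IPv6 address.
    Any entry here means the host answers on IPv6 even if only IPv4 is being monitored."""
    exposure = {}
    for entry in parse_if_inet6(text):
        if entry["interface"] == "lo":
            continue
        exposure.setdefault(entry["interface"], []).append(entry["scope"])
    return exposure


def read_host_if_inet6(path="/proc/net/if_inet6"):
    """Read the live table on a Linux host; '' if absent (IPv6 disabled or not Linux)."""
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return ""


if __name__ == "__main__":
    table = read_host_if_inet6() or SAMPLE_IF_INET6
    for ifname, scopes in ipv6_exposure(table).items():
        print(f"{ifname}: IPv6 enabled ({', '.join(scopes)})")
```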

Related articles:
- HITB slides: Marc Heuse - IPv6 Insecurity Revolutions.pdf

Tuesday, October 16, 2012

HITB playing AC/DC concert

While waiting for the next speaker during the HITB (Hack In The Box) Conference in Kuala Lumpur, the screen in the conference hall started to play the song "Thunderstruck" by AC/DC (shown in the video below).

The music video is actually part of the introduction to the presentation titled "Behind Enemy Lines" by Mikko Hypponen of F-Secure. His talk covers the various cyber "enemies" (types of hackers) and their motives. He also shared with us some of the ways to defend against these "enemies" and avoid becoming a target.

You can download the slides from the HITB website here.

Sunday, September 23, 2012

USB hacking obsolete?

With the Windows autorun feature disabled by default, are USB hacking methods such as pod slurping and trojanized flash drives no longer possible?

I recently wrote an article, "Pentesting with Teensy", for PenTest Magazine that describes how you can emulate a device as a HID (Human Interface Device) to inject attack code and execute commands on the system.

For those who have not read the article, I have made a short video to demonstrate how you can still carry out USB hacking using Teensy.

Besides using Teensy as a pentesting or hacking tool, it can also be useful for auditors to verify system hardening and configuration, with the system commands pre-set into the device.

For more information about my article, refer to my previous post "Pentesting with Teensy".

Tuesday, September 4, 2012

Command Your Windows

Systems these days do not really require users to use the command line. Windows, Mac, Linux and even traditionally command-based UNIX come with a GUI (Graphical User Interface) such as KDE. The command line may seem obsolete to many, but it is still very useful to hackers and pen-testers when a GUI is not available, such as when using a remote shell.

I have written an article titled "Command your Windows", which is published in this month's PenTest Magazine (September). In this article, I share some of the useful Windows commands that a hacker or pen-tester can use after obtaining a remote shell on a system.

This magazine can be purchased online from the PenTest Magazine website.

Please post your comments regarding this article here.
If you are interested in this article, I will be happy to share it with you. Just drop me an email.

Friday, August 3, 2012

Pentesting with Teensy

The Windows autorun feature is disabled by default these days. Is it still possible to launch code automatically from a USB drive? What if there were a USB drive that could execute code automatically when plugged in, yet could not be identified as a USB drive by the system?

Teensy is a USB-based micro-controller development board that can be programmed to emulate any device and to store program code. I have written an article that describes how you can emulate the device as a HID (Human Interface Device) to inject attack code and execute commands on the system.

This article titled "Pentesting with Teensy" can be found in the July issue of PenTest (Web App) Magazine.

This magazine can be purchased online from the PenTest Magazine website.

Please post your comments regarding this article here.
If you are interested in this article, I will be happy to share it with you. Just drop me an email.

Thursday, August 2, 2012

WhatsApp InSecurity

The ownership of smartphones and tablets has grown enormously over the past few years. WhatsApp has gained popularity as the cross-platform application to replace traditional messaging services such as Instant Messaging and SMS. How safe is it to use for personal communication?

I have written an article that talks about how you can extract the messages and photos that were sent via WhatsApp.

This magazine can be purchased online from the Hakin9 Magazine website.

Please post your comments regarding this article here.
If you are interested in this article, I will be happy to share it with you. Just drop me an email.

There is a video of the related demonstration, which I previously posted in "Can you extract message and photo from WhatsApp".

Friday, July 13, 2012

Security Guideline for Mobile Devices in Enterprise

This week, NIST (National Institute of Standards and Technology) released its guidelines for managing and securing mobile devices in the enterprise (Guidelines for Managing and Securing Mobile Devices in the Enterprise, SP 800-124 Revision 1). The purpose of this publication is to provide recommendations that help organizations centrally manage and secure their mobile devices against various threats.

This document is intended for technical staff such as security engineers and those responsible for planning, implementing and maintaining the security of mobile devices.

It covers the types of mobile devices that are in scope, such as smartphones and tablets. Basic cell phones and laptops are out of scope, as their threat level and security control options are different.

It also discusses the high-level threats and vulnerabilities related to these devices, as they generally have a higher risk exposure than other client devices such as desktops and laptops. These threats are:
  • Lack of physical security controls 
  • Use of untrusted mobile devices 
  • Use of untrusted networks 
  • Use of applications created by unknown parties 
  • Interaction with other systems 
  • Use of untrusted content 
  • Use of location services 
The next section of the document provides an overview of the current state of MDM (Mobile Device Management) technologies, which mainly comprises the components, the architectures and the capabilities. For components, it discusses the choice between an MDM solution from the same vendor as the mobile device and a third-party product that can manage one or more types of mobile devices. The architectures deal with the different design considerations and the use of other enterprise services based on business requirements. As for the capabilities of the MDM, it should provide the following security services:
  • General policy: enforce enterprise security policies on the mobile device.
  • Data communication and storage: provide strong encryption of data in transit and at rest. It should also be able to remotely wipe the device.
  • User and device authentication, including account and device lockout and remote locking of the device.
  • Applications: restrict the installation and removal of applications, and prevent access to enterprise resources based on the device OS (Operating System) version and status (rooted or jailbroken).
Lastly, it discusses security across the life cycle of the enterprise mobile device solution, from policy down to operations. This life cycle consists of 5 main phases.
  • Phase 1: Initiation. This phase includes identifying the need for mobile devices, creating a high-level strategy for implementing mobile device solutions, developing a mobile device security policy, and specifying business and functional requirements for the solution.
  • Phase 2: Development. This phase covers the technical characteristics of the mobile device solution and related components, including the authentication methods, cryptographic mechanisms and the types of mobile device clients to be used.
  • Phase 3: Implementation. This phase involves configuring equipment to meet operational and security requirements and ensuring integration with other security controls such as security event logging and authentication servers.
  • Phase 4: Operations and Maintenance. This phase covers security-related tasks that should be performed on an ongoing basis, such as log review and attack detection.
  • Phase 5: Disposal. This phase covers the tasks for retiring components and the mobile device solution, including preserving information to meet legal requirements and sanitizing and disposing of equipment properly.
For more details on this NIST publication, visit the following link:
This post is also available in Seczine, an online Security magazine.

Tuesday, May 1, 2012

Can you extract message and photo from Whatsapp?

One day, while messaging a friend using WhatsApp, he asked me whether the traffic was secure. I did a bit of reading and found out that WhatsApp messages were actually not encrypted, unlike iMessage.

So I decided to make a simple video to show how you can extract messages and photos that were sent via WhatsApp.

Wednesday, April 11, 2012

HP ProCurve Switch comes with FREE malware

HP announced in a security bulletin yesterday (10 Apr) that it has shipped malware-infected compact flash cards with its HP ProCurve switches.

From their official bulletin: "A potential security vulnerability has been identified with certain HP ProCurve 5400 zl switches containing compact flash cards which may be infected with a virus. Reuse of an infected compact flash card in a personal computer could result in a compromise of that system's integrity."

They have not disclosed how the malware managed to infect the flash cards, but it likely infected the systems of the third-party manufacturer that supplies those flash cards.

It is not the first time that renowned companies have shipped malware in their products. Seagate and Apple also have reported cases. (See my previous blog post "Battery not included ... but Malware is...".)

Related Reports:

Monday, October 24, 2011

Android vs iOS security

An interesting video of well-known security researcher Dr Charlie Miller discussing the security postures of Android and iOS.