Tuesday, August 9, 2016

Trane ComfortLink XL850 thermostats running firmware version 3.1 or lower are vulnerable to information disclosure and remote access due to a weak authentication mechanism and hardcoded credentials. The device uses a custom protocol on a predictable port number to administer remote access to virtually all of the device's functions. Combining hardcoded credentials with a network-accessible port leaves the device ripe for attack from the local network, or even from the Internet if the thermostat is exposed through the router.

Once an attacker has gained access, they can quickly extract all information from the device, including the home heating and cooling schedule, current operation mode, current temperature, chat and alarm history, serial number, active socket connections, trusted URLs, secret IDs, software version information and detailed address and installer information. With this, attackers can perform a number of dangerous operations, such as forcing the device to maintain the maximum heating setting or disabling it continuously, thereby overriding user input. Attackers can also remove and create trusted server connections, permanently disconnecting the device from the corporate command and control servers.

Below is the exploit that affects the device. The "Get Connected" banner at the top of the screen is a marketing prompt indicating that the device is not enrolled in any remote services or special features.

Tuesday, June 7, 2016

Hacking of Facebook Messenger

Check Point recently disclosed a vulnerability in Facebook Messenger that allows an attacker to change conversation threads in Messenger.

A hacker can manipulate the message history of a conversation to claim that he reached a falsified agreement with the victim, or simply change its terms.

Hackers can tamper with, alter or hide important information in Facebook chat communications, which can have legal repercussions. These chats can be admitted as evidence in legal investigations, and this vulnerability opened the door for an attacker to hide evidence of a crime or even incriminate an innocent person.

This vulnerability can also be used for malware distribution. An attacker can change a legitimate link or file into a malicious one and easily persuade the user to open it. The attacker can later use the same method to update the link to point at the latest C&C address.

Below is a demo of the hack.

Monday, June 6, 2016

Hijack and Impersonate Whatsapp account

Attackers are able to hijack a WhatsApp account and impersonate the legitimate user.
How do they do it? There is a weakness in Signalling System 7 (SS7), the global signalling network that carriers use to interconnect with each other. The attack works by tricking the telecom network into believing the attacker's phone has the same number as the target's.

The attacker then creates a new WhatsApp account and receives the verification code that authenticates their phone as the legitimate account holder. Once complete, the attacker controls the account, including the ability to send and receive messages.

Below is a demo of the attack.

You can find my previous post on extracting messages from Whatsapp in "Can you extract message and photo from Whatsapp?"

Saturday, June 4, 2016

Hacking of LG handphone

At the LayerOne 2016 conference in Los Angeles, Check Point today disclosed two vulnerabilities (CVE-2016-3117, CVE-2016-2035) which can be used to elevate privileges on LG mobile devices and to attack them remotely.

The first vulnerability allows a malicious app installed on an LG device to abuse the lack of bind permissions on an LG service and elevate its privileges, giving it additional control of the device.
The second vulnerability allows a remote attacker to delete or modify SMS messages received on the device. An attacker could use it to conduct credential theft or to fool a user into installing a malicious app: by modifying a user's unread SMS messages and adding a malicious URL, the attacker can redirect the user to download a malicious app or to a fake overlay that steals credentials.

Steps to mitigate the risk of this attack:
- Verify any app installation request before accepting it, to make sure it is legitimate.
- Use a personal mobile security solution that monitors your device for malicious behaviour.
- Look out for LG's update addressing these vulnerabilities and patch immediately.

Below is a video demo of the remote attack.

For more details of these vulnerabilities, visit "OEMs Have Flaws Too: Exposing Two New LG Vulnerabilities"

Saturday, December 20, 2014

Misfortune Cookies Vulnerability

While everybody was focusing on the Sony hacking incident, a vulnerability affecting over 12 million Internet routers in 189 countries across the globe was announced. At least 200 different device models are vulnerable, from vendors including ASUS, D-Link, Edimax, Huawei, TP-Link, ZTE and ZyXEL.

The vulnerability, discovered by researchers from Check Point's Malware and Vulnerability Research Group, was named the "Misfortune Cookie" vulnerability. It is exploitable due to an error in the HTTP cookie management mechanism of the affected software, which lets an attacker determine the 'fortune' (critical state) of a request by manipulating cookies. An attacker can send specially crafted HTTP cookies that corrupt memory and alter the application state, tricking the device's web server into treating the current session as having administrative privileges.

The actual vulnerability lies in the embedded web server software, RomPager from AllegroSoft. Devices running RomPager versions before 4.34 are vulnerable.

So what can an attacker do by exploiting this vulnerability? With administrative access to your device, an attacker could take control of your wired and/or wireless network infrastructure. Depending on your gateway device, there may be a risk of man-in-the-middle attacks, a possible attack vector for LAN-side vulnerabilities, and the ability for the attacker to extract useful information from your devices' network connections.

The information extracted from your network also sets the stage for further attacks, such as installing malware on devices and making permanent configuration changes that bypass gateway protections such as the firewall or network isolation of your local network.

Since this is one of the most widespread vulnerabilities revealed in recent years, how can we mitigate it? There is a patch to the vulnerable software: AllegroSoft issued a fixed version addressing this "Misfortune Cookie" vulnerability back in 2005. It is advised to check with the device vendor whether patched firmware is already available.

But there is the usual problem of device vendors taking too long to patch their firmware. Even when a fix for the vulnerable software is available, the vendor needs to integrate it into the device firmware, test that nothing breaks and then make it available, which normally takes a long time.

Another mitigation to consider is deploying an Intrusion Prevention System (IPS) in front of your device. IPS signatures are available for this vulnerability (CVE-2014-9222 and CVE-2014-9223).
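A quick first-pass check you can run against your own gateways while waiting for vendor firmware is to read the HTTP `Server` banner and compare the RomPager version against 4.34. The script below is an added example written for this post, not Check Point's or AllegroSoft's code; the sample banners are constructed to match the "RomPager/x.yy" format and the `fetch_server_header` helper is an assumption about how you would collect a real banner (it is only called when the script is run directly).

```python
import re
import urllib.request

# Constructed sample Server headers in the RomPager banner format.
# They are illustrative, not captured from real devices.
SAMPLE_HEADERS = [
    "RomPager/4.07 UPnP/1.0",
    "RomPager/4.34 UPnP/1.0",
    "RomPager/4.51 UPnP/1.0",
    "Allegro-Software-RomPager/4.07",
    "nginx/1.10.3",
]

# AllegroSoft's fix shipped in RomPager 4.34 (as stated in the post above).
FIXED_VERSION = (4, 34)

_BANNER = re.compile(r"RomPager/(\d+)\.(\d+)", re.IGNORECASE)


def rompager_version(server_header):
    """Return (major, minor) if the Server header advertises RomPager, else None."""
    m = _BANNER.search(server_header or "")
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)))


def is_vulnerable_banner(server_header):
    """True when the banner reports RomPager older than 4.34.

    Returns None when the banner is not RomPager at all, so callers can tell
    "not affected software" apart from "affected software, patched version".
    Comparing as a (major, minor) tuple avoids the string trap where
    "4.07" > "4.34" would be decided character by character.
    """
    v = rompager_version(server_header)
    if v is None:
        return None
    return v < FIXED_VERSION


def triage(headers):
    """Map each banner to True (vulnerable), False (fixed) or None (not RomPager)."""
    return {h: is_vulnerable_banner(h) for h in headers}


def fetch_server_header(url, timeout=5):
    """Hypothetical helper: pull the Server header from a gateway's web UI.

    Not exercised offline; a HEAD request is usually enough to get the banner.
    """
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.headers.get("Server", "")


if __name__ == "__main__":
    for banner, verdict in triage(SAMPLE_HEADERS).items():
        label = {True: "VULNERABLE (< 4.34)", False: "fixed version", None: "not RomPager"}[verdict]
        print(f"{banner:35s} -> {label}")
```

Treat a pre-4.34 banner as a reason to follow up with the vendor rather than as proof: a vendor may have integrated the fix without changing the version string, and a device can also hide the banner entirely, which is why the IPS signatures above remain worthwhile.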

Misfortune Cookie

Saturday, October 19, 2013

Information Leakage and Improper Error Handling

Information leakage and improper error handling used to be a category in the OWASP Top 10 of 2004 and 2007. Since 2010 it has been renamed "Security Misconfiguration", with a wider scope.

While doing my online shopping today, I accidentally triggered an SQL query timeout error. The error page revealed quite a lot of information, which can be useful for the programmer to carry out troubleshooting. But best of all, it also provides the hacker with information to carry out the next level of "attack" on the server.

The error page provides table information and file paths, which help in launching SQL injection and XSS attacks.

The error page also shows the application software that the server is using and its version number. Based on this information, the Microsoft .NET Framework version is not the latest; it may contain critical vulnerabilities that allow elevation of privilege and remote code execution.
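To make the point concrete, here is an added example (not from the original post, and not the shop's actual error page) that pulls the attacker-useful details out of a verbose ASP.NET unhandled-exception page: the exception type, any table names visible in the failing SQL, server-side file paths, whether a stack trace is present and the framework version string. The sample page is constructed to mimic the default ASP.NET error layout; the paths, table name and version in it are made up.

```python
import re

# Constructed sample modelled on the default ASP.NET unhandled-exception page.
# Paths, table name and version number are invented for the example.
SAMPLE_ERROR_PAGE = """
<html><head><title>Timeout expired.</title></head><body>
<h1>Server Error in '/' Application.</h1>
<h2><i>Timeout expired.  The timeout period elapsed prior to completion of the operation or the server is not responding.</i></h2>
<b>Exception Details: </b>System.Data.SqlClient.SqlException: Timeout expired.<br>
<b>Source Error:</b>
<pre>Line 42:   cmd.CommandText = "SELECT * FROM tblOrders WHERE CustomerId = @id";
Line 43:   reader = cmd.ExecuteReader();</pre>
<b>Source File:</b> C:\\inetpub\\wwwroot\\shop\\Checkout.aspx.cs&nbsp;&nbsp;&nbsp;&nbsp;<b>Line:</b> 43
<b>Stack Trace:</b>
<pre>[SqlException (0x80131904): Timeout expired.]
   Shop.Checkout.LoadOrders(Int32 id) in C:\\inetpub\\wwwroot\\shop\\Checkout.aspx.cs:43</pre>
<hr width=100% size=1 color=silver>
<b>Version Information:</b>&nbsp;Microsoft .NET Framework Version:2.0.50727.5485; ASP.NET Version:2.0.50727.5485
</body></html>
"""

# Markers that only appear on a developer-style error page, never on a
# generic "something went wrong" page.
_VERBOSE_MARKERS = ("Server Error in '", "Exception Details:", "Stack Trace:", "Source Error:")

_EXCEPTION = re.compile(r"Exception Details:\s*</b>\s*([\w.]+)")
_FRAMEWORK = re.compile(r"\.NET Framework Version:\s*([\d.]+)")
_WIN_PATH = re.compile(r"[A-Za-z]:\\[^\s<>\"':;&]+")
# Uppercase SQL keywords only, to avoid matching the word "from" in prose.
_SQL_TABLE = re.compile(r"\b(?:FROM|INTO|UPDATE|JOIN)\s+([A-Za-z_][\w.]*)")


def is_verbose_error(body):
    """True if the response body looks like an unhandled-exception page."""
    return any(marker in body for marker in _VERBOSE_MARKERS)


def _unique(items):
    seen, out = set(), []
    for item in items:
        if item not in seen:
            seen.add(item)
            out.append(item)
    return out


def extract_leaks(body):
    """Collect the details an attacker would harvest from a verbose error page."""
    exc = _EXCEPTION.search(body)
    fw = _FRAMEWORK.search(body)
    return {
        "exception": exc.group(1) if exc else None,
        "framework_version": fw.group(1) if fw else None,
        "paths": _unique(_WIN_PATH.findall(body)),
        "tables": _unique(_SQL_TABLE.findall(body)),
        "stack_trace": "Stack Trace:" in body,
    }


if __name__ == "__main__":
    if is_verbose_error(SAMPLE_ERROR_PAGE):
        for key, value in extract_leaks(SAMPLE_ERROR_PAGE).items():
            print(f"{key:18s}: {value}")
```

Run over real responses, a hit on `is_verbose_error` is the finding itself: the fix is to serve a generic page to clients and keep the exception, SQL and paths in server-side logs under a reference ID, so troubleshooting stays possible without handing the same details to an attacker.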

Planning to inform the site administrator about these issues; nobody has hacked it yet.

Thursday, October 25, 2012

IPv6 InSecurity. Is your company ready for IPv6?

Everybody is announcing that IPv4 addresses are running out. Countries and major IT companies (such as Google) are encouraging others to move to IPv6, and IPv6 has always been portrayed as more secure than IPv4.

Image from Google

But in his recent talk "IPv6 Insecurity" at HITB, van Hauser shared that the number of vulnerabilities found relating to IPv6 has grown hugely in recent years, several times more than for IPv4.

So is IPv6 mature and stable enough? Are companies ready for the change to IPv6? Should we be encouraging our companies to make the change now? These are questions that we, as security professionals, need to ask ourselves.

Besides the question of IPv6 readiness, van Hauser also highlighted how important it is for companies (even those in a pure IPv4 environment) to be aware of and understand the threats from IPv6. Desktop and network devices these days may already support IPv6, and it may be enabled by default. Attackers can use this "channel" to target companies in IPv4 environments and bypass their network protection (e.g. an IPS) if it is not IPv6 aware.
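The practical check that follows from this is to find out which hosts in a supposedly IPv4-only network already carry a routable IPv6 address. The script below is an added example, not from the talk or the original post: it parses `ip -6 addr` output from a Linux host and reports interfaces with addresses beyond link-local or loopback scope, and whether they were learned from a router advertisement (the `dynamic` flag), which on an IPv4-only segment would point at an unexpected or rogue router. The sample output is constructed, and uses the 2001:db8::/32 documentation prefix in place of a real global address.

```python
import ipaddress
import re

# Constructed sample of `ip -6 addr show` output (not captured from a real host).
# 2001:db8::/32 is the documentation prefix, standing in for a real global address.
SAMPLE_IP6_ADDR = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1:2:5054:ff:fe12:3456/64 scope global dynamic mngtmpaddr
       valid_lft 86395sec preferred_lft 14395sec
    inet6 fe80::5054:ff:fe12:3456/64 scope link
       valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 state DOWN
    inet6 fe80::42:acff:fe11:2/64 scope link
       valid_lft forever preferred_lft forever
"""

# "2: eth0: <...>" or "4: eth0.100@eth0: <...>" -> interface name
_IFACE = re.compile(r"^\d+:\s+([^:@\s]+)")
# "    inet6 <addr>/<prefix> scope <scope> [flags...]"
_ADDR = re.compile(r"^\s+inet6\s+(\S+)\s+scope\s+(\w+)(.*)$")


def parse_ip6_addr(text):
    """Parse `ip -6 addr` output into (iface, IPv6Interface, scope, flags) tuples."""
    entries = []
    iface = None
    for line in text.splitlines():
        m = _IFACE.match(line)
        if m:
            iface = m.group(1)
            continue
        m = _ADDR.match(line)
        if m and iface:
            addr = ipaddress.IPv6Interface(m.group(1))
            flags = set(m.group(3).split())
            entries.append((iface, addr, m.group(2), flags))
    return entries


def ipv6_exposure(text):
    """Interfaces carrying IPv6 addresses that are neither loopback nor link-local.

    Returns {iface: {"addresses": [...], "slaac": bool}}. Any entry on a host
    believed to be IPv4-only means IPv6 is live on that segment; "slaac" True
    means the address came from a router advertisement, so some router (expected
    or not) is advertising a prefix there.
    """
    exposed = {}
    for iface, addr, scope, flags in parse_ip6_addr(text):
        if scope in ("host", "link") or addr.ip.is_loopback or addr.ip.is_link_local:
            continue
        rec = exposed.setdefault(iface, {"addresses": [], "slaac": False})
        rec["addresses"].append(str(addr.ip))
        if "dynamic" in flags:
            rec["slaac"] = True
    return exposed


if __name__ == "__main__":
    for iface, rec in ipv6_exposure(SAMPLE_IP6_ADDR).items():
        how = "via router advertisement" if rec["slaac"] else "statically configured"
        print(f"{iface}: {', '.join(rec['addresses'])} ({how})")
```

Link-local addresses are deliberately not reported, since every IPv6-capable interface has one; they still matter for attacks on the local segment, but the routable addresses are the ones that let traffic reach a host past an IPv4-only IPS.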

Related articles:
- HITB slides: Marc Heuse - IPv6 Insecurity Revolutions.pdf

Tuesday, October 16, 2012

HITB playing AC/DC concert

While waiting for the next speaker at the HITB (Hack In The Box) conference in Kuala Lumpur, the screen in the conference hall started to play the song "Thunderstruck" by AC/DC (shown in the video below).

The music video is actually part of the introduction to the presentation titled "Behind Enemy Lines" by Mikko Hypponen of F-Secure. His talk covers the various cyber "enemies" (types of hackers) and their motives. He also shared some of the ways to defend against these "enemies" and avoid becoming a target.

You can download the slides from the HITB website here.

Sunday, September 23, 2012

USB hacking obsolete?

With the Windows autorun feature disabled by default, are USB hacking methods such as pod slurping and trojanized flash drives no longer possible?

I recently wrote an article, "Pentesting with Teensy", for PenTest Magazine that describes how you can emulate a HID (Human Interface Device) and inject attack code and execute commands on the system.

For those who have not read the article, I have made a short video to demonstrate how you can still carry out USB hacking using a Teensy.

Besides using the Teensy as a pentesting or hacking tool, it can also be useful for auditors to verify system hardening and configuration, with system commands pre-set into the device.

For more information about my article, refer to my previous post "Pentesting with Teensy".

Tuesday, September 4, 2012

Command Your Windows

Systems these days do not really require users to use the command line. Windows, Mac, Linux and even traditionally command-based UNIX come with a GUI (Graphical User Interface) such as KDE. The command line may seem obsolete to many, but it is still very useful to hackers and pen-testers when a GUI is not available, such as when using a remote shell.

I have written an article titled "Command your Windows", which is published in this month's (September) PenTest magazine. In this article, I share some of the useful Windows commands that a hacker or pen-tester can use after obtaining a remote shell on the system.

This magazine can be purchased online from the PenTest Magazine website.

Please post your comments regarding this article here.
If you are interested in this article, I will be happy to share it with you. Just drop me an email.

Friday, August 3, 2012

Pentesting with Teensy

The Windows autorun feature is disabled by default these days. Is it still possible to launch code automatically from a USB drive? What if there were a USB drive that could execute code automatically when plugged in, yet would not be identified as a USB drive by the system?

The Teensy is a USB-based microcontroller development board which can be programmed to emulate any USB device and store program code. I have written an article that describes how you can make the device emulate a HID (Human Interface Device) and inject attack code and execute commands on the system.

The article, titled "Pentesting with Teensy", can be found in the July issue of PenTest (Web App) Magazine.

This magazine can be purchased online from the PenTest Magazine website.

Please post your comments regarding this article here.
If you are interested in this article, I will be happy to share it with you. Just drop me an email.

Thursday, August 2, 2012

WhatsApp InSecurity

The ownership of smartphones and tablets has grown enormously over the past few years. WhatsApp has gained popularity as the cross-platform application replacing traditional messaging services such as instant messaging and SMS. How safe is it to use for personal communication?

I have written an article that talks about how you can extract the messages and photos that were sent via WhatsApp.

The magazine can be purchased online from the Hakin9 Magazine website.

Please post your comments regarding this article here.
If you are interested in this article, I will be happy to share it with you. Just drop me an email.

There is a video of the related demonstration, which I previously posted in "Can you extract message and photo from WhatsApp".