Sunday, September 12, 2010

Attacking Java serialization protocol

Hi Guys

My colleague Manish from A&D Labs has posted and released DSer for attacking Java Serialization protocol, using the JVMITM approach check it out here

Monday, August 9, 2010

Abusing serialization protocol using JVMITM (JVM in the middle)

A friend of mine asked me to clarify about Belch usage in serialization manipulating, so here goes:

When a serialization channel is created between client and server, all traffic switches from basic http to serialization over http. This makes tracing, manipulating and testing more difficult due to the binary content of the serialization protocol.

This in mind, what you need is a decrytor-encryptor utility to stick in the middle of communication channel, so you can get a better understanding and control over the communication between the client and server. You need it to be very efficient and very fast: enters JVMITM - JVM in the middle.

If you could divert the communication to an Java VM, you could utilize java to translate the serialization protocol into a somewhat better understandable format -say XML. Once in XML format, you abuse it at your will and then redirect it to JVM back. JVM convert it back to serialization protocol and send it down the communication channel.

JVMITM approach support any serialization protocol that Java understand, such as Flash, Java-serialization and more. The only thing you have to do in order to decrypt the protocol, is to include the proper library in your JVMITM classpath

Belch can help you utilize JVMITM by enabling you to redirect the communication to your chosen application (hex-editor ,batch wrapper of a JVM or other self written tool)

Stay tuned as I will publish some example of using Belch to JVMITM against Flash AMF serialization protocol

Wednesday, June 23, 2010

SQLmap 0.8 and SOAP based Web-Services

I Love SQLmap , it's clean, fast, super efficient, fully automated and get's the job done when a POC is needed.

Lately I was pen-testing SOAP Web-Services, and I came to learn that SQLmap wasn't aware of SOAP syntax.

Being the lazy hacker I am the thought of manually testing the entire application using SOAPUI and some tweaking gave me a chill ,So, I have fired up my Python and patched a small mod to let SQLmap do it's magic on SOAP request too.

Basically, the mod instructs SQLmap to parse XML input into parameter-value map in the same manner that SQLmap was parsing GET/POST parameters.

In the same manner of looking for &parametera=valueA&paramB=valueB.. etc. SQLmap now looks into the XML request and parse it to Child and Value (current mod omit the attributes)

That said, if you wanna get some serious injection and SOAP'n dirty (Ha!) try this patch and let me know ;)

There are three files to patch for version 0.8: agent.py, common.py and traget.py
Happy Hunting ;)

--- /Users/osx/Downloads/sqlmap/./lib/core/agent.py 2010-03-05 11:14:36.000000000 +0200
+++ ./lib/core/agent.py 2010-06-20 13:08:35.000000000 +0300
@@ -32,7 +32,7 @@ from lib.core.data import kb
from lib.core.data import queries
from lib.core.data import temp
from lib.core.exception import sqlmapNoneDataException
-
+from xml.etree import ElementTree as ET

class Agent:
"""
@@ -77,7 +77,15 @@ class Agent:
retValue = value.replace(value, newValue)
else:
paramString = conf.parameters[place]
- retValue = paramString.replace("%s=%s" % (parameter, value),
+ if conf.paramDict["POSTxml"]:
+ root = ET.XML(paramString)
+ iterator = root.getiterator(parameter)
+ for child in iterator:
+ child.text =newValue
+ retValue=ET.tostring(root)
+
+ else:
+ retValue = paramString.replace("%s=%s" % (parameter, value),
"%s=%s" % (parameter, newValue))

return retValue
--- /Users/osx/Downloads/sqlmap/./lib/core/common.py 2010-03-05 11:14:36.000000000 +0200
+++ ./lib/core/common.py 2010-06-20 13:54:01.000000000 +0300
@@ -53,6 +53,7 @@ from lib.core.settings import IS_WIN
from lib.core.settings import SITE
from lib.core.settings import SQL_STATEMENTS
from lib.core.settings import VERSION_STRING
+from xml.etree import ElementTree as ET

def paramToDict(place, parameters=None):
"""
@@ -81,9 +82,9 @@ def paramToDict(place, parameters=None):
splitParams = parameters.split(";")
else:
splitParams = parameters.split("&")
-
- for element in splitParams:
- elem = element.split("=")
+ if place is not "POSTxml":
+ for element in splitParams:
+ elem = element.split("=")

if len(elem) == 2:
parameter = elem[0].replace(" ", "")
@@ -94,6 +95,12 @@ def paramToDict(place, parameters=None):
if condition:
value = elem[1]
testableParameters[parameter] = value
+ else:
+
+ root = ET.XML(parameters)
+ iterator = root.getiterator()
+ for child in iterator:
+ testableParameters[child.tag] =child.text

if conf.testParameter and not testableParameters:
paramStr = ", ".join(test for test in conf.testParameter)
--- /Users/osx/Downloads/sqlmap/./lib/core/target.py 2010-03-05 11:14:36.000000000 +0200
+++ ./lib/core/target.py 2010-06-21 12:47:53.000000000 +0300
@@ -24,6 +24,8 @@ Franklin St, Fifth Floor, Boston, MA 02

import os
import time
+"""for RegEx identification of partterns in POST data"""
+import re

from lib.core.common import dataToSessionFile
from lib.core.common import paramToDict
@@ -44,7 +46,7 @@ def __setRequestParams():
"""

__testableParameters = False
-
+ __paramDict = list()
# Perform checks on GET parameters
if conf.parameters.has_key("GET") and conf.parameters["GET"]:
parameters = conf.parameters["GET"]
@@ -60,14 +62,19 @@ def __setRequestParams():
raise sqlmapSyntaxException, errMsg

if conf.data:
- conf.parameters["POST"] = conf.data
- __paramDict = paramToDict("POST", conf.data)
-
- if __paramDict:
- conf.paramDict["POST"] = __paramDict
- __testableParameters = True
+ conf.parameters["POST"] = conf.data
+ """Search the POST data for tags if found - treat as XML"""
+ if re.match(".*<.*>.*", conf.data):
+ conf.paramDict["POSTxml"] = True
+ __paramDict = paramToDict("POSTxml",conf.data)
+ else:
+ __paramDict = paramToDict("POST", conf.data)
+
+ if __paramDict:
+ conf.paramDict["POST"] = __paramDict
+ __testableParameters = True

- conf.method = "POST"
+ conf.method = "POST"

# Perform checks on Cookie parameters
if conf.cookie:

Monday, May 3, 2010

Pentesting Adobe Flex AMF with Belch

Hi all, long time no post,
I had to do some developing, got a flex/BlazeDS application to attack.

The AMF architecture is very straight forward, the flash client communicate to BlazeDS server using adobe AMF binary protocol.
Yep, those words Binary-Protocol means some playing around when trying to manipulate in the middle.

So, got myself busy and wrote a new external library for good old Belch. It handles all the decoding-manipulating-encoding on the fly and makes my life easier.

Stay put for sources, I will publish as soon as they are stable

Monday, March 8, 2010

Full disclosure:
Security vulnerability in Lenovo™ Laptops
(Hotkey™ Driver and Access Connections™ v5.33) - Fix availble

Subject:
Security vulnerability in Lenovo™ Hotkey™ Driver and Access Connections™ v5.33

Impact:
A privilege escalation attack can be used as a backdoor to bypass login and run arbitrary code as a System user on Lenovo™ or Thinkpad™ laptops running Access Connection™ v5.33 and earlier versions (tracked back to version 4)


Technical details:

  • The Hotkey™ Driver is an Lenovo™ application that monitors the Lenovo™ special Hotkeys (Fn keys) and execute Lenovo™ specified applications upon their invocation.
  • The default installation of the Hotkey™ Driver is as a service and runs under NT Authority\System privileges.
  • Upon hot key detection, the Hotkey™ driver checks the registry key for the specified file to lunch and evokes that file, as example When the Fn + F5 key combination is pressed the Hotkey™ driver checks the registry key named File at HKEY_LOCAL_MACHINE\SOFTWARE\IBM\TPHOTKEY\CLASS\01\05 for its value and then launches the specified application (by default, Tp/AcFnF5.exe).
  • The Hotkey™ driver is available even prior to Windows login due to its installation configuration.
  • The value of the registry key to be lunched is not verified at invocation time.
  • This key is not monitored by the operating system and any change to this key is undetected.
  • An attacker with restricted access to the registry can use this information to launch a targeted attack on Lenovo™ or Thinkpad™ users that changes this key into an arbitrary application that runs with System permission.

Reproduce:

1. Using the target laptop change the File registry key value at HKEY_LOCAL_MACHINE\SOFTWARE\IBM\TPHOTKEY\CLASS\01\05 from 'Tp/AcFnF5.exe' to 'cmd.exe'.

2. Lock the station ('Windows' + 'L').

3. Press 'Fn'+'F5' and a windows command prompt opens with System privilege.

Mitigation:

Please update Hotkey Driver and Access connection™ to the most updated version (link here) at Lenovo™ website