Posts Tagged ‘attack’

Pivot Mercilessly!

Wednesday, March 17th, 2010

I just returned from a great trip to SANS 2010, in Orlando, where I was taking SEC 560 – Penetration Testing.  Our instructor, Ed Skoudis (an amazing guy, by the way), repeatedly hammered into our brains the mantra “Pivot Mercilessly!”

This concept is something that a penetration tester or vulnerability assessor needs to always keep in mind – look for the easy toehold into a system, and then see where you can go from there.  “Pivot” throughout the environment using the weak link as a starting point.

I was performing an assessment recently on a Solaris system that demonstrated this concept very effectively.  One of the boxes was vulnerable to a relatively old telnet vulnerability , which we exploited with pleasure – granting us root access to the machine.  From there, we examined the trust relationships inside the network and noticed that this box had “r service” trust relationships set up with many other machines in the network.  So, we used rsh to connect to numerous other boxes, all with root level access, and from those boxes to others… quickly we had the entire system PWNED.

All of this was made possible by a single box with one weak spot.  This is likely the case with most systems out there – maybe you’ll have one or two boxes vulnerable to exploits, especially in a well-managed corporate network.  From there, it’s up to you to pivot your way through the rest of the system!

Tags: , ,
Posted in Attacks, methods | No Comments »

Information Leakage via Delicious

Friday, July 10th, 2009

By now, the concept of “google hacking” is pretty commonly understood.  People may not be preventing it very well, but it’s moved beyond a new thing.

For the uninitiated, though, here’s a brief summary: using Google (or any other search engine – but really, is there any other?) to find vulnerable web apps, personal information, mp3s in public directories, etc etc.  It’s great fun, and a pretty fundamental initial step of profiling an attack target.

Johnny Long was one of the main evangelists of this method and has a great database of search terms.  It’s no longer actively maintained, but you can still find plenty of good information with this as a starting point!

So Google hacking is great, but it only gets you to the public internet.  What if I wanted to profile the inside of a company, from the outside?  And passively – without hitting their servers myself?  Wouldn’t it be great if I could look for public information shared by company insiders?

Delicious seems almost perfectly designed to do this kind of activity.  For the unfamiliar, delicious is an online bookmarking site, designed around the idea that sharing bookmarks is a great way to learn about new sites.  Which is an alright idea…  but don’t people also bookmark a lot of private information?  I sure do!

Making matters worse, delicious encourages users to get started by uploading their browser bookmarks.  Essentially uploading gobs of potentially personal data to a public site.  This is a classic case of information leakage.  A dedicated attacker can use this public information to get all sorts of juicy tidbits about a company.

Let’s do some examples.  This all works great in theory, but, like Google, there is a LOT of data to sort through.  Say I’m a bad guy interested in insider information about a company.  I can start looking for the basics – say… “intranet”.  Delicious makes this easier by encouraging users to tag their posts for easy categorization:

http://delicious.com/tag/intranet

So that gives me everything that users have tagged with ‘intranet’.   Lots of sites about intranet design, usability, etc.  But also sites tagged by users to manage their own bookmarks!  So I’ll start digging into an individual company… how about AMD?

http://delicious.com/search?p=amd&u=&chk=&context=recent&tag=intranet

intranet_amd

The first result doesn’t look interesting, but the second and third, well those sound like intranet sites!  This is confirmed by trying to follow them through and the DNS not resolving.  Nice!  Now let’s see what else this presumed AMD employee has bookmarked…

links_1

Wow, lots of development related links!  Interesting.  And what’s that link on page 2 about “AMD Manager Toolkit” ??  This fellow looks like he’s a technical manager at AMD!

Dig a little deeper, and it looks like we have another intranet site – mentioning the (presumably internal) code name of a project.  Interesting!  Go further into the links, and you see even further links to internal project Wiki pages.

links_2

Surfing around to a few of the non-intranet sites gives me an even better profile of this person.  They work with unit testing.  They use UML, C++, and Ruby, and read a lot about circuit design.  They live in India.  They’re learning guitar, and are interested in martial arts.

This may seem like innocent information to an outsider, but if I was doing this for espionage purposes, I just learned a lot about the internal operations of a project – and this is with 10 minutes of work on one webpage.  What else could I find if I dug through the internet further?

Web 2.0 is a lot of fun, and can be really useful.  But what’s often overlooked are the implications of sharing all this information.  Unless you make it a point to protect your privacy, that privacy probably doesn’t exist.  And for businesses, this can be a major potential risk.

Delicious certainly doesn’t help stop this – according to the FAQ, you cannot make your links private by default, but instead must manually edit them to make them private.  And also, the TOS leaves responsibility entirely in the hands of the users.  Very laissez-faire!

Should companies ban employees from using sites like delicious?  Probably not.  But I think that this demonstrates that employees need to be more educated on what they are exposing themselves and their employer to when using social networking sites.

Tags: , , , ,
Posted in Attacks, How-to | 3 Comments »

Symbian S60 SMS Exploit ‘Curse of Silence’

Saturday, January 3rd, 2009

A lot of very interesting research was presented at this year’s Chaos Computer Club meeting. One very interesting piece of research involved the mobile Symbian S60 operating system and a DOS vulnerability involving a maliciously (or unfortunately long legitimately) crafted SMS message. The original advisory released by Tobias Engel can be found here.

Executing the exploit is trivial and can be performed directly on most SMS capable mobile phones or SMS gateway services. The attacker simply creates an SMS message prefaced with an email address greater than or equal to 32 characters in length followed by a space (ex. “123456789@123456789.1234567890123 DOSed!”). After receiving the malicious message, the target’s phone’s SMS service will either die silently (preventing new messages from being received) or fail to receive new SMS messages after a certain number of malicious messages have been received. This is effectively an SMS DOS.

The problem would appear to be in the way that the S60 OS parses the prefaced email address of the received SMS message. There is a little used SMS standard (3GPP TS 23.040 section 3.8) for sending SMS messages to email targets and this parsing is likely related to the displaying of these messages. Typically when an error like this kills a service it could become a vector for a buffer overflow attack, but because of the hard message length limit on SMS messages, this is most likely not possible.

Symbian is a mobile operating system used mostly by Nokia phones (although some other manufacturers use Symbian; including Sony, and Motorola). According to the advisory any Symbian phone running the below software versions is vulnerable:

  • S60 2nd Edition, Feature Pack 2 (S60 2.6)
  • S60 2nd Edition, Feature Pack 3 (S60 2.8)
  • S60 3rd Edition, initial release (S60 3.0)
  • S60 3rd Edition, Feature Pack 1 (S60 3.1)

You can identify what phones have vulnerable versions by referencing the S60 product page.

The f-secure mobile security product is advertising protection for this exploit. Other than upgrading the operating system of a device (a process which must be vendor/provider supported) or disabling the SMS feature of your calling plan,  a software solution appears to be the only way to mitigate this problem device.

Tags: , ,
Posted in Attacks | No Comments »