BLOG

22 February 2018

XML External Entity (XXE) Processing

Introduction

If you've taken a look at the 2017 OWASP Top 10, updated for the first time since 2013, you might be wondering what in the world XML External Entity (XXE) processing is and how it pulled the number four spot of most critical web application security risks. Also, according to OWASP it’s an issue that is "not commonly tested as of 2017." Don't panic – here's a quick rundown of what it is and why you should care.

05 February 2018

It's tax season, safeguard your organization's W-2s

Introduction

It’s tax season in the United States, and many organizations have just prepared their employees' W-2s. You may have recently received the form in electronic or paper format and are prepared for the opening day of tax filing on January 29th. Tax season also provides an opportunity for cyber criminals to attack your organization with a social engineering technique commonly referred to as phishing. Criminals are interested in collecting W-2s because the information on the form enables them to file many fraudulent tax returns, claim refunds and, in many cases, avoid detection for months until the legitimate tax return is filed.

24 January 2018

Exploiting VyprVPN for macOS

Introduction

In 2017, VerSprite released an advisory for a privilege escalation vulnerability in the VyprVPN macOS application. In this blog post, we'll dive into the process of finding this vulnerability and writing a simple exploit for it.

When performing attack surface enumeration for any macOS application, I typically search for XPC (Cross Process Communication) API usage. I've found that I rarely see XPC services in third-party applications being secured, so they tend to be a focal point for my bug hunting efforts. I'm not going to deep dive into XPC internals in this blog, so I would highly suggest reading Ian Beer's slides, which cover this topic in depth. For now all we need to know is that XPC is a form of inter-process communication and that XPC messages typically take the form of a dictionary, which can contain various types such as arrays, strings, etc. Observing the output from nm on the VyprVPN binary, it looks like the application is indeed utilizing various XPC functions.

14 December 2017

Exploiting the Dolphin Browser for Android’s Backup & Restore Feature

Introduction

In this blog post we will cover the vulnerability's technical details and how to exploit the Dolphin Browser for Android's Backup and Restore feature.

Attack Surface Analysis

I've always been really interested in alternative Android Browsers because of their feature sets. These features introduce additional attack surfaces that in some cases can result in crushing vulnerabilities. In the case of the Dolphin Browser for Android, it has plenty of features to go around, giving it a large attack surface.

28 November 2017

Frida Engage Part Two | Shellcoding an Arm64 In-Memory Reverse TCP Shell with Frida

Introduction

In the first installment of the Frida Engage blog series, we explored the ways in which we could use Frida's Memory, NativeFunction, and Module API(s) to build a simple ELF parser. In part two of the series we are going to explore and leverage Frida's new Arm64Writer API to build an in-memory reverse TCP shell.

20 October 2017

Frida Engage Part One | Building an ELF Parser with Frida

Introduction

In this blog series we will be covering the endless possibilities and power of Frida. For those of you who have never heard of Frida, it is a dynamic instrumentation toolkit that allows you to inject JavaScript or your own libraries into native apps across multiple platforms. Frida is commonly used for hooking and manipulating functions. If you search the internet for tutorials on Frida, you will find many resources on how to use Frida’s Interceptor API, which gives you the ability to ‘intercept’ target function calls. In this series I would like to explore beyond just hooking functions, and into all of the crazy and cool things you can do when control of a process is at your fingertips.

20 October 2017

Swimming in the Deep End - Taking a Closer Look at the Use Cases of JEA

Introduction

Reintroducing JEA

We are revisiting JEA to take a closer look at some key points of use and to go over areas I feel are disadvantages. You can review my previous post, but here are a few key points: Just Enough Administration, part of the Windows Management Framework 5.0, is a technology that helps enforce information security protections by restricting IT administrative rights. JEA can be used to allocate administrative privileges to special users and user groups (via a session) to perform tasks and special commands via PowerShell, as specified by an administrator. A main issue that JEA usage faces in the workplace is that many administrators are still accustomed to using GUIs rather than the Windows PowerShell command-line shell and scripting environment. PowerShell uses cmdlets to perform common system administration tasks, such as managing the registry, services, processes, and event logs. Learning which cmdlets to run for a given task may pose a learning challenge.

06 June 2017

Being a Benevolent Dictator with Admin Rights

Introduction

Imagine this scenario: You are a systems engineer. You are tasked with managing user and group access controls. Your company’s two-person NOC team has admin rights to perform triage work. Eventually, you discover that your company is compromised and has been for an unknown length of time. Forensic analysis identifies that one of the NOC admin accounts was used to create a rogue domain admin account. The attackers have admin rights over the domain and have been running rampant.

22 Sep 2015

Medical Record Retention Across States (HIPAA / HITECH)

Introduction

The retention of medical records is, unfortunately, not a cut-and-dry sentence highlighted in the opening paragraph of HIPAA. There are several factors to consider when determining which documents need to be stored and for how long. It is important to realize that HIPAA makes no firm assertion as to medical record retention, leaving the long-term storage of medical records to state and other federal laws. These laws vary from state to state, and federal laws vary based on the type of medical record.

16 Sep 2015

Command Injection in the WD My Cloud NAS

Introduction

The Western Digital My Cloud ("Personal Cloud Storage"), or WD My Cloud for short, is a consumer NAS product. The idea behind this device is for a household, team, or small organization to have full and complete control over their data in a private cloud environment without having to trust their data storage to multi-tenanted services hosted by other companies. Their data can be accessed from a desktop behind a private LAN or a smartphone located on the other side of the world. Given frequent news stories of major hacks, database leaks and the exposure of private information, personal NAS devices are ideal solutions for many looking for more privacy.


Anti-Nausea Medicine for LastPass, Password Management FUD

I woke up this morning with a severe case of 140 character malaise all over my Twitter feed. It all centered around LastPass, password managers, and the usual InfoSec hatorade that usually comes free with the purchase of a CISSP (not a ding to the cert, more to the certified). After tearing my morning cloak in two and wailing in a cloud of incense, I evaluated my post-rage options and elected to write this blog.

08 May 2015

SSL/TLS Security 2015 - A Simplified, Quick Guide

Intro

Much of the following may be common knowledge to most, but many in IT and beyond misuse the term 'SSL', so a refresher can’t hurt.

27 Apr 2015

Into The Jar | jsonpickle Exploitation

Overview

Python’s pickle module is its primary mechanism for the serialization and deserialization of Python object structures. This module has also been a target for exploitation when it is used insecurely, by loading malicious ‘pickle’ streams and reconstructing objects from them. The dangers are so prevalent, in fact, that the pickle documentation explicitly states that it is not intended to be secure against erroneous or maliciously constructed data.

26 Apr 2015

Assessing Emerging JavaScript Platforms - What to Look For

Overview

Node.js is known as one of the most important emerging technologies. It is an event-driven, open source runtime for creating server-side applications. It is a highly customizable server engine that is popular amongst JavaScript coders for creating real-time web APIs. It runs an event loop and responds to requests as they arrive.

17 Apr 2015

Android Titan SMS Trojan Analysis Part One

Analysis

As the title states, this Android malware utilizes Trojan functionality in order to steal SMS messages and exfiltrate them off of the target user's device. It attempts to mask itself as a "SmartCard Service" installed on the device, but is hardly such. The bulk of Titan's code is native, with method declarations within the Android components:

06 Apr 2015

Security Metrics Rehab - Part I

In this two-part security governance series, we'll take a look at the broader picture of security metrics and how to derive them from security activities. The drug-like fervor around their discovery and cultivation across security and compliance groups has led nowhere fast, largely due to the same causal factors: InfoSec groups being unable to associate operational impact with technical and process-related {flaws|vulnerabilities|control gaps|weaknesses}. This has created a fog of ineptness in which many groups in the Fortune 500 stand today. This first part aims to level-set on how metrics should be applied in InfoSec and what frameworks to leverage in order to subsequently define a suite of security activities that produce performance indicators that matter.

25 Mar 2015

Android Infostealer - Godwon - Analysis

Analysis

From the description on contagio mobile this piece of malware is used by an online criminal group for 'sextortion'. Honestly, I had never heard of this term before, but apparently it is a form of sexual exploitation that employs non-physical forms of coercion to extort sexual favors from the victim (Wikipedia).

25 Mar 2015

Multiple Vulnerabilities in Mercury Browser for Android Version 2.2.2 & 3.0.0

Insecure Intent URL Implementation

An insecure implementation of the intent URL scheme revolves around the Intent.parseUri() method, which allows you to create an intent from a URI. The first thing we did when reversing the Mercury Browser was search for that specific method within the target packages.

23 Mar 2015

Android Emulator Detection

Overview

I wanted to explore all the ways that an Android application or malware could go about detecting whether or not it was being run in an emulator. After some researching (Google), I found that there were two common ways that one could go about accomplishing this programmatically. The post will explore each of these techniques implemented in a Proof-of-Concept application, and detection through reverse engineering. My setup for this experiment was running the application on top of Genymotion, which leverages VirtualBox to create Android virtual machines.

01 Feb 2015

Baidu Browser for Android | Vulnerable Handling of Intent URL Scheme

Overview

The VerSprite Research & Development Team discovered that the Baidu Browser for Android insecurely handles the intent URL scheme, allowing attackers to arbitrarily read local files. This vulnerability was discovered in VerSprite's effort to explore systemic vulnerability patterns in browsers for Android offered on the Google Play Store. The vulnerability is leveraged with minimal user interaction and the targeting of specific Baidu Browser components. This vulnerability was discovered in version 4.5.0.6.

23 Oct 2014

iOS Reverse Engineering Part Two - Debugging and Tracing with LLDB

Overview

In our previous post - https://versprite.com/og/ios-reverse-engineering-part-one-configuring-lldb/ - we learned how to configure and set up debugserver and LLDB on your iOS device. In this post we will demonstrate how to use LLDB to perform basic debugging and message tracing.

05 Oct 2014

iOS Reverse Engineering Part One - Configuring LLDB

Overview

This is the first part in a series where we will show you how to configure an environment and learn the basics for reverse engineering iOS applications. In this series we are using a jailbroken iPhone 4, running iOS 7.1.2.

15 Aug 2014

Experiments with json-io, Serialization, Mass Assignment, and General Java Object Wizardry

Overview

So before I even begin, I want to immediately lay out that this is purely experimental research, and that conceptually it was hard to build a working abuse case around the ideas I will be presenting. It was also difficult for me to find real-world examples representing any of the issues around the technologies and design I think are potentially relevant. That being said, this is the beauty of research and using it to lay a foundation of forward thinking to address the possibilities of new problems.

05 Aug 2014

Liffy v.1.2

Overview

Liffy v.1.2 is out with built-in web serving functionality for all techniques using staged approaches for payload delivery. Check it out!

16 Jul 2014

Quick and Dirty Web Services Testing with Suds and Burp Suite

Overview

This is a really simple example of using the Python Suds library to consume and inspect SOAP web services, with integration into Burp Suite. I decided once upon a time that I didn't think SoapUI was efficient for what I needed when it came to testing web services and getting that data into Burp Suite, so I began searching for a simple Python library that could help me out. I will caveat that statement with this: I always enjoy trying to write my own implementation of things; even if they aren't the best, it helps with my overall objective -> Learning!

07 Jul 2014

LFI Exploitation with Liffy

Exploiting LFIs with Liffy's Data Technique

27 Jun 2014

Unsafe Application State Restoration (iOS)

Overview

So what does Unsafe Application State Restoration actually mean? Despite the fancy title, it essentially means that a mobile application saves the state of a view location that is only presented to an authenticated user, or that contains sensitive data. In the event of the application being unexpectedly terminated, the state is restored and loaded back into the UI without first validating or re-authenticating the current user.

19 Jun 2014

Liffy v1.1 Release

Overview

Since releasing the first version of Liffy I have had the pleasure of working with Dan 'unicornFurnace' Crowley on bug fixes and feature enhancements for the tool. We have made some serious progress in the last month or so, and to Dan's credit, he really helped round out the tool with existing LFI exploitation techniques and overall code quality.

28 Mar 2014

Exploiting XML Serialization in Python

Overview

Lately I have been really interested in XML serialization vulnerabilities. There has already been some eye-opening research into the vulnerabilities that exist within Java implementations.

25 Mar 2014

Force Feeding Enterprise Security Failures

Metaphorically speaking, force-feeding security solutions translates to the industry's persistent push of the latest security products and solutions down the throat of the enterprise. Continuing with this metaphor, a company becomes unable to properly digest the newly adopted solution into their overall security program. Ironically, this usually takes place on the heels of a fairly new security process or technology that has been recently adopted.
