Welcome back in Amsterdam! This is the second edition of the Hack In The Box (HITB) security conference in Europe. Let’s go for a quick wrap-up! I woke up too early (04:00AM) to drive to Amsterdam and arrived without any traffic jams (rare in Amsterdam)! Enough time to perform the registration tasks and grab some 0xC0FFEE! The event started with a keynote presented by Joe Sullivan, the CSO of Facebook. “Facebook” and “Security” are two terms that are often present at the same time in information security news. Joe explained how Facebook implemented new security controls to raise the security of the social network users. Interesting statistic: the average Facebook user created ninety pieces of information each month! The main security innovation is the implementation of the “real name” culture. It is proven that, in public online places like forums, people are less aggressive if real names are used. Facebook also implemented tools to protect users from rogue profiles and to authenticate them in a better way. Some of those features are:
- Social reporting: You can report abuses of private data using by non authorized people.
- Social verification: Facebook might ask you to authenticate people shown on pictures.
- Account management: HTTPS support, login notifications and approvals, recognized devices and recent activity log.
It’s also more easy to report false information using the “Report” links available on almost all pages. The security policy of Facebook is clear: “Sometimes the best defense is good offense“. Facebook don’t hesitate:
- To escalate security issues to law enforcement.
- To coordinate with industry on technical take-downs
- To work with legal on lawsuits
- To perform investigations using a “formal escalation program” with authorities like the FBI, Interpol, DOJ, ICE, Secret Services.
The message passed by Facebook was clear: they take security into account. As said Joe:
“Innovation is essential on the internet. Security teams cannot say no to opportunities, must show how to do it safely and constantly adapt“.
I totally agree but, hélas, Facebook has to deal with the most difficult stuff to protect: people! Even by deploying new security features, they won’t prevent people to share and disclose sensitive stuff publicly. Then the real presentation started. HITB is based on two main tracks at the same time, some workshops (track #3) and lighting talks during coffee breaks. As usual, you’ve to make choice between concurrent talks.
My first choice went to Laurent Oudot, a French security researcher about the extraction of sensitive data from iPhone devices. The talks was talked “iNception” because could extract lot of information from the devices memory and they liked the movie 🙂 The goal was to review some offensive concepts around iOS devices and to share the findings. Laurent already presented some security stuff around iOS devices last year. He first came back to the previous issues and reviewed what changed. Some actors reacted properly and fixed the security holes (Thalys), others did not ever respond (HTC). First topic, how to find vulnerabilities in the smartphone world? There are multiple ways:
- Reverse engineering
- Behavior analysis (log, sniffer, memory, file system)
To fuzz the device, some URL schemes can be used like: “<a href=’sms:” or “<a href=’tel:“. Audits may reveal interesting stuffs like the one present in the iOS 4.3. This versions proposes a new feature called “personal hotspot“. Nice but the WPA key is displayed in clear text on the console… Pentests may use “regular” applications available on the AppStore (read: “approved by Apple“). Those applications could be dangerous if not properly used (Example: AirContact). Then Laurent came back on the “location issue” disclosed soon and fixed in the iOS 4.3.3. He explained how to get rid of the data stored in the “consolidated.db” file:
- Using a jailbroken device, there is a Cydia application available. But it requires a running daemon on the device consuming some CPU cycles & battery.
- For an official device: backup, change the file and restore. Be the file will constantly be fed with new data, the operation mist be performed on a recurrent way.
- Upgrade to iOS 4.3.3
But there is another way (if you can’t or don’t wan to upgrade). The consolidated.db is a regular SQlite file and triggers can be added to SQL commands like “INSERT“. An “auto-delete” trigger can be implemented. More amazing, the iOS has many SQlite files to store sms, contacts, calls. By adding more triggers, it’s possible to implement an anti-forensic protection (auto-deleted, injection of fake information) or to backdoor to data by copying then to hidden tables! The next demo was a phishing attack against an iPhone by hijacking a local application (no exploit!). Just prepare a fake loging page and access your victim device physically. Very easy! Who’ll refuse to help a nice lady asking “May I use your mobile 30 seconds to call my boss?“. She could replace your regular Facebook application icon (moved to another screen) but a webapp linked to your rogue access page. More funny, the iOs has many URL schemes even not documented like:
Finally, Laurent gave a tip to detect jailbroken remotely. A very interesting talk. The conclusion is that mobile users require more security awareness. A modern mobile is a very nice target and is as vulnerable as a regular computer. The next talk focussed on XSS vulnerabilities. Well know and easy to reproduce by displayed nice “Pwn3d” alerts, Claudio Criscione explained how to go deeper and really use them during pentests. First Claudio explained that XSS are easy to find but using “alert” alone is irrelevant! Why not use the XSS for more malicious purposes? How to bridge the gap between MetaSploit & XSS attacks? Don’t forget that XSS are still relevant vulnerabilities! According to Claudio: “Using an alert today vs actively exploiting the XSS is closer to running Nessus than using Metasploit“. Then he explained the idea he had and how he build a new MetaSploit module to really take advantages of XSS holes in web applications.
After the lunch break, I attended another talk related to pentesting. Elena Kropochkina and Joffrey Czarny explained how to use “webshells“. What’s a webshell? It’s a piece of malicious code running on a victim host and which help the pentester to perform lot of interesting tasks like:
- File management, upload, download
- Execute system commands
- List ports, process
- Send e-mail,
They are webshells available on all common web platform (PHP, ASP, Java). Well known names are C99, FaTaLisTicq, NFM, R57, PHPJackal, Zehir, JspSpy. But most of them are detected by antivirus. To bypass them, obfuscation techniques are mandatory. Elena & Joffrey reviewed common techniques to obfuscate code. Example on PHP, hash the function and variable names, remove spaces, newlines etc. The problem with webshells: they have been developed for malicious activities and are not oriented to pentesting. That’s why Elena wrote a new webshell with more features:
- A unique framework (PHP ASP JSP)
- Protection (encryption of executable code)
- Client-agent architecture
- Integrity verification
- Key encryption locking on the pentester IP address
- Bypass ID(P)S and WAF’s
- Source code encryption
- Encrypted commands between the agent and server
- Protection against malicious re-use (unique password for each agent)
- Modular structure (based on modules)
Some demos were performed. Nice project still under development. There is no plan to distribute the tool but it could be really a “plus”. Nice job! After webshells, we focused on SAP with Mariano Nunez Di Croce. Why is SAP? Here are some facts:
- 140K implementations worldwide
- 90K customer, 120 countries
- Business critical (govern, military, etc…)
Enough to make SAP a nice target! Last year, Mariano already presented some cool stuff about SAP. He was back with more funny demos! His topic focused on the security of standard SAP web applications (not custom). SAP traditional security is based on “separation of duties” but it’s not enough. The forgotten layer is the business runtime which involves much higher risks! Did you know that the number of “security bulletin” published by SAP exploded? 900 by end of 2010! SAP also implemented a “security day” like Microsoft. They also released some white papers related to security. The biggest issue remains the visibility of SAP on untrusted networks or directly on the Internet. SAP instances are easily detectable via Shodan or Google. SAP can be reached via different architectures:
- SAP ITS (Internet Transaction Server)
- SAP ICM (Internet Communication Manager)
- SAP EP (Enterprise Portal)
SAP instances can be easily identified via server banners, error messages, some components versions are even available in the HTTP source code. A typical SAP ECC install contains 1500 standard ICF services! Some are public and reveal interesting information (Example: /sab/public/info). Many SAP system are shipped with default password: SAP*, DDIC, EARLYWATCH, SAPCPIC and TMSADM. Mariano made several demos using SOAP RFC service. He also bypassed the authentication process using BurpSuite. Nice! What to conclude? SAP systems are connected to the Internet, SAP has different web technologies: understand them and how to secure them. Hopefully, SAP is working on security: The demo works only if not following SAP security recommend.
To close the first day, I planed to follow the track about the reverse engineering technique of the ticketing system of public transport systems. But for legal reasons, it was canceled (more details here). My alternative choice was to follow a presentation about ASLR in iOS or Silverlight/.Net issues. Definitively not my cup of tea. I skipped them. Second talk cancelled today: the one about OpenLeaks by Daniel Domscheit (absent due to illness).
In parallel to the talks, the CTF contest is ongoing as well as the Lego robot challenge day for HackerSpaces. The HITB team releases material after each presentation, keep an eye here! Stay tuned for the second day!