Simple & crazy covert channels (I): Asciinema (en)

In the preparation of our audits, we often waste a lot of time developing tools that require a lot of work and, in many cases, do not go unnoticed by those users with a more technical profile.
However, there are other simpler (and equally effective) methods to carry out the exfiltration of information, such as through tools that were not initially designed for this purpose and which, with relatively simple adjustments, allow us to carry it out.

Thus, in the following article the analysis of the asciinema tool will be carried out, as well as the different possibilities of use and how it can be integrated with an attack vector.

Asciinema is a very nice tool that I usually use for demos whose sole function is to register the user’s session and to provide a URL that allows us to easily share the user’s activity. Very valuable information that can be used in a malicious way.

Below, we will see if we could use it as a Linux keylogger and what modifications would be necessary to apply.
[Read more…]

Evading AV with Shellter. I also have Sysmon & Wazuh III. GAME OVER

After the first two posts of the story [1] [2] where we told you about Johnny’s intentions and John’s security, in this post we are going to tell you the outcome, and give you an idea of the two characters in the story.

Johnny:

“Here I am, waiting for my boss to execute the “program” that he has asked me for and that I have prepared for him with special affection”. [Read more…]

Evading AV with Shellter. I also have Sysmon and Wazuh II

After what was seen in the first post of this story in this one we will keep telling you what happens and we will meet the boss. Put yourselves again in that situation that Johnny told us about in the first part.

“Hello, allow me to introduce myself. I’m John, Johnny’s boss. I am aware that I have many enemies among which are surely my competitors or even my own employees. Physically, no one can touch me, I always go with my bodyguards. But technologically, anyone could try to attack my team with the objective of stealing valuable information”.

That’s why, in addition to the corporate antivirus, I decided to add one more layer of security on my computer with Sysmon & Wazuh. [Read more…]

Evading AV with Shellter. I also have Sysmon and Wazuh I

I suggest imagining the following fictitious situation:

I am Johnny, a disgruntled employee. My boss has exploited me, he does not stop sending me tasks, he does not pay me the extra hours and, in addition, he never thanks me for the work I do … One day, fed up with the situation, I said to myself: “he’s going to find out what’s what”. And I started planning: I’m going to hack his computer and steal all the sensitive information he has. But how? After thinking the matter over: I know! I’m going to see if in the results of the internal vulnerability audits, to which I have access, his computer has some security flaw that can be exploited.
Darn! He has everything patched … and I don’t have any money for a 0 day. What I can do?

One day my boss asked me if I knew of any free program to decompress files in Windows operating systems and… [Read more…]

Web auditing: Jump on the bandwagon! (or not)

Usually, whenever we are auditing a web application with a poorly programmed backend, we might  find SQL Injection vulnerabilities. We will mainly encounter Blind, Error-based or -if we get lucky- Union-based injections. However, it is not quite usual to find an SQLi out-of-band vulnerability.

These do not only rely on a vulnerable application, but also on being able to exfiltrate information from a different band than the website.

The fact that the results are sent through a completely different way, along with the variety of shapes that these may take; makes it quite difficult to use automated tools to exploit these kinds of vulnerabilities. Even so, in situations where the server responses are not stable or  are too unreliable, it might be worth trying to exfiltrate information this way.

As an example, lets take a look at an injection found in an audit I performed recently.

This time, the vulnerability was quite weird, as the name of the parameter was sql*** –which shouted injection from miles away- but the website itself wasn’t either returning any errors nor  being affected by time-based techniques. Yet, our best friend Burp active scan seemed convinced that an SQLi was going on at that specific parameter.
[Read more…]

CSIRT.es (in English)

Yesterday, CCN-CERT published the communiqué related to the re-launch of the CSIRT.es group, a forum that brings together the response teams to Spanish incidents or areas of action in Spain, and whose objective is to centralize the exchange of information and facilitate coordination between these very teams.

CSIRT.es  currently consists of more than twenty teams and, as indicated in the press release, public and private actors from different sectors are represented, with different objectives … but they have many points in common; the main one, by definition, to provide a response capability to a given community. And that capability today cannot work if it is intended to operate independently and isolated from other teams: it necessarily requires direct collaboration with third parties. Beyond forums such as FIRST or TF-CSIRT, we believe that a point that enables collaboration between CSIRT and areas of action in Spain is more than interesting and necessary. [Read more…]

Restricted Zone: Geopositioning not allowed

The tendency to “be permanently connected” places at our disposal a series of tools with which to “make our lives more comfortable” but this, in turn, exposes us to multiple threats that may negatively affect us as individuals or in our organizations. It is possible to think that this question is too internalized by those who dedicate themselves directly or indirectly to the world of security. However, the reality leads us to discover that the number of anecdotes and news related to security incidents continues to grow and, in many cases, the protagonists are precisely those who dedicate themselves to security.

In today’s post we put the focus on the impact that the information collected and published through the Strava tool has caused.
[Read more…]

The tools of the gods

Today at SAW we are not going to talk about security but about religion. About the true religion, the good one: about Unix. And about its gods: Kernighan, Ritchie, Thompson … we could cite a few. And about the tools that, in the seventies, these gods sent to us poor mortals, like the manna fallen from heaven for the chosen people.

The thing is that these gods created a real operating system, with some technically wonderful tools and a very simple philosophy: simple capabilities that combined make complex tasks. Perfection. Life is Unix running a script. More than forty years have gone by and we, poor mortals who were the chosen people, what have we done all this time? Trying to dishonor that divine legacy with artificial and useless layers (“of abstraction”, they call them, to try to make sense of them) that introduce two unnecessary problems in any “modern” technological environment: complexity, and therefore probability of error, and slowness.

Exemplary is the “true” executable, in line with the story recently commented by Rob Pike on Twitter:


$ >mytrue;chmod +x mytrue
$ ./mytrue
$ echo $?
0
$

A program whose only purpose is to always return 0. An empty executable. EMPTY. There can be nothing simpler that works, and has been for forty years … well, that’s where we mortals come in. Year 2018:

[Read more…]

Security of blockchain-based smart contracts II – Known Vulnerabilities and Pitfalls

In the previous part of this series on blockchain security we looked at the risks associated with deploying autonomously executing smart contracts on a public blockchain. We also introduced some high-profile examples of attacks on smart contracts that have caused the loss of large sums of money and changed the way we look at business interactions on the blockchain.

In this episode we will review some known issues and vulnerabilities.

Private Key Leakage

Using unsafe private keys is really a case of user error, rather than a vulnerability. However, we mention this nevertheless, as it happens surprisingly often, and certain players have specialized in stealing funds from unsafe addresses.

What usually happens is that development addresses (such as those used by testing tools, such as Ganache/TestPRC) are used in production. These are addresses generated from publicly known private keys. Some users have even unknowingly imported these keys into wallet software, by using the original seed words used in private key generation.

Attackers are monitoring these addresses and any amount transferred to such an address on the main Ethereum network tends to disappear immediately (within 2 blocks).
[Read more…]

Analysis of Linux.Okiru

In keeping with our campaign of detection and documentation of IoT botnets, a few days ago we found another threat not classified before. It was first uploaded to the VirusTotal platform on November 3 and is only detected as malicious by 4 antiviruses.

During the article, two variants of the malware will be analyzed, which differ fundamentally in their propagation. The first one was detected in our honeypot systems (specifically for the SPARC architecture). The second one is a variant of the first, which was found under the Intel x86_64 architecture, and which the Netlab360 malware lab echoed a few days ago.

As no records of its identification were found, we decided to classify it as Linux.Okiru, due to the name of its binaries.
[Read more…]