Web auditing: Jump on the bandwagon! (or not)

Usually, whenever we are auditing a web application with a poorly programmed backend, we might  find SQL Injection vulnerabilities. We will mainly encounter Blind, Error-based or -if we get lucky- Union-based injections. However, it is not quite usual to find an SQLi out-of-band vulnerability.

These do not only rely on a vulnerable application, but also on being able to exfiltrate information from a different band than the website.

The fact that the results are sent through a completely different way, along with the variety of shapes that these may take; makes it quite difficult to use automated tools to exploit these kinds of vulnerabilities. Even so, in situations where the server responses are not stable or  are too unreliable, it might be worth trying to exfiltrate information this way.

As an example, lets take a look at an injection found in an audit I performed recently.

This time, the vulnerability was quite weird, as the name of the parameter was sql*** –which shouted injection from miles away- but the website itself wasn’t either returning any errors nor  being affected by time-based techniques. Yet, our best friend Burp active scan seemed convinced that an SQLi was going on at that specific parameter.
[Read more…]

The GDPR is not a one-day thing

The 25th of May has finally arrived. The D day where all personal data is protected. Where security incidents will no longer occur. Where all the processing of personal data becomes legitimate. Where the data will no longer be stored sine die. Where users have full control over their data. Where the right to forget is a reality. Where everyone has been informed that all the privacy policies of the planet have been updated (yes, ours too). The most awaited day has arrived. And once you have reached this point of rejoicing, what then?

Well, I’m sorry to tell you that the GDPR is not a one-day thing. Today, 25 May 2018, the General Data Protection Regulation, known as GDPR, comes into effect. But just because it comes into effect today (it has been in force since 2016) does not mean that everything we have not done does not need to be done, or that if we have already made an adaptation we do not have to do anything else. Why?
[Read more…]

CSIRT.es (in English)

Yesterday, CCN-CERT published the communiqué related to the re-launch of the CSIRT.es group, a forum that brings together the response teams to Spanish incidents or areas of action in Spain, and whose objective is to centralize the exchange of information and facilitate coordination between these very teams.

CSIRT.es  currently consists of more than twenty teams and, as indicated in the press release, public and private actors from different sectors are represented, with different objectives … but they have many points in common; the main one, by definition, to provide a response capability to a given community. And that capability today cannot work if it is intended to operate independently and isolated from other teams: it necessarily requires direct collaboration with third parties. Beyond forums such as FIRST or TF-CSIRT, we believe that a point that enables collaboration between CSIRT and areas of action in Spain is more than interesting and necessary. [Read more…]

Restricted Zone: Geopositioning not allowed

The tendency to “be permanently connected” places at our disposal a series of tools with which to “make our lives more comfortable” but this, in turn, exposes us to multiple threats that may negatively affect us as individuals or in our organizations. It is possible to think that this question is too internalized by those who dedicate themselves directly or indirectly to the world of security. However, the reality leads us to discover that the number of anecdotes and news related to security incidents continues to grow and, in many cases, the protagonists are precisely those who dedicate themselves to security.

In today’s post we put the focus on the impact that the information collected and published through the Strava tool has caused.
[Read more…]

Exchange forensics: The mysterious case of ghost mail (I)

(Note: This is a fiction story, the characters and situations are not real, the only real thing is the technical part, which is based on a mixture of work done, experiences of other colleagues and research carried out. If you want a version with the same technical dose but with less narrative, you can consult the video of the talk that the author gave at the 11th STIC Conference of the CCN-CERT here).

Another day in the office, with a list of pending tasks to plan longer than the beard of Richard Stallman and none of them entertaining: reports, documentation of a couple of projects and the preparation of a meeting is what the menu of the day offers for almost the entire week.
Luckily, the saying that “no plan survives contact with the enemy” in this case works in our favor. The phone rings, and my boss goes straight to the point: “A YARA rule has been triggered from the ATD group in CARMEN of [Redacted] (entity whose identity we are going to leave anonymously, calling it “the Organization” from now on). Take your stuff and rush over there.”

The adrenaline rush at the thrill of the hunt is instantaneous: ATD is our internal name of a group of attackers that we hunted a few months ago on another client, and our reversers ripped the malware open from top to bottom without mercy. The analysis allowed us to detect a series of particular “irregularities” in their way of acting, which allowed us to generate a series of high fidelity YARA rules (that is, false positives practically null). If it was triggered on CARMEN (our advanced intrusion detection tool), then 99% sure to be infected”.
[Read more…]

The tools of the gods

Today at SAW we are not going to talk about security but about religion. About the true religion, the good one: about Unix. And about its gods: Kernighan, Ritchie, Thompson … we could cite a few. And about the tools that, in the seventies, these gods sent to us poor mortals, like the manna fallen from heaven for the chosen people.

The thing is that these gods created a real operating system, with some technically wonderful tools and a very simple philosophy: simple capabilities that combined make complex tasks. Perfection. Life is Unix running a script. More than forty years have gone by and we, poor mortals who were the chosen people, what have we done all this time? Trying to dishonor that divine legacy with artificial and useless layers (“of abstraction”, they call them, to try to make sense of them) that introduce two unnecessary problems in any “modern” technological environment: complexity, and therefore probability of error, and slowness.

Exemplary is the “true” executable, in line with the story recently commented by Rob Pike on Twitter:


$ >mytrue;chmod +x mytrue
$ ./mytrue
$ echo $?
0
$

A program whose only purpose is to always return 0. An empty executable. EMPTY. There can be nothing simpler that works, and has been for forty years … well, that’s where we mortals come in. Year 2018:

[Read more…]

‘Reversing’ of malware network protocols with ‘angr’

One of the most difficult objectives to obtain in the analysis of a malicious binary is usually discovering all of the functionalities that it has. If in addition, these functions are only executed at the discretion of the attackers through its control center, things get complicated. For various reasons, many times we cannot carry out a full dynamic analysis, such as the fall of the malware infrastructure or the isolation of the sample to avoid contact with the C&C. In these cases the analysis of the interaction between the server of the attacker and the sample is usually slower, since you have to create a fictitious server or be continually patching/deceiving the sample, to take it through all the different paths that we want to investigate. Depending on the size and complexity of the analyzed code or the objective of the analysis, this task can vary its difficulty and extension over time.

I am going to propose a study example of the functionalities of a fictitious RAT that can be executed according to the orders received from your C&C panel. Our goal would be to create a server that simulates the attacker’s. For this we have to understand the communication protocol between the server and the sample installed on the victim’s device.

[Read more…]

Security of blockchain-based smart contracts II – Known Vulnerabilities and Pitfalls

In the previous part of this series on blockchain security we looked at the risks associated with deploying autonomously executing smart contracts on a public blockchain. We also introduced some high-profile examples of attacks on smart contracts that have caused the loss of large sums of money and changed the way we look at business interactions on the blockchain.

In this episode we will review some known issues and vulnerabilities.

Private Key Leakage

Using unsafe private keys is really a case of user error, rather than a vulnerability. However, we mention this nevertheless, as it happens surprisingly often, and certain players have specialized in stealing funds from unsafe addresses.

What usually happens is that development addresses (such as those used by testing tools, such as Ganache/TestPRC) are used in production. These are addresses generated from publicly known private keys. Some users have even unknowingly imported these keys into wallet software, by using the original seed words used in private key generation.

Attackers are monitoring these addresses and any amount transferred to such an address on the main Ethereum network tends to disappear immediately (within 2 blocks).
[Read more…]

Analysis of Linux.Okiru

In keeping with our campaign of detection and documentation of IoT botnets, a few days ago we found another threat not classified before. It was first uploaded to the VirusTotal platform on November 3 and is only detected as malicious by 4 antiviruses.

During the article, two variants of the malware will be analyzed, which differ fundamentally in their propagation. The first one was detected in our honeypot systems (specifically for the SPARC architecture). The second one is a variant of the first, which was found under the Intel x86_64 architecture, and which the Netlab360 malware lab echoed a few days ago.

As no records of its identification were found, we decided to classify it as Linux.Okiru, due to the name of its binaries.
[Read more…]

Publication of the NIS Implementation Regulation (for digital service providers)

(This entry has been prepared in collaboration with Ana Marzo, from Equipo Marzo, which provided a good part of the information).

Just a couple of weeks ago Ana March, from Equipo Marzo, an attorney for whom I have great professional respect, contacted me to tell me about the publication, not expected (at least by me), of a new regulation of the Commission related to the NIS Directive, which I have called in a display of originality NIS implementation regulation.

In fact, on 30 January, the Implementing Regulation (EU) 2018/151 of the Commission from 30 January 2018 was published, laying down rules for the application of the Directive (EU) 2016/1148 of the European Parliament and of the Council with regard to the specification of the elements to be taken into account by digital service providers in order to manage the existing risks for the security of networks and information systems, as well as the parameters for determining whether an incident has a significant impact..

At least it caught me by surprise (and I am sure that some of our readers will see the same thing), since I expected a transposition of the directive, not a regulation emanating directly from the Commission (which does not mean, of course, that we will not enjoy our own NIS-compliant legislation, as the legislator must be kept busy…). Given that, although in different areas, we had both coincided at the same client that fitted into the concept of digital services provider and could therefore be affected, we asked ourselves about the applicability of the regulation to this specific client. For example, is an online newspaper affected? And an online sales website? An online bingo? And the purchase-sale between individuals? Deriving the answer to these questions is the subject of this entry.
[Read more…]