Tuesday 22 October 2013

Playing with Facebook Pages

Back in July I took a look at Facebook Pages. With most of the Facebook CSRF/XSS already fixed I instead focused on abusing the features and permissions at a high level just playing around with the legitimate functionality.

Today I'll talk about two issues that caught my eye.


Ban Your Manager

The first issue I found was a permissions hole in the "ban" feature. For Facebook pages the power hierarchy looks like this: 

Manager -> Content Creator -> Moderator -> Advertiser -> Insights Analyst

The Manager role has the most control and Insights Analyst the least. I created two users, Mike (the manager) and Mark (the moderator). While logged in as Mark I tried to delete one of Mike's posts.



Much to my surprise I was given the option of banning the manager...


It turned out if you were a Manager/Content Creator/Moderator you could ban anyone with Manager/Content Creator/Moderator effectively going against the intended power hierarchy.


Also, when you get banned there is no information to indicate who banned you, not even in the page activity log. Managers can unban themselves, but there's nothing stopping our attacker from re-banning them. So if you have a rogue moderator, or a moderator account that got hacked, an attacker could silently perform a ban DoS. Cool.


Wanna be a featured admin?

Probably the most fun issue I found involved the "add a featured admin" functionality. By default, pages don't display the admin but you can set a "featured admin" who will show up publicly on the "about" page. To do this you first need to add the user as a page role, let's go with the lowest permissions:
Now we go to the featured admin page.
And add our admin:



Once added he'll be publicly visible as the page admin.



So where's the security flaw I hear you ask? Well in the above steps did you notice that not once did we ask the user's permission to perform any of these actions? Facebook pages by design do not ask a user's permission before making them an admin or featured admin. The only prerequisite was that the user either liked the page or was a friend of ours.

So with malicious intentions in mind how could we abuse this? Well one possible attack would be to make someone a featured admin then change the content of the page to something malicious and publicize the fact they are the admin.

For example, our page starts out as a normal Breaking Bad fan club, nothing suspicious here...


The manager makes you featured admin, cool, but then changes the content and leaves the page, not cool!



JUSTIN BIEBER!!! NOOOOOOOOOOOOOOOOOO!!!!! So now all your friends see you're the admin of a Justin Bieber fan club and proceed to make fun of you for the next few years :)

I assumed Facebook would notify users when changes like this were made, but that's not always the case. You are notified if you're made an admin for the page, but not notified if you are made the publicly visible featured admin! Uh oh.
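To make the two gaps concrete, here is an added example (my own toy model, not Facebook's code) of a Page role system. It shows the ban behaviour described under "Ban Your Manager" beside a check that actually enforces the hierarchy and records who acted, and the featured-admin flow beside a version that needs the invitee's acceptance and sends a notification. Role names, the in-memory state and the user names are all constructed for the example.

```python
"""Added example: a toy Facebook-Page-style role model (not Facebook's code).
Role names follow the hierarchy in the post; all state is in memory."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Power hierarchy from the post, highest rank first.
RANK = {"manager": 5, "content_creator": 4, "moderator": 3,
        "advertiser": 2, "insights_analyst": 1}
BANNERS = {"manager", "content_creator", "moderator"}  # roles allowed to ban at all


@dataclass
class Page:
    roles: Dict[str, str] = field(default_factory=dict)            # user -> role
    banned: Dict[str, str] = field(default_factory=dict)           # user -> who banned them
    featured_admin: Optional[str] = None
    pending_feature: Dict[str, str] = field(default_factory=dict)  # invitee -> inviter
    activity_log: List[str] = field(default_factory=list)
    notifications: List[str] = field(default_factory=list)


def ban_as_described(page: Page, actor: str, target: str) -> bool:
    """The behaviour the post found: any banner role can ban any other user,
    including a superior, and nothing records who did it."""
    if page.roles.get(actor) not in BANNERS:
        return False
    page.banned[target] = "unknown"
    return True


def ban_hardened(page: Page, actor: str, target: str) -> bool:
    """Enforce the hierarchy: the actor must outrank the target (ordinary
    users have no rank), and the action is attributed in the activity log."""
    actor_role, target_role = page.roles.get(actor), page.roles.get(target)
    if actor_role not in BANNERS:
        return False
    if target_role is not None and RANK[target_role] >= RANK[actor_role]:
        return False  # cannot ban a peer or a superior
    page.banned[target] = actor
    page.activity_log.append(f"{actor} banned {target}")
    return True


def feature_as_described(page: Page, actor: str, target: str) -> bool:
    """Featured admin set unilaterally: no consent asked, no notification sent."""
    if page.roles.get(actor) != "manager" or target not in page.roles:
        return False
    page.featured_admin = target
    return True


def invite_featured_admin(page: Page, actor: str, target: str) -> bool:
    """Hardened: only record a pending invitation and notify the invitee."""
    if page.roles.get(actor) != "manager" or target not in page.roles:
        return False
    page.pending_feature[target] = actor
    page.notifications.append(f"{target}: {actor} wants to feature you as page admin")
    return True


def accept_featured_admin(page: Page, user: str) -> bool:
    """Only the invitee's own acceptance makes the role publicly visible."""
    inviter = page.pending_feature.pop(user, None)
    if inviter is None:
        return False
    page.featured_admin = user
    page.activity_log.append(f"{user} accepted featured-admin invite from {inviter}")
    return True


if __name__ == "__main__":
    page = Page(roles={"mike": "manager", "mark": "moderator"})
    print("moderator bans manager (as described):", ban_as_described(page, "mark", "mike"))
    print("moderator bans manager (hardened):", ban_hardened(page, "mark", "mike"))
```

The hardened ban compares ranks rather than checking membership in a "can ban" set, which is the difference between a flat permission and a hierarchy; the audit entry answers the "who banned me" question the activity log could not. The invite/accept pair turns a one-step write into a two-party state change, so a manager can no longer make someone's name public without their say.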


Final Thoughts

Were these serious issues involving account compromise, data loss or blowing up Facebook servers? Nope. But they were/are features that could be abused for malicious purposes.

It can be easy to class such issues as low severity and dismiss them but targeted exploitation could cause some real damage. Imagine if instead of Justin Bieber, our page was focused on a sensitive political issue and constructed to appear legitimate. What happens if a celebrity or political figure is tricked into being the featured admin? Watch as chaos ensues :)

Pwndizzle out.

Saturday 5 October 2013

Notes from Derbycon 2013 - Day #3

After another late night partying on the streets of Kentucky I arrived home at 5am and had to get some sleep. I missed the first two talks of the day but did make it in for the afternoon sessions and there were some cool talks.


#########################################################
Title: Sandboxes from a pentester's view
Link: http://labs.bromium.com/2013/07/23/application-sandboxes-a-pen-testers-perspective/
What was it about:
Rahul took us on a journey through the concepts of application sandboxes and how to escape them. He started by explaining how most third party software sandboxes can be bypassed simply because they don't properly control access to the kernel. The products are basically badly designed. He then went on to talk about the sandboxes for Chrome and Adobe Reader which are a lot more secure.

The high privilege "broker" and low privilege "target" process architecture and the fact Google have spent millions on development has made the Chrome sandbox very secure. However Chrome and the sandbox run on top of the Windows kernel. So to escape the sandbox all we need to do is exploit the kernel. With such a large attack surface, all of user land and RPC services, there are a lot of potential targets.

Rahul showed a demo exploit for ms11-063 which he had reversed from the patch. csrss.exe didn't properly enforce access permissions so by connecting to csrss.exe over RPC from Chrome he was able to execute arbitrary commands.

Lessons learned:
Forget about exploiting the browser, attack the Windows kernel instead, there's a gold mine of potential vulnerabilities yet to be found.


#########################################################
Title: Exploiting the zeroth_hour; Developing your advanced persistent threat to pwn the network
Link: https://github.com/splinterbotnet
What was it about:
Solomon and Nick talked about how they created their own botnet agent and backend C&C. Although botnets are nothing new, what they had built was the first open source botnet framework, cool. In the demo they showed off some of the features like beaconing, information gathering and file transfers, all pretty fun.

The full source code should be appearing on github sometime soon.

Lessons learned:
Man + dog will now be running a botnet?


#########################################################
Title: Stop making excuses it's time to own your HIV (high impact vulnerabilities)
Link: http://www.youtube.com/watch?v=BbkwzhU1_4A
What was it about:
As a defender one of the biggest challenges I've encountered is deciding what to prioritize. There's simply too much to do and too little time. In this talk Jack presented his experiences developing and implementing an effective security program. He used a four step process: identify (what problem areas you have), align (decide on solutions and create a project schedule), communicate (let users know what's gonna happen) and report (provide metrics to management). I liked that. Also he suggested when reporting, think like a CFO. Keep reports simple and show the return on investment.

Lessons learned:
Take a step back. Look at the big picture, the risks facing your organisation, what can you do to address those risks and create a plan with clear projects and schedule.


#########################################################


After two days of full time corelanc0d3r training, three days of conference talks and two heavy nights out I was ready to sleep for a week. Overall I had an amazing time, learnt so much and met so many cool people. Would definitely recommend you check it out and will be doing my very best to return next year. 

Questions/comments/corrections - leave a message below.

Pwndizzle out!   

Notes from Derbycon 2013 - Day #2

After drinking late into the night with Casey from Bugcrowd I wasn't feeling too sharp Saturday morning and missed the first two talks. *cough* But ummm, in the afternoon though there was plenty to see!


#########################################################
Title: Burning the Enterprise with BYOD
Link: https://github.com/georgiaw/Smartphone-Pentest-Framework
What was it about:
Pwning companies using mobile phone based attacks. Georgia highlighted multiple ways to exploit phones e.g. malicious apps, OS/app vulns and social engineering. After a funny 40 minute semi-drunk ramble through mobile problems, we got to the demo and it was awesome. Using the smartphone pentest framework she'd built, Georgia showed how easy it is to compile a malicious app and trick a user into installing it by sending a link via SMS. User opens link, installs app and now you've compromised the phone.


From there you can pivot into the internal network, fire off your ms08-067 exploit and get shell. What's more, because it's mobile all the data runs over the cell network and is impossible to detect or stop. Pwned.

Lessons learned:
There is no way to prevent phones from being compromised. Solution, don't allow BYOD? :)


#########################################################
Title: Malware Management Framework - a process you can use to find advanced malware 
Link: http://sniperforensicstoolkit.squarespace.com/malwaremanagementframework
What was it about:
Finding malware can be like finding a needle in a haystack. So how do you find the needle? Well one approach is to remove the hay. The guys presenting achieved this by hashing all the files in sensitive folders (e.g. %temp%, windows, system32, wbem) and building a repository of known good hashes. Remove the good and you're left with the bad, essentially a form of whitelisting. Although it takes some time to build the repository, once you have it, you have a hell of a monitoring solution (and it's free!).

These guys had built a cloud platform that would receive and analyse hashes sent from an agent. This agent would be deployed on workstations and would regularly send back any new hashes. It was awesome but closed source!
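As an added example (my own code, not the Malware Management Framework or its agent), here is the "remove the hay" idea in miniature: hash every file under a set of watched directories, build a repository of known-good hashes from a clean baseline, and later report anything whose hash is not in it. The directory layout, file contents and the file that appears afterwards are all constructed inside a temporary directory so the script runs offline.

```python
"""Added example (not the MMF's own code): hash-based allowlisting of a file tree."""
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List, Set


def sha256_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large binaries don't load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(roots: Iterable[str]) -> Dict[str, str]:
    """Map every regular file under the roots to its SHA-256 (symlinks skipped)."""
    result: Dict[str, str] = {}
    for root in roots:
        for dirpath, _, filenames in os.walk(root):
            for name in filenames:
                path = os.path.join(dirpath, name)
                if os.path.isfile(path) and not os.path.islink(path):
                    result[path] = sha256_file(path)
    return result


def build_repository(roots: Iterable[str]) -> Set[str]:
    """Baseline a trusted system: the set of known-good hashes."""
    return set(hash_tree(roots).values())


def find_unknown(roots: Iterable[str], known_good: Set[str]) -> List[str]:
    """'Remove the hay': paths whose content hash is not in the repository.
    Matching is by hash, not by name, so a renamed known-good file is not flagged
    while a known-good name with different bytes is."""
    return sorted(p for p, h in hash_tree(roots).items() if h not in known_good)


def demo() -> List[str]:
    """Constructed scenario: baseline a fake 'system32' tree, then drop a new file in it."""
    with tempfile.TemporaryDirectory() as tmp:
        sys32 = os.path.join(tmp, "system32")
        os.makedirs(os.path.join(sys32, "wbem"))
        with open(os.path.join(sys32, "kernel32.dll"), "wb") as f:
            f.write(b"known good bytes")
        with open(os.path.join(sys32, "wbem", "wmic.exe"), "wb") as f:
            f.write(b"also known good")
        repo = build_repository([sys32])
        # Later, something new appears in the watched tree.
        with open(os.path.join(sys32, "unexpected.exe"), "wb") as f:
            f.write(b"bytes nobody baselined")
        return [os.path.basename(p) for p in find_unknown([sys32], repo)]


if __name__ == "__main__":
    print(demo())
```

In practice the repository is built from many clean machines so that it covers every vendor build you actually run; a new hash is then a lead for an analyst, not proof of infection, which is exactly the triage the talk's cloud back end was doing.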

Lessons learned:
Building a hash repository and using it to analyse files on your system is one of the silver bullets out there that people don't use enough.


#########################################################
Title: Browser Pivoting (FU2FA)
Link: http://blog.strategiccyber.com/2013/09/26/browser-pivoting-get-past-two-factor-auth/
What was it about:
Raphael Mudge presented an impressive new browser pivoting module for Armitage that allows you to browse from your own machine as if you were browsing from the target's machine. Compromise your target, run the post module which will inject a dll into IE, configure your local proxy settings and your local requests will be tunneled through the target's browser.

While it's always been possible to access internal sites using some port forwarding, by injecting into the browser you inherit all of the session data, e.g. if the user is logged into Facebook, when you browse you will be logged in on their account, awesome! It's a great tool for demonstrating to management how easily an attacker can access all your internal sites.

Lessons learned:
If you're an attacker, use browser pivoting. If you're a defender pray your boxes don't get popped! Also if you use single sign on you're making life a lot easier for the attacker.


#########################################################
Title: Taking the BDSM out of PCI-DSS Through Open Source Solutions
Link: http://urbanesecurity.com/research/openpci/
What was it about:
This was an interesting talk that highlighted the areas of PCI that people most commonly have problems with and how to fix them. The things people commonly do badly included:
  • AV on servers
  • Patching systems
  • Two Factor Authentication
  • Logging <- a lot of people fail here
  • Policies 
The presenters gave a few recommendations for each. For example you don't need AV if you do some kind of whitelisting. For logging they recommended a number of interesting open source solutions: Fluentd, Logstash and Flume. I've never used them myself, but looking over the sites got me interested. Also for file integrity monitoring they mentioned OSSEC.

The talk was quite funny as whenever Zack said "it depends" he had to drink, yeah he drank quite a lot, but hey that's Derbycon!

Lessons learned:
Check out Fluentd/Logstash/Flume for SIEM.


#########################################################
Title: Hacking Back Active Defense and Internet Tough Guys
Link: https://bitbucket.org/LaNMaSteR53/honeybadger
Link: https://github.com/trustedsec/artillery/
What was it about:
This talk was focused on the use of honey pages and honey files to trick an attacker into disclosing their location. Simply including an iframe on a hidden page that shouldn't usually be accessed, e.g. a fake /login.html, can transmit the attacker's IP as soon as they load the page. Even if the attacker is being extra sneaky using Tor for browsing you can try including a booby trapped doc or jar file that when run locally will grab wifi data and call back to you, usually bypassing Tor.

And this is all legal as none of the activity involves illegally compromising the attacker's machine. It was funny hearing that when the presenter had contacted law enforcement they didn't know how to respond and often wouldn't arrest the individual despite all the evidence.

Another defensive tool called Artillery was also mentioned, that does automatic host blacklisting and file integrity monitoring.
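The simplest honey-page signal doesn't even need an iframe: nothing legitimate ever links to the decoy path, so any request for it is an alert carrying the client IP. As an added example (my own code, not HoneyBadger's or Artillery's), here is that detection run over constructed Apache combined-format log lines; the decoy paths in CANARY_PATHS are assumed for the example, with /login.html taken from the talk's description.

```python
"""Added example: flag requests to decoy pages in a web server access log."""
import re
from dataclasses import dataclass
from typing import List

# Assumed decoy URLs: never linked from the real site, so no legitimate visitor reaches them.
CANARY_PATHS = {"/login.html", "/backup/", "/.git/config"}

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')

# Constructed sample log (RFC 5737 documentation addresses, not real visitors).
SAMPLE_LOG = """\
203.0.113.7 - - [05/Oct/2013:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Oct/2013:14:02:13 +0000] "GET /about.html HTTP/1.1" 200 733 "http://example.test/index.html" "Mozilla/5.0"
198.51.100.9 - - [05/Oct/2013:14:05:40 +0000] "GET /login.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.9 - - [05/Oct/2013:14:05:41 +0000] "GET /backup/?x=1 HTTP/1.1" 404 218 "-" "curl/7.30.0"
192.0.2.4 - - [05/Oct/2013:14:09:02 +0000] "GET /robots.txt HTTP/1.1" 200 80 "-" "Googlebot/2.1"
"""


@dataclass
class Alert:
    ip: str
    path: str
    when: str
    user_agent: str


def canary_hits(log_text: str) -> List[Alert]:
    """Parse each line and return one Alert per request to a decoy path."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than crash the monitor
        path = m.group("path").split("?", 1)[0]  # compare without the query string
        if path in CANARY_PATHS:
            alerts.append(Alert(m.group("ip"), path, m.group("ts"), m.group("ua")))
    return alerts


def suspicious_sources(log_text: str) -> List[str]:
    """Distinct client IPs that touched any decoy, in first-seen order."""
    seen: List[str] = []
    for alert in canary_hits(log_text):
        if alert.ip not in seen:
            seen.append(alert.ip)
    return seen


if __name__ == "__main__":
    for alert in canary_hits(SAMPLE_LOG):
        print(f"{alert.when} {alert.ip} requested decoy {alert.path} ({alert.user_agent})")
```

Because the decoy is never linked, the status code doesn't matter: a 404 on /backup/ is as telling as a 200 on /login.html. Feeding these alerts into the same place as your IDS events gives the "internal and external intel" the talk was after.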

Lessons learned:
Internally and externally honey pots/pages/files can provide some great intel, "Honey Badger" is definitely worth checking out.


#########################################################
Title: Everything you ever wanted to know on how to start a credit union
Link: http://www.irongeek.com/i.php?page=videos/derbycon3/4208-everything-you-ever-wanted-to-know-on-how-to-start-a-credit-union-but-were-afraid-to-ask-jordan-modell
What was it about:
This talk was about one man's experiences setting up a credit union in the US. Although not security related it was interesting to hear about all the various hoops he had to jump through and the layer after layer of bureaucracy he had to deal with. His ability to stay positive and his sheer determination were really impressive.

Lessons learned:
Don't be afraid to get out there and create something.


#########################################################
Title: Living Off the Land: A Minimalist's Guide to Windows Post Exploitation
Link: https://github.com/mattifestation/PowerSploit
Link: http://pen-testing.sans.org/blog/2013/07/12/anti-virus-evasion-a-peek-under-the-veil
What was it about:
The final talk of the day was about PowerSploit and specifically in-memory only modules. The presenters talked about how nearly every single task, from extraction of data to lateral movement to exfiltration, can be performed in memory using PowerShell/WMI/netsh.

I was particularly impressed by the lateral movement and how easy it was to connect to a target using PowerShell, execute the Invoke-Shellcode command which will connect back to you, pull meterpreter shellcode and then execute it in memory.

Another titbit the guys mentioned was Veil. I'd not heard of it before but it's essentially an AV evasion framework that can compile some bad-ass Python and PowerShell payloads.

Lessons learned:
If you're a pentester you should be using PowerSploit and Veil if you aren't already.


#########################################################


Questions/comments/corrections - leave a message below.

Derbycon day #3
http://pwndizzle.blogspot.com/2013/10/notes-from-derbycon-2013-day-3.html

Friday 4 October 2013

Notes from Derbycon 2013 - Day #1


It was my first time attending Derbycon and I gotta say, what a conference! The atmosphere was a lot different to Blackhat/Defcon: fewer suits, fewer vendors and more real security guys direct from the trenches.

I found the talks a lot more interactive and most provided great practical advice for the everyday security admin. Along with the free beer my favorite bit was speaking to fellow attendees/speakers. Exchanging ideas, discussing problems and just meeting new people was awesome.

So I don't forget what I learnt (and cause I thought you guys might find it useful) I thought I'd do a quick write-up for each day. This is my own version of events and I've probably incorrectly described some talks, apologies in advance!

Also recordings of most talks can be found here: http://www.irongeek.com/i.php?page=videos/derbycon3/mainlist


#########################################################
Title: Pigs don't fly - Why owning a typical network is so easy and how to build a secure one
Link: http://www.scriptjunkie.us/
Link: http://ambuships.com/
What was it about:
Scriptjunkie provided an overview of some of the most effective ways to secure a network. He started off by describing common kill chains from initial compromise to exfiltration and how we can break them.

Defensive techniques included:
- Air gap as much as possible
- Prevent USB
- Prevent direct connections out (force traffic through a proxy)
- Prevent outbound DNS (force machines to use internal DNS)
- Block social networking
- Block inter-workstation access
- Don't allow outbound traffic from admins
- Lock down admin workstations
- Prevent Java/Office writing files to most locations
- Don't use file shares, use a CMS
- Use Ambush IPS for monitoring

Silver bullets:
- Don't use passwords, switch to hardware tokens/smartcards
- Deny all NTLM logins

Getting rid of passwords and NTLM sounded nuts, but he had a valid point: by getting rid of passwords/hashes and using one time codes from hardware tokens/Kerberos instead, it's going to be a lot harder for attackers to move around your network using pass-the-hash or password reuse. Microsoft already provides support for hardware token based authentication, so implementation isn't as hard as people think. Legacy applications that don't support Kerberos can have some issues though. Definitely something I'm going to look into further.

Lessons learned:
Test disabling NTLM and switching to purely Kerberos. Long term, enforce token only authentication. Implement as many of the defensive techniques as possible.


#########################################################
Title: IOC Aware - Actively collect compromise indicators and test your entire enterprise
Link: http://www.youtube.com/watch?v=NhOhfNrXIDI
What was it about:
IOCs (indicators of compromise) are an open XML format introduced by Mandiant to provide a way to detect malware using a combination of information including filenames, hashes, signatures and paths. At the moment it's hard to find IOCs online and producing them is usually a manual process. Wouldn't it be great if we could automatically create and then search for IOCs? Well the guys in this talk had done just that.

They had used a honeypot (Dionaea) to collect samples which would be automatically submitted to an internal Cuckoo instance. They had created a custom plugin for Cuckoo that would generate IOCs from the Cuckoo analysis.
The generated IOCs were added to a master list that was then sent to software agents that had been deployed on workstations. The agent would search the workstation for the IOCs and report back results. If an attacker had used similar techniques on both the honeypot and workstations he'd be detected. Cool. For me the only issue with this system is that if the attackers don't attack the honeypot you don't get any IOCs.
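The agent side of that pipeline is the part worth seeing in code: an indicator is a tree of AND/OR nodes over file attributes, and the agent walks the tree against whatever it has collected. As an added example (my own code, not the IOC Aware tooling), the block below parses a small indicator written in a simplified OpenIOC-style XML (constructed here, not the exact Mandiant schema) and evaluates it against a constructed inventory of file records; the field names FileName/FullPath/Md5sum and the hashes are this example's own.

```python
"""Added example: evaluate an OpenIOC-style AND/OR indicator tree against file records."""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed indicator: match if the MD5 is known-bad, OR (name is updater.exe AND it lives under \Temp\).
SAMPLE_IOC = """<ioc id="example-0001">
  <definition>
    <Indicator operator="OR">
      <IndicatorItem condition="is">
        <Context search="FileItem/Md5sum"/>
        <Content>d41d8cd98f00b204e9800998ecf8427e</Content>
      </IndicatorItem>
      <Indicator operator="AND">
        <IndicatorItem condition="is">
          <Context search="FileItem/FileName"/>
          <Content>updater.exe</Content>
        </IndicatorItem>
        <IndicatorItem condition="contains">
          <Context search="FileItem/FullPath"/>
          <Content>\\Temp\\</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>"""

# Constructed host inventory, as an agent might report it (field names are this example's own).
INVENTORY: List[Dict[str, str]] = [
    {"FileName": "notepad.exe", "FullPath": "C:\\Windows\\System32\\notepad.exe",
     "Md5sum": "1a2b3c4d5e6f708192a3b4c5d6e7f809"},
    {"FileName": "updater.exe", "FullPath": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe",
     "Md5sum": "0123456789abcdef0123456789abcdef"},
    {"FileName": "updater.exe", "FullPath": "C:\\Program Files\\Vendor\\updater.exe",
     "Md5sum": "fedcba9876543210fedcba9876543210"},
    {"FileName": "empty.dat", "FullPath": "C:\\Users\\alice\\empty.dat",
     "Md5sum": "d41d8cd98f00b204e9800998ecf8427e"},
]


def _item_matches(item: ET.Element, record: Dict[str, str]) -> bool:
    """Evaluate one IndicatorItem (field / condition / value) against a file record."""
    field = item.find("Context").get("search").split("/")[-1]   # e.g. FileItem/Md5sum -> Md5sum
    wanted = item.find("Content").text or ""
    actual = record.get(field, "")
    cond = item.get("condition", "is")
    if cond == "is":
        return actual.lower() == wanted.lower()
    if cond == "contains":
        return wanted.lower() in actual.lower()
    raise ValueError(f"unsupported condition: {cond}")


def _indicator_matches(node: ET.Element, record: Dict[str, str]) -> bool:
    """Recursively evaluate an Indicator node whose operator is AND or OR."""
    results = []
    for child in node:
        if child.tag == "IndicatorItem":
            results.append(_item_matches(child, record))
        elif child.tag == "Indicator":
            results.append(_indicator_matches(child, record))
    op = node.get("operator", "OR").upper()
    return all(results) if op == "AND" else any(results)


def search_inventory(ioc_xml: str, inventory: List[Dict[str, str]]) -> List[str]:
    """Return the full paths of inventory records that satisfy the IOC."""
    root = ET.fromstring(ioc_xml)
    top = root.find("definition/Indicator")
    return [r["FullPath"] for r in inventory if _indicator_matches(top, r)]


if __name__ == "__main__":
    for hit in search_inventory(SAMPLE_IOC, INVENTORY):
        print("IOC match:", hit)
```

The vendor copy of updater.exe is not reported because the AND branch also requires the \Temp\ location, which is the point of combining weak indicators (a common filename) with context (an unusual path) instead of matching on names alone.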

Lessons learned:
Deploy a honeypot if you haven't already. Make sure you have a way to search your organisation for IOCs.


#########################################################
Title: Cash is King: Who's Wearing Your Crown?
Link: http://www.youtube.com/watch?v=k-qaAeXUBac
What was it about:
The guys presenting talked about how it's possible to inject a DLL into the Microsoft Dynamics GP product and proxy requests to the backend database. So if an attacker compromises one of the workstations belonging to your accounting staff they can remotely issue commands to the backend database when that staff member is logged in. Money transfers and account modifications all performed as the compromised user, awesome.

They mentioned that in many cases accounting reconciliation isn't completed often enough meaning fraudulent payments can go undetected for months. Also once one payment is detected as incorrect how do you know the rest of the payments/account information haven't been modified?

It was worrying to hear that the payment processing systems for online games have better controls than most ERP and financial systems.

Lessons learned:
Third party financial systems don't provide tight enough audit and change control.


#########################################################
Title: Windows Owned by Default
Link: http://www.youtube.com/watch?v=SVqiDdVS7Wo
Link: http://technet.microsoft.com/en-us/magazine/2009.06.act.aspx
What was it about:
This was an interesting talk about the Windows Application Compatibility Toolkit and how it can be used to change how commands and programs execute. The toolkit is offered by Microsoft and helps old software work on newer versions of Windows. It appears to use some kind of DLL injection or rootkit functionality to intercept system calls and redirect execution. So instead of loading, for example, the default modern version of a DLL or registry key, you create what's called a "shim" and this shim will redirect the program to the old version of the DLL or registry key.

An attacker can abuse this to load and hide his own malicious files. Because child processes inherit parent settings, if you create a shim targeting explorer.exe any program launched from the shell will inherit it and run with the modified settings.

You do need to be admin on the box to install the toolkit so it's more of a post exploitation tool but used correctly it can hide malware really well and drive incident responders nuts. Or vice versa if you create a honeypot with Application Compatibility Toolkit installed the attackers will waste time going round in circles instead of attacking your other systems.
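For the "look out for malware abusing this" side, a custom shim leaves three artefacts an installer can't avoid: sdbinst.exe runs, a .sdb lands under the Windows AppPatch\Custom directory, and the database is registered under the AppCompatFlags\Custom and AppCompatFlags\InstalledSDB registry keys. As an added example (my own code, not from the talk), here is detection logic over constructed Sysmon-style events (process create, file create and registry value set); the event dictionaries are a simplification of Sysmon's fields, and the GUID and paths are made up. It ranks a shim applied to explorer.exe higher, for the inheritance reason given above.

```python
"""Added example: flag custom application-compatibility shim installs in Sysmon-style events."""
from typing import Dict, List, Optional, Tuple

Event = Dict[str, object]

# Constructed events: one benign service start, one shim install sequence, one unrelated registry write.
SAMPLE_EVENTS: List[Event] = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs", "ParentImage": "C:\\Windows\\System32\\services.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\sdbinst.exe",
     "CommandLine": "sdbinst.exe -q C:\\Users\\Public\\update.sdb",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"EventID": 11, "Image": "C:\\Windows\\System32\\sdbinst.exe",
     "TargetFilename": "C:\\Windows\\AppPatch\\Custom\\{11111111-2222-3333-4444-555555555555}.sdb"},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\sdbinst.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Custom\\explorer.exe\\{11111111-2222-3333-4444-555555555555}.sdb"},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\sdbinst.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\InstalledSDB\\{11111111-2222-3333-4444-555555555555}\\DatabasePath"},
    {"EventID": 13, "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive"},
]

CUSTOM_KEY = "appcompatflags\\custom\\"
INSTALLED_KEY = "appcompatflags\\installedsdb\\"
SEVERITY = {"medium": 1, "high": 2}


def classify(event: Event) -> Optional[Tuple[str, str]]:
    """Return (severity, description) if the event is a shim-install artefact, else None."""
    eid = event.get("EventID")
    if eid == 1 and str(event.get("Image", "")).lower().endswith("\\sdbinst.exe"):
        return ("medium", f"sdbinst.exe run by {event.get('ParentImage')}: {event.get('CommandLine')}")
    if eid == 11:
        target = str(event.get("TargetFilename", "")).lower()
        if "\\apppatch\\custom" in target and target.endswith(".sdb"):
            return ("medium", f"custom shim database written: {event['TargetFilename']}")
    if eid == 13:
        obj = str(event.get("TargetObject", ""))
        low = obj.lower()
        if INSTALLED_KEY in low:
            return ("medium", f"shim database registered: {obj}")
        if CUSTOM_KEY in low:
            # The executable the shim applies to is the subkey right after ...\Custom\.
            # A shim on explorer.exe is inherited by everything launched from the shell.
            exe = low.split(CUSTOM_KEY, 1)[1].split("\\", 1)[0]
            severity = "high" if exe == "explorer.exe" else "medium"
            return (severity, f"shim applied to {exe}: {obj}")
    return None


def scan(events: List[Event]) -> List[Tuple[str, str]]:
    """All findings, in event order."""
    return [finding for finding in (classify(e) for e in events) if finding]


def highest_severity(events: List[Event]) -> Optional[str]:
    """The worst severity seen, or None when nothing matched."""
    found = [severity for severity, _ in scan(events)]
    return max(found, key=SEVERITY.__getitem__) if found else None


if __name__ == "__main__":
    for severity, text in scan(SAMPLE_EVENTS):
        print(f"[{severity}] {text}")
```

Legitimate installers do run sdbinst.exe, so the process event alone is a lead rather than a verdict; the combination with a write to AppPatch\Custom and a registration against explorer.exe is what makes the sequence worth an analyst's time.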

Lessons learned:
Look out for malware abusing Windows Application Compatibility Toolkit. Also setup a honeypot using this.


#########################################################
Title: RAWR - Rapid Assessment of Web Resources
Link: http://sourceforge.net/projects/rawr-webenum/
What was it about:
Awesome new tool to scan a network and grab screenshots from websites. There are a few scripts out there that do this but I've not seen anything that worked this well. RAWR provides a command line to issue search commands, give it an ip+port and it'll run nmap, Bing reverse DNS and SSL checks against your ip range.

All screenshots are viewable and searchable through a nice web interface. The tool is still under active development with new features on the way. Overall a great tool for attackers and defenders alike.

Lessons learned:
Grab a copy of RAWR and scan your internal/external network, you may be surprised by what you find :)


#########################################################
Title: Decoding Bug Bounty Programs
Link: http://www.youtube.com/watch?v=ur1azUTgmvU
What was it about:
Jon presented a great interactive talk about how/why bug bounties operate. I found the Paypal stats quite interesting, for example, did you know 44% of bugs are the submitter's one and only submission and 80% of bug submissions are sent in by researchers who submit less than 10 bugs.

Also we were lucky enough to have the folks who run Microsoft's bounty program, the head of Firefox's program and the Bugcrowd guys in attendance who all had interesting things to say.

Lessons learned:
Bug bounties are the future!


#########################################################



Questions/comments/corrections - leave a message below.

Derbycon day #2
http://pwndizzle.blogspot.com/2013/10/notes-from-derbycon-2013-day-2.html