<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Secfence Lab</title>
	<atom:link href="http://blog.secfence.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.secfence.com</link>
	<description>Infosec News, Exploit Analysis, Malware Analysis, Web Threats,</description>
	<lastBuildDate>Thu, 29 Aug 2013 08:50:10 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.6.1</generator>
		<item>
		<title>vBulletin Exploit in the wild</title>
		<link>http://blog.secfence.com/2013/08/vbulletin-exploit-in-the-wild/</link>
		<comments>http://blog.secfence.com/2013/08/vbulletin-exploit-in-the-wild/#comments</comments>
		<pubDate>Thu, 29 Aug 2013 08:49:22 +0000</pubDate>
		<dc:creator>Prashant Uniyal</dc:creator>
				<category><![CDATA[Exploitation]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Web application penetration testing]]></category>
		<category><![CDATA[Web application security]]></category>
		<category><![CDATA[Web threats]]></category>
		<category><![CDATA[Zero Day attacks]]></category>

		<guid isPermaLink="false">http://blog.secfence.com/?p=60</guid>
<description><![CDATA[vBulletin is a popular CMS for online forums and communities. It is well regarded by online communities and forum organizers. Previously, many exploits and CVEs have been released for it. Since it is a web application, it is a constant target of cyber crooks. Two days back, the vBulletin team posted on their [&#8230;]]]></description>
				<content:encoded><![CDATA[<p><a href="http://blog.secfence.com/wp-content/uploads/vb.png"><img class="aligncenter size-full wp-image-61" alt="vb" src="http://blog.secfence.com/wp-content/uploads/vb.png" width="900" height="248" /></a></p>
<p>vBulletin is a popular CMS for online forums and communities. It is well regarded by online communities and forum organizers. Previously, many exploits and CVEs have been released for it. Since it is a web application, it is a constant target of cyber crooks. Two days back, the vBulletin team posted on their announcements forum about a possible exploit in versions 4.1+ and 5+ of vBulletin. They didn&#8217;t provide further details, so we couldn&#8217;t put up a firm PoC or identify the attack vector behind the exploit. The message from the <a href="http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/3991423-potential-vbulletin-exploit-vbulletin-4-1-vbulletin-5" target="_blank">post</a> read:</p>
<p><em>&#8220;A potential exploit vector has been found in the vBulletin 4.1+ and 5+ installation directories. Our developers are investigating this issue at this time. If deemed necessary we will release the necessary patches. In order to prevent this issue on your vBulletin sites, it is recommended that you delete the install directory for your installation. The directories that should be deleted are:</em></p>
<p><em>4.X – /install/</em><br />
<em> 5.X – /core/install</em></p>
<p><em>After deleting these directories your sites cannot be affected by the issues that we’re currently investigating.</em></p>
<p><em>vBulletin 3.X and pre-4.1 would not be affected by these issues. However if you want the best security precautions, you can delete your install directory as well.&#8221;</em></p>
<p>At a preliminary look, it seems to be an issue related to the installation directory. Versions 3.X and pre-4.1 are safe, but their users are advised to delete the installation directory as well. Once the developers come up with a patch, the cause behind the attack may be revealed. Concerned about the security of your web assets? Try our <a href="http://www.secfence.com/web-application-penetration-testing-service" target="_blank">Web Application Penetration Testing Service</a> today.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.secfence.com/2013/08/vbulletin-exploit-in-the-wild/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>With love, from Blackhat!</title>
		<link>http://blog.secfence.com/2013/08/with-love-from-blackhat/</link>
		<comments>http://blog.secfence.com/2013/08/with-love-from-blackhat/#comments</comments>
		<pubDate>Fri, 23 Aug 2013 08:17:23 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Exploitation]]></category>
		<category><![CDATA[Network Security]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Security conferences]]></category>
		<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://localhost/secfence%20lab/?p=41</guid>
<description><![CDATA[Black Hat, the god of security conferences, a few years short of completing a decade, took place in Las Vegas this year from July 27 to August 1. As usual, the conference had some fireworks in the form of research and talks. The one that spread like a forest fire was breaking down SSL. Security researchers [&#8230;]]]></description>
<content:encoded><![CDATA[<p>Black Hat, the god of security conferences, a few years short of completing a decade, took place in Las Vegas this year from July 27 to August 1. As usual, the conference had some fireworks in the form of research and talks. The one that spread like a forest fire was breaking down SSL. Security researchers were able to crack HTTPS-encrypted web traffic in 30 seconds. The hacking technique, named BREACH, can extract login tokens, session ID numbers and other sensitive information from SSL/TLS-encrypted web traffic. According to the researchers, BREACH attacks the common Deflate data compression algorithm used to save bandwidth in web communications. The exploit is a development of the earlier Compression Ratio Info-leak Made Easy (CRIME) exploit, which also involved turning compression of encrypted web requests against users. According to the trio of security researchers Angelo Prado, Neal Harris and Yoel Gluck, all versions of TLS/SSL are at risk from this technique. The attacker just has to continually eavesdrop on the encrypted traffic between a victim and a web server, then trick the mark into visiting a website under the miscreant&#8217;s control. The attacker&#8217;s booby-trapped website hosts a script that runs the second phase of the attack: it forces the victim&#8217;s browser to visit the targeted website thousands of times, over and over, each time appending a different combination of extra data. When the attacker-controlled bytes match any bytes originally encrypted in the stream, the browser&#8217;s compression kicks in and reduces the size of the transmission, a subtle change the eavesdropper can detect.<br />
Another firework made web browsers universally vulnerable. Paul Stone, a security researcher, has developed a new technique that uses a combination of JavaScript-based timing attacks and other tactics to read any information he wants from a targeted user’s browser and the sites the victim is logged into. The attack works on all of the major browsers, and researchers say there’s no simple fix to prevent it. The technique uses some known problems with browsers and JavaScript. Using it, an attacker can get access to a victim’s browsing history, Stone said. He found that using Scalable Vector Graphics filters on certain parts of a given web page allowed him to see exactly what a user was looking at in a browser window. Stone discovered that by applying one specific filter, he could tell which pixels are white and which are black. Using JavaScript, he found that he can apply this technique to every pixel in a given iframe and reconstruct what’s in the iframe. Using JavaScript code he can also force the browser to show the source code of the page the user is on, using the view-source method. Depending upon the page the user is visiting, that code could include a user ID or other sensitive data. In a demo of the technique, Stone showed the source of a target Google+ page that included a phone number, Google ID and other information. Though Firefox has released a patch to fix this, Chrome is still vulnerable.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.secfence.com/2013/08/with-love-from-blackhat/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Performing Android malware analysis</title>
		<link>http://blog.secfence.com/2013/08/performing-android-malware-analysis/</link>
		<comments>http://blog.secfence.com/2013/08/performing-android-malware-analysis/#comments</comments>
		<pubDate>Thu, 22 Aug 2013 15:20:12 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Android]]></category>
		<category><![CDATA[Malware analysis]]></category>
		<category><![CDATA[Mobile Security]]></category>
		<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://localhost/secfence%20lab/?p=13</guid>
<description><![CDATA[In the past few years, malware and Trojans have moved rapidly onto mobile platforms. Many well-known Trojans and malware samples have been detected and analyzed in the past. Android, being the latest and a popular mobile platform, has become the all-time favourite target of cyber crooks and malware authors. Android [&#8230;]]]></description>
<content:encoded><![CDATA[<p>In the past few years, malware and Trojans have moved rapidly onto mobile platforms. Many well-known Trojans and malware samples have been detected and analyzed in the past. Android, being the latest and a popular mobile platform, has become the all-time favourite target of cyber crooks and malware authors. The Android application package file, or APK, is the file format used to distribute and install application software and middleware on the Android operating system. To make an APK file, a program for Android is first compiled, and then all of its parts are packaged into one file. This holds all of that program’s code (such as .dex files), resources, assets, certificates, and the manifest file. These files have the .apk extension, but they are just ZIP files. They can be extracted using WinRAR or WinZip.</p>
<p>Today we will look into the analysis of a malicious Android application. As with any malware analysis, there are two basic types: static analysis and dynamic analysis. Many free tools are available over the internet for malware analysis. Let me tell you about a few that would help you in the analysis of a malicious Android application.</p>
<p><b>Static Analysis</b>:<br />
<i><span style="text-decoration: underline;">Mobile Sandbox</span></i>: It provides static analysis of malware images with an easily accessible web interface for submission.</p>
<p><i><span style="text-decoration: underline;">IDA Pro</span></i>: It is the well-known and most widely used disassembler and debugger among reverse engineers. It supports Android bytecode from the Professional version 6.1 onwards.</p>
<p><i><span style="text-decoration: underline;">APKInspector</span></i>: APKInspector is a powerful GUI tool for analysts to analyze Android applications.</p>
<p><i><span style="text-decoration: underline;">Dex2jar</span></i>: It is a tool for converting Android’s .dex format to Java’s .class format.</p>
<p><i><span style="text-decoration: underline;">JD-GUI</span></i>: JD-GUI is a standalone graphical utility that displays the Java source code of .class files. You can browse the reconstructed source code with JD-GUI for instant access to methods and fields.</p>
<p><i><span style="text-decoration: underline;">Androguard</span></i>: An Android reverse engineering toolkit.</p>
<p><i><span style="text-decoration: underline;">Dexdump</span></i>: It is a Java .dex file format decompiler.</p>
<p><b>Dynamic Analysis:</b><br />
<i><span style="text-decoration: underline;">Droidbox:</span></i> An Android application sandbox for dynamic analysis. The sandbox utilizes a static pre-check, dynamic taint analysis and API monitoring. Data leaks can be detected by tainting sensitive data and placing taint sinks throughout the API. Additionally, by logging relevant API function parameters and return values, potential malware can be discovered and reported for further analysis.</p>
<p><i><span style="text-decoration: underline;">The Android SDK</span></i>: A software development kit that enables developers to create applications for the Android platform. The Android SDK includes sample projects with source code, development tools, an emulator, and the required libraries to build Android applications. Applications are written using the Java programming language and run on Dalvik, a custom virtual machine designed for embedded use which runs on top of a Linux kernel. Using the Android SDK we can create a virtual Android device almost identical in functionality and capabilities to an Android phone, and using that virtual device as a secure environment we can execute the malware and observe its behavior.</p>
<p>Let us quickly perform a static analysis of an Android malware sample. Contagio has always been the top choice when it comes to grabbing malware samples. <a href="http://contagiominidump.blogspot.in/" target="_blank">Contagio Mini</a> is the new place where you can get mobile malware samples. We have <b>iMatch</b>, a malicious Android application; we will look into the internals of the file and try to find the malicious code. The very first step is to extract the iMatch.apk file. It can be done easily using WinRAR or WinZip.</p>
<p><a href="http://localhost/secfence%20lab/wp-content/uploads/2013/08/p1.jpg"><img class="aligncenter size-full wp-image-14" alt="p1" src="http://localhost/secfence%20lab/wp-content/uploads/2013/08/p1.jpg" width="830" height="136" /></a></p>
<p><a href="http://localhost/secfence%20lab/wp-content/uploads/2013/08/p2.jpg"><img class="aligncenter size-full wp-image-15" alt="p2" src="http://localhost/secfence%20lab/wp-content/uploads/2013/08/p2.jpg" width="592" height="71" /></a></p>
<p>Now, to get a better overview of the source code, we will convert the .dex file into a .jar file. We will use the dex2jar toolkit to do this.</p>
<p><a href="http://localhost/secfence%20lab/wp-content/uploads/2013/08/p3.jpg"><img class="aligncenter size-full wp-image-16" alt="p3" src="http://localhost/secfence%20lab/wp-content/uploads/2013/08/p3.jpg" width="829" height="473" /></a></p>
<p><a href="http://localhost/secfence%20lab/wp-content/uploads/2013/08/p5.jpg"><img class="aligncenter size-full wp-image-17" alt="p5" src="http://localhost/secfence%20lab/wp-content/uploads/2013/08/p5.jpg" width="1280" height="988" /></a></p>
<p>JD-GUI will help us view the class file in a readable format.</p>
<p><a href="http://localhost/secfence%20lab/wp-content/uploads/2013/08/p7.jpg"><img class="aligncenter size-full wp-image-18" alt="p7" src="http://localhost/secfence%20lab/wp-content/uploads/2013/08/p7.jpg" width="1055" height="815" /></a></p>
<p>Thereafter, we can perform a thorough analysis of the file and check for malicious code and anything unwanted.</p>
<p><a href="http://localhost/secfence%20lab/wp-content/uploads/2013/08/p8.jpg"><img class="aligncenter size-full wp-image-19" alt="p8" src="http://localhost/secfence%20lab/wp-content/uploads/2013/08/p8.jpg" width="1079" height="834" /></a></p>
<p><a href="http://localhost/secfence%20lab/wp-content/uploads/2013/08/p9.jpg"><img class="aligncenter size-full wp-image-20" alt="p9" src="http://localhost/secfence%20lab/wp-content/uploads/2013/08/p9.jpg" width="1037" height="801" /></a></p>
<p>While going through the classes IMatch and MJReciver, we noticed a few suspicious phone numbers. On reading the code, we found a function made to send SMS messages to those numbers. Usually, Android applications access contacts, the network and so on as part of their application features.</p>
<p><a href="http://localhost/secfence%20lab/wp-content/uploads/2013/08/p10.jpg"><img class="aligncenter size-full wp-image-21" alt="p10" src="http://localhost/secfence%20lab/wp-content/uploads/2013/08/p10.jpg" width="1028" height="799" /></a></p>
<p>A quick search on Google revealed that those numbers were premium-rate SMS numbers. This means that this malicious application sends premium-rate SMS messages from the user’s mobile, which is how cyber crooks cheat people and make money. The chain is simple:<i> Malicious application downloaded —&gt; Installed on the phone —&gt; Once the application runs, it sends premium-rate SMS.</i> This was a quick malware analysis that can be practised to analyze malicious Android applications.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.secfence.com/2013/08/performing-android-malware-analysis/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
