vulnerability

Vulnerability analysis: how “HTTPoxy” allows redirection of web applications’ HTTP requests

This is a guest post written by Alex Bod, Information Security Researcher and the founder of the Gods Hackers Team.

The information about a set of vulnerabilities called HTTPoxy was published on July 18. Using it, attackers can set the HTTP_PROXY environment variable, which lets them redirect the web application's outgoing HTTP requests to servers they control. The vulnerability was identified in partnership with the developer Dominic Scheirlinck, who in his blog described how his colleagues discovered the vulnerability while analyzing one of the tickets received in support.

How it works

Scheirlinck explains in detail how HTTPoxy works. A typical attack using this set of vulnerabilities is as follows:
1. The attacker creates a specially crafted HTTP request that contains a Proxy header;
2. CGI receives the request and saves the header value in the HTTP_PROXY environment variable;
3. The CGI application runs its own web client, which uses the HTTP_PROXY environment variable for its proxy settings;
4. Instead of going to the destination address, the client's request is proxied through the attacker's server.

For instance, the exploitation code in several popular languages could look like this:

PHP:
$client = new GuzzleHttp\Client();
$client->get('http://api.internal/?secret=foo');

Python: from…


Chinese Researchers Remotely Hack Tesla Model S (Update)

Security researchers from China-based tech company Tencent have identified a series of vulnerabilities that can be exploited to remotely hack an unmodified Tesla Model S while it is parked or on the move. The researchers managed to perform various actions. While the vehicle was parked, the experts demonstrated that they could control the sunroof, the turn signals, the position of the seats, all the displays and the door locking system. While the car was on the move, the white hat hackers showed that they could activate the windshield wipers, fold the side view mirrors and open the trunk. They also demonstrated that a remote hacker can activate the brakes from a long distance (e.g. 12 miles, as shown in the experiment). WOW… this can be deadly!

But wait, after “several months of in-depth research”? This means that they spent several months searching for vulnerabilities to exploit? This is what I mean by being insistent. The most interesting part is the UPDATE. Tesla told SecurityWeek that it addressed the vulnerabilities found by Keen Lab within 10 days after learning of their existence. The company pointed out that the attacks are not “fully” remote and they are not as easy…


BMW and cybersecurity

Not a month passes without some major car manufacturer being found to have cybersecurity issues. This month a report from February 2016 related to BMW was made public.

The short story

The BMW ConnectedDrive Web portal was found to contain a vulnerability that could result in a compromise of registered or valid vehicle identification numbers, Vulnerability Lab warns. The security bug, affecting the BMW ConnectedDrive online service web application, is a VIN (Vehicle Identification Number) session vulnerability, security researcher Benjamin Kunz Mejri reveals. The VIN, also known as the chassis number, is a unique code used in the automotive industry to identify individual vehicles. The security flaw was discovered in February this year, when the researcher also found a client-side cross-site scripting vulnerability in the official BMW online service web application. By exploiting this issue, an attacker could inject malicious script code into the client-side context of the affected module, the researcher says.

The longer story

In February 2016, ADAC’s security researchers were able to simulate a fake phone network, which BMW cars attempted to access, allowing hackers to manipulate functions activated by a SIM card. BMW said it had taken steps to eliminate possible breaches by…


What is Pentesting, Vulnerability Scanning, which one do you need?

I very often get asked about these two concepts, and I have noticed that there is a lot of confusion around them. At the end, I will give you my own opinion and some advice.

Vulnerability scan

Also known as a Vulnerability Assessment, it looks for known vulnerabilities in your systems and reports potential exposures. Vulnerability assessments are performed using an off-the-shelf software package, such as Nessus or OpenVAS, to scan an IP address or range of IP addresses for known vulnerabilities. For example, the software has signatures for the Heartbleed bug or for missing Apache web server patches and will alert if they are found. The software then produces a report that lists the vulnerabilities found and (depending on the software and options selected) gives an indication of the severity of each vulnerability and basic remediation steps. It is important to keep in mind that these scanners use a list of known vulnerabilities, meaning vulnerabilities already known to the security community, to hackers and to the software vendors. There are vulnerabilities that are unknown to the public at large, and these scanners will not find them.

Penetration test (aka “pentest”)

Designed to actually exploit weaknesses in the architecture of your…


More on the hype behind OpenSSH flaw that could leak crypto keys

Richard Adhikari wrote a good overview about the “OpenSSH Flaw Could Leak Crypto Keys” on the LinuxInsider.com website. I got quoted:

The flaws are not dangerous, security consultant Sorin Mustaca said. “In order to exploit this vulnerability, an attacker must convince its target OpenSSH client to connect to a malicious server — an unlikely scenario — or compromise a trusted server and install a special build of the OpenSSH server having roaming activated,” he told LinuxInsider. The second option “is possible but also unlikely to happen.” If hackers compromise a server to the degree that they can replace OpenSSH, for which they need root access, “it would be better for them to insert their own private keys and have access to the server directly rather than stealing someone else’s private key,” Mustaca remarked. Even if a private key is stolen, the thief has to figure out where else it’s being used. “OpenSSH did very well by fixing these issues,” Mustaca observed.

This news is an example of how to create FUD – Fear, Uncertainty and Doubt. The marketing department of Qualys, which is a very respected company, exaggerated the effects of the vulnerability they found. I am pretty sure that…


WinRAR: The wrong way of answering to a critical vulnerability

With over 500 million users worldwide, WinRAR is by far the most popular compression program. An independent security lab found a remote code execution vulnerability in the official WinRAR SFX v5.21 software. The vulnerability allows remote attackers to execute system-specific code without authorization in order to compromise a target system. The issue is located in the Text and Icon function of the “Text to display in SFX window” module. Remote attackers are able to generate their own compressed archives with malicious payloads that execute system-specific code to compromise the target. The security risk of the code execution vulnerability is rated as critical, with a CVSS (Common Vulnerability Scoring System) score of 9.2. Exploitation of the code execution vulnerability requires low user interaction (opening a file) and does not require a privileged system account or a restricted user account. Successful exploitation of the remote code execution vulnerability in the WinRAR SFX software results in system, network or device compromise.

In simple words: the attack uses the option to write HTML code in the text display window when creating an SFX archive.

ZDNet contacted the creators of the software, Rar Labs, and the answer left me baffled when they explained to ZDNet that, as SFX archives can run contained executable files — and this is required by installers —…


Massive security update for all Apple devices: iOS 8.3

39 fixes are supposed to be delivered via iOS 8.3. Areas like KeyStore, Drivers, Backup, Kernel, Certificate Trust Policy, Networking, Lock Screen, Safari and WebKit, and many more, are being fixed. Apple does not say how critical the issues were, but from what I see there, at least a dozen or so made me raise my eyebrows.

This release includes improved performance, bug fixes, and a redesigned Emoji keyboard. Changes include improved performance for:
- App launch
- App responsiveness
- Messages
- Wi-Fi
- Control Center
- Safari tabs
- 3rd-party keyboards
- Keyboard shortcuts
- Simplified Chinese keyboard

Please update … NOW.


OpenSSL: Patch for secret “high severity” vulnerability

After Heartbleed, POODLE and FREAK, which turned the IT world upside down, numerous companies have asked for a thorough review of the most used SSL implementation in the world: OpenSSL. And indeed, in order to avoid being in the news again, the OpenSSL Foundation is set to release several patches for OpenSSL later this week, fixing undisclosed security vulnerabilities, including one that has been rated “high” severity. Matt Caswell of the OpenSSL Project Team announced that OpenSSL versions 1.0.2a, 1.0.1m, 1.0.0r, and 0.9.8zf will be released on Thursday. “These releases will be made available on 19th March,” Caswell wrote. “They will fix a number of security defects. The highest severity defect fixed by these releases is classified as “high” severity.”

OpenSSL has been hit hard, and the trust in it and in open source in general has been severely shaken in the last 12 months. Last year in April, Heartbleed (CVE-2014-0160) was discovered in older, but still widely used, versions of OpenSSL; it allowed hackers to read the sensitive contents of users’ encrypted data, such as financial transactions and instant messages, and even steal SSL keys from Internet servers or client software running the affected versions of OpenSSL. Two…


FREAK: All Windows versions are affected too

UPDATE on the FREAK vulnerability in SSL: it affects not only Android and iOS but all Windows versions too.

I wrote about the new SSL vulnerability called FREAK – Factoring RSA Export Keys – which affects around 36% of all sites trusted by browsers and around 10% of the Alexa top one million domains, according to computer scientists at the University of Michigan. Android, iOS and a lot of embedded devices that make use of the affected SSL clients (including Open) are in danger of having their connections to vulnerable websites intercepted. The two most used operating systems for smartphones, tablets, laptops and embedded devices are in good company. Yesterday, Microsoft announced that all its supported Windows versions are also affected, due to the presence of the vulnerability in the Windows Secure Channel (SChannel), Microsoft’s own implementation of SSL/TLS:
- Windows Server 2003
- Windows Vista
- Windows Server 2008
- Windows 7
- Windows 8 and 8.1
- Windows Server 2012
- Windows RT

Microsoft published an advisory on TechCenter where the problem is analyzed and solutions are offered. A patch is also promised to fix all supported operating systems. What does it mean for the user? It means that if you are in Windows…


Security experts are FREAKing out again because of a new OpenSSL vulnerability

After Heartbleed, a new security vulnerability in SSL is making headlines and again producing headaches for security experts. Like any good and mind-blowing (for most people) vulnerability, it has a nice name – FREAK – a CVE number – CVE-2015-0204 – and a dedicated website, https://freakattack.com/. FREAK – Factoring RSA Export Keys – affects around 36% of all sites trusted by browsers and around 10% of the Alexa top one million domains, according to computer scientists at the University of Michigan. This time, the vulnerability can allow hackers to perform a Man-in-the-Middle (MITM) attack on traffic routed between a device that uses the affected version of OpenSSL and many websites, by downgrading the encryption to an easy-to-crack 512 bits (64KB). A connection is vulnerable if the server accepts RSA_EXPORT cipher suites and the client either offers an RSA_EXPORT suite or is using a version of OpenSSL that is vulnerable to CVE-2015-0204. To be affected, devices must use the vulnerable version of OpenSSL. The problem is that OpenSSL is sometimes embedded in the firmware of the device, like those running Apple’s iOS or Google’s Android. This makes patching anything but trivial. If Apple and Google will hurry…

