Termine & News

Exploitation of a Vanilla Buffer Overflow in the o2 HomeBox 6441 Router (unauthenticated) – A Step by Step Abuse Guide

Introduction We regularly investigate the security of Customer Premises Equipment (CPEs), also known as SOHO routers. One important aspect of these investigations is to check for memory corruption vulnerabilities like buffer overflows. While these types of bugs were discovered in 1996[1] and secure coding practices as well as exploitation mitigation techniques should render these issues to a vanishing phenomenon, we still encounter them on today’s devices. In August 2018, NSIDE investigated the O2 HomeBox 6441 in terms of memory corruption vulnerabilities and discovered a buffer overflow in the embedded webserver. Most of the time NSIDE doesn't publish such findings, because we are bound by NDAs The Vulnerability Usually all parameters that are accepted by the webserver get sanitized and their…
mehr lesen

Erweiterte Zustandsverfolgung für SQLMAP

Während eines Red Team Assessments bei eines unserer Kunden stand der Autor des Artikels zuletzt vor einer prinzipiell recht angenehmen Situation: in einer internen Webanwendung konnte er eine SQL Injection identifizieren, die ausnutzbar schien. Die Anwendung war relativ klein und nur für einen eingeschränkten Benutzerkreis zugänglich, aber laut Aussagen interner Dokumentation zusammen mit anderen, größeren Anwendungen für die Verwaltung unternehmenskritischer Daten zuständig. Also ein äußerst interessantes Angriffsziel für jemanden, der genau auf diese Daten aus wäre. Um nun das Ziel des Tests zu erfüllen und an die sensiblen Daten zu kommen, musste die Schwachstelle ausgenutzt werden. Das beste Tool hierfür ist zweifelsohne sqlmap [1]. Es gab allerdings mehrere Herausforderungen beim Ausnutzen der Schwachstelle für sqlmap: zunächst handelte es sich um…
mehr lesen

SPI-Flash-Memory von Embedded-Devices ausgeben

Introduction While auditing the security of embedded devices we often face situations where the firmware of the system under test is either not publicly available or the vendor can’t provide it due to legal issues. Accessing the firmware gives a lot of insight on how the device actually works. Even in assessments, where scope is limited to Web Application Testing only, helpful information can be gathered by having access to the firmware. This blog post depicts the general approach for retrieving the firmware from such devices by accessing the flash memory chip directly. Please note the provided information in this example is limited to the flash memory chip only, as the tested system cannot be disclosed due to legal constraints.…
mehr lesen

Android Apps: From Simple Vulnerabilities to Permanent Malware Infection

Introduction Many people underestimate the possibilities a remote attacker has who managed to exploit a remote code execution vulnerability on Android devices. On Windows systems, it is widely accepted that a vulnerability in one software can lead to the compromise of other software and, ultimately, to the infection of the whole system. The same is, in fact, also possible for Android, even though many people believe the attacker would be confined to the vulnerable app's context (in the Android file system and UID/GID sandboxing sense). In this blog post we will show how a vulnerability in one single app can lead to the permanent (and virtually irreversible) infection of an Android device with malware. To this end we will walk…
mehr lesen

Burp and TCP Connection Reuse / TCP Streaming

Recently we were working on an engagement to test a fat client using a web service and ran into a problem with Burp. Surprisingly enough, there was not a single resource on the Internet to help us out. Hoping that others dealing with the same issue won't lose their sanity like we almost did, I am writing this blog post now ;) We were trying to test a web application, or rather a client application (a binary!) communicating with a web service built on top of an HTTP REST API, with Burp as a transparent/invisible proxy in between. For some completely unknown reason, when Burp was between the client software and the server, the client application just refused to log…
mehr lesen

[CVE-2014-5335] CSRF in Innovaphone PBX

Innovaphone PBX Admin-GUI CSRF Impact: High CVSS2 Score: 7.8 (AV:N/AC:M/Au:S/C:P/I:C/A:C/E:F/RL:U/RC:C) Announced: August 21, 2014 Reporter: Rainer Giedat (NSIDE ATTACK LOGIC GmbH, https://www.nsideattacklogic.de/) Products: Innovaphone PBX Administration GUI Affected Versions: all known versions (tested 10.00 sr11) CVE-id: CVE-2014-5335 Summary The innovaphone PBX is a powerful and sophisticated VoIP telephone system for use in professional business environments. In addition to a wide range of IP telephony functionalities, the innovaphone PBX is also equipped with a perfectly integrated Unified Communications solution that can be enabled as needed at any time and at any workspace. The innovaphone PBX uses a web-based user interface. This UI is vulnerable to cross-site request forgery attacks (CSRF). Description The UI does not check if a request was sent…
mehr lesen