Oracle EBS Security auditing

So this is my attempt to improve on this post I wrote last year and other tests that I find helpful. Whatever is outlined here really is a tip of the iceberg and further tests should definitely be done depending on scope, objectives…

Application testing:

Controls to test:

  • Default application account credentials
  • Weak application password controls
  • Poor patching policies
  • Directory listing / sensitive information exposure
  • Segregation of duties / roles and responsibilities
  • Etc

Default application account credentials:

I have created a list of common default accounts on the application and uploaded on github, feel free to add to the list / ping me on twitter. TBH, this issue is quite common among most instances I have the pleasure of auditing and mostly gives you system administrator privileges on the portal.

Other tests to perform on the application to perhaps gain access are here.

Solution:  disable the default app accounts;

Weak application password controls

Over and above the normal password complexity settings on the application, I found that if the passwords are not hashed and you have the APPS password, one could decrypt ALL the application user passwords!!

no hashed

Lack of patching:

Simple select statement to view patch levels:

SELECT
patch_name
, patch_type
, maint_pack_level
, creation_date
FROM applsys.ad_applied_patches
ORDER BY creation_date DESC

Lack of patching on the app leads to many  OWASP Top 10 vulnerabilities including but not limited to XSS, SQLis – most discovered by the guys below. A common example is the reflected XSS on the jtfLOVInProcess.jsp. Many other jsps on the EBS suffer from these issues.

XSS

Solution: Patch. Patch. Patch.

Directory listing / sensitive information exposure

See post here

Solution: Reduce the attack surface by removing the JSPs not in use.

Big shoutout to the guys below for being ready to help the community in this ERP space:

  • David Litchfield
  • Integrigy
  • Onapsis

< Post in progress/>

Advertisements

Blackhat Europe 2017 – conference notes

I had the pleasure to attend the Blackhat Europe 2017 in London – and it was enlightening! In this post, I shall provide links to the slide decks, videos and tools shared during the demonstrations, briefings and various talks. The abstracts for the briefings can be found on the official Blackhat Europe website.

 

1.Black Hat Europe 2017 youtube playlist (continuously being updated):

 

2. Presentation slide decks:

LOST IN TRANSACTION: PROCESS DOPPELGÄNGING:https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf

HOW TO HACK A TURNED-OFF COMPUTER, OR RUNNING UNSIGNED CODE IN INTEL MANAGEMENT ENGINE:https://www.blackhat.com/docs/eu-17/materials/eu-17-Goryachy-How-To-Hack-A-Turned-Off-Computer-Or-Running-Unsigned-Code-In-Intel-Management-Engine.pdf

EXPOSING HIDDEN EXPLOITABLE BEHAVIORS IN PROGRAMMING LANGUAGES USING DIFFERENTIAL FUZZING:https://www.blackhat.com/docs/eu-17/materials/eu-17-Arnaboldi-Exposing-Hidden-Exploitable-Behaviors-In-Programming-Languages-Using-Differential-Fuzzing-wp.pdf

ATTACKING NEXTGEN ROAMING NETWORKS:https://www.blackhat.com/docs/eu-17/materials/eu-17-Schmidt-Attacking-Next-Gen-Roaming-Networks.pdf

BLUEBORNE – A NEW CLASS OF AIRBORNE ATTACKS THAT CAN REMOTELY COMPROMISE ANY LINUX/IOT DEVICE:https://www.blackhat.com/docs/eu-17/materials/eu-17-Seri-BlueBorne-A-New-Class-Of-Airborne-Attacks-Compromising-Any-Bluetooth-Enabled-Linux-IoT-Device.pdf

NATION-STATE MONEYMULE’S HUNTING SEASON – APT ATTACKS TARGETING FINANCIAL INSTITUTIONS:https://www.blackhat.com/docs/eu-17/materials/eu-17-Shen-Nation-State%20Moneymules-Hunting-Season-APT-Attacks-Targeting-Financial-Institutions.pdf

SECURITY THROUGH DISTRUSTING:https://www.blackhat.com/docs/eu-17/materials/eu-17-Rutkowska-Security-Through-Distrusting.pdf

EXFILTRATING RECONNAISSANCE DATA FROM AIR-GAPPED ICS/SCADA NETWORKS:https://www.blackhat.com/docs/eu-17/materials/eu-17-Atch-Exfiltrating-Reconnaissance-Data-From-Air-Gapped-Ics-Scada-Networks.pdf

THE GREAT ESCAPES OF VMWARE: A RETROSPECTIVE CASE STUDY OF VMWARE G2H ESCAPE VULNERABILITIES:https://www.blackhat.com/docs/eu-17/materials/eu-17-Mandal-The-Great-Escapes-Of-Vmware-A-Retrospective-Case-Study-Of-Vmware-G2H-Escape-Vulnerabilities.pdf
A PROCESS IS NO ONE: HUNTING FOR TOKEN MANIPULATION:https://www.blackhat.com/docs/eu-17/materials/eu-17-Atkinson-A-Process-Is-No-One-Hunting-For-Token-Manipulation.pdf

A UNIVERSAL CONTROLLER TO TAKE OVER A Z-WAVE NETWORK:https://www.blackhat.com/docs/eu-17/materials/eu-17-Rouch-A-Universal-Controller-To-Take-Over-A-Z-Wave-Network.pdf

ATTACKS AGAINST GSMA’S M2M REMOTE PROVISIONING:https://www.blackhat.com/docs/eu-17/materials/eu-17-Meyer-Attacks-Against-GSMAS-M2M-Remote-Provisioning.pdf

AUTOMATIC DISCOVERY OF EVASION VULNERABILITIES USING TARGETED PROTOCOL FUZZING:https://www.blackhat.com/docs/eu-17/materials/eu-17-Levomaki-Automatic-Discovery-Of-Evasion-Vulnerabilities-Using-Targeted-Protocol-Fuzzing.pdf
BECOMING YOU: A GLIMPSE INTO CREDENTIAL ABUSE:https://www.blackhat.com/docs/eu-17/materials/eu-17-Burney-Becoming-You-A-Glimpse-Into-Credential-Abuse.pdf

BREAKING BAD: STEALING PATIENT DATA THROUGH MEDICAL DEVICES:https://www.blackhat.com/docs/eu-17/materials/eu-17-Harit-Breaking-Bad-Stealing-Patient-Data-Through-Medical-Devices.pdf

BREAKING OUT HSTS (AND HPKP) ON FIREFOX IE/EDGE AND (POSSIBLY) CHROME:https://www.blackhat.com/docs/eu-17/materials/eu-17-Berta-Breaking-Out-HSTS-And-HPKP-On-Firefox-IE-Edge-And-Possibly-Chrome.pdf

BY-DESIGN BACKDOORING OF ENCRYPTION SYSTEM – CAN WE TRUST FOREIGN ENCRYPTION ALGORITHMS:https://www.blackhat.com/docs/eu-17/materials/eu-17-Filiol-By-Design-Backdooring-Of-Encryption-System-Can-We-Trust-Foreign-Encryption-Algorithms.pdf

CALDERA: AUTOMATING ADVERSARY EMULATION:https://www.blackhat.com/docs/eu-17/materials/eu-17-Miller-CALDERA-Automating-Adversary-Emulation.pdf

CLKSCREW: EXPOSING THE PERILS OF SECURITY-OBLIVIOUS ENERGY MANAGEMENT:https://www.blackhat.com/docs/eu-17/materials/eu-17-Tang-Clkscrew-Exposing-The-Perils-Of-Security-Oblivious-Energy-Management.pdf

DEALING THE PERFECT HAND – SHUFFLING MEMORY BLOCKS ON Z/OS:https://www.blackhat.com/docs/eu-17/materials/eu-17-Elaassal-Dealing-The-Perfect-Hand-Shuffling-Memory-Blocks-On-ZOS.pdf

DIFUZZING ANDROID KERNEL DRIVERS:https://www.blackhat.com/docs/eu-17/materials/eu-17-Corina-Difuzzing-Android-Kernel-Drivers.pdf

ENRAPTURED MINDS: STRATEGIC GAMING OF COGNITIVE MINDHACKShttps://www.blackhat.com/docs/eu-17/materials/eu-17-Kropotov-Enraptured-Minds-Strategic-Gaming-Of-Cognitive-Mindhacks.pdf

FED UP GETTING SHATTERED AND LOG JAMMED? A NEW GENERATION OF CRYPTO IS COMINGhttps://www.blackhat.com/docs/eu-17/materials/eu-17-Wong-Fed-Up-Getting-Shattered-And-Log-Jammed-A-New-Generation-Of-Crypto-Is-Coming.pdf

GDPR AND THIRD PARTY JS – CAN IT BE DONE?:https://www.blackhat.com/docs/eu-17/materials/eu-17-Grushcovski-GDPR-And-Third-Party-JS-Can-It-Be-Done.pdf

HEAP LAYOUT OPTIMISATION FOR EXPLOITATION:https://www.blackhat.com/docs/eu-17/materials/eu-17-Heelan-Heap-Layout-Optimisation-For-Exploitation.pdf

HIDING PIN’S ARTIFACTS TO DEFEAT EVASIVE MALWARE:https://www.blackhat.com/docs/eu-17/materials/eu-17-Polino-Hiding-Pins-Artifacts-To-Defeat-Evasive-Malware.pdf

HOW SAMSUNG SECURES YOUR WALLET AND HOW TO BREAK IT:https://www.blackhat.com/docs/eu-17/materials/eu-17-Ma-How-Samsung-Secures-Your-Wallet-And-How-To-Break-It.pdf

HOW TO ROB A BANK OVER THE PHONE – LESSONS LEARNED AND REAL AUDIO FROM AN ACTUAL SOCIAL ENGINEERING ENGAGEMENT:https://www.blackhat.com/docs/eu-17/materials/eu17-Crumbaugh-How-To-Rob-A-Bank-Over-The-Phone.pdf

I TRUST MY ZOMBIES: A TRUST-ENABLED BOTNET: https://www.blackhat.com/docs/eu-17/materials/eu-17-Vasilomanolakis-I-Trust-My-Zombies-A-Trust-Enabled-Botnet.pdf

INSIDE ANDROID’S SAFETYNET ATTESTATION:https://www.blackhat.com/docs/eu-17/materials/eu-17-Mulliner-Inside-Androids-SafetyNet-Attestation.pdf

INTEL ME: FLASH FILE SYSTEM EXPLAINED:https://www.blackhat.com/docs/eu-17/materials/eu-17-Sklyarov-Intel-ME-Flash-File-System-Explained.pdf
JAILBREAKING APPLE WATCH:https://www.blackhat.com/docs/eu-17/materials/eu-17-Bazaliy-Jailbreaking-Apple-Watch.pdf

KEY REINSTALLATION ATTACKS: BREAKING THE WPA2 PROTOCOL:https://www.blackhat.com/docs/eu-17/materials/eu-17-Vanhoef-Key-Reinstallation-Attacks-Breaking-The-WPA2-Protocol.pdf

PASSIVE FINGERPRINTING OF HTTP/2 CLIENTS:https://www.blackhat.com/docs/eu-17/materials/eu-17-Shuster-Passive-Fingerprinting-Of-HTTP2-Clients.pdf

RED TEAM TECHNIQUES FOR EVADING BYPASSING AND DISABLING MS ADVANCED THREAT PROTECTION AND ADVANCED THREAT ANALYTICS:https://www.blackhat.com/docs/eu-17/materials/eu-17-Thompson-Red-Team-Techniques-For-Evading-Bypassing-And-Disabling-MS-Advanced-Threat-Protection-And-Advanced-Threat-Analytics.pdf

RO(O)TTEN APPLES: VULNERABILITY HEAVEN IN THE IOS SANDBOX:https://www.blackhat.com/docs/eu-17/materials/eu-17-Donenfeld-Rooten-Apples-Vulnerability-Heaven-In-The-IOS-Sandbox.pdf

SELF-VERIFYING AUTHENTICATION – A FRAMEWORK FOR SAFER INTEGRATIONS OF SINGLE-SIGN-ON SERVICES:https://www.blackhat.com/docs/eu-17/materials/eu-17-Chen-Self-Verifying-Authentication-A-Framework-For-Safer-Integrations-Of-Single-Sign-On-Services.pdf

THE APPLE OF YOUR EFI: AN UPDATED ANALYSIS OF THE STATE OF APPLE’S EFI SECURITY SUPPORT:https://www.blackhat.com/docs/eu-17/materials/eu-17-Smith-The-Apple-Of-Your-EFI-An-Updated-Analysis-Of-The-State-Of-Apples-EFI-Security-Support.pdf

THE SPEAR TO BREAK THE SECURITY WALL OF S7COMMPLUS:https://www.blackhat.com/docs/eu-17/materials/eu-17-Lei-The-Spear-To-Break%20-The-Security-Wall-Of-S7CommPlus.pdf

WI-FI DIRECT TO HELL: ATTACKING WI-FI DIRECT PROTOCOL IMPLEMENTATIONS:https://www.blackhat.com/docs/eu-17/materials/eu-17-Blanco-WI-FI-Direct-To-Hell-Attacking-WI-FI-Direct-Protocol-Implementations.pdf

ZERO DAYS THOUSANDS OF NIGHTS: THE LIFE AND TIMES OF ZERO-DAY VULNERABILITIES AND THEIR EXPLOITS:https://www.blackhat.com/docs/eu-17/materials/eu-17-Ablon-Zero-Days-Thousands-Of-Nights-The-Life-And-Times-Of-Zero-Day-Vulnerabilities-And-Their-Exploits.pdf

SAMBAry save us!!

Remember linux users laughing at Windows users because of the now all too famous Wannacry? Karma.

According to Samba, “All versions of Samba from 3.5.0 onwards are vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it.” Might appear not to be serious,but a quick look at our beloved Shodan we see roughly half a million companies with publicly exposed samba (shares.) – not to say all are exploitable but narrowing down and just by viewing the versions, more than half are!!!

shodan_

Exploitation:

Various exploits have been released, I explored the exploit by HD Moore and it works pretty well; At the time of writing it had not been ported to metasploit, port it manually as below, fire up msf.

exploit msf_

msf exploit_

We would all appreciate a Check module in the msf exploit, since it is not there, I decided to do a manual grep – tedious if you a have a large estate to check but better safe than sorry.

 

How to check:

Download either of these files, which show open ports 139 and 445 for public IPs globally as at May 24th and search for your IP of interest :-)..am sure programmers have an easier way?

grep_

 

Remediation:

As usual PATCH! Samba have already released a patch for versions 4.4 onwards. There are workarounds for the other versions, though they could break functionality – the workaround is to add the parameter “nt pipe support = no” to the smb.conf global section and restart smbd service.

 

On a light note 😀

WhatsApp Image 2017-05-26 at 7.33.22 AM

Post title inspired by Remy Zero’s Save me

 

From Shodan to Remote Code Execution #2 – hacking OpenDreambox 2.0.0

A sequel to the last post of what is now becoming a series of “From Shodan to remote code execution”, we now take a look at how to hack misconfigured Dreambox installations. Dreambox is a company which offers Digital TV set top boxes and other related services.

Shodan search:

Perform a shodan search as below:

shodan search_

Go through the portals in the search results. The indicator of a vulnerable dreambox installation is the presence of webadmin plugin as below:

webadmin-plugin_.png

From the address bar run linux commands using the syntax: http://IP/PORT/webadmin/script?command=|”linux_command” as shown below:

id _

etc passwd_

etc shadow_

whoami_

cat issue_

 

Credits:  Jonatas Fil, the discoverer of the vulnerability.

Exploiting Windows with Eternalblue and Doublepulsar with Metasploit!

Most of us got hold of the NSA exploits recently released to the public and there was so much hype and public statements around it. A lot has been said, and most vendors came out to defend their products and to release patches to downplay/mitigate the impact of these exploits.

In the exploits, we came to learn about Fuzzbunch, NSA’s exploit framework – “NSA’s metasploit”. I know a few people who have tried to use it and fail due to lack of knowledge/ familiarity with the dependencies that Fuzzbunch demands…fret no more. We can exploit the same vulnerabilities using our beloved Metasploit :-). Currently Metasploit has the MS17-010 SMB RCE Detection module which “uses information disclosure to determine if MS17-010 has been patched or not. Specifically, it connects to the IPC$ tree and attempts a transaction on FID 0. If the status returned is “STATUS_INSUFF_SERVER_RESOURCES”, the machine does not have the MS17-010 patch. If the machine is missing the MS17-010 patch, the module will check for an existing DoublePulsar (ring 0 shellcode/malware) infection. This module does not require valid SMB credentials in default server configurations. It can log on as the user “\” and connect to IPC$.” It is a scanner module and just informs you that you need to patch your windows boxes – extremely useful for blue teamers.

If you are interested to exploit, read on…

Our friends at Eleven Paths, created a Metasploit module that we can add to our MSF and get a nice meterpreter session.

Steps:

  1. Download the file from https://github.com/ElevenPaths/Eternalblue-Doublepulsar-Metasploit
  2. Copy the eternalblue_doublepulsar.rb file to the metasploit windows smb exploits path (/usr/share/metasploit-framework/modules/exploits/windows/smb)
  3. Load msf and select the eternalblue_doublepulsar module

msf use eternalblue_

At this point it is important to remind ourselves what the two exploits really do:

Description

and the parameters we need to input:

basic options

And with that,we are set. Fire up the exploit…and voila! Meterpreter session as SYSTEM – we do not even need to elevate privileges :-O

meterpreter session_

Though Microsoft has released patches for this issue, there are millions if not billions of servers, workstations still vulnerable for various reasons. And worse, it is now easier to exploit, as we have seen.

UPDATE!

I should have updated this ages ago! So, a metasploit module was developed for the above exploit and makes exploiting this vulnerability a breeze. Surprisingly, this vulnerability is still not being patched..see video below:

Auditing linux , unix OS..in 120 seconds flat

Well, most of us have seen the movie Gone in 60 seconds, so I decided to write a baseline script for auditing linux and most unix operating systems in well under 2 mins – averages about  130 seconds on my test Centos and Red hat distributions.

The script is modeled around most of the operating system controls as recommended by the Center of Internet Security.

What I really like about the script is the ease of downloading, using it and customizing it to fit your security risk appetite, and operating system flavour.

Below is a readme of the tool:

Readme

Below is a screen grab of how it looks like as it starts auditing your operating system:

start1

Enough with screenshots, go have a look for yourself here.

Always happy to hear your feedback, issues and ofcourse pull requests 🙂

Update!

Nix – Auditor 2.0:

Change Log:

Added color variables BLUE, RED, NC (NO COLOR) and GREEN on lines 210 – 213 Applied color variables to “passed” and “failed” results in function func_wrapper on lines 1171 and – 1173