10/24/15

Adobe Flash Player Zero Day Attacks Found In Hacking Team Data Leaked

adobe-addresses-latest-flash-player-zero-day-vulnerability

Hacking Team is a Milan-based information technology company that sells offensive intrusion and surveillance capabilities to governments, law enforcement agencies and corporations.Its “Remote Control Systems” enable governments and corporations to monitor the communications of internet users, decipher their encrypted files and emails, record Skype and other Voice over IP communications,  and remotely activate microphones and camera on target computers.Hacking Team states that they have the ability to disable their software if it is used unethically.

The Recent Cyber Attack that exposed 400GB of data belonging to Hacking Team has following  Zero Day vulnerability in Adobe Flash Player in their data.

  • CVE-2015-5119                                                                                                                             
  • CVE-2015-5122
  • CVE-2015-5123                                                                                                                      

Let us see in detail , How these vulnerability affects the adobe flash player.

This Flash-based vulnerability, dubbed the “most beautiful Flash bug for the last four years” in Hacking Team’s internal notes,

Use-after-free vulnerability present in the ByteArray class located in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13.x through 13.0.0.296 and 14.x through 18.0.0.194 on Windows and OS X and 11.x through 11.2.202.468 on Linux allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted Flash content that overrides a valueOf function, as exploited in the wild in July 2015.

The critical zero-day vulnerability in Adobe Flash is a Use-After-Free() programming flaw (CVE-2015-5122) which is similar to the CVE-2015-5119.

Use-after-free vulnerability present  in the DisplayObject class located  in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13.x on Windows and OS X, 14.x through 18.0.0.203 on Windows and OS X, 11.x through 11.2.202.481 on Linux, and 12.x through 18.0.0.204 on Linux Chrome installations allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted Flash content that leverages improper handling of the opaqueBackground property.

Successful exploitation [of CVE-2015-5122 flaw] could cause a crash and potentially allow an attacker to take control of the affected system,” Adobe said.

Adobe credited FireEye researcher Dhanesh Kizhakkinan for reporting the vulnerability found  in stolen data leaked from Hacking Team.

The flaw can be exploited by freeing a TextLine object within the valueOf function of a custom class when setting the TextLine’s opaqueBackground. As explained by FireEye researchers:

“Once the TextLine object is freed, a Vector object is allocated in its place. Returning from valueOf will overwrite the length field of Vector object with a value of 106. (Initial length is 98).

Exploitation continues by finding the corrupted Vector object by its length, which will be greater than 100.

This enables the object to change an adjacent Vector object’s length to 0x40000000.

Once exploit achieves this, it follows the same mechanism that was used in CVE-2015-5119 PoC.”

This, in turn, allows for attackers to execute shellcode, which pops up a calculator

Use-after-free vulnerability present  in the BitmapData class located  in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13.x through 13.0.0.302 on Windows and OS X, 14.x through 18.0.0.203 on Windows and OS X, 11.x through 11.2.202.481 on Linux, and 12.x through 18.0.0.204 on Linux Chrome installations allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted Flash content that overrides a valueOf function, as exploited in the wild in July 2015.

The vulnerability can be triggered by the following steps:

1)  From a new BitmapData object, prepare 2 Array objects, new 2 MyClass objects, and assign the MyClass object to each Array objects.

2 )  Once the valueOf function of MyClass is override, it calls the BitmapData.paletteMap with the 2 Array objects as parameters. The BitmapData.paletteMap will trigger the valueOf function.

3)   In the valueOf function, it will call BitmapData.dispose() to dispose the underlying memory of BitmapData object, thus causing Flash Player to crash.

Steps to exploit flash zero day vulnerability with metasploit :

Note: This tutorial is for informational purposes only.

  1. First download the exploit code by creating an empty document and name it:

Adobe_Flash_HackingTeam_exploit.rb

image1Figure 1:Download the Exploit                                 

  1. download the payload from here: https://github.com/rapid7/metasploit-framework/tree/master/data/exploits/CVE-2015-5122

image2

      Figure 2:Download the Exploit

  1. Add it to the following directory:

/usr/share/metasploit-framework/data/exploits/CVE-2015-5119/msf.swf

 

  1. Now copy the exploit code and paste it into the empty document.

Use the following command to copy the file from the root/desktop to the Metasploit framework modules folder (create the flash folder if it is not here):

mv /root/Desktop/Adobe_Flash_HackingTeam_exploit.rb /usr/share/metasploit-framework/modules/exploits/windows/flash/

image3

 Figure 3: Move the Exploit in exploit-Modules

  1. You can use the following command to check whether the file has been actually copied to the destination folder:

ls  /usr/share/metasploit-framework/modules/exploits/windows/flash/

image4

 Figure 4: Confirm the destination folder

  1. open a new terminal and start Metasploit (and following services if not already started) using the following command(s):

service postgresql start

service metasploit start

msfconsole

                                  

image5

 Figure 5: Start msfconsole

  1. Now we have got Metasploit started and running with our newly imported exploit in it, we can use the following command to search for it:

search hackingteam

After this use the following command to use the newly added exploit module:

use exploit/windows/flash/Adobe_Flash_HackingTeam_Exploit

Let’s check the options for Metasploit CVE-2015-5122 module with the     following command:

show options

image6                                                        Figure 6: Trigger the Exploit                                                            

  1. We will keep the default options and type “exploit” to trigger our exploit:

Exploit

  1. Let’s open the link from a Windows 7 virtual machine with a vulnerable browser (Firefox) and a vulnerable version of Flash Player (< 18.0.0.203) installed.

image7

 Figure 7: Send the Link to the victim

CounterMeasures:

How to avoid getting infected by these exploits…

– Update Flash Player and make sure that  it is up-to-date: https://get.adobe.com/flashplayer/

If you’re unsure whether your browser has Flash installed or what version it is running, you can browse to this link : https://www.adobe.com/software/flash/about/

– Install security patches if any and keep your OS updated.

– Keep your browser updated.

References:

https://cve.mitre.org/cgi-bin/cvename.cgi

https://github.com/hackedteam

https://www.adobe.com/software/flash/about/

http://blog.trendmicro.com/

https://www.fireeye.com

 

Author

Attack & PenTest Team,

Varutra Consulting

09/10/13

Mobile Application Security Assessment – Proxying for IOS (iPhone & iPad)

After an oversight on how to set up Proxying on Android devices and emulators for Application security assessment, let us shed some light on doing the same for iOS devices.

Setting up proxy on an iPhone and iPad is fairly simple. We will follow this simple algorithm:

  1. Install proxy certificate on the device
  2. Specify proxy settings on the device
  3. Start the HTTP proxy

Now to actually get this done, do the following on your device:

Generate SSL certificate of Proxy

Steps to configure Firefox to use Burp as proxy:

1. In Firefox, go to Tools->Options->Advanced.

2. Click on “Network Tab” and then on the first button that says “Settings”

3. Set up proxy IP and Port as shown in the image

4. Start Burp Proxy and make sure it is listening on port 8080

1

5. Now, visit any HTTPS site, e.g. https://facebook.com on Firefox

3

6. You will be displayed with an “Untrusted Connection” page

7. Click on “I Understand the Risks” -> “Add Exception”

8. On the “Add Security Exception” window, click on “View”

4

9. On Next Window, Click on : “Details” tab and then on “Export”

10. Save the certificate as “Burp_Suite.crt” and rename to “Burp_Suite.cer”

For CharlesProxy, download the certificate from http://charlesproxy.com/charles.crt

Installing Proxy Certificate on device

Just transfer the certificate from workstation to device (via email, ftp, ssh etc.)

Once transferred, navigate to the transfer location and tap on the certificate file. The device will prompt to trust the certificate. Just allow the installation, and device will trust the certificate for any future connections.

Setting up device to proxy traffic

1. On iPhone/iPad, navigate to Settings->Wifi

2. Tap on the “>” sign to the right end of the WiFi network to which we wish to connect

3. Under HTTP Proxy, click on “Manual”

5

4. Enter Proxy IP and Port  (e.g. xxx.xxx.xxx.xxx:8080)

The application/browser Http/Https traffic can now be intercepted with ease.

5

07/29/13

Proxying HTTP/HTTPS traffic on android

Brief:

There are several stages to perform thorough penetration testing on android based application including but not limited to Authentication, Authorization, session management, parameter manipulation, to name a few. One of the important steps to perform testing of an android application is intercepting, analyzing and modifying the traffic. In case of plain text (HTTP) traffic, the configuration to intercept the traffic is easy, but for the SSL enabled application, there are few challenges. Here, we shall be discussing about how to intercept HTTP (plain text) & HTTPS (encrypted) traffic through the proxy tools.

Pre-requisites:
Android SDK (in case of Emulator based testing)
A proxy tool (Charles proxy, Burp, etc)

Steps to Execute:

Proxying on emulator is fairly simple technique. If the proxy (such as Burp, Charles proxy, Paros etc.) is configured at 10.1.1.109 on port 8080, then entering the following command into the console will configure a HTTP proxy on the android virtual device (AVD)

# emulator -avd <Your AVD Name> -http-proxy 10.1.1.109:8080

The –http-proxy setting used for the emulator tends to only work for the browser; other applications generally ignore this setting.

In case of SSL traffic proxying, the challenge is to make the Android device/emulator “trust” the SSL certificate issued by proxy. The simple solution would be to install the proxy’s certificate on the device/emulator.

Setting up Proxy for Android < 4.0

Prior to Android version 4.0, the way in which Android handled certificates is different than the latest android OS. To install certificates, perform below mentioned steps:

1. Launch the emulator with read-write permission for system partition
2. Pull out the “cacerts.bks” file from the filesystem located at /system/etc/security/
3. Add the SSL certificate of proxy into it using keytool (keytool is a utility that comes with java sdk and jre)
4. Push the updated “cacerts.bks” file back onto the device in the same folder
5. Make it persistent (so this works when the AVD reboots)

Adding Certificate
The procedure is same for all proxy tools.Em1

1. To start the AVD, open the command prompt/terminal and navigate to android sdk. Go to tools directory and run ‘emulator’ executable with “-partition-size 128” argument. This argument instructs the AVD to mount “/system” partition with read-write permission, which is not possible with remounting it.

# emulator –avd <avd name> -partition-size 128

2. Next, to pull cacerts.bks file from the emulator:

# adb pull /system/etc/security/cacerts.bks cacerts.bks

3. Now, to add the certificate of the proxy tools into the “cacerts.bks” file, pulled from the device:

# keytool -keystore cacerts.bks -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -storepass changeit -importcert -trustcacerts -alias somealias -file <your_proxy_certificate.crt> -noprompt

Obtain Charles proxy’s certificate from http://charlesproxy.com/charles.crt or for any other proxy, we can export the certificate by configuring proxy on the web browser on laptop/desktop.

Alternatively, we can use Portecle. Portecle is a user friendly GUI application for creating, managing and examining keystores, keys, certificates, certificate requests, certificate revocation lists and more.

Note: On the Mac, we may get an error about keytool not being able to find bouncycastle, which can be fixed by getting the latest provider from here and putting it in $JAVA_HOME/jre/lib/ext/. (On the Mac OSX Mountain Lion, the path is “/System/Library/Frameworks/JavaVM.framework/Home/lib/ext/”)

4. Now push the “cacerts.bks” file back to the device/emulator using adb

# adb remount
# adb shell rm /system/etc/security/cacerts.bks
# adb push cacerts.bks /system/etc/security/

5. e4In case of emulator, make this change persistent with the help of a new system.img file. This is done with a tool called, `mkfs.yaffs2.arm`. Download it here

6. To push the mkfs.yaffs2.arm tool to our android instance.

# adb push mkfs.yaffs2.arm /data/data/temp/mkfs.yaffs2
# adb shell chmod 777 /data/data/temp/mkfs.yaffs2

 

7. We will now make new system.img on sdcard

# adb shell
# /data/data/temp/mkfs.yaffs2 /system /sdcard/system.img

8. Quit the shell and download the newly generated system.img.

# adb pull /sdcard/system.img system.img

9. Close the emulator and boot the new system.img. Paste the new system.img in “path/to/.android/avd/<avdname>.avd/”

10. Boot your avd
# emulator -avd <avd name> -http-proxy <ip:port>

11. In case of actual rooted device, steps 5 to 10 will be skipped

Configure Charles proxy for SSL Proxying from here : http://www.charlesproxy.com/documentation/proxying/ssl-proxying/

Setup Proxy after Android 4.0
Proxying Application traffic changed significantly after Android 4.0 (Ice Cream Sandwich or “ICS”) was released.p1

Contrary to iOS, Android < 4.0 had no setting for proxying traffic.
Android 4.0 (ICS) Proxying could be done by long press on the currently-connected Wi-Fi network and then a check box for advanced options as seen below.

Even with this, Proxying application SSL traffic is not possible.

There are multiple solutions to this problem, one of them being installation of “ProxyDroid” app directly on a rooted ICS phone. This allows an analyst to easily forward all traffic from the real application through a proxy; the only problem becomes SSL certificates, since the proxy will need to use its own SSL certificate, which Android will not recognize as valid.

Next step would be to install FS CERT Installer app.

FS CERT Installer is an Android app by Foundstone used to install CA and site certificate when proxying Android applications.

Screenshot_2013-07-27-14-09-29 Installation and Usage Instructions:

1. Install the FS Cert Installer (Download:FS CERT Installer)

2. Push the certificates into the device sdcard:
# adb push PortSwiggerCA.cer /sdcard/

3. Change the certificate on Burp to generate a certificate with a specific hostname.

4. Install certificate by Settings -> Security -> Install from SD card.

5. Open Proxy and set intercept to off

6. Launch FS Cert Installer and test the certificate installations

7. Test Proxying of the target application.

After the process is complete, we are all set to start intercepting app SSL traffic on Android ICS.