11/21/17

Thick Client Penetration Testing – Exploiting JAVA Deserialization Vulnerability for Remote Code Execution

Thick Client? What do you mean by that?

Thick client is the kind of application which is installed on the client side and major of its processing is done at the client side only which is independent of the server. Like we installed some players or .EXE files in our windows system.

Main difference between Thin Client and Thick Client

Thin client is the browser based application which is having database (server) only in the back end & there is no need to install thin client applications at the client side. Also they are lightweight and do not occupy more space at the client system, whereas Thick client needs more storage space in order to install it on client side.

What is Java Serialization?

Java serialization offers an object to convert itself into a stream of bytes that includes object data to store it into the file systems or to transfer it to another remote system.

After serialize input (stream of bytes) is written to a file, it can be read from the file after deserialization process like stream of bytes then converted to the object again into the memory.

Classes ObjectInputStream and ObjectOutputStream are high level streams that contain the methods of serialization and deserialization.

Why it is vulnerable?

The Apache Commons Collection (ACC) Library is the main reason behind the successful RCE attack. This library has the dangerous class InvokerTransformer which an attacker abused to gain access to remote system.

The InvokerTransformer’s goal is to transform objects in a collection by invoking a method. Attackers take advantage of this functionality and manage to call any method they want.

To create malicious method attacker uses readily available tool called ysoserial

Here is the link to the tool: https://github.com/frohoff/ysoserial

The attack can be summarized as:

A vulnerable application(Thick Client) accepts user supplied serialized objects
An attacker creates malicious payload into stream of bytes (serialization process) to invoke any class/method they want and sends it to application.
Then the application reads the stream of bytes and tries to construct the object from it(Deserialization process)
During deserialization the malicious payload gets executed on target system resulting into compromised system.

How to Perform this Attack?

Step 1: First we should know what is the IP and Port the Thick client is communicating to, in order to intercept the request/response using burp suite.

In cmd ping the thick client URL to know the IP.

In our case lets the assume the URL for thick client is http://thickclient:8081 and after pinging this URL we got the IP 192.168.0.1 and port is 8081

Make the changes in the burp proxy

Step 2: Edit the host file in your system so that the server host (http://thickclient:8081 in our case) points to local host and our burp proxy can intercept the request.

Step 3: Run the thick client and intercept the request in burp

Step 4: Now, we will replace this serialized data with our malicious serialized data, which will be de serialized server side and our command will be executed. For this purpose we will use a tool called ysoserial (download: https://github.com/frohoff/ysoserial)

Run this tool with following syntax and create our malicious serialized payload (the IP should be your system IP and port I am using here is 4444)

The output will be somewhat like below

Step 5: Now on another side listen to incoming connection from server where our malicious data will get execute. We are using netcat tool for this. You can get this tool here: https://nmap.org/download.html

Step 6: Now our payload is created in a file (test.out in my case), we will use Burps ‘paste from file’ option to paste our malicious payload in the intercepted login request as follows and will then execute our malicious data.

Step 7: Now to check whether our command got executed or not on the server, netcat to the connection and you can see in below screenshot that we got incoming connection form the server, meaning our malicious code get executed on the server.

What Makes Penetration Testing Impactful – Post Exploitation

As a penetration tester, we often come across this riddle – What Makes Penetration Testing Really Impactful. As per penetration testing methodology – we identify vulnerability, prioritize the vulnerability considering the criticality of impacted assets, we obtain/modify/create an exploit, compromise the target system and we are all excited and happy. BUT, ‘whoami’ command output in a black screen may not mean anything to C-Suite executives, who have never opened the command prompt, or rather not need to.

So how do you explain C-suite executives the consequences/impact of the exploit which you just performed?

Here comes a skillset to our rescue – Relevant Post Exploitation.

First understand your client, their nature of the business, their clients and criticality of data etc.
Prioritize identified vulnerabilities and exploits to target important assets
Obtain/ex-filtrate the information which matters to them most
And they will be like WOW

To explain my point, I will walk you through some of my personal experiences in my journey as a penetration tester.

Example 1.

TL;DR: Test Server -> Apache Exploit -> In-House App -> Hardcoded DB Credentials -> Central Database Compromise

In one of my earlier engagement, automated scanner identified an instance of open apache manager console and I tried Metasploit for exploitation but observed that anti-virus installed in target machine was deleting Metasploit payload. So I switched to manual method and successfully compromised the server. Hence concluded that engagement is successful, until, client destroyed my enthusiasm saying that it’s a test machine with not much of IMPORTANCE.

Open Apache Tomcat Manager Console

Upload Of Backdoor JSP File

Code for Backdoor JSP

Proof-of-Concept of Exploitation

I had no intention of letting that issue go, so I attacked that machine again with a very definitive purpose – Obtain something critical and/or sensitive.

I created a dummy user with LOCAL ADMINISTRATIVE privileges, started the RDP and logged in using RDP just to make my life easy, relatively

Creation of Dummy User – TestUser

RDP Connection To Target System

I realised there is an in-house application in documents directory (.jar file). Out of curiosity, I just ran it, and it seemed to be data entry application. While I was doing a blind exploration in the application, a message box popped up stating that ‘Read all the entries from database successfully’. Interestingly, the application didn’t ask for any DB credentials at all.

Then, naturally, I opened the application in jd-gui and DB credentials were hard-coded in the application and to my utmost surprise, it was the credentials for central DB of the organization.

Hard-Coded DB Credentials

I used that credentials to login into DB and I was able to access almost all (read all) information about the organization, details of which I can’t mention here for obvious reasons.

Bottom line – Engagement become successful then, from client point-of-view and it made the life of developer of mentioned application [very] difficult.

Example 2.

TL;DR: Kiosk Device ->Windows XP -> MS08-067 -> Pass-the-Hash -> Entire Network -> (Very) Important Person Desktop Screenshot

In another one of my engagement, automated scanner identified that Windows XP machine is running in client environment and our favourite MS08-067 popped me a reverse Meterpreter shell with relative ease, but again, it turns out to be Kiosk Device and client were not very interested in the compromise

Proof-of-Concept of Exploitation

This time I explored the entire system but didn’t identify anything significant. Then I took a different route – Pass-the-Hash attack. I dumped the password hashes using Meterpreter and used smbexec (awesome tool) to escalate/replicate my attack to the entire network.

Identification of Domain Admin User

Replicate of Attack to Entire Network

Example 3.

TL;DR: McAfee ePO Server -> JBoss JMX Console Deployer Upload and Execute -> Combined with McAfee Weak Encryption Vulnerability -> McAfee ePO Server Password Compromised

This compromise was relatively simple. First automated scanner identified an open JBoss JMX console and then, I was able to obtain a Meterpreter reverse shell using the Metasploit exploit module – JBoss JMX Deployer Upload and Execute.

Proof-of-Concept of Exploitation

After a bit of reconnaissance, I realized it was an ePO server installed with vulnerable version – ePO 4.6. A ready to use post exploitation module of Metasploit – epo_sql, fetched the ePO server credentials for me.

epo_sql Metasploit Module in Action

So, in above scenarios, by aligning post-exploitation techniques to client requirement and with a ‘dig deeper’ approach, I represented technical vulnerabilities into the form of business risk. Effective post exploitation makes the client understand the implications from the business perspective and helps them to prioritize the mitigation strategy.

In conclusion, I would like to say that relevant post exploitation is very crucial for a penetration testing engagement, especially when the client is more emphasizing on measuring the risk not counting the vulnerabilities. There are numerous other ways and tools for making post exploitation a real fun.

Further reading

Author
Pramod Rana

Attack & PenTest Team,

Varutra Consulting

05/18/17

Buffer Overflow Attacks

Introduction

Buffer is a storage place in memory where data can be stored. It’s mostly bound in a conditional statements to check the value given by the user and enter it in to the buffer and if the value entered by user is more than the actual size of the buffer then it should not accept it and should throw an error. But what most of the times happens is buffer fail to recognise its actual size and continue to accept the input from user beyond its limit and that result in overflow which causes application to behave improperly and this would lead to overflow attacks.

In this article we will demonstrate buffer overflow attack on the Minishare 1.4.1 application which is vulnerable to buffer overflow attack.

Download link: https://sourceforge.net/projects/minishare/files/OldFiles/minishare-1.4.1-fin.exe/download?use_mirror=master&download=&failedmirror=kent.dl.sourceforge.net

And install it in windows XP (VM) to have better results.

I am using Kali Linux as an attacker machine and also install Immunity Debugger on your windows XP machine to debug the application that we are going to exploit.

Step 1: Install Minishare 1.4.1 on Windows XP machine and check the port on which it is running. In my case its running on port 80.

Step 2: Now we will create one python script. We are sending 2000 A’s to the target to see whether it’s getting crashed or not.

Step 3: But before that we need to give permission to our file so in my case its 1.py and IP 192.168.230.131 is of my Windows XP machine.

Step 4: Now the Minishare should be running on your Windows XP machine and after running above python script the application should get crashed and check the offset by clicking on to Click here and it should be hex value of A which 41.Now from this we can conclude that the application is not able to handle this much (2000 A’s) and get crashed. In short EIP (Instruction Pointer) is overwritten with AAAA leading to crash

Step 5: To check which offset value of buffer overwrites EIP we will use the ruby script which is readily available in our metasploit modules. As shown in below screen shot go to path in usr->share->metasploit-framework->tools->exploit.

Step 6: Copy the pattern generated into python script as below.

Step 7: Now open the Minishare in Immunity Debugger to check the value of EIP (Instruction Pointer) and ESP (Stack Pointer) register. You can see that the EIP is overwritten with ‘36684335’ and ESP is overwritten with ‘Ch7Ch’.

Step 8: To check the offset between EIP and ESP we have tool in metasploit framework.Just go to path as shown below.

Step 9: We can conclude that EIP start from 1787 and contain four characters and ESP starts from 1791.

Now we will over write 4 bytes after 1787 with character B, in order to check that our calculation of EIP is correct. In order to that the changes has been made in the script as below:

Step 10: As seen below our calculation is correct as EIP is overwritten with 424242 i.e. BBB (hex) and ESP is overwritten with CCC.

Step 11: Now here comes the dreaded part of finding bad characters. Bad character are \r\n (\x0a\x0d in hex) which also called Carriage return (\r) and Next Line (\n).If the \x0d and \x0a are present anywhere in the buffer then it get terminated and rest of the remaining buffer will not be taken into consideration. Most of the time \x00 is bad character.

Now we will add the series of characters from \x01 to \xff into my buffer and check it in debugger to check for bad characters.

Step 12: From the below screenshot we can see that 4141 and then 01,02….0C then after that 0D is expected but the buffer breaks which means bad character is present. So remove the bad character which \x0d and re run the code above and check whether the sequence gets completed or not.

Step 13: The series is now get completed.After that we will search for JMP instruction.

So basically when the crash occurs we want the content of ESP to be executed by EIP.

This means we have to make EIP jump to ESP. This can be achieved by executing JMP ESP instruction.

We will open the server and look for the executable modules in Immunity Debugger that contains JMP ESP instruction and then we will overwrite memory address of that instruction on EIP.

From below screenshot we can see that USER32 has JMP ESP Instruction

Note the JMP ESP address 77D8AF0A and make it reverse \x0a\xaf\x8a\xd8\x77.

Step 14: Now we need to create payload using msfvenom by entering below command to get the reverse shell.

Step 15: Now our final script will look like this which will also include code generated from msfvenom command.

Step 16: Run the exploit and on kali machine listen to incoming connection like below. We got reverse shell on our Windows XP machine.

Conclusion: Minishare is vulnerable to buffer overflow attack and this vulnerable application is already installed on windows xp. Due to exploitation of Minishare application we got the reverse shell on the target system.Kindly do not install the applications which are already having such vulnerabilities which may cause a huge damage to your system.

AUTHOR:

Pranav J.

Attack & PenTest Team,

Varutra Consulting

10/27/15

External Penetration Testing – Case Study

ABSTRACT

External Penetration Testing consists of a reviewing and assessing the vulnerabilities that could be exploited by external users/Hacker without any credentials or without having any access to target system.

The assessment basically plays vital role in ensuring perimeter security, infrastructure security of the organization which may or can leads to the impact of business as Sensitive information present. Also it will ensure about possibilities of external threats/attackers & behavior of them as well, to minimize risk and threat ratio External Network Security Assessment has taken into consideration.

If External Network Security is not taken seriously, will leads to information/data theft which will be damage to the image of the company/organization’s brand and ultimately it will affect whole business of the organization. This will show whether there has been a Return on Investment (ROI) of existing implemented security controls, such as firewalls, intrusion detection and prevention systems, or implemented application defenses.

The role of a pentester is to perform penetration testing of the internet facing network, find vulnerabilities and try to exploit vulnerable systems/network to obtain confidential and sensitive information which can or may compromise the network perimeter and suggest measures to remediate the security issues to secure the network.

Varutra’s penetration testing methodology is in accordance with best standards and follows guidelines from OSSTMM, OSINT, NIST and OWASP. It makes use of our extensive experience in penetration testing and security assessment to discover previously missed vulnerabilities providing an impact level of security assurance.

This is a case study of an external network penetration test that Varutra performed on one of the overeas client organization proving egovernance. Some of the information has been changed or modified to maintain confidentiality.

BACKGROUND

The client network was consisting of various technologies such as firewall, routers, IPS, web servers etc. The goal was to understand the current level of external risks which may compromise the sensitive data of the customer as well as the organization. Mainly we had to understand about infrastructure of client network & based on it we started the Penetration Testing. Client commissioned Varutra to carry out an external penetration testing and supplied Varutra with the external IP address ranges to be tested. No other information given such as live IP addresses, name, type, nature of systems along with the underlined services running on them.

APPROACH AND METHODOLOGY

Varutra consultants then proceeded with the following stages of the penetration test:

Information gathering (Active & Passive)

– Attacking on DNS

– Discovering Firewall & IPS

– Scanning for External IP’s and associated systems, services.

Attacking WordPress application

Attacking Joomla application

Attacking Web Servers

– Attacking Web Applications

– User Account Bruteforcing

Attacking Network Layer

– Attacking Web Servers

– Attacking Email Server

– Firewall Evasion

Producing a detailed report of issues and recommendations with proof of concepts screenshots

Varutra has followed scenario based assessment approach for the Penetration Testing Phases.

During an External Penetration Test, Varutra can take the perspective of a known or unknown external threat to the organization. Varutra has started footprinting of the organization using Open Source Intelligence (OSINT), Domain Name System (DNS) reconnaissance, NSLookup and other techniques to identify all information that belongs to the client’s network & infrastructure. Varutra started identifying and discovering ports with respect to its services on each workstation and identified vulnerabilities associated with them.

During the attack phase, Varutra attempts to find all possible ways which can breach client’s network using the combinations of tools and techniques employed by hackers in real world attacks. Mainly targets includes web applications/web servers, email system, firewalls and personal information through techniques of Social Engineering attacks.

Figure: External Penetration Testing Methodology

KEY FINDINGS/OBSERVATIONS

Varutra identified and analysed network perimeter based on the scanning techniques and responses getting from the target. Identified firewall IP which was giving wrong information regarding ports i.e. firewall was misconfigured showing closed ports as well. While doing web server assessment we came across web-server running with outdated version of Apache which leads us conducting Denial of Service attack on the web-server. The attack was successfully achieved. On the web application layer Varutra found multiple critical vulnerabilities such as SQL Injection, XSS, HTML Injection, and Improper Session Management as well as some low and informational level vulnerabilities. This all assessment done with the automated testing using commercial and open source tools as well as extensive manual testing for verification and validation. This was the most important phase of a penetration test because it effectively demonstrates the impact of breach for the concern organization. Main targets in this phase were security credentials and other personal information, web-server/website credentials and sensitive proprietary information of organization (such as source code, or internal methodologies and formulas).

In the final deliverable, Varutra has provided in detailed information for each and every vulnerability which was discovered and exploited, including suggested recommendation or mitigation steps. Finally, Varutra has provided a detailed step-by-step impact of the breach to target organization which explains how several low severe vulnerabilities also can be linked together to achieve a complete and successful compromise.

KEY HIGHLIGHTS

Varutra consultants completed Penetration Testing process with scenario based. Main key highlights of the testing are listed below:

1. Initial scoping of the network was conducted to map and identify the current network, sensitive assets, entry points, existing security mechanisms etc.

2. Conducted penetration testing on the target network devices and systems.

3. Exploit tests carried out, such as mail spoofing and DNS zone transfer.

4. Consultants leveraged on the known vulnerabilities to further penetrate the network and identify the impact of the vulnerabilities if getting exploited.

5. Technical, in depth list of issues listed and recommendations on reducing the risk starting with the most critical.

DELIVERABLES

The reports and remediation information provided by Varutra were customized to match the Client’s operational environment and requirement. The following reports were submitted to the client:

1. Executive Report: Overview of the entire engagement, the vulnerabilities statistics and the roadmap for the recommendations made to mitigate the threats identified.

2. Technical Report: Comprehensive information, proof of concept examples and detailed exploitation instructions of all the threats/vulnerabilities identified and remediation for the same.

3. Mitigation Tracker: Simple and comprehensive vulnerability tracker aimed at helping the IT asset owner/administrator to keep track of the vulnerabilities, remediation status, action items, etc.

BENEFITS

Our Penetration Test helped the client to identify the potential threats / vulnerability that could have compromised their network and its components. We also assisted them in assessing percentage of potential business and operational impacts of successful attacks/exploitation.

Additionally, the client gained the following benefits:

* Risk Benefits: Varutra minimized security risks by assessing and analysing the client’s infrastructure vulnerabilities and recommended solutions and remediation with proven methods to enhance security of organization.

* Cost Savings: Varutra suggested cost-effective risk-mitigation measures based on the client’s business requirements that would ensure security and continuity of the business.

* Customer Satisfaction: Penetration testing was conducted with minimum interruption and damage across client systems/workstations to identify security vulnerabilities, their impacts and potential risks.

* Compliance: As an added bonus, the client was able to utilize the information gained from this Penetration Test to easily gain industry certifications and provide a higher level of service to its customers.

REFERENCES

https://www.dionach.com/library/network-penetration-test-case-study

http://www.testlab.com.au/images/pentest.png

AUTHOR:

Omkar Joshi & Chetan Gulhane

Security Consultant, Varutra Consulting Pvt. Ltd.

Varutra MVD

Category Archives: Network Pentest

Thick Client Penetration Testing – Exploiting JAVA Deserialization Vulnerability for Remote Code Execution

What Makes Penetration Testing Impactful – Post Exploitation

Buffer Overflow Attacks

External Penetration Testing – Case Study