I AM HAXOR, ASK ME ANYTHING

[Pæs]

In this thread, y'all spags can post questions about techy things and I'll try to explain them. If anyone doesn't quite grok that explanation, ask for more! Other tech types are totally invited to jump in with supplementary informations.

Background: I'm not a security researcher or a penetration tester (someone who breaks systems for a living to prepare businesses for real attackers) but I do work tangentially to information security, spend a lot of time at work documenting vulnerabilities in our software and socialise with these types of ne'er-do-wells. I'm looking at moving into this area professionally in the future.

WHAT DO YOU WANT TO KNOW ABOUT HAX?

[Pæs]

So I'm just going to tiredly ramble about stuffs until people have questions.

Vulnerabilities in web applications are typically introduced by accepting user input. Showing people a website isn't too hard but as soon as you start caring about what users have to say, you open yourself up to all sorts of trouble. One example of this is the cross site scripting attack.

When the internet gives you browser a page, it sends something like the following.

Code Select Expand

<html>
<head>
A bunch of meta stuff like the title for the top of the browser, information about how to format the document.
</head>
<body>
Actual content of the page. Pictures and text and all sorts of buttons and shit.
<script>References to scripts that run on the page are also in here between tags like this.
These might be bits of code to tell the page how to animate the dropdown menu or do cool dynamic shit.
It can be as simple as sorting a list of items or as complex as the rules of a browser-based game.</script>
</body>
</html>


The browser hides the head and the script and uses them as instructions.

Now, take a page which has a single name change box for text input on it. It wants to know your name and will then display that name to other users. The developer has an issue here because they've designed the box with the expected input in mind. They haven't considered that the user isn't bound by their expectations. If the user tells the box that their name is "Steve", that's what will appear on the next page. If the user says their name is "<img>link to an image</img>" there's going to be an image on the next page because the browser reads those tags as instructions to display an image.

The real trouble comes when the user says their name is "<script> some malicious code </script>" and this data is dropped into the next page and then interpreted as code to execute. If this is setting your name for a blog or a forum, all users who can see your name have this code executed by their browsers all.

Sometimes the buttons on a blog which tell it to post are coded in JavaScript. If the user can execute script in your browser, they can tell your browser to activate these buttons.

Sometimes the buttons on a blog which tell it to reset your password are coded in JavaScript and suddenly everyone who visits the forum has their password reset.

[Faust]

So is cross site scripting the new sql injection now that a lot of people have a handle on that?

[Pæs]

I think cross site scripting has hit enough blogs and forums that developers are pretty aware of it, even if they're not entirely aware of every way the issue can emerge from their code. There are a lot of noble attempts to sanitise input to remove anything that might be interpreted as instructions for the browser, but Pratchett said it best with "Ninety percent of most magic merely consists of knowing one extra fact" which is all an attacker needs to have to thwart your defences.

It's starting to become understood that perfect defence of a system is not possible and all over infosec people are assuming compromise has occurred and putting their focus into detection and mitigation.

I think the new SQL injection is XPath injection, which seems to be becoming more popular and is basically a variation on the same concept.

A bit of background:

XPath is a query language for retrieving data from XML. XML to store login information might be structured  like this:



So to check whether login input (the stuff you provide in the login form) matches anyone the site knows about, you might supply the following

Code Select Expand

"//user[name/text()='" + request.get("username") + "' And password/text()='" + request.get("password") + "']";

This looks at every user in the database and checks whether the user supplied input matches both the username and the password for any valid user. The addition symbols in this query concatenate terms, so what we wind up with is name/text()="whatever you supplied as username" and password/text()="whatever you gave as your password". Each of these will come back as either true or false depending on whether the supplied values match what's in the database.

"And" is a logical operator which makes the entire statement true only if both expressions are true.

You have a login form using this code to authenticate users. The user gives "Alice" as their username as "password123" as their password. This code will iterate through the database and come up "false" for every entry because none of them match. One of them has the right username but the password is different, so the query as a whole doesn't match. It's asking each of the entries on record whether name="Alice" AND password="password123"

However, if you supply this query with username "Whateveryoulike" and password "fakepassword' or 'a'='a" you automatically get in. This is because when you add this to the original query what you wind up with is:

Code Select Expand

//user[name/text()='Whateveryoulike' And password/text()='fakepassword' or 'a'='a'];
First it will check whether the username matches. It doesn't, so you've got FALSE AND password/text()='fakepassword' or 'a'='a'].

It's going to use a shortcut here and not check the password because it knows that the AND operator won't ever pass if one of the values is false, so that entire "username matches AND password matches" expression evaluates to false, so now we have:

FALSE OR 'a' = 'a'.

OR is another logical operator but this one will pass if either side evaluates to true. 'a' does equal 'a', so the expression as a whole passes. Essentially what you've done is injected your own query into the existing one and redefined the test for whether a user is valid or not to say that a user is valid if either of the following is true:

a) Username and password match
b) 'a' is the same as 'a'.

A lot of people assume that serialised data (data formatted to be easier to transport between systems, basically) is totally safe to work with and because XML is a fairly simple expression of data, they don't protect it as well as they would a more serious looking database.

XPath 2 is a less used but more modern standard which is actually advanced enough that you can inject into it instructions to open files on the server, which can lead to passwords to the machine being disclosed and the machine itself being totally compromised.

Tech stuff in this post got fairly heavy in some places, so I'm happy to go into things further if anyone wants.

[Pæs]

As a reminder to myself, things I am intending to post in this thread in future include:

Information about baseband hacking. Phone operating systems like Android and iOS are pretty advanced. They're good at drawing pretty menus on the screen and handling a whole lot of connected but separate functions like your contacts and clock and snapchat but they're too far away from being binary instructions to efficiently manage communication over radio. Communicating with a cell tower is a very precise interaction and so has to be controlled at a very low level by an entirely separate operating system which is effectively a little black box inside your phone. Android and iOS send signals to it and it sends signals back but very few people know what happens inside it.

Recent research indicates that way down deep in your phone is a mysterious bug-ridden operating system, unexploited because it only listens to cell towers and the source code has only been seen by a select few... but dropping hardware costs and open source cell tower software is starting to make it possible to interact with this part of the phone, using undocumented and poorly understood protocols to tell every cellphone in the area to turn on its microphone, forward all calls, send SMS or execute arbitrary code at a very low level.

Also, more stuff about serialisation formats. JSON, XML, YAML. All designed to make data portable but the parsers and readers which take them and turn them into usable data are much too clever. These parsers contain little known features which mean they're all too happy to execute code supplied to them by users in ways that most developers don't know to be possible.

[Q. G. Pennyworth]

Can you talk a little about man in the middle attacks on cell phone data? I know that they're a thing but I'd like a little more detail.

[PopeSlag]

Why is our utility and security infrastructure ("our" in my case being the United States) accessible through the Internet at all? Has humankind forgotten that computers can be built to work without being accessible to four billion random humans over a wild west frontier network where no one has ever had a good intention ever?

It honestly strikes me as collusion with hackers in a new world order way, which sucks because all that is nonsense and is not what's going on, meaning I actually have no clue as to why this is so.

[Pæs]

Can you talk a little about man in the middle attacks on cell phone data? I know that they're a thing but I'd like a little more detail.

Do you mean man in the middle attacks targeting a cell phone's connection to the internet or its connection to anything? Typically if comyou want to intercept a phone's connection to its provider, you need to make an unauthorised cell tower with a stronger signal to the legitimate one. Phones are designed to connect to the strongest signal, so if a local cell tower is set up, it'll connect to that giving an attacker the opportunity to view/modify that communication before forwarding it on to the real tower.

[Faust]

From what I've seen, most phones carrier check consists of nothing more than a simplified vpn style connection back to the mast.

Creating something people could connect to would be relatively simple, getting it to seamlessly forward and spoof that traffic came from that person, and then to receive and return the responses would be the hard part. I'm not sure how easy it is to spoof a sim, I can't imagine it's that bad though.

[Q. G. Pennyworth]

Can you talk a little about man in the middle attacks on cell phone data? I know that they're a thing but I'd like a little more detail.

Do you mean man in the middle attacks targeting a cell phone's connection to the internet or its connection to anything? Typically if comyou want to intercept a phone's connection to its provider, you need to make an unauthorised cell tower with a stronger signal to the legitimate one. Phones are designed to connect to the strongest signal, so if a local cell tower is set up, it'll connect to that giving an attacker the opportunity to view/modify that communication before forwarding it on to the real tower.

The local tower thing. What could theoretically be done with that traffic and how hard would it be?

[Pæs]

I've got no practical experience in messing with cellular phone networks, mainly because it's difficult to play around there without detection or disrupting normal communications for people but as I understand the main roadblock to exploiting there has historically been the lack of documentation around how the network works and the high cost to buy the equipment required. Both of these roadblocks are being steadily broken through.

Mobile communication standards are something I'm looking to understand better at the moment, but I haven't seen any practical attacks yet. We're getting pretty close, though, and the impact of such an attack would be pretty severe because most of the attack vectors hit entire areas where suddenly EVERYONE has a compromised device.

[Pæs]

Can you talk a little about man in the middle attacks on cell phone data? I know that they're a thing but I'd like a little more detail.

Do you mean man in the middle attacks targeting a cell phone's connection to the internet or its connection to anything? Typically if comyou want to intercept a phone's connection to its provider, you need to make an unauthorised cell tower with a stronger signal to the legitimate one. Phones are designed to connect to the strongest signal, so if a local cell tower is set up, it'll connect to that giving an attacker the opportunity to view/modify that communication before forwarding it on to the real tower.

The local tower thing. What could theoretically be done with that traffic and how hard would it be?

There are open source packages now which can be used to create a base station on about $2000 worth of equipment: http://openbts.org/

Basically if it's closer to you than your local cell tower, your phone can be convinced to use it instead. This is your calls and SMS and internet connection compromised but the baseband stuff I mentioned earlier makes this much more severe because the part of your phone that knows how to talk to the local tower will actually take all sorts of ridiculous instructions from it.

If the tower says "yo, turn on your microphone and tell me what's going on nearby", your phone is like "LOL K". If the tower says "Send an SMS to this expensive number" your phone is all "sure thing bro."

[Q. G. Pennyworth]

Would the SMS and phone calls and whatever be easily decoded by whoever's got the tower? I assume copying the data is a no-brainer, but is there any kind of encryption in place or is that shit floating plaintext in the ether?

[Pæs]

As I understand, there's encryption in place for the radio link but the tower is the intended recipient, so it can read the message. The strength of the encryption differs between countries, some few countries require no encryption in this connection, while others are using crypto which is strong enough for this purpose. There's a limited amount of data being transmitted which makes attacking the encryption less viable.

If you're the base station, I believe you can require the phone to use no encryption, so it's game over at that point in any case.

[Remington]

With recent NSA/Snowden leaks about the NSA potentially compromising Internet encryption standards, is SSL/TLS still considered to be safe/not backdoored? If there are backdoors, how likely would it be that they would be in the implementing application vs in the SSL/TLS standard itself?

Basically, is SSL still theoretically secure against an organization like the NSA?