October 21, 2013

A Story about XSS on Facebook

One day, while browsing Facebook, I discovered an interesting tool – Graph API Explorer. It's a tool designed to work with the Facebook Graph API. It allows reading or posting data on Facebook, testing permissions, etc. So what can it actually do?

September 30, 2013

Inside Mobile Internet Security

The mobile Internet has truly gone global. An estimated 6.8 billion mobile subscriptions were reported globally at the end of 2012 [1]. That’s the equivalent of 96 percent of the world’s population being connected via a mobile device. And it represents a huge increase on the 6.0 billion subscribers reported just 12 months prior [2].

As cellular networks grow, so do the number and frequency of mobile internet connections, posing a new set of challenges for the IT security community. While many of us are familiar with the architecture of the regular Internet – twisted pairs, Ethernet, TCP/IP – the architecture behind the mobile Internet is less widely understood, leaving users vulnerable to the actions of hackers with only a slightly better level of knowledge.

In this post, Positive Research, the research division of Positive Technologies, will demystify the mobile internet by explaining its general principles, take a deeper look at the General Packet Radio Service (GPRS) Tunneling Protocol, discuss the GPRS Roaming Exchange (GRX) Network and demonstrate some practical issues that arise when attempting to secure a mobile network.

August 8, 2013

SAP's Backdoor

SAP security research is one of my basic duties at Positive Technologies. Moreover, I had to think of what I would speak about to the participants of our PHDays III forum. Thus, I came to the following subject of research: how to hide a user with the SAP_ALL profile (i.e. all possible authorizations) in the system. If a malicious user manages to log in to the system and get the authorization to create users and assign privileges to them, then his next most probable step is to create a new account for himself, of course with all authorizations in the system. However, this user is listed in the results of internal checks and external audits, and there is zero chance that a user with SAP_ALL authorizations will not arouse any interest.

July 18, 2013

Can You Trust What Your Eyes See?

The team at Positive Research, the research division of Positive Technologies, has recently discovered a large number of alarming vulnerabilities in digital video recorder (DVR) software used with closed-circuit TV systems. By exploiting these weaknesses, an intruder can remotely take control of an entire system, giving them the ability to watch, substitute or delete recorded video, illegally access a company network, broadcast spam or carry out a host of other malicious activities.

July 15, 2013

Non-Standard Way to Get Inaccessible Data from iOS

In the wake of my speech at Positive Hack Days, I would like to share information I got exploring the configd daemon on iOS 6 MACH. As you know, iOS gives little information about Wi-Fi connection status. Basically, the public API allows getting the SSID, BSSID and adapter network settings, and that's all. And what about the encryption mode? Signal power? You can look under the cut for more information on how to get such data without the private API and without jailbreaking.

Now I must apologize for posting so much source code. To begin with, let us recall how it was earlier, in iOS 5.*. Then you could use the Apple System Log facility to get the system messages that are displayed when connecting to a network. The encryption mode and signal power data appeared in those messages. And you could get them this way:

June 17, 2013

"Best Reverser" at PHDays III — Developer's Overview

When we set our hands to the contest, we wanted to make it interesting, difficult and feasible at the same time.

We believe that a good reverser should be able to read computer code, convert it to a clear algorithm, find mistakes and flaws in this algorithm and, if possible, exploit them. Besides, the code provided for analysis should be close to real software code.

The 64-bit Windows version was chosen as a platform, because Hex-Rays Decompiler for x86 makes everything easier and there are no decompilers for x64. And 64-bit applications have become common anyway.

So a small program with Qt (and static libraries) was developed, and the executable file was almost 10 MB. But is that unbearable for a talented reverser? According to feedback, though, the file size scared some participants. On the other hand, Qt leaves a lot of useful information, and a reverser must know how to separate the wheat from the chaff...

June 4, 2013

The NetHack Challenge Detailed Review

During the Positive Hack Days III forum, the NetHack competition for experts in network security was held. The participants were to obtain access to five network devices and capture the flags stored on the devices within 50 minutes. The game network included typical network infrastructure vulnerabilities discovered by Positive Technologies experts during security analysis and penetration tests. Today we would like to bring to your attention a detailed review of the contest tasks.

April 19, 2013

Positive Technologies Experts Win HITBSecConf CTF 2013

The TechnoPandas team, which consists of Positive Technologies specialists, took first place at the CTF contests held during HITBSecConf in Amsterdam.

During the whole two days (they stopped just for a nap break), the teams competed in a task-based CTF. The organizer of the contests was the well-known Dutch team Eindbazen, which took part in PHDays 2012 and has been invited to PHDays III.

April 9, 2013

PHDays III — Ticket Sale Has Started

Ticket sales for the international forum on practical security PHDays III started on Monday, April 8. Registration and tickets are available here. A ticket bought before May 1 will cost 9,600 rubles for two days and 7,100 rubles for one day.

After May 1 the price of a ticket will increase to 13,700 rubles for two days and 9,600 rubles for one day. It is worth reminding that there are other ways to join the forum besides buying a ticket — just prove yourself in any of the contests (keep up with the news on the official website) or become a speaker by registering via the Call for Papers before April 14.

March 25, 2013

Siemens Fixes Vulnerabilities Detected by Positive Technologies

Siemens has issued several patches for a series of critical vulnerabilities in its products. The security problems were detected in ICS components — development tools and HMI. More than ten vulnerabilities were eliminated, among them insecure password storage, a buffer overflow, and the possibility of creating bookmarks in SCADA project files.

March 6, 2013

Stars aligner’s how-to: kernel pool spraying and VMware CVE-2013-1406

If you deal with Windows kernel vulnerabilities, it is likely that you'll have to deal with the kernel pool in order to develop an exploit. I guess it is useful to learn how to keep the behavior of this kernel entity under your control.

In this article I will try to give a high level overview of kernel pool internals. This object has already been deeply researched several times, so if you need more technical information, please google it or use the references at the end of this article.

Kernel pool structure overview
The kernel pool is the common place for allocating memory in the operating system kernel. Remember that stacks in the kernel environment are very small: they are suitable only for a small bunch of local non-array variables. Once a driver needs to create a large data structure or a string, it will certainly use pool memory.

There are different types of pools, but all of them have the same structure (except for the Driver Verifier's special pool). Every pool has a special control structure called a pool descriptor. Among its other purposes, it maintains lists of free pool chunks, which represent free pool space. A pool itself consists of memory pages. They can be standard 4 KB pages or large 1 MB pages. The number of pages used for the pool is adjusted dynamically.

Kernel pool pages are then split into chunks. These are exactly the chunks that drivers are given when they request memory from the pool.

Pool chunk on x86 systems

February 22, 2013

SAP Unknown Default Password for TMSADM

Authors: Dmitry Gutsko, Positive Research
SAP default passwords are nothing new. The top five default passwords are presented in many books and articles on security issues, and one would hardly find anything new on this topic.

Carrying out an SAP security audit for a client, we came across an unknown password of the user TMSADM. The password was displayed by the system itself: during the default accounts analysis, the following results were obtained in the well-known report RSUSR003.

The default password for TMSADM — PASSWORD — really is well known, but this is the first time I have seen the password $1Pawd2&. Let's sort it out...

The first thing that comes to mind is to search the Internet. Google gives two references; the SAP website, six. None of them clarifies the matter: the mysterious password mainly turns up in published fragments of ABAP code.

February 11, 2013

Surprise for Network Resources from kernel32 (MS12-081, Detailed Analysis of Vulnerability in Microsoft File Handling Component)

Microsoft issued a bulletin related to a vulnerability in the Microsoft File Handling Component on December 11, 2012. The vulnerability was rated critical and assigned the category Remote Code Execution. Remote code execution occurs when a user opens a shared network resource with specially crafted contents. This report provides exploitation details.

The results are based on Windows XP SP3 x86. The vulnerability itself is contained in the functions FindFirstFileExW and FindNextFileExW of the library kernel32.dll, which copy data received from the native function NtQueryDirectoryFile with the help of memmove. The problem is that a number received from NtQueryDirectoryFile is used as the size of the source buffer for the copy function; however, the destination buffer can be smaller than the size returned by NtQueryDirectoryFile.

January 28, 2013

ICS Security Analysis — New Pentest Tools

Industrial system (ICS/SCADA) security is a modern trend in information security. However, there is always a shortage of specialized tools for pentesting or auditing ICS security. This article covers the latest publications, utilities, and presentations of Positive Technologies experts — all of this will help you ensure industrial system security.

January 17, 2013

Positive Technologies Experts Took Part in Chaos Communication Congress in Hamburg

Chaos Communication Congress, organized by the Chaos Computer Club, is one of the oldest (since 1984) and largest events of the hacker world in Europe. The latest meeting, the twenty-ninth in succession (29C3, as the organizers call it), brought together 6,000 participants, including representatives of our company — Sergey Gordeychik, Gleb Gritsay, and Yury Goltsev.

The Congress scenario included multiple reports and workshops focused on various information security aspects.