Saturday, May 17, 2014

Perl script fail

I really don't understand why people keep trying to reinvent the wheel, especially when it comes to web development.
This national supplier has so many bugs on their website that I keep asking myself: why? Why don't you get out of the hole and start listening when white-hat hackers warn you? Are you waiting for a harmful attack?
Or, better yet, use a damn open-source CMS with security updates and code reviewed by hundreds of developers. Yes, it can also fail, but the probability is very low.
So I was minding my own business, looking for a driver and manual for my electronic scale, and bumped into something strange... a Perl script to download the files. That's cute, but is it secure?
No.
"Directory traversal attack". Mr. Sérgio, this is what you should read about.
I sent an e-mail on 22 November 2013 and, as of today, at the time of writing, I haven't got a response; worse than that, the script is still insecure.
As a proof of concept, here goes your own script Mr. Sérgio:
 #!/usr/bin/perl  
 use CGI;  
 $q = new CGI;  
 # The "file" parameter comes straight from the request, with no validation  
 $fileid=$q->param("file");  
 # Only the last path component is used for the download name...  
 @var = split(/\//,$fileid);  
 $filename = pop(@var);  
 $filename =~ s/\'//g;  
 print "Content-disposition: attachment; filename=$filename \n";  
 print "Content-type: application/pdf \n\n";  
 # ...but the full, unvalidated parameter is used as the path that gets opened  
 $filepath=$fileid;  
 binmode STDOUT;  
 open(A,"$filepath") or print "can't open file located at $filepath";  
 binmode A;  
 # Whatever was opened is streamed back to the client  
 while(read A,$buf,1024)  
 {  
    print STDOUT $buf;  
 }  
 close(A);  

I'm not much of a Perl guy, but it doesn't take much to see what's wrong here.
What I really don't understand is that, 6 months after giving you a warning, you haven't done anything.
And yes, I've got the right e-mail address; a colleague of yours gave it to me.
Don't worry, I won't spread your company's URL or do anything that might damage your website, but please fix that before someone with bad intentions messes with your work.
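For comparison, here is the same "download one file by name" feature written with the check the script above is missing. This is an added example, not the supplier's code; it assumes the downloadable files all live under one directory (DOWNLOAD_ROOT, a constructed temp folder here) and maps the untrusted parameter onto that directory instead of opening it directly.

```python
# Added example (not the vendor's script): a download handler that never uses
# the raw request parameter as a filesystem path. DOWNLOAD_ROOT is constructed.
import os
import tempfile
from typing import Optional

# Constructed sandbox standing in for the real download folder
DOWNLOAD_ROOT = tempfile.mkdtemp(prefix="downloads_")
with open(os.path.join(DOWNLOAD_ROOT, "manual.pdf"), "wb") as fh:
    fh.write(b"%PDF-1.4 constructed sample\n")


def resolve_download(file_param: str) -> Optional[str]:
    """Map the untrusted ?file= value to a path inside DOWNLOAD_ROOT.

    Returns the absolute path to serve, or None when the request must be
    refused. Same intent as the Perl script (serve one file by name), but
    the parameter is only ever treated as a bare file name.
    """
    # 1. Reject anything carrying a directory part ('/', '..', absolute paths).
    name = os.path.basename(file_param)
    if name != file_param or name in ("", ".", ".."):
        return None
    # 2. Only the file type this endpoint is meant to serve.
    if not name.lower().endswith(".pdf"):
        return None
    # 3. Resolve symlinks, then confirm the result is still under the root.
    root = os.path.realpath(DOWNLOAD_ROOT)
    candidate = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, candidate]) != root:
        return None
    # 4. Must be an existing regular file (not a directory or a device node).
    if not os.path.isfile(candidate):
        return None
    return candidate


def attachment_header(path: str) -> str:
    """Content-Disposition header with a whitelisted, quoted file name."""
    base = os.path.basename(path)
    safe = "".join(c for c in base if c.isalnum() or c in "._-")
    return f'Content-Disposition: attachment; filename="{safe}"'


if __name__ == "__main__":
    for req in ("manual.pdf", "../../secret.pdf", "/tmp/secret.pdf", "manual.txt"):
        print(repr(req), "->", resolve_download(req))
```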

Monday, May 12, 2014

Where did my license go?

Customers: we'll never predict what kind of weird stuff they do with their computers.
In September 2012 (yes, this time I have a date record), a customer called us to help him with some software that I didn't know.
It was Meteonorm, by Meteotest (Swiss company).
Mr. X, my customer, whose name won't be revealed, told me that they had bought a new computer and needed to transfer Meteonorm to the new machine.
He also showed us a valid license. So if you think I was about to do something illegal, don't bother criticizing me; there is a valid license for the customer's company.
First things first, I installed the software and checked what was needed. A license, of course.
However, he couldn't find the file/serial in time, and there was an urgent need to use the software.
Meteonorm validates the serial against the server, so it was time to install Burp on the machine.
Inspected the JSON traffic and voilà... what the hell, is it this simple?!
Let me see the traffic again (when trying to apply the serial) and observe the server response:
{ isValid: false } (the field name may be different, I don't really remember it all). Really?!?!?!?
So, set this to "true" using Burp Suite and say goodbye to our customer. It's working, pay :)

This is a good thing that my company has: we are allowed to use this kind of knowledge to help the customers. Is it ethical, to hack their own licensed software? Well... yes and no...
Yes, because he did have a valid document proving the acquisition of Meteonorm.
No, because he should have contacted the supplier and asked for the serial again.
This last option would require time that we didn't have, so reversing the protocol was faster.
Customer satisfaction is always our first concern; it doesn't matter how we fix it, or how we do it behind the scenes, as long as it works.
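The weakness in the story is that the client trusts a plain JSON verdict, so anything sitting between client and server can rewrite it. The example below, added here and not Meteotest's protocol, shows a verdict that is bound to the request (serial plus nonce) and authenticated, so a flipped isValid flag is rejected. It uses HMAC with a constructed shared key to stay stdlib-only; a shipped client should instead verify a public-key signature, since a shared secret inside the client can be extracted.

```python
# Added example (not Meteotest's code): authenticated license verdicts.
# SERVER_KEY and the accepted serial are constructed for the demo.
import hashlib
import hmac
import json
import secrets

SERVER_KEY = b"constructed-demo-key-not-a-real-secret"


def server_validate(serial: str, nonce: str) -> str:
    """Server side: decide the verdict and MAC it together with serial + nonce."""
    verdict = {"isValid": serial == "DEMO-1234", "serial": serial, "nonce": nonce}
    body = json.dumps(verdict, sort_keys=True, separators=(",", ":"))
    mac = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"body": body, "mac": mac})


def client_check(serial: str, response: str, nonce: str) -> bool:
    """Client side: accept isValid only when the MAC, nonce and serial all match."""
    try:
        env = json.loads(response)
        body, mac = env["body"], env["mac"]
        expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return False  # body was modified in transit (or forged)
        verdict = json.loads(body)
        # nonce ties the reply to this request; serial stops reuse for another key
        return (verdict["nonce"] == nonce and verdict["serial"] == serial
                and verdict["isValid"] is True)
    except (KeyError, ValueError, TypeError):
        return False


def flip_flag(response: str) -> str:
    """Simulates the in-transit edit from the story: isValid false -> true."""
    env = json.loads(response)
    env["body"] = env["body"].replace('"isValid":false', '"isValid":true')
    return json.dumps(env)


def demo() -> tuple:
    """Returns (genuine valid, genuine invalid, invalid with flipped flag)."""
    nonce = secrets.token_hex(8)
    good = server_validate("DEMO-1234", nonce)
    bad = server_validate("WRONG-0000", nonce)
    return (client_check("DEMO-1234", good, nonce),
            client_check("WRONG-0000", bad, nonce),
            client_check("WRONG-0000", flip_flag(bad), nonce))
```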

Sunday, May 11, 2014

Registration loophole

I use software XPTO on a regular basis, XPTO being a fake name to protect the innocent :)
XPTO has a very nice design and protection scheme; I really admire the original developer(s) (he's gone to Germany by now).
However, when testing features at home I need a valid license for the extra modules.
The XPTO company provided me with a trial, date-limited serial number, which is nice, but I need to use XPTO every day and can't always be asking for such codes.
So I visited the partners' website and searched for a customer serial number that has all the modules included.
This is where the loophole is found.
You see, XPTO doesn't generate a serial like most software does. Instead, XPTO checks the serial number of the hardware and matches it against the serial provided in the software.
This last serial will activate the modules and the number of records.
In practice, you can have as many valid serials as there are modules available in XPTO; plus, if it has a time limit, there's an unlimited number of possible serials.
Is this a bad scheme? Well... it seems so, but I couldn't crack it so far, and the XPTO company doesn't deserve it because they're such nice guys with us.
Well, back to the loophole.
XPTO can have many hardware pieces registered, and each one of them has a distinct serial number.
Also, XPTO has two kinds of hardware: master and slave.
The master's serial number will determine what kind of modules will activate on start.
But... what if we have 2 master serials? Which will prevail?
Let's find out: fire up SQL Management Studio and quickly write a SQL query to insert a new, fictitious hardware piece, plus a valid serial number (with all modules included).
Start XPTO again: success, all modules are working fine.

So, what happened here!?
The protection scheme is great, but this little detail was left out.
OK, so I can't generate working serials, but only one is needed. XPTO will assume the one that has more features enabled.

Saturday, May 10, 2014

I need to study at home.

John is studying. He's an almost-Electronics Engineer with great experience and knowledge that would put most of my old teachers to shame.
John taught me a lot and knew that I like to reverse software protection schemes.
He's more of a hardware guy and doesn't mess a lot with software, only when needed or if it has some PLCs in the way :)
So John called and showed me WinProp Suite, by AWE Communications, which I didn't know.
And John had a big problem: he couldn't afford the paid version, and his school doesn't have many machines with WinProp installed. Also, he wants to study at home. How did we do it?
Yes, we could have downloaded some torrent + crack, but that would be illegal and wouldn't teach us anything.
Also, the versions available online aren't the same as the one John uses at school. And he's kind of picky when something changes in the way he works.
So, let's fire up OllyDbg and see what we can find. A few breakpoints later I found out that some DLL was taking care of the registration process.
Later that night, WinProp was working, fully ...cough, cough... licensed, DLL patched and John happier than ever.
I did warn John: "DO NOT DISTRIBUTE THE DLL", to which he replied: "Of course not, I need it only for myself this semester, to study for the final exam."
This little advantage that John now had would be enough to get a better score.
And he did, the greatest score in the class, only because of a few bytes, JMPs and NOPs :)
Congratulations John!

Now what? There are already plenty of cracked versions and patches available online. Yet, I felt obligated to warn AWE, which I did the next day, by e-mail.
I explained the technical details of the patch, and how it could be fixed, or at least how to make it harder for crackers to figure it out.
Did I receive a reply? NO. Did they care? NO. So I don't care either. Go ahead and search for WinProp; there are lots of keygens/cracks, but you won't find my patched DLL.
I committed in that e-mail to not distributing the patch.
Did they deserve my honesty? NO, but at least I sleep quietly without having to worry about ethics.

Pentest - Unexpected invitation

July 2011, reading a Portuguese blog like I always do, I found a special invitation.
Chuck, let's name him that way, had a website.
Chuck also believed that homemade CMS code was better than an open-source CMS, whose source code is available for everyone to study.
Chuck made a little mistake: he openly invited everyone on the blog to test his website's security.
So I did, but not before wandering around Google searching for his nickname on developer forums.
And Chuck's posts came up, along with some questions about PHP and MySQL.
Based on the content of some questions, I knew Chuck wasn't so sure about the security of his code.
I registered on the website and started to study it; minutes later I already had SQL injection points, along with admin access.
Time to ring Chuck. Chuck is a very friendly guy, and after this "incident" we started to chat on a regular basis.
He did great changes in the code and the website itself.
Later, Chuck asked me again to pentest the newer version. Oops, here it goes again: SQLi.
Fixed and solved in a matter of minutes. I now believe Chuck's website is more secure than it has ever been.
Also, we became online friends helping each other when needed.

So, there are two things that wannabe hackers should learn from this story.

  • Always have permission from the owner/developer to test a website.
  • Always report what you have found, and don't take advantage of it; give the developer the time needed to fix the bug.

Which brings us to another Portuguese website... Will write about that later.

Robei - Visual Chip Design Software (RE)

Ahhh, FPGA, the ultimate toy and challenge for electronics hobbyists.
I've been learning about Verilog and VHDL (thanks J.Pereira) in my spare time.
Some time ago, I came across Robei - Visual Chip Design Software.
It's a nice piece of software for an FPGA newbie like me; it allows you to skip the code writing and draw your logic circuits directly, and then study the generated code.
Robei has a fair price and I strongly advise you to buy it if needed.
Although, that night I had nothing special to do, so I started to reverse Robei.
I found a simple way to subvert the registration system using the tools of the trade (OllyDbg, IDA, among others).
I contacted the developer and explained the situation, and also sent a patched version of the main executable.
He, being such a nice and understanding person, replied that it wasn't good enough: on big projects it would be spitting out errors because of the lack of a valid registration.
So I fixed it and sent a new patch with the promise that it wouldn't be distributed online.
Guosheng Wu, a big thank you for your understanding.
I did the crack/keygen for learning purposes only; the code won't ever be distributed, and I believe that you have already fixed it in newer versions.

Wouldn't it be nice if all developers were understanding people like Guosheng?

I know it's flawed...

Some other day, after seeing Keypic, I also found scr.im.
scr.im is a service to protect e-mails behind a captcha so that people can share e-mails on Twitter and avoid spammers.
Well... not really: the captcha is flawed, and the JavaScript uses old tricks that don't protect anything anymore.
So, not only is the e-mail not protected, spammers can also download their entire database.
My bad, for not reading their FAQ first.
The admin knows it's flawed; however, this is to keep a minimal level of security and to keep it simple for users.
This is what happens when you're online late at night instead of sleeping.
We can't always win, right?!

Seems that I don't spam the right way?

Some night, I was browsing random stuff when I encountered someone talking about Keypic.
Keypic has a mission: to make CAPTCHAs disappear from the web.
I can relate to that; reCAPTCHA is the most annoying thing that can happen to someone who just wants to post/reply to something.
However, we do need something to stop those pesky spammers, but don't rely too much on Keypic for this.
I broke it and made a PoC script. It was refused by the admins because, and check this:
"You don't spam in the regular way"
Oh, I'm so sorry, I didn't know spammers had a "regular way".
I did, however, post dozens of spam/links/text/ads on their demo blog. So, you go figure WTF a regular way is...
My brother did the same thing; we posted all over the blog until the admins shut down the comments section.
I'm not aware of Keypic's current state; like I said before, I'm writing this way too long after writing the PoC script.
Hope that someday it works fine. It's a nice concept despite all the initial problems(?) or the admins' arrogance in refusing to admit that the system had been defeated (on that day at least).
No, I won't post any kind of PoC code, you figure it out, it's really easy.

Sorry telemarketing people :)

Like thousands of people in Portugal, I have a landline phone because we don't have any option for Internet access without being forced to have a damn (dumb) phone.
Everything was running fine until I started to receive annoying calls. Those pesky ISP people trying to increase my monthly bill with stupid promotions that I neither need nor like (stupid M4O).
Also, I don't even use the number on that PSTN line, just VoIP.
Why, you may ask? Because my provider offers free landline calls between 9pm and 9am; however, their own VoIP service doesn't have this kind of limitation, go figure...
You may say: "Just disconnect the phone". Well, OK, but this wouldn't be a smart option.
Having a spare Raspberry Pi, the work began.

  • Purchased a Linksys SPA-3102 and attached it to the landline
  • Set up and configured FreePBX on the Raspberry Pi
  • Set up inbound and outbound rules like this:

  • All calls incoming from the landline (SPA) receive music on hold for as long as the call lasts.
  • Add an exception for my own number, so that I can call home in case of emergency.
  • Add an outbound route to direct all outgoing calls via the VoIP provider.
  • Add a rule (with prefix) to allow outgoing calls via PSTN in case of VoIP failure.
  • Add a rule for emergency calls (112); it will terminate any call in progress and route it through the PSTN.

So, now I can eat, sleep and be with my family without having to answer dumb telemarketers.
It took about half an hour to accomplish this and another half to put everything in place.
Sorry MEO guys, but your promotions suck...

Lazy me...

I've had this blog for a while; it's still missing a lot of posts.
I'm kind of lazy about publishing my "works" and findings, although I work every single day as a sysadmin, and at night reversing miscellaneous software and pentesting websites.
So, here it goes, some of my old and recent work. Please ignore the dates as they're not accurate.
Also ignore some English mistakes and grammar errors :)
Please note that this is private/personal work; it does not always reflect my employer's point of view or values.
Thank you.