Tuesday, April 8, 2014

Exploiting the Heartbleed vulnerability CVE-2014-0160

     Heartbleed is a vulnerability in OpenSSL versions prior to 1.0.1g. Only the 1.0.1 version of OpenSSL prior to 1.0.1f are affected by this vulnerability. The problem exists in a heartbeat extension that when exploited causes random blocks of memory to be disclosed. The content that may be disclosed that is of particular interest include SSL private keys, session cookies, etc. The CVE assigned to this vulnerability is CVE-2014-0160. To understand how this exploit works I have included a Creative Commons licensed comic created by the folks at xkcd.com.

In order to exploit this vulnerability you're going to want to grab a copy of ssltest.py. For simplicity's sake you can execute the following command to grab the file:
wget https://gist.githubusercontent.com/sh1n0b1/10100394/raw/4f24ff250124a03ad2d3d6010b6402c3a483d2f3/ssltest.py
This file requires Python 2.7 to run, it will not work in Python 3. To execute the program on the command line first:
chmod +x ssltest.py
Simply supply the hostname or IP address of the server you wish to test for the vulnerability. By default the application does target port 443 if you do not specify a port. Once run the application will either return "No heartbeat response received, server likely not vulnerable" or it will dump the contents of the memory with the message "Warning: server returned more data then it should - server is vulnerable!" You may or may not find any interesting data in the dump the first time you run the application, this obviously depends upon whether or not anyone else is interacting with the server when you attemp the exploit, and which chunk of memory the server spits back to you. The exploit can be run continuously until you get the data you are looking for, whether it is session information or the private key of the SSL server. The interesting part is that none of these attacks are logged at the server level, because a complete connection is never made to the server. Thus these type of attacks are hard to see from the perspective of the host itself. There are some ways to detect these attacks using network protocol analysis and IDS/IPS may detect these if there is a signature for the attack.

A Metasploit module has been released to exploit heartbleed. It can be found in metasploit's auxiliary/scanner/ssl/openssl_heartbleed.

URL: http://www.rapid7.com/db/modules/auxiliary/scanner/ssl/openssl_heartbleed

Addition URL's for further info:

Thursday, June 21, 2012

Backtrack 5 on Android

A new addition to the Backtrack 5 Linux penetration testing distribution has been released on the ARM platform. This distribution was created for the Motorola Xoom Android tablet. However with some simple modifications I was able to install and run it on my Samsung Galaxy S (Captivate). This should work on most android devices that have a decent amount of processing power. There are a few prerequisites to be able to use this distribution.
First of all you have to have rooted your device and busybox. Secondly you need a terminal emulator and a VNC client. The last thing that you will need is a microSD card big enough to fit the image (8 GB). When preparing the microSD card it does need to be formatted in the ext2 format in order to support the 4+ GB image file. Once you have those items and prepared your microSD card it’s ready to be inserted into your device, it will not be recognized as the ext2 file system is not natively supported by Android devices. So we enter our terminal and mount the memory card using the -t ext2 option. The scripts that are included with Backtrack need to be slightly modified to work with the mount points on your specific device. Once you call the bootbt shell script the device creates a chrooted environment where Backtrack is loaded into memory. Before launching the VNC connection it is also necessary to change a couple environmental variables namely USER has to be set to root and TMPDIR has now changed to /tmp. At this point it the startvnc command can be ran using a modified geometry option to make the desktop display properly on the small screen. I found 800×480 to work rather well. There are two different free VNC clients in the Android marketplace AndroidVNC and PocketCloud. AndroidVNC did not perform as well for me in my tests.
So now that we have the setup out of the way you may be wondering what tools you are capable of using once this setup has been configured. Some of the more well known utilities included with the ARM distribution of Backtrack 5 are as follows:
  • Metasploit Framework
  • Social Engineers Toolkit
  • Nmap scanner
Other high level tool categories include:
  • Information Gathering
  • Vulnerability Assessment
  • Exploitation Tools
  • Priviledge Escalation
  • Maintaining Access
  • Stress Testing
  • Forensics
  • Reporting Tools
This is all well and good but there are a few limitations that regular users of Backtrack may notice right away. Specifically the absence of an entire category of wireless exploration and attacking utilities. This is based upon the obvious hardware limitations of the smartphone or tablet running the operating system. Another limitation you will experience is that the only way to access a network is via a wireless network connection from within the Android operating system. If you are unable to connect directly with the Android device initially you may be limited on what kinds of attack you can perform. However all is not lost as you are required to have root access to your device and this will give you the ability to run software that can create a wireless hotspot. This may create an attack vector that you may not initially suspect within you organization.
One could expect that mobile attack vectors are now much easier to hide and may become more prevalent in the future. Companies need to explore and re-evaluate policies related to connecting external devices to their networks. Smartphones have become much more powerful than they once used to be and can provide some of the same capabilities as an external laptop. If wireless connections are accessible within your organization what do you have in place to prevent these kinds of attacks on your internal network. Many organizations have very little to prevent internal attacks and should consider the addition of intrusion prevention systems to protect their internal networks. One final consideration should be given to which resources need to be accessed from wireless connections and appropriate restrictions should be applied using access control lists or maybe even creating separate subnets that have no or extremely limited access to internal resources on your LAN.
This information was presented by myself at The Tech Garden’s Lightning Talks on June 21st, 2011. The track that I presented in was the Technology Track. The slides are available for download here: Lightning Talk slides