Showing Posts About

Application security

eLinkSmart - Unlocking Bluetooth LE padlocks with polite requests

A critical security analysis of eLinkSmart Bluetooth padlocks revealed multiple severe vulnerabilities. The locks have hardcoded encryption keys, an insecure web API with SQL injection flaws, and weak authentication controls. These vulnerabilities allow attackers to unlock any lock within Bluetooth range and access sensitive user information.

  • 11 Oct 2023

Enumerating Cognito Clients Exposed to the internet

This article details a methodology for discovering and enumerating potential misconfigurations in AWS Cognito at scale. The approach involves finding ways to identify vulnerable Cognito instances using SEO backlink tools, AWS CLI commands, and systematic scanning techniques. The project highlights the challenges of cloud service security and the potential for large-scale vulnerability discovery through programmatic scanning.

Faking Another Positive COVID Test

A vulnerability was discovered in the Cue Health Home COVID-19 Test that allows manipulation of Bluetooth-transmitted test results. By exploiting weaknesses in the device's Protobuf communication protocol, test results could be changed from negative to positive. A Frida script was developed to intercept and modify Bluetooth packets, successfully altering the test outcome.

  • 30 Mar 2021

Click here for free TV! - Chaining bugs to takeover Wind Vision accounts

A critical vulnerability was discovered in the Wind Vision mobile app that enables account takeover through chained security flaws. The attack exploits insecure URL schemes, weak device identification, and authentication mechanisms to intercept OAuth tokens. By crafting a malicious app, an attacker can potentially stream content or remove user devices from the Wind Vision account.

Samsung S20 - RCE via Samsung Galaxy Store App

A remote code execution vulnerability was discovered in the Samsung Galaxy Store app for S20 devices. The vulnerability allowed attackers to install applications without user consent by exploiting a WebView JavaScript interface. An attack could be conducted via a man-in-the-middle attack using NFC or WiFi.

GWTMap - Reverse Engineering Google Web Toolkit Applications

GWTMap is a novel tool for reverse engineering Google Web Toolkit (GWT) applications. The tool extracts and maps service method endpoints from obfuscated client-side code across different GWT versions. It enables cybersecurity professionals to generate example GWT-RPC request payloads and analyze the attack surface of GWT-based web applications.

Operationalising Calendar Alerts: Persistence on macOS

A novel macOS persistence technique leverages calendar alerts in Automator.app to execute arbitrary applications at specified times. The method exploits an undocumented API in EventKit to programmatically create calendar events with executable alerts. By using JavaScript for Automation (JXA), attackers can establish stealthy persistence on macOS systems through calendar event manipulation.

  • 29 Sep 2020

Application-level Purple Teaming: A case study

An application-level purple teaming approach was demonstrated using a file-sharing web application. The methodology focused on improving logging, alerting, and potential response mechanisms by systematically identifying detection gaps across enumeration and injection attack categories. The project used tools like Elasticsearch, Logstash, Kibana, and ElastAlert to enhance application security detection capabilities.

  • 7 Sep 2020

Securing AEM With Dispatcher

This article explores securing Adobe Experience Manager (AEM) using Dispatcher configuration. It demonstrates how to prevent security vulnerabilities by carefully configuring Dispatcher rules to block potential exploits. The walkthrough includes identifying and mitigating Dispatcher bypasses and cross-site scripting (XSS) attacks through systematic testing and rule refinement.

Digital lockpicking - stealing keys to the kingdom

A security analysis of the KeyWe Smart Lock revealed critical vulnerabilities in its Bluetooth Low Energy communication protocol. The lock's in-house key exchange mechanism allows attackers to easily intercept and decrypt device communications by exploiting a predictable common key generation process. By analyzing the mobile application and BLE traffic, the vulnerability in the lock's cryptographic design was exposed.

  • 15 Nov 2019

Prince of the Honeycomb

A critical heap-buffer overflow vulnerability was discovered in Prince XML, a PDF conversion tool used by the Honeycomb application. The vulnerability was found through fuzzing and binary analysis of TIFF image parsing code. By crafting a malicious TIFF file, an attacker could potentially achieve remote command execution when processing specially crafted image files.

  • 1 Nov 2019

Automating Pwn2Own with Jandroid

Jandroid is an automated tool designed to help identify potential logic bugs in Android applications. The tool uses configurable templates to analyze APK files, searching for specific patterns in Android manifests and code. By reducing manual analysis effort, Jandroid enables semi-automatic detection of exploitable vulnerabilities in mobile applications.

How Secure is your Android Keystore Authentication?

This article explores vulnerabilities in Android Keystore authentication mechanisms for local device security. Multiple security weaknesses were identified in how developers implement biometric and keystore authentication in Android applications. Frida scripts were developed to help security professionals audit and test the robustness of Android application authentication implementations.

Getting Real with XSS

This article provides a comprehensive guide to practical Cross-Site Scripting (XSS) attacks in modern web applications. It explores technical challenges such as innerHTML limitations, Content Security Policy (CSP) restrictions, and techniques for bypassing browser security controls. The guide demonstrates how to craft meaningful XSS payloads that go beyond simple alert demonstrations.

  • 23 Jan 2019

What the Fuzz

Fuzzing is an automated software testing technique that generates random inputs to identify potential vulnerabilities in programs. The article explores fuzzing fundamentals, including its architecture, different approaches like dumb and smart fuzzing, and a selection of fuzzing tools and recent research. The goal is to provide an overview of fuzzing techniques and their potential for discovering software bugs.

  • 21 Dec 2018

Twinkly Twinkly Little Star

Multiple security vulnerabilities were discovered in Twinkly IoT Christmas lights. The vulnerabilities include unencrypted local network communications, trivial authentication bypass, and potential remote control through MQTT and DNS rebinding attacks. These flaws could allow attackers to manipulate or control the lights remotely, potentially affecting thousands of connected devices.

Debugging Released Xamarin Android Applications

A technical investigation revealed debugging techniques for released Xamarin Android applications. By manipulating system properties like 'debug.mono.runtime_args', method tracing can be performed on release builds. Code execution is possible through the Mono log profiler by creating a payload in the '.__override__' directory, allowing analysis of Xamarin applications without modifying the original APK.

  • 11 Jul 2018

Passing-the-Hash to NTLM Authenticated Web Applications

This article details a Pass-the-Hash (PtH) attack technique against web applications using Windows NTLM authentication. The attack allows impersonation of domain users by injecting a user's NT hash to authenticate to web applications without knowing the actual password. A practical demonstration is provided using an Exchange 2013 server and Mimikatz to execute the attack.

Chainspotting: Building Exploit Chains with Logic Bugs

A presentation explores the development of an exploit chain involving 11 logic bugs across 6 Android applications. The study demonstrates how logic vulnerabilities can be chained together to achieve malicious actions like silent APK installation. Techniques for discovering and exploiting logic bugs in Android systems are discussed, highlighting the challenges of complex vulnerability chaining.

  • 13 Jun 2018

EQL Injection (not a typo) and Oracle Endeca

EQL injection is a novel attack technique targeting Oracle Endeca search functionality in e-commerce platforms. Attackers can exploit unsecured Endeca search parameters to extract sensitive product information or perform denial of service attacks. The vulnerability stems from improper input validation in Endeca search implementations.

Huawei Mate 9 Pro Mobile Pwn2Own 2017

A whitepaper details vulnerabilities discovered in the Huawei Mate 9 Pro during Mobile Pwn2Own 2017. The document focuses on security issues found in the Huawei Reader and HIApp applications. Technical details of the vulnerabilities and exploitation methods are presented in the document.

  • 17 Dec 2017

Finding the Low-Hanging Route

A critical vulnerability was discovered in Cisco's APIC-EM SDN controller that allows unauthorized access to internal network services. By adding a static route and exploiting IP routing configurations, an attacker can bypass network isolation and directly access sensitive internal services without authentication. The vulnerability enables potential compromise of system credentials and unauthorized access to critical infrastructure components like Apache Cassandra and RabbitMQ.

  • 21 Apr 2017

Add-In Opportunities for Office Persistence

This article explores multiple techniques for gaining persistence through Microsoft Office add-ins. Multiple methods are examined, including WLL, XLL, VBA, COM, Automation, VBE, and VSTO add-ins that can execute code when Office applications start. Each add-in type offers unique mechanisms for potential code execution with different technical advantages and limitations.

  • 21 Apr 2017

Logic Bug Hunting in Chrome on Android

A methodology for identifying logic flaws in mobile applications is demonstrated through an analysis of Chrome for Android. The approach focuses on finding logic bugs that enable access to user files and emails without memory corruption exploits. A specific logic bug in Chrome for Android is highlighted as allowing attackers to bypass Android Nougat security mechanisms.

  • 17 Nov 2016

Working 9 till 5

A summer intern at MWR conducted security research on the Android game "Legion Hunters", uncovering multiple vulnerabilities in the game's login system. The research revealed unencrypted API calls, weak authentication mechanisms, and insecure account management that could allow unauthorized access to user accounts. The intern demonstrated how an attacker could potentially log in as any user by exploiting these security flaws.

  • 3 Nov 2016

AVRop VM: A ROP based M/o/Vfuscator VM on a Harvard device

A novel virtual machine (VM) based on Return-Oriented Programming (ROP) was developed for an AVR microcontroller. The VM adapts the Movfuscator concept to a Harvard architecture device, implementing a single ROP chain that can execute different payloads through memory-mapped instruction interpretation. The approach allows for executing varied functionality using the same ROP chain on an embedded device with limited resources.

Needle: Finding Issues within iOS Applications

Needle is an iOS application security testing tool presented at OWASP AppSec USA 2016. The tool enables comprehensive vulnerability identification in iOS applications through both black-box and white-box testing methodologies. Marco Lancini's presentation detailed Needle's architecture and testing capabilities for finding security issues in mobile applications.

Static Analysis for Code and Infrastructure

Static analysis techniques for software development are explored in this presentation by Nick Jones at DevSecCon 2016. The talk covers methods like taint checking and control flow graph analysis for identifying software bugs early in the development cycle. Guidance is provided on integrating static analysis tools effectively into development environments and infrastructure.

Windows Kernel Fuzzing

A distributed fuzzing technique was developed to target the Windows kernel and identify critical vulnerabilities. The approach focused on generating high-quality test cases to detect potential privilege escalation and sandbox breakout exploits. The fuzzing method scaled across hundreds of CPU cores to systematically assess the kernel's attack surface.

  • 17 Aug 2016

A quick intro to Needle

Needle is an open-source modular framework designed to streamline iOS application security assessments. The tool provides a comprehensive set of modules for binary analysis, storage examination, dynamic analysis, hooking, communications testing, and static code checks. Its modular design allows security professionals to easily conduct thorough iOS app security evaluations.

Bug hunting with static code analysis

Static code analysis techniques can improve application security by identifying vulnerabilities early in the software development lifecycle. The presentation explores automated methods for detecting security flaws, ranging from simple scripts to sophisticated analysis tools. These techniques can be integrated into continuous integration systems to proactively catch and resolve security issues before product release.

QNX: 99 Problems but a Microkernel ain't one!

This presentation explores security research on the QNX microkernel operating system used in critical systems like automotive and consumer devices. The talk examined QNX's security architecture through reverse engineering and fuzzing techniques. The goal was to provide insights into QNX subsystems and potential attack surfaces for privilege escalation.

QNX: Security Architecture Whitepaper

A whitepaper by Alex Plaskett and Georgi Geshev examines the security architecture of QNX, a microkernel operating system. The document explores key operating system features and potential attack vectors against QNX-based platforms. The research identifies security weaknesses and suggests opportunities for further investigation into the QNX platform's security.

  • 25 Jun 2015

Set Fire to the Phone

Two security researchers from MWRLabs discovered multiple vulnerabilities in the Amazon Fire Phone's AppStore ecosystem. By chaining three distinct vulnerabilities, they achieved remote code execution without using native or memory-based attacks. The exploit allowed installation of malware, extraction of device data, and demonstrated significant application security risks in the Fire Phone's software.

Android Wear Security Analysis

A security analysis of Android Wear reveals robust security controls in WearableListenerService and WearableService. The research examined how Android Wear applications communicate and found strict checks preventing unauthorized message delivery between applications. Security mechanisms effectively block low-privileged malware from interfering with inter-application communication on wearable devices.

  • 28 Nov 2014

My NFC Remains Enabled - Reflections on Mobile Pwn2Own 2014

Mobile Pwn2Own 2014 highlighted zero-day vulnerabilities in mobile devices, particularly those involving NFC technologies. The competition demonstrated the ongoing challenges in mobile device security, emphasizing the importance of careful app store selection for users and proactive security design for developers. Despite potential NFC-related risks, most users are more likely to encounter threats through phishing and malware.

Fracking With Hybrid Mobile Applications

Dave Hartley's presentation explores the security implications of hybrid mobile applications across multiple platforms. The talk examines how hybrid apps combine web and native application features using frameworks like PhoneGap. It highlights security risks introduced by WebView and cross-platform development approaches that allow web code to access local device resources.

  • 12 Jun 2014

Putting JavaScript Bridges into (Android) Context

This article explores techniques for obtaining Android Context in WebView JavaScript-to-Java bridge vulnerabilities. Multiple methods for retrieving Context are investigated using reflection and Java Native Interface (JNI) techniques. The research demonstrates approaches to accessing system resources and package information during post-exploitation scenarios in Android applications.

  • 5 Jun 2014

Continued Adventures with iOS UIWebViews

This article explores security vulnerabilities in iOS UIWebViews, specifically focusing on custom NSURLProtocol implementations. The research demonstrates how attackers can bypass naive security checks by manipulating HTTP headers and using techniques like XMLHttpRequest to access restricted resources. A proof-of-concept JavaScript payload is presented to illustrate potential exploitation methods for file access and data exfiltration.

Windows Phone 8 Application Security Slides Syscan 2014

MWR researchers Alex Plaskett and Nick Walker presented slides at Syscan 2014 analyzing Windows Phone 8 application security. The presentation covered novel vulnerabilities in mobile app development. Slides provide programmatic guidance for developers to improve Windows Phone 8 application security.

Windows Phone 8 Application Security Whitepaper Syscan 2014

A whitepaper on Windows Phone 8 application security was presented at Syscan 2014. The research identified common developer mistakes that introduce security vulnerabilities in Windows Phone 8 applications. The whitepaper provides guidance on detecting and mitigating specific application security weaknesses in the platform.

  • 11 Apr 2014

Laravel cookie forgery, decryption, and RCE

A critical vulnerability in Laravel's encryption API allowed attackers to forge session cookies and impersonate users. The flaw enabled potential remote code execution by exploiting weaknesses in MAC verification, IV handling, and PHP object deserialization. Attackers could manipulate cookies to authenticate as any user and potentially inject malicious code through serialized PHP objects.

  • 20 Dec 2013

Google AdMob Ad Library - Arbitrary Intent Activity Invocation

A vulnerability was discovered in the Google AdMob SDK for Android that allows attackers to manipulate Intent Activities by injecting JavaScript into a WebView. The vulnerability enables arbitrary activity invocation by controlling multiple parameters passed to the 'startActivity' method. Potential remote exploitation can occur by targeting exposed activities in other Android applications.

  • 29 Nov 2013

Debug All the Android Things

This blog post describes a technique for enabling debugging on Android applications using Cydia Substrate. The method involves hooking the Android process startup method to force debugging flags, allowing developers to use jdb to interact with and manipulate running Android applications, even for apps not marked as debuggable in their manifest.

  • 27 Nov 2013

Millenial Media Ad Library

A critical vulnerability was discovered in the Millenial Media SDK across mobile platforms. The SDK's WebView implementation allows attackers to perform dangerous actions like file manipulation, clipboard access, audio recording, and cross-application exploitation through malicious JavaScript injection. These security flaws could enable comprehensive mobile device compromise and unauthorized access to sensitive user information.

  • 20 Nov 2013

AppLovin Ad Library SDK: Remote Command Execution via Update Mechanism

A critical vulnerability was discovered in the AppLovin Ad Library SDK for Android that enables remote command execution through an insecure update mechanism. The vulnerability allows attackers to inject malicious code into applications by exploiting the SDK's dynamic class loading process during updates. An attacker can craft a malicious SDK update that gets automatically downloaded and executed when an application starts.

  • 24 Sep 2013

WebView addJavascriptInterface Remote Code Execution

A critical remote code execution vulnerability was discovered in Android WebViews using JavaScript interfaces. The vulnerability allows attackers to execute arbitrary system commands by injecting malicious JavaScript into applications using advertising network SDKs. Analysis revealed that a significant number of Android applications could potentially be compromised through this security flaw.

  • 1 Sep 2013

Introducing drozer

Drozer is an open-source mobile security tool for Android exploit development. It enables advanced payload deployment and post-exploitation through multiple "weasel" techniques for gaining device access. The tool allows security researchers to build exploits, create reverse TCP shells, and escalate privileges on target Android devices.

  • 4 Jul 2013

BSides Challenge Walkthrough

The BSides London 2013 challenge involved analyzing the 'Evil Planner' Android application for security vulnerabilities. Multiple critical security flaws were discovered, including directory traversal in content providers, weak PIN encryption using device ID, and SQL injection in database content providers. These vulnerabilities could allow an attacker to access sensitive user data stored within the application.

Is Blackberry Dead?

Alex Plaskett from MWR presented an overview of Blackberry 10's security features at the MWR Briefing in 2013. The presentation explored the mobile operating system's security capabilities and potential future. A PDF of the presentation is available for download.

  • 28 Mar 2013

Announcing Mercury v2.2

Mercury v2.2, an Android Security Assessment Framework, introduces enhanced auto-completion features for command suggestions. The update maintains separate command histories for different contexts and improves ContentProvider interaction stability. A vulnerable Android app called Sieve is released to help security practitioners practice using the framework.

  • 11 Mar 2013

BSides Challenge

MWR Labs hosted a cybersecurity challenge focused on analyzing the "Evil Planner" Android application. The challenge invited participants to find vulnerabilities that would allow BigCorp to extract encrypted data from a potentially malicious employee's device. Multiple prizes were offered for discovering and exploiting application security weaknesses.

  • 7 Feb 2013

Announcing Mercury v2.1

Mercury v2.1, an Android security assessment framework, introduces three key improvements. Modules can now be installed directly from an online repository. Connections between the Mercury console and device can be secured with SSL and optional password protection. Performance optimizations have been made to the Mercury Agent to improve efficiency and resource management.

  • 7 Sep 2012

Mercury v1.1 is Released

Mercury v1.1 is an Android security testing framework with enhanced compatibility for newer Android versions. The release introduces a Reflection Interface for dynamic feature addition and includes new modules for comprehensive security scanning of Android devices and applications. Key improvements enable security professionals to more efficiently analyze potential vulnerabilities in Android systems.

  • 1 Sep 2012

A Look at the BlackBerry OS as a Secure Platform for Third Party Applications

This article examines critical security vulnerabilities in the BlackBerry OS for third-party applications running in the BlackBerry Internet Service environment. Key security issues include unprotected data storage, insecure data transmission, and weak application sandboxing that could allow malicious apps to compromise device security. The study reveals multiple attack vectors such as database manipulation, input simulation, and unauthorized screenshots.

PinPadPwn

A presentation at BlackHat 2012 exposed critical security vulnerabilities in payment terminals. Memory corruption attacks were demonstrated to be possible through complex input handling and network interfaces. The research highlighted potential code execution risks in payment terminal systems.

  • 30 Apr 2012

Building Android Java/JavaScript Bridges

This article explores security vulnerabilities in Android WebView implementations, focusing on Java/JavaScript bridges. It examines methods like addJavascriptInterface and method overriding that allow native code exposure to web content. The research highlights potential attack vectors in cross-platform mobile application development frameworks, particularly in PhoneGap.

  • 23 Apr 2012

Adventures with Android WebViews

This article provides guidance on securing Android WebViews by implementing best practices for mobile application security. Key recommendations include disabling JavaScript and plugins, restricting file system access, and implementing resource inspection techniques to prevent potential vulnerabilities. The article details methods for intercepting and controlling resource loading within WebViews to enhance mobile application security.

  • 16 Apr 2012

Adventures with iOS UIWebviews

This article explores security challenges with iOS UIWebviews, focusing on techniques to mitigate risks when loading remote content. It discusses methods for implementing secure WebView interactions, including using SSL/TLS, implementing URL request inspection, and carefully managing content loading to prevent unauthorized access to local resources.

  • 7 Jul 2011

Debuggable Apps in Android Market

A security analysis of Android applications revealed that approximately 5% of popular free apps are shipped with debugging enabled. Debuggable applications can be exploited by malicious apps to establish a JDWP connection and gain full access to the Java process. Developers are advised to disable debugging before shipping applications to prevent potential security risks.

  • 18 May 2011

The Google Android Update Dilemma

The Android update process involves multiple parties including Google, device vendors, and carriers, creating a complex and fragmented security update mechanism. This multi-stage update chain introduces significant delays and vulnerabilities, as patches must pass through numerous intermediaries before reaching end-users. Google's recent update initiative fails to comprehensively address the fundamental security challenges in Android's update ecosystem.

  • 18 Oct 2010

Building Android Sandcastles in Android's Sandbox

This paper examines Android's sandbox architecture and security vulnerabilities beyond traditional kernel-level exploits. The study shifts focus to analyzing systemic and third-party application security risks in the Android ecosystem. The research explores potential security weaknesses in Android's application isolation and sandbox implementation.

Middleware Risks: Guidance for IT Security Managers

A whitepaper examines risks associated with middleware technologies, specifically WebSphere MQ. The document provides guidance for IT security managers on assessing and addressing potential vulnerabilities in middleware systems. The goal is to help organizations better understand and mitigate middleware-related security risks.

HashCookies - A Simple Recipe

HashCookies is a session security technique that uses random salt and hashing to generate browser-specific session cookies. The method prevents session hijacking by making stolen session IDs unusable without the original salt. Implementation requires support from both web browsers and web servers to generate secure, context-specific session identifiers.

DeepSec 2008 - Behind Enemy Lines: Administrative Web Application Attacks

At DeepSec 2008, Rafael Dominguez Vega presented research on administrative web application attacks. The presentation focused on script injection vulnerabilities in SSID and DHCP systems. Demonstration techniques for exploiting administrative web interfaces were discussed in the talk.

  • 31 Jul 2008

Behind Enemy Lines: Administrative Application Attacks White Paper released

A white paper by MWR InfoSecurity explores security vulnerabilities in administrative web applications. The research details how alternative network protocols like DHCP and 802.11 can be leveraged to conduct web-based attacks. The paper provides insights into practical exploitation techniques for testing and compromising administrative web applications.

IBM WebSphere MQ Security Part 1

This whitepaper examines security vulnerabilities in IBM WebSphere MQ middleware, a widely used enterprise messaging system. It highlights the complexity of securing middleware environments and introduces a penetration testing methodology for assessing WebSphere MQ security. The research aims to provide insights for security professionals responsible for protecting complex messaging infrastructure.