Tuesday, May 28, 2013

MML Injections


In a recent penetration test we came across a Huawei device that used a Tomcat frontend to send certain parameters to a separate interface or to the command line. At the time we were not sure where the parameters were being sent, but it did seem to give strange returns when playing around with it. Upon further inspection we noticed an error code commented within the page when an error was generated.


After a bit of googlin’ we discovered it was Man-Machine language (MML). According to the wikipedia page:

A man-machine language or MML is a specification language. MML typically are defined to standardize the interfaces for managing a telecommunications or network device from a console.”

And;

“Man-Machine Language (MML) is the industry standard command line language used to manage telecommunications network elements.”

We won’t be getting into the technical stuff on MML and TL1, there is already a lot of information out there on it. We will just be focusing on web portals that use parameters to feed into a query. Essentially our attack was an injection attack. We had a predefined command with our supplied value inserted into one of the properties and the command was run. This may be common on quite a few telecom devices with a web frontend.

A simple query may look like: 

Function{ PARAM1=”Value”, PARAM2=”$user_supplied_value”, PARAM3=”predefinedValue” }

Let’s say we are able to specify the value for ‘value2’ and the other values are already set and we want to redefine the value for ‘PARAM3’ our input may look like:

Anything”, PARAM3=”our new value”};

This will overwrite the PARAM3 value with ours, the semicolon acts as a comment to comment out the remaining part of the query containing the initial value for PARAM3. 

Unfortunately it is not currently possible to redefine a value if it is declared before our input. This will generate an error stating duplicate values exist. 

Another trick that can be used is to escape prefixes to our supplied value is to use a colon(:) this can be used to specify multiple values for an input.

Let’s say the following query has a prefix on our value:

Function{ PARAM1=”Value”, PARAM2=”PREFIX_$user_supplied_value”, PARAM3=”predefinedValue” }

We could supply the following to escape the prefix:

Anything” : “noPrefix

This will supply the extra value without a prefix.

So that’s it for now, hopefully this helps someone out there, please feel free to add extra info or other attack methods in the discussion.

Cheers, Charlton

Thursday, May 23, 2013

Hack the Planet targets MIT again


Following its defacement to the Massachusetts Institute of Technology (MIT) website (mit.edu) in January earlier this year, hacker group Hack the Planet (HTP) have once again done damage to the organisation.

Earlier this year, the group not only performed an anti-Anonymous troll defacement on the MIT homepage, but they managed to intercept and gain full control of the Institute’s incoming and outgoing e-mail by compromising its domain. Although this claim was initially denied by MIT spokespeople, a later statement proved it to be accurate.    
Since then, the hacktivists have managed to maintain access to MIT’s EDUCAUSE domain and have, according to one of their previous newsletters (HTP Zine 5), “entrusted the login credentials of nearly every EDU domain to hackers worldwide”. Links to downloadable ZIP files of the login credentials were also made available in the newsletter.
As it stands, HTP claims to still have active access to MIT’s information, although they have not disclosed any details as to the techniques they used to do so.
The above incident is one of many examples attributable to a steady rise in hacktivism. Up until a few years ago, hacking existed very much as means to procure illicit funds as part of a growing “underground economy”. Almost all cybercriminal incidences were centred around monetary gain.
However, nowadays with the likes of LulzSec, Anonymous and as illustrated above HTP, hacktivist groups are cropping up in growing numbers, their sole purpose being to cause damage via targetted attacks. Much of the time, these attacks are in accordance with some political agenda, but in many cases, these groups are gaining access to high profile organisations for their own enjoyment or, as many of them claim, to teach the target “a lesson in security”.
On the one hand, the rise in popularity of these types of attacks have had a positive influence in the industry, as they have forced many organisations to increase their corporate information security tenfold, something that security companies have been urging them to do for years.
On the other hand, damages to some organisations’ reputations have been irreversible and members of the public are increasingly showing distrust towards the companies that handle their online transactions and information.
To safeguard yourself and your company from damage caused by hacktivist groups such as HTP, we believe it is extremely important to take proactive steps in protecting all facets of your network on a continual basis. This will ensure peace of mind that your organisation is protected from even obscure attacks such as this one.

Tuesday, May 14, 2013

Opportunities and success in the UK


Last month, Telspace Systems made a very important trip to the UK. On the one hand, we went to showcase the company among the other 350+ exhibitors at Infosecurity Europe, but just as importantly, we officially launched our EU-based office in central London.

Infosecurity Europe, considered to be Europe’s number one Information Security event, took place between 23-25 April, at Earl’s Court, London this year.

Although this event has been successfully running for 18 consecutive years, this was Telspace’s first time exhibiting there, and it proved to be the perfect opportunity to coincide with our local office opening.



With over 17 000 registered attendees, we were kept very busy interacting with all the delegates at our stand. We gained a lot of international exposure and met a lot of key industry players, including many competitors. Overall it increased our market presence and also provided us with the opportunity to service new clients.

We managed to collect many great leads, of which we had a large amount of callbacks. Some of the top most contacted clients from the exhibition include UK, Italy, USA, Germany, and Spain. The event also proved to be a great platform for us to present our highly-talented EU-based security engineers to potential international clients.

We were very impressed with how professionally the event was organised and executed. During the whole time we were there, we never ran into any problems. We were amazed by the massive networking opportunities the event offered and we enjoyed the chance to compete in the EU market. The interest and knowledge presented about our industry was huge and it was very exciting to see where we are heading.


Overall, it was a great experience and everyone was very welcoming. We were proud to represent South Africa at an international level and hope to attract even more customers in 2014. We've already booked a stand for next year in the main exhibitor zone!

Check out these links for more information about our EU office launch:

Thursday, May 2, 2013

Join us at ITWeb’s Security Summit

ITWeb’s Security Summit is taking place at the Sandton Convention Centre this year between 7 and 9 May, and we hope you’ll be joining us there.

Telspace Systems has been involved with this event almost since its inception in 2005. Initially, we presented talks on topics such as Bluetooth Hacking to the local and international delegates, and more recently, we've been involved as sponsors and exhibitors.

A few years ago, as some of you might remember, we were involved in a very successful charity drive for renowned computer security expert Johnny Long’s (j0hnnyhax) Hackers For Charity initiative.

Whatever our involvement, though, one thing has stayed the same - Telspace Systems always has a lot of fun at ITWeb’s Security Summits. Not only that, but we find the event to be a great place for us to keep up-to-date with the local IT security community and to get in touch with our customers face-to-face. It also always gives us the opportunity to discuss industry issues and solutions in-depth, which helps us better figure out what our clients want from us on a service level.

According to the website, at ITWeb’s eighth annual Security Summit, “We take a stand, and assert that while some battles have been lost, we need not lose the war. With informed strategy, and effective tactics, as well as a better understanding of the enemy, we may yet turn the tide of the growing cyber security threat.”

This year’s international keynote speaker will be Misha Glenny, investigative journalist and leading expert on cybercrime and on global mafia networks, and he will be contextualising the current information security challenges faced by organisations across the globe.

Other speakers include: Richard Bejtlich, chief security officer at MANDIANT; Adam Ely, founder and chief operations officer of Bluebox; Runa Sandvik, developer, security researcher, and translation co-ordinator, at The Tor Project; Ben Gatti, independent software hacker; and Robert Weiss, founder of Password Crackers.

The event will not only showcase expert insights, but will also feature interactive workshops, valuable networking opportunities, sought-after SANS training, and practical solutions.

With less than a week to go, we hope you’ve registered and are gearing up to attend this top-level local event. But most importantly, we hope you are as excited as we are!  

Come visit us at Stand 2, it would be great to catch up with you all!