Thursday, December 10, 2020

Looking back on 2019 and 2020…

Every year we look back on the previous year and reflect on what happened, our achievements, lessons learnt, etc. However, last year this fell through, i.e. we did not look back on 2019, which is just as well given what happened / is happening in 2020. Or maybe this is some version of the butterfly effect  Ƹ̵̡Ӝ̵̨̄Ʒ (∩╹□╹∩)

Okay, okay, we are being a bit dramatic here, but it is 2020 and anything is possible. Besides our newly acquired l33t ASCII art one-liners ᕕ(⌐■_■)ᕗ, here are some of the highlights of the last 2 years.

Internships / Bootcamps

We ran two successful internships / bootcamps. This is an important part of our strategy to contribute towards developing / nurturing local information security skills in South Africa. For additional information on the two bootcamps that we ran in the past two years, refer to:

From the bootcamps we ran, we ended up hiring 5 new staff members who joined our team and are now on their way to achieving great things, both at Telspace and in the community (watch this space).

Those that did not make it with us, in most cases, ended up finding jobs at other infosec companies and / or corporates, which is exactly why we started the bootcamp: to bring more people into the industry as a whole, not just into Telspace. We also assisted those that could not find a placement by sending their CVs to some of our customers and / or competitors. Below are some pictures of the bootcamp:

2020 Bootcamp


2019 Bootcamp

Talks and Research


Over the last two years we have given a number of talks and facilitated training both locally and internationally; below are some of the highlights:

Training - Hack to Basics - x86 Windows Based Buffer Overflows, an introduction to buffer overflows


We gave this training at both DEF CON 1.0 China and DEF CON 27 in Las Vegas in 2019; it was presented by Dino and Manny. It was really great to meet up with all our friends at DEF CON and make new friends; hopefully in 2021 we will all be able to meet up again!


Undercover hackers on their way to DEFCON China (no black hoody = no hacking going on here)

Epic artwork, epic venue! #HackerVibes


The actual venue where we were presenting but we totally missed the entrance and went on an adventure, thank goodness for Grifter!


Our names in lights O_O


A full house for all our classes with great interactions and learning!



Party time, and man was it a party x_X





Thanks to all the trainers, organisers, volunteers and everyone that made DEFCON China 1.0 possible <3

Training – Ethical Hacking 101

Right after China we were off to sunny Tel Aviv in Israel for BSides Tel Aviv, where we were sponsors and also gave our Ethical Hacking 101 training course. The local Israeli hacking community is really awesome, and 100% of the proceeds of our training course were given back to be used by the local BSides TLV community.

Some cool art work on Aviv Beach


Raul (left) and Manny (right), ready to present to the community


Packed house for the kick off of BSides TLV 2019


Aaaaaaaaaaaaaaaaaaaand guess where we are now, VEGAAAAAAS!




Here we gave our Hack to Basics training as a DEF CON workshop, got to catch up with old friends and made new ones; there is nothing else like DEF CON Vegas!

Students from one of our classes (the ones that wanted to be in the picture, that is!).

#TheBadgeLife – we got to have them all (or at least some!).

Back to the Motherland

Telspace has always been very close to the local (South African) infosec community and we believe in giving back. In line with this, we started / established the DC2711 group in South Africa and held our first conference last year, on the 5th of October 2019. The conference was completely FREE to attend (for the community) and allowed various international and local researchers to share their research; for a full list of speakers, refer to https://www.dc2711.co.za/dc2711_Presentations.html. Attendees also got swag packs full of DC2711 goodies.

Jayson Street handing Dino the official DEF CON flag for the DC2711 Group

The official DC2711 sticker but more importantly, a coffeeeeee voucher :D

DC2711 Badges

Some official swag :D

Dino and Manny with their fun faces on :P


#DuckArmyInvasion


The core GOON team for DC2711 – thank you again!



We were also Gold Sponsors of BSides Cape Town 2019, and Amy's talk was also accepted (this talk was first presented at DC2711)!

On our way to BSides Cape Town!!!!!


Amy Manià giving her talk “Put words in my mouth” although we all know it as the “deep throat” talk.

Amy’s talk is accessible online at https://www.youtube.com/watch?v=4R-g90lplco

Research / Dropping them 0days

In 2019 and 2020 we discovered and reported on a number of vulnerabilities, some of the main ones being:

We also released a tool called Travesty, a post-exploitation directory and file enumeration tool. It can be downloaded at https://github.com/telspacesystems/travesty.

For additional information on these and others we released / published this year refer to https://blog.telspace.co.za/ 

During DEF CON Safe Mode (DC28), Greg, Amy and Derek presented at the “War Story Bunker” event (Friday 7th August 2020): a pentesting story that caused a lot of big laughs and surprised faces. Unfortunately these sessions are not recorded, for various reasons, but more information about DC28 can be found at https://www.defcon.org/html/defcon-safemode/dc-safemode-schedule.html.

Amy Mania also represented Telspace on a Woven Experiences podcast with Melissa Monnig; the interview can be listened to on Spotify at:

Throughout the year we also participated in other local and international conferences, round table events and provided comments on news stories in the media.


Last but not least, our CEO and Founder (Dino Covotsos) is officially part of the DEF CON Review Board (Talks and Workshops). This is a great achievement, in particular representing South Africa at such an international level. More information can be found at: https://www.defcon.org/html/defcon-27/dc-27-cfp-review-board.html
In closing, we would like to thank everyone who made our 2019/2020 so amazing, a huge thank you to our staff, clients, employees, friends and most importantly the local and international Information Security community.   
We wish you all the best and a prosperous year for 2021.

Thursday, July 9, 2020

phpList – CVE-2020-15072 & CVE-2020-15073 – Story Time

phpList is currently used in 73 countries and is a popular choice for sending email newsletters, marketing campaigns and announcements. It is accessed via a web browser and is open source (https://www.phplist.org); a paid-for hosted version also exists as a service via https://www.phplist.com.

Given its wide use / adoption, I recently decided to take a look at phpList in order to give back to the open source community.

I would also like to credit phpList, and especially Suela at phpList, for responding and patching very quickly. A new version of the application is now available for download.

You can browse all the fixes, comments and patching by going to the following URLs:



A walkthrough of the two identified vulnerabilities is given below:

1.) Code Injection via "Import administrators"


1.1) Click on "Config" then "Import administrators"

1.2) Edit a txt file to include basic headers and text (offline) as follows:


1.3) Click on "Choose File" and select the text file.

1.4) Click "Do Import"

Code Injection Triggered (not stored)

1.5) Go back to "Import administrators"
1.6) Untick "Test output:"


1.7) Click "Do Import" and you will get an import database error.
1.8) Edit the same text file and add another user as follows:

1.9) Go back to "Import administrators"
1.10) Click on "Choose File" and choose the text file.
1.11) Untick "Test output:"

1.12) Click "Do Import" and you will get more import database errors
1.13) Browse to "Subscribers" then "Subscriber Lists"

1.14) Click on the first one and you'll get a "hi" popup:

1.15) Go back and click on the second one and you'll get a cookie.

2.) Error based SQL Injection via "Import administrators"


2.1) Click on "Config" then "Import administrators"
2.2) Edit a txt file to include basic headers and text (offline) as follows:

email           loginname       password
test2@test.com  "'testsql       test

2.3) Untick "Test output:"
2.4) Click on "Choose File" and choose the text file.


2.5) Click "Do Import" - you'll see the error-based SQL injection.
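One block serving both walkthroughs above (the loginname that later executes in the subscriber list page, and the quote characters that produced the database error), as an added example that is not phpList's code: a hardened import handler that allowlists the loginname, inserts through a prepared statement and HTML-encodes on output. It assumes the pdo_sqlite extension and uses a hypothetical `admin` table.

```php
<?php
// Added illustrative example, not phpList's code: a hardened handler for a
// tab-delimited "import administrators" file (email, loginname, password).
// The loginname is allowlisted before storage, stored through a prepared
// statement and HTML-encoded when rendered. Table and function names are hypothetical.
declare(strict_types=1);
// Constructed sample: header row, the two kinds of loginname the post showed
// the importer accepting unchecked, and one well-formed row.
$sample = "email\tloginname\tpassword\n"
    . "test@test.com\t<script>alert('hi')</script>\ttest\n"
    . "test2@test.com\t\"'testsql\ttest\n"
    . "ok@test.com\talice_01\ttest\n";
// Splits the file into accepted rows and rejected line numbers with a reason.
function parseAdminImport(string $raw): array {
    $lines = preg_split('/\r?\n/', trim($raw));
    if (explode("\t", array_shift($lines)) !== ['email', 'loginname', 'password']) {
        throw new InvalidArgumentException('unexpected header row');
    }
    $ok = [];
    $bad = [];
    foreach ($lines as $i => $line) {
        $no = $i + 2;  // 1-based line number, the header is line 1
        $cols = explode("\t", $line);
        if (count($cols) !== 3) { $bad[$no] = 'expected 3 columns'; continue; }
        [$email, $login, $password] = $cols;
        if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) { $bad[$no] = 'bad email'; continue; }
        // Strict allowlist: rejects markup, quotes and anything else that is not a
        // plain identifier, so neither payload from the post reaches SQL or HTML.
        if (!preg_match('/^[A-Za-z0-9_]{1,64}$/', $login)) { $bad[$no] = 'bad loginname'; continue; }
        $ok[] = [$email, $login, password_hash($password, PASSWORD_DEFAULT)];
    }
    return [$ok, $bad];
}

// Parameterised insert: the value is bound, never spliced into the SQL text.
function storeAdmins(PDO $db, array $rows): int {
    $db->exec('CREATE TABLE IF NOT EXISTS admin (email TEXT, loginname TEXT, pwhash TEXT)');
    $st = $db->prepare('INSERT INTO admin (email, loginname, pwhash) VALUES (?, ?, ?)');
    foreach ($rows as $r) { $st->execute($r); }
    return count($rows);
}

// Encode on output too; the allowlist is defence in depth, not the only guard.
function renderAdminList(PDO $db): string {
    $html = '';
    foreach ($db->query('SELECT loginname FROM admin') as $row) {
        $html .= '<li>' . htmlspecialchars($row['loginname'], ENT_QUOTES, 'UTF-8') . "</li>\n";
    }
    return $html;
}
[$rows, $rejected] = parseAdminImport($sample);
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
printf("imported %d, rejected %d\n", storeAdmins($db, $rows), count($rejected));
foreach ($rejected as $no => $why) { echo "line $no: $why\n"; }
echo renderAdminList($db);
```

Run with `php import_demo.php`: the two payload rows are reported as rejected, only `alice_01` is inserted and rendered.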



Creative Commons - Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) - https://creativecommons.org/licenses/by-sa/4.0/

Tuesday, June 23, 2020

Pi-hole Code Injection – CVE-2020-14971 – Story Time

A while ago, we had an internal discussion around people working from home and the technologies/products that could be implemented and/or bought to protect home users. This was due to the implementation of the nationwide lockdown which resulted in companies being forced to change their approach entirely to having employees work from home. 

During this discussion the Pi-hole was mentioned. Pi-hole is a very popular option for the more “tech savvy” home user and, generally, anyone that’s tired of being spammed with random adverts on every website. You can find more information about it here: https://github.com/pi-hole/pi-hole/.

Since I had a Pi-hole installed already, I decided to take a look at this beautiful piece of ad blocking software in more detail, specifically reviewing the code and logic of the application. Because it’s open source and freely available, this was easily accomplished by downloading and installing the latest Pi-hole (v5.0 at the time).

It’s worth mentioning that a lot of vulnerabilities had already been found in this software; some overlapped with findings of my own, particularly during April and May, and were rightfully credited to the first people that reported the issues. With that being said, the Pi-hole is a popular target for researchers and adds a lot of value to people’s home and small office environments, so the more findings and fixes the better. I also wanted to focus on the latest version because of this.

Initially, I found a few critical security vulnerabilities, but many had already been found and fixed, and others ultimately required local shell access in some form; some functionality had also changed over time, which resolved those particular RCE issues too. I therefore looked at a few other vectors and decided to focus on one specific attack vector that looked promising.

Backup Functions:


Settings.php has lots of functionality, one part of which allows users to back up and restore (export and import) the Pi-hole configuration as a limited set of files (the Teleporter tab).



This was interesting because exported files are compressed in tar.gz format and saved. After decompressing the archive and systematically reviewing each saved file, I found several files that would have been useful, easy wins for RCE, in particular if no whitelisting and sanitising was taking place. However, those particular files are not restored if you modify them, re-compress and upload them to restore the backup.



In this instance, though, the affected files I found are the dnsmasq.d configuration files and the adlist.json file. The dnsmasq.d/04-pi-hole-static-dhcp.conf file holds static DHCP leases, each linking a MAC address, an IP address and a hostname.

I initially modified the dnsmasq.d configuration file, adding my own code in the host parameter. I then re-compressed the archive accordingly and imported it back via Teleporter:


Upon browsing to the static DHCP leases section of the Pi-hole web interface, I could see my code executing correctly, i.e. I had found a code injection vulnerability.


The same then applied to adlist.json and to other parameters in other files: none of the files were being properly checked on upload, they simply overwrote whatever was previously there, and your code therefore executed accordingly:



Browse to host/admin/groups-adlists.php and you should get the ‘Adam popup’:



There are more examples, but they are more of the same as what has been discussed above. I would also like to mention that the Pi-hole is an amazing piece of software, built by people who really care about the community; please support them and donate. All the responses (especially from Adam) were really quick and things were patched exceptionally quickly.
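As an added example (not Pi-hole's code), one way a restore path can check an uploaded backup before writing any of it to disk: refuse files that are not on an allowlist, and accept the static-DHCP file only if every line is a well-formed dnsmasq dhcp-host entry whose hostname is a plain RFC 1123 label. The file names, archive layout and function names are assumptions for this demo.

```php
<?php
// Added illustrative example, not Pi-hole's code: check a restored backup before
// any file is written. Only allowlisted paths are accepted, and the static DHCP
// file must contain only well-formed "dhcp-host=MAC,IP,hostname" lines (dnsmasq
// syntax). The archive layout and file names are assumed for this demo.
declare(strict_types=1);
const ALLOWED_FILES = ['dnsmasq.d/04-pi-hole-static-dhcp.conf', 'adlist.json'];
// Problems found in one static-DHCP file; an empty list means it is accepted.
function checkStaticDhcp(string $contents): array {
    $errors = [];
    foreach (preg_split('/\r?\n/', $contents) as $i => $raw) {
        $line = trim($raw);
        $no = $i + 1;
        if ($line === '' || $line[0] === '#') { continue; }  // blank or comment line
        if (!preg_match('/^dhcp-host=([^,]+),([^,]+),([^,]+)$/', $line, $m)) {
            $errors[] = "line $no: not a dhcp-host entry";
            continue;
        }
        [, $mac, $ip, $host] = $m;
        if (!preg_match('/^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$/', $mac)) { $errors[] = "line $no: bad MAC"; }
        if (filter_var($ip, FILTER_VALIDATE_IP) === false) { $errors[] = "line $no: bad IP"; }
        // RFC 1123 host label: markup smuggled into the host field, as in the post,
        // is rejected here and never reaches the static-leases page.
        if (!preg_match('/^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$/', $host)) {
            $errors[] = "line $no: bad hostname";
        }
    }
    return $errors;
}

// $files maps archive path => contents as extracted from the uploaded tar.gz.
// Unknown paths are refused instead of silently overwriting what is on disk.
function validateRestore(array $files): array {
    $errors = [];
    foreach ($files as $name => $contents) {
        if (!in_array($name, ALLOWED_FILES, true)) {
            $errors[] = "$name: not a restorable file";
        } elseif ($name === 'dnsmasq.d/04-pi-hole-static-dhcp.conf') {
            $errors = array_merge($errors, checkStaticDhcp($contents));
        }  // adlist.json would need its own per-entry check (omitted here)
    }
    return $errors;
}

// Constructed archive: one good lease, one with markup in the host field, and a
// file that must never be restorable from user-supplied input.
$restored = [
    'dnsmasq.d/04-pi-hole-static-dhcp.conf' =>
        "dhcp-host=00:11:22:33:44:55,192.168.1.10,printer\n"
        . "dhcp-host=00:11:22:33:44:66,192.168.1.11,<script>alert(1)</script>\n",
    'setupVars.conf' => "WEBPASSWORD=placeholder\n",
];
$problems = validateRestore($restored);
echo $problems ? "restore rejected:\n  " . implode("\n  ", $problems) . "\n" : "restore accepted\n";
```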

You can browse all the fixes, comments and progress of patching by going here:







Thursday, May 28, 2020

{Certification Review} - OSWE - Staff Review

Recently, Offensive Security released an online version of their certification called “Offensive Security Web Expert”, aka OSWE. Having already obtained several other certifications from Offensive Security, such as OSCP and OSCE, I was curious and intrigued to give the OSWE course a try as well.
I decided to choose the 2-month package option for the course, called “Advanced Web Attacks and Exploitation”, and due to other commitments I requested and was granted a minor 15-day extension.
After watching the videos and reading through the course material, I was very impressed by the content of the course, as it contained detailed information and analysis on certain in-depth attacks.
The course followed a white-box testing approach which was based on source code review, by reading the code of the web application in order to find and exploit potential vulnerabilities.
The course material included several labs with web application software installed on them and by following the content provided in the course material, exploiting the machines was relatively easy.
Before embarking on this course, I would recommend that you have a good understanding of the following skills:

1. Python scripting language:

The course will require you to have a solid understanding of, as well as experience with, Python scripting, as it is used for automating the process of exploiting vulnerabilities as well as automating exploits.

2. Other programming languages:

It is also very important to have basic knowledge and understanding of other programming languages such as C#, JavaScript and Java.

3. Prior experience with web application attacks:

Prior experience with web application attacks will also be very advantageous, as you will be required to have strong knowledge and understanding of common modern web attacks. Personally, I would also highly recommend reading the book titled “Web Application Hacker’s Handbook” beforehand, as its content will be very helpful during the course and thereafter.

4. Source code review:

One of the outcomes of this course is learning how to do white-box testing on web applications by reviewing and understanding the code of the application. Therefore, prior experience in doing source code review on web applications will be advantageous.

5. Web development experience:

Having prior experience with web development and the workings of web applications will also assist with successfully completing this course.

Course Overview:


After receiving the course materials, I began reading the book, watching the videos and solving the exercises and milestones.
The first few chapters of the course were relatively basic, but from Chapter 4 onwards it became far more advanced. Personally, it was at this point that it really became fun, as the course delved deeper into advanced techniques and attack types.
Offensive Security recommends that you try to solve the exercises and milestones as you progress through the chapters, to ensure that you get a better grasp and understanding of the materials and as proof that you have understood everything in that particular chapter.
Listed below are the pros and cons to consider when deciding to take this course:

PROS:

- Great for learning and advancing white-box testing and source code review skills.
- The course covers advanced real-world vulnerabilities such as deserialization attacks and advanced techniques.
- The course covers a wide range of vulnerabilities and exploits, including medium, high and critical risk.

CONS:

- Although the course covers many different attack types, a few are not covered, for example XXE, SSRF, CSRF and SSTI.
- More exercise work and milestones would be advantageous to learners.

The lab review:


The lab consisted of 5 machines which contained the web applications discussed in the course material. Therefore, by going through the course material comprehensively and successfully completing the course exercises and milestones, you should be able to execute the necessary attacks and exploitation paths.
Personally, I would recommend practising as much as possible before moving on to the exam, as this will help increase your skills and confidence.

The exam review:


The exam for the OSWE course is a 48-hour exam, with an additional 24 hours for writing your step-by-step report of the exam. As with all exams, I would recommend that you get enough sleep so that you are well rested and able to perform at your peak.
During the exam I had not rested enough and it started to affect my performance, so my recommendation is that if you start feeling tired, go and sleep for a bit and then resume, as this will help you think more clearly.
A few other suggestions from my experience: remember to get up and take a walk every few hours, and don’t forget to take screenshots as you solve the challenges in the exam.
Lastly, try not to stress too much about the exam; try to think of it as a challenge that you are trying to solve, rather than an exam as such.

Important material to read before undertaking this course:


Below is a list of content material that I would recommend that you read and work through before you undertake the OSWE course:

Summary:


OSWE is a very good course for people looking to improve their source code review skills as well as learning how to detect bugs and vulnerabilities by searching for them in the code itself. I would recommend that you book your exam not long after your lab time ends, so that the information you have learned will be fresh and ready to be used. Overall I enjoyed my OSWE experience and would therefore recommend it to others.
- Blog post by Motaz of Telspace Systems