Monthly Archives: April 2015

iOS 8.1.3 / 8.2 Kernel Panic

Earlier last month, I wrote a short post about a possible iOS 8.1.3 / 8.2 kernel vulnerability. Turns out to be nothing exploitable, just an issue where memory is low, causing the kernel to continuously allocate memory until nothing is left, which then triggers the kernel panic. It was no longer possible to replicate the crash on the latest iOS 8.3, so I guess the bug was fixed by Apple Security when I reported it. Below is the video showing how the kernel panic can be replicated.

Stopping the Heartbleed

Attempts to fix the infamous Heartbleed bug requires more than just patching the OpenSSL vulnerability. As login credentials are usually assumed to be compromised after a security incident, keys and certificates are also no exception.

To successfully fix the Heartbleed bug, these are some steps to consider:

  • Patch the OpenSSL vulnerability
  • Generate fresh keys
  • Purchase / generate / issue / install new certificates
  • Revoke old certificates

Many organisations do not understand the impact of the Heartbleed bug. Below is a simple POC I tried showing the extraction of login credentials remotely from a vulnerable server:

heartbleed_poc_2

Fig 1: Login with valid credentials

heartbleed_poc

Fig 2: Dump the memory contents using publicly available exploit code.

There are many exploit codes available online. The exploit code which I used for my test was from https://gist.github.com/eelsivart/10174134 which I personally find to be nicely scripted.

OSCP Course Review

When I first ventured into the Information Security sphere, I wanted to obtain relevant certifications that could help boost my chances in getting an entry-level job that is Infosec related. I then realised that there are far too many Infosec certifications out there, so which to choose? My senior back then told me that most people would opt for the CEH, as it is a common criteria that most HR personnel look out for. I went ahead and took the CEH, followed by the ECSP and then the ECSA, but deep down, I felt that I have not learned anything new, as it was hardly challenging. Most of it was just memorising answers. Also, the credentials of that particular certification body is questionable and frowned upon by the general Infosec community due to various scandals and hacking incidents that happened in the past. To be honest, I am not proud to be holding those certifications.

I then decided to take ISC2’s most entry level certification, the SSCP. This was slightly more challenging as the questions are scenario based. Still, there was zero hands-on, all theory. I then started looking out for hands-on training that are available in my area. If funding was not an issue, I would have opted for some of the SANs courses like GPEN/GXPN/GREM. From what I heard, the training is top-notch quality, but the exam is still multiple choice.

One lucky day at one of the SANs Singapore community night event, my good buddy told me that he has recently enrolled in the OSCP course by Offensive Security. That was when I got to know about the various courses offered by Offensive Security. When I got home that night, I did my own research on the courses offered and was pleased that the pricing was not too expensive and that I could attempt the course from anywhere, as it was all online.

I embarked on my OSCP journey in the month of July 2014 and it is clear that the Offensive Security Certified Professional certification is by far the most insane as well as the most rewarding achievement I have accomplished. The OSCP course, lab and exam takes a totally hands-on approach and is not like your usual certification examination with multiple choice questions where guessing certain answers will work with a bit of luck. The final examination is a gruelling 24-hour affair in which you have to own boxes in a small network.

TL:DR

Take and complete the OSCP course if you want to excel in penetration testing. You will definitely pick up a lot of new skills and tricks, and learn to look at scenarios from a different perspective.

0. OSCP Timeline

  • 8th July 2014 – Enrolled
  • 13th July 2014 – Course started
  • 11th September 2014 – Lab time expired (Did not attempt the labs at all)
  • Huge gap from 11th September to 8 December was due to job transitioning
  • 8th December 2014 – Attempted exam, failed (Did not want to waste the exam attempt)
  • 27th January 2015 – Renewed lab time for 15 days
  • 11th February 2015 – Renewed lab time for another 30 days
  • 13th March 2015 – Attempted exam, passed!

1. Experience prior to taking the OSCP course

I had basic penetration testing experience when I first enrolled for the course. The main goal was to gain more knowledge in penetration testing so that it can facilitate my career switch from an information security analyst to a penetration tester. Obviously, I got my money’s worth and much much more from the course. I was involved in a series of internal vulnerability assessments, internal penetration tests at my previous role, configuring SIEM detection rules, firewall rules and doing daily system administration of linux and windows servers. I believe it is possible to complete the course with little to no prior security related background, as all you need is sheer determination and a passion for Infosec.

2. Course Registration

I will not be describing much about the registration process as there are numerous reviews out there that contains that information. Basically, I signed up for the 60 day course, followed by a 15 day extension, and another 30 day extension.

3. Course

I was excited when the course materials arrived, and dived into it immediately. The videos are clear and concise, making it easy to understand the material without much difficulty. I took roughly 45 days to complete viewing all the videos and completing the course exercises that were in the PDF. Your mileage may vary, I have seen folks completing everything in 30 days, which I personally find to be an awesome accomplishment. I felt that I was not too familiar with some of the tools and concepts, and decided to take a longer time to understand the concepts and practise on shell scripting. The remaining 15 days were gone to waste as I was busy with personal as well as work-related stuff. It is important to make sure that you have allocated time for the course and labs, as each day wasted is approximately USD$10!

After my lab time has expired, I did not find time to get a renewal. One day when I was checking through my email, I opened the expiration email and saw that my examination attempt was going to waste. I decided to schedule it to get a glimpse of what the examination is like, instead of letting it expire. I will elaborate more on the exam in point 5. Bottom line is, I failed that attempt as I have only gathered approximately 50 points (1 root and 2 limited shells). 70 points were needed to pass the exam.

4. Labs

The labs is where all the fun is at. After the failed exam attempt, I was quite demoralized and decided that I will attempt the exam again only after I have at least obtained root on some of the machines in the labs. When I renewed my lab time, I was amazed by the size of the lab network. On hindsight, I should have spent most of my available time in the labs rather than aiming to complete all the course exercises. One by one, I managed to root the boxes in the labs. Sometimes it would take a few minutes for the low-hanging fruits, and several days for the really hardcore boxes like pain, sufference, humble, timedev etc. The more I progressed in the labs, the more addicted I became. I ended up unlocking all 3 networks with approximately 47 boxes with full root access.

5. Exam

Since I have attempted the exam once, I knew roughly what to expect. I was not as lucky as some of the folks to get multiple examination boxes that are the same as their previous examination attempt. All but one was new! The box which I got previously was the box I dreaded, because I have spent 12 hours on privilege escalation without success. I panicked a little but decided to do my best.

First, I did enumeration of the 5 boxes. After 2 hours in, I got an easy win with one of the 20 point linux box. I then referred to my previous exam report and got a limited shell on the windows box that I have attempted before, and left privilege escalation for that last. I then proceeded to work on the exploit development box, which was not too difficult as I have successfully completed a similar box in the previous examination attempt. It was just using the same concepts taught in the course videos, just on a different vulnerable software. Before I know it, 12 hours have passed and I still have not raked enough points. I was starting to panic. I then used my Metasploit chance on a 10 point box, worked the next 8 hours on the limited shells I had and finally decided that I should have enough points to pass. I was uncertain how much points will be given for a limited shell as the marking scheme only indicated point values for full administrative access. I was really exhausted at this point of time and I decided that it was probably enough. I then went to bed, slept for 12 hours and woke up to complete the exam report. I had created my lab report one week prior to the exam, so I did not have to rush. The exam report took me approximately 3 hours. After checking through the reports several times, I submitted them and went to grab some beers as a mini celebration.

3 days later, I got the email indicating that I have successfully completed the course. I was overjoyed! To those contemplating on whether to take the OSCP course, do not hesitate further. To those in the process, do not give up and always try harder. Cheesy, but effective.

Certification Package

IMG_0593

PROLiNK PRN2001a Default Firmware Backdoor Account

I was playing with a cheap wireless-N router (S$25) that I bought at a nearby store and found out that there are some serious security issues with it.

IMG_0586

It seems that in the default firmware that came with the router, there is actually another ‘admin’ account with the same login name, just a different password. I telnet to the router with the default credentials of admin:password and took a look around.

img_0584

The ‘show login’ command showed that there were 2 login accounts, the default admin account and another backdoor admin account with the password XXXXairocon, where XXXX is the last 4 characters of the router’s MAC address. The MAC address can be easily obtained from an NMap scan.

mac_4digits

I then proceed to hard reset the router to confirm it was built into the firmware and the account was still there after numerous resets. Dumping the config.img, it is confirmed that it was a backdoor account set by the firmware vendor. There was even a blatant “BACKDOOR” attribute with the value of “0x1” for that account!

IMG_0582

Using the backdoor credentials did not work on the interface on port 80 but it was possible to use those credentials through telnet:

login_with_backdoor_telnet

Most of the other issues I found has already been discovered by Herman Groeneveld (http://www.exploit-db.com/exploits/35419/), although his tests were done on the PRN2001 model while I did tests on the PRN2001a model. I went ahead and downloaded the latest firmware for the PRN2001a model from http://bit.ly/1bZ5YLK, upgraded the firmware and saw that the backdoor account was still there, since it was an incremental update. After doing a hard reset with the latest firmware, the backdoor account was no longer present. There is also an NSE script created by Cesar Neira @ http://bit.ly/19XlFS5 which might also be used against this router, but some modifications will have to be made.

This could be a security issue if someone does not update the router’s default firmware, or did not do a hard reset after the latest firmware is installed. Someone in the same network segment could utilize this account to gain administrative privileges to the router and make configuration changes. If the router user has configured remote WAN administration access to the router, remote access through the backdoor account will be possible. I believe that many of these shoddy firmware are created by third-party vendors and that the router company themselves are unaware of it.

References: