Defencely USP for Major Finance Brokering Giants! Are you Ready!?

As part of our ongoing efforts to spread cyber security awareness, we’ve taken measures to go the extra mile & bring you rich blog posts about tales & adventures at Defencely Lab. We are going to explain & demonstrate how we chained up critical information to gain access to millions of customer accounts, in order to safeguard our valued clientele proactively.

The majority of our clientele are major finance brokering companies, & we’d like to add that as the industry is grooming under the leadership of real-time markets, it’s critical to retain value accordingly; an online heist would certainly cause financial loss to a growing company.

We are intentionally excluding the name of the target, to stick to the confidentiality clause we’ve signed. At this point, our readers should be able to draw an analogy from the steps taken & mentioned in this post to get the complete picture of what’s happening.

We had been assigned the same target several times for serious security threats; we had reported some SQL injections and some more serious security threats, but the vendor was still not satisfied. It was time to escalate this further and make it more serious.

We started enumerating the target. While the enumeration process was going on, we came across an HTTP service running on port `8080`.

This was not a white-box pentest; we did not have any test credentials to check out the application. We didn’t want to miss anything this time, so we checked whether the login parameters were properly sanitized. I tried breaking the query, but no errors were thrown.

We were sure that this was a time-based blind SQL injection. We made the application sleep(20) for 20 seconds. Not wasting much of our time, we threw the same to SQLMap. The exploitation process was quite slow, even after increasing the threads.

The application was built on the ASP.NET framework, most probably written in C#, with MSSQL as the DBMS. If you have used SQLMap before, you already know there’s a flag for gaining an os-shell if the requirements are met, depending on the DBMS detected.

We gave this a try: this flag in SQLMap checked whether xp_cmdshell was enabled on the target system, and luckily our target had it enabled. SQLMap prompted us with this screen:

We were happy that we had gained a not-quite-proper shell, but at least we had command execution this time.

As this was a Windows system, I executed some commands to make sure everything was working fine, but the problem was that no standard output was returned to our side. So we were not able to verify whether everything was working on that side and the commands were actually getting executed.

To make sure the commands were getting executed, I started capturing ICMP packets on my side and tried pinging from the target system.

Pinging our system from the target

Capturing the ICMP packets on our side:

We received several requests from a specific IP, including a web address in the headers.

We opened up the website and it was of an ISP. Our target was at the TOP of their client list.

Now it was time to get a proper shell on the target. We were not sure whether PowerShell was present on the target. We simply typed powershell.exe at the os-shell prompt; there was a long delay and it exited from the prompt. What we did was create a file named ‘def.txt’ locally, start the inbuilt Python HTTP server and try downloading the file onto the target’s machine using PowerShell.

We can see that it actually tried downloading the file from our HTTP server.

We tried downloading netcat onto the target machine to initiate a connection between the target and my system, but there was some kind of firewall dropping my netcat connection every time I connected to the target.

But a simple MSF reverse TCP did the work.

That’s all we have for now. Let’s look forward to more amazement at Defencely Red Team Operations Labs next week, for yet another amazing uncover story of how we’re adding value to our customer base with an insider threat program as well as routine, sound & offensive Vulnerability Assessments followed by a Penetration Test for critical applications, both at the staging level & on production bases. Our manual security assessment methods have proved the best value. Feel free to touch base at shritam@defencely.com, Shritam Bhowmick, Red Team Lead @Defencely, for any Security Operations related queries, or say “Hi” to us at hi@defencely.com for inquiries.

We should see you again next week with another operational tale from the broad security premises, where 0days are always a possibility & in proximity of a security compliance issue which will always be a sooner-or-later decision by Indian E-Commerce Management & stakeholders.

Let’s act proactively.

Security Mis-configuration in the Corporate World!

It’s again a pleasure to look forward to the crowd that we’re gathering here at our blogs, & I feel immense gratitude for the responses. With your support, we bring you another extraordinary tale of a red teaming & penetration testing scenario where Defencely breaks all frontier barriers & escalates the ecstasy of the pure bliss of Red Teaming!

This post is intentionally crafted to show how much our clients benefit from our dedicated services & how a few shortfalls in security measures could lead to a larger subset (not to talk of the master set) of risks involving businesses, data & a paramount of reputation, all in one fine package.

Security Misconfiguration

A security misconfiguration can happen in any part of an application.

Today, we are going to discuss how we owned a target using a similar misconfiguration, which led us to compromise the whole database system.

The screenshots used in this post are intentionally created in our lab environment to reproduce the same scenario while maintaining the security policy of the target company.

The process of reconnaissance took us to an IP. A simple NMAP scan shows the result:

So, there was something running on port `8000`. When we took a look into that, we found:

The developers had left the old config files lying around, that too on a publicly exposed server. We checked whether phpMyAdmin was running on the target host.

And we were in.

India’s Toppest Travel & Leisure Benefits from Defencely!

This might not be a fairy tale of an incident handling case where the cyber security experts @Defencely were able to crack open something in a minute and expose the flaw. But in such cases, to save India’s 2nd largest travel agency, a brief but active incident handling effort was required to slam out the existing flaw and hence save the financial data at stake.

Thanks to our first and oldest exclusive client, who have passed our excellence & have introduced us to major airlines with whom we’re now working; we have continuously been in a state of expansion while keeping our vision intact: to provide security as a process & not sell it as an end product!

Defencely Clarifies Python Object Injection Exploitation

Readers,

Welcome to the Defencely Blog. This is Rony, part of the Red Teaming Operations Associates at Defencely Cloud Security Pvt. Ltd., & we are extremely delighted to present exploitation scenarios from recently conducted security operations for prestigious organizations in India & for global enterprises.

Today at Defencely Lab we are going to explain & demonstrate the Python Object Injection attack in minute detail. The whole demonstration will be done with our own intentionally vulnerable application & exploit, which you can find at this link: Github – Python Object Injection

Contents – 

  • Introduction to Python Classes and Objects.
  • What is an Object Injection?
  • Detecting an Object Injection Attack.
  • Understanding the workflow of a Vulnerable Application.
  • Coding our own exploit against the intended Vulnerable Application.

Prerequisite –

  • Basic understanding of OOP concepts.

Introduction to Python Classes and Objects.

What are Classes?

A class is basically a template where you store your variables & methods.

What are Objects?

Objects can be anything: an instance of a class, a variable or a function in a class.

Let’s go into the practical examples:

Here you can see we have created an instance of the class named Test and assigned it to a variable named simpleapp, passing the value of the variable rony to the instance.

Output –

“ simpleapp = Test(rony) ”

When this particular code is executed, Python creates an object and then passes our value as the first parameter. Whenever Python creates an object, the __init__ method is invoked; __init__ works like a constructor in Python.

The random-looking text printed with our output is because we are directly printing the variable holding the instance, to show how Python treats it as an object.

What is an Object Injection?

Object Injection is an application-level security vulnerability that could allow an attacker to perform critical attacks, depending on the context.

Python specifically has a native module named “pickle” which is vulnerable to Object Injection in particular scenarios.

Python’s official documentation already lists pickle as a risky module when user-controlled data is passed to it.

We can compare the pickle module with the native serialize()/unserialize() functions in PHP, which are also vulnerable to Object Injection when user inputs are supplied.

In Python, unlike PHP, we don’t need magic methods as a condition to inject into objects.

Serializing and deserializing in Python is just pickling and unpickling of data.

Unpickling data is NOT necessarily dangerous in Python, unless user input data is passed to the unpickling process.

This is how pickled and unpickled data look in Python –

Detecting an Object Injection Attack

To achieve an Object Injection, you have to do a white-box pentest on an application, because whenever you are pickling complex objects, the serialized data in Python comes with the name of the class, its variables & their values.

The pickle module offers four methods for easy and fast pickling/unpickling.

  • dump()
  • dumps()
  • load()
  • loads()

You can find their respective functions in Python’s official documentation.

As I already mentioned, unpickling data is NOT necessarily dangerous, but if you are handling user input and in the backend you are pickling and unpickling the user-supplied data, that’s where the risk comes in. I quote: “Never trust user input”.

If the supplied data is user-controlled, it can obviously get tampered with.

So, if you see pickled data passing through any HTTP method, there might be a possibility of Object Injection.

 

Understanding the workflow of a Vulnerable Application

Filename: pickle.py

We will be studying the above code and tweak this accordingly to achieve an object injection.

Ignore everything else written on the code above let’s concentrate on the three things.

  • The user input which is the arg variable in this case.
  • The final_workout() method inside the class simpleApp which interestingly runs a python file.
  • The method which is called app.secureaApp() which is unpickling the inputted data.

Now lets dive deep and lets understand what role does these methods are playing.

The secureApp() method in the simpleApp() class

I am assuming that you probably have read the Python Official Documentation which i have already linked above & know the in’s and out’s of the methods used in this particular post by now.

Methods

  1. dump()
  2. dumps()
  3. load()
  4. loads()

What this secureApp() method does is take a filename as an argument, unpickle the data from the file using the load() method of the pickle module and assign the unpickled data to the variable workDone, which is later taken as an argument by the final_workout() method.

Let’s see what’s in the final_workout() method.

The final_workout() method in the simpleApp() class –

This method creates a Python file named code.py, writes the unpickled data into the file and runs it. Simple, right?

Let’s see how it looks when we run our main vulnerable application pickle.py with the already generated serialized data.

As we can see, it prints out the content from the serialized data and runs it successfully, which prints out the string.
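The detection hint above (pickled data passing through an HTTP method) and the secureApp() workflow are two halves of the same problem, so here is one added example, not part of the original post or its GitHub repository: a static scan that lists the globals a pickle stream would import, and a restricted unpickler that a secureApp()-style loader could use in place of a bare pickle.load(). The sample pickles are constructed inline; RestrictedUnpickler, SAFE_BUILTINS and the subprocess.Popen reference are this example's own choices.

```python
import builtins
import io
import pickle
import pickletools
import subprocess

# Constructed sample inputs: an ordinary data pickle, and one referencing a global.
# The second carries no REDUCE opcode, so even plain pickle.loads would only return
# the class object; nothing is executed anywhere in this example.
SAFE_PICKLE = pickle.dumps({"user": "rony", "ids": [1, 2, 3]})
SUSPICIOUS_PICKLE = pickle.dumps(subprocess.Popen)

STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
              "STRING", "SHORT_BINSTRING", "BINSTRING"}

def referenced_globals(data):
    """Static scan: every module.name the stream would import on load().
    Plain data pickles reference none, so any hit on data arriving over HTTP
    deserves inspection before it ever reaches pickle.load()."""
    found = []
    recent = []  # last two string constants pushed; STACK_GLOBAL consumes them
    for op, arg, _pos in pickletools.genops(data):
        if op.name in STRING_OPS:
            recent = (recent + [arg])[-2:]
        elif op.name == "GLOBAL":  # genops renders its two lines as "module name"
            module, name = arg.split(" ", 1)
            found.append(f"{module}.{name}")
        elif op.name == "STACK_GLOBAL" and len(recent) == 2:
            found.append(f"{recent[0]}.{recent[1]}")
    return found

SAFE_BUILTINS = {"set", "frozenset", "slice", "range", "complex"}

class RestrictedUnpickler(pickle.Unpickler):
    """Hardened stand-in for a secureApp()-style pickle.load(): find_class is how
    the unpickler resolves GLOBAL references, so allow-listing it turns an
    arbitrary import into an UnpicklingError instead of a loaded callable."""
    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")

def safe_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()

def rejects(data):
    """True when the restricted unpickler refuses the stream."""
    try:
        safe_loads(data)
        return False
    except pickle.UnpicklingError:
        return True
```

For data that only needs dicts, lists and strings, the safest route is to avoid pickle entirely and use JSON; the scan above is for the cases where pickled input is already in the request path and cannot be replaced overnight.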

Next, we will learn to craft our own serialized data to perform a successful object injection on the same application.

Coding our own Exploit

We now know that pickle.py works with the serialized data, so to serialize our own crafted payload we will use the dumps() method to pickle our payloads.

And here is our final exploit to produce our own serialized payload data, which you can also find at the shared GitHub link.

Filename: exploit_pickle.py

We are going to serialize a piece of code which includes system commands with the exploit we coded, and test whether it works.

And we are now able to successfully inject our own crafted code.

I hope this will be a tremendous insight into such vulnerabilities, which are well hidden in heaps of crafted enterprise code, & we hope to continue providing excellent security services for all kinds of business houses & enterprises with absolute integrity.

This is Rony Das from Defencely Cloud Security Pvt. Ltd.; join me next week on the Defencely Blog with more such highlights, whereby our Defencely Lab exploitation goes beyond all measurements, bypassing all kinds of security walls.

Thank you & have an excellent day ahead.