Wrap-up: Hack-Lab 2017#1

What is a Hack-Lab?

Compass Security provides a monthly, playful occasion for its security analysts to get together, try to hack new devices, dive into current technologies and share their skills with their colleagues.

This also includes improving internal tools, researching newly published attacks, and analysing the security of hardware and software we consider useful for future engagements.


Topics

The following topics, tools and technologies were discussed during this Hack-Lab:

  1. SharePoint Security
  2. Bypassing Android 7.0 HTTPS Apps Certificates Restriction
  3. JWT4B
  4. CodeInspect
  5. Smart Meter
  6. DNS Tunnel Debugging

Wrap-Up

Topic #1 – SharePoint Security Lab and Knowledge Sharing

SharePoint is a very popular browser-based collaboration and content management platform. Due to its high complexity, proprietary technology and confusing terminology it is often perceived as a black-box that IT and security professionals do not feel very comfortable with.

In a combination of talks and hands-on workshop sessions, Thomas Röthlisberger shared his research work with colleagues. They challenged his findings and shared their thoughts on pros & cons of security relevant settings. The outcome of this Hack-Lab session will be shared in a series of blog posts within the next couple of weeks.

The research in our very own hands-on SharePoint lab allows us to gain an in-depth understanding of any type of SharePoint environment, be it a purely internal collaboration web application, a platform to share information with external partners or a publishing site hosting the company website. To build or assess a secure SharePoint environment one needs to understand the importance of governance, logical and physical architecture, network topology, Active Directory considerations, authentication and authorization, segregation of classified data, hardening and, most importantly, the web-security-relevant settings that make sure the built-in protection measures are effective. Like other modern Microsoft products, an out-of-the-box SharePoint installation can be considered secure. However, there are so many oddly named settings that depend heavily on each other that misconfiguration is likely, leaving the door wide open for unauthorized access by adversaries with SharePoint skills.

TECHNOLOGY:

  • SharePoint Server 2010 & 2013
  • Web Applications, Site Collections, (Sub-)Sites, (Custom) Lists, Document Libraries, Web Part Pages, Web Parts, Apps
  • Web Security, Cross-site Scripting (XSS), Cross-site Request Forgery (CSRF)
  • Navigation Links
  • Web Sensitive Files, permission to Add & Customize Pages and Scriptable Web Parts, e.g. Content Editor and Script Editor (“SafeAgainstScript=False”)
  • Browser File Handling
  • Web Page Security Validation (aka Anti-CSRF token)
  • Lockdown Mode Feature
  • Remote Interfaces SOAP, CSOM, WCF Service, REST Interface
  • Server-Side Controls
  • .NET Sandboxing, Sandboxed Solutions and Apps
  • Self-Service Site Creation
  • Developer Dashboard
  • Audit Logs
  • People Picker

Topic #2 – Bypassing Android 7.0 HTTPS Apps Certificates Restriction

Starting with Android 7.0 (API level 24), apps that target API level 24 or higher no longer trust user-installed CA certificates by default. Intercepting an app's network traffic with a proxy has therefore become more complicated.

The goal is to find or build an app that explicitly targets Android 7.0, then configure it with a network_security_config.xml file (referenced from the app manifest) that lists user-installed certificates as trust anchors again, which bypasses the restriction for that app.

Technology:

  • Android Studio
  • Android 7.0
  • Apktool
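The two changes described above, applied to an app unpacked with `apktool d`, as an added example that is not part of the original write-up or of Apktool itself. The config file content and the `android:networkSecurityConfig` manifest attribute are the documented Android ones; the directory layout and the sample manifest are constructed for the demo, and the targeted app is assumed to declare `targetSdkVersion` 24 or higher (older targets already trust user CAs):

```python
import os
import re
import tempfile

# Contents of res/xml/network_security_config.xml: trust the system store AND
# user-installed CAs (e.g. an intercepting proxy's CA) for every host. This is
# what Android 7.0 already does for apps with targetSdkVersion < 24; apps
# targeting 24+ get "system only" unless they ship such a config.
NETWORK_SECURITY_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>
"""

NSC_ATTR = 'android:networkSecurityConfig="@xml/network_security_config"'

_APPLICATION_TAG = re.compile(r"<application\b([^>]*?)(/?)>")
_EXISTING_NSC_ATTR = re.compile(r'\s+android:networkSecurityConfig="[^"]*"')


def patch_manifest_text(manifest_xml):
    """Return AndroidManifest.xml text whose <application> element references
    @xml/network_security_config, replacing a reference that is already there
    (e.g. a vendor config that pins certificates or trusts the system store only)."""
    match = _APPLICATION_TAG.search(manifest_xml)
    if match is None:
        raise ValueError("AndroidManifest.xml has no <application> element")
    attrs = _EXISTING_NSC_ATTR.sub("", match.group(1)).rstrip()
    new_tag = "<application%s %s%s>" % (attrs, NSC_ATTR, match.group(2))
    return manifest_xml[:match.start()] + new_tag + manifest_xml[match.end():]


def patch_unpacked_apk(unpacked_dir):
    """Apply both changes inside a directory produced by `apktool d app.apk`."""
    xml_dir = os.path.join(unpacked_dir, "res", "xml")
    os.makedirs(xml_dir, exist_ok=True)
    with open(os.path.join(xml_dir, "network_security_config.xml"), "w", encoding="utf-8") as f:
        f.write(NETWORK_SECURITY_CONFIG)

    manifest_path = os.path.join(unpacked_dir, "AndroidManifest.xml")
    with open(manifest_path, encoding="utf-8") as f:
        patched = patch_manifest_text(f.read())
    with open(manifest_path, "w", encoding="utf-8") as f:
        f.write(patched)
    return manifest_path


# Constructed stand-in for an apktool output directory (no real APK involved).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8" standalone="no"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.target">
    <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="24"/>
    <application android:allowBackup="true" android:label="Target"
        android:networkSecurityConfig="@xml/pinning_config">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""


def demo():
    """Patch the constructed manifest in a temp dir and report what changed."""
    workdir = tempfile.mkdtemp(prefix="apktool_out_")
    with open(os.path.join(workdir, "AndroidManifest.xml"), "w", encoding="utf-8") as f:
        f.write(SAMPLE_MANIFEST)
    manifest_path = patch_unpacked_apk(workdir)
    with open(manifest_path, encoding="utf-8") as f:
        manifest = f.read()
    return {
        "manifest_references_config": NSC_ATTR in manifest,
        "old_config_removed": "pinning_config" not in manifest,
        "config_written": os.path.exists(os.path.join(workdir, "res", "xml", "network_security_config.xml")),
    }


if __name__ == "__main__":
    print(demo())
```

After patching, rebuild with `apktool b`, sign the result with the SDK's apksigner (or jarsigner) and reinstall; the repackaged app then accepts the proxy CA installed under Settings. If the app pins certificates in its own code rather than in the network security config, this change alone is not enough.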

Topic #3 – JWT4B

Create a Burp plugin that helps the analyst when testing an application that uses JSON Web Tokens (JWT.IO).

The first step is a prototype that lets Burp visualize the tokens. In later Hack-Labs it should become possible to perform JWT attacks automatically.

Technology:

  • Java
  • JJWT (library)
  • JWT
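What such a visualizer has to do under the hood, as an added example that is not JWT4B's code and uses only the Python standard library rather than the JJWT library named above: split the compact token, base64url-decode header and payload without trusting either, and, when the tester knows the HMAC key, check an HS256 signature. The secret and the claims are constructed for the demo:

```python
import base64
import hashlib
import hmac
import json


def b64url_decode(segment):
    """JWT segments are base64url without padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt(token):
    """Split a compact JWS into its parts without trusting any of them."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature, got %d segments" % len(parts))
    header_b64, payload_b64, signature_b64 = parts
    return {
        "header": json.loads(b64url_decode(header_b64)),
        "payload": json.loads(b64url_decode(payload_b64)),
        "signature": b64url_decode(signature_b64),
        # the bytes the signature covers: the first two segments as sent
        "signing_input": (header_b64 + "." + payload_b64).encode("ascii"),
    }


def render(token):
    """Text a Burp message tab could show next to the raw request."""
    d = decode_jwt(token)
    lines = ["alg=%s typ=%s" % (d["header"].get("alg"), d["header"].get("typ"))]
    lines += ["  %s: %r" % kv for kv in sorted(d["payload"].items())]
    lines.append("signature: %d bytes" % len(d["signature"]))
    return "\n".join(lines)


def verify_hs256(token, secret):
    """True only if the header says HS256 and the HMAC matches. Any other alg
    (including 'none') is rejected here instead of being silently accepted."""
    d = decode_jwt(token)
    if d["header"].get("alg") != "HS256":
        return False
    expected = hmac.new(secret, d["signing_input"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, d["signature"])


def make_hs256_token(payload, secret, header=None):
    """Build a token the way an application under test would (for the sample below)."""
    header = header or {"alg": "HS256", "typ": "JWT"}
    segs = [b64url_encode(json.dumps(h, separators=(",", ":")).encode()) for h in (header, payload)]
    signing_input = ".".join(segs).encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return ".".join(segs + [b64url_encode(sig)])


# Constructed sample: a secret and claims of our own, not taken from any real application.
SAMPLE_SECRET = b"hacklab-demo-secret"
SAMPLE_TOKEN = make_hs256_token({"sub": "alice", "role": "user", "exp": 1500000000}, SAMPLE_SECRET)

if __name__ == "__main__":
    print(render(SAMPLE_TOKEN))
    print("valid:", verify_hs256(SAMPLE_TOKEN, SAMPLE_SECRET))
```

Decoding and verification are kept separate on purpose: a tester wants to see the claims of every token that passes through the proxy, but a verifier must never let the token's own header choose a weaker algorithm than the one the application is supposed to use.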

Topic #4 – CodeInspect

Evaluation of CodeInspect's features.

Determine whether CodeInspect could make future Android app analysis assessments more efficient.

Technology:

  • Java
  • Android

Topic #5 – Smart Meter

Description:

An energy monitoring system was provided for testing. It measures power consumption and exposes several interfaces, the main ones being a web interface (HTTP over TCP/IP) and Modbus.

Assess the security of these interfaces: what can an attacker exploit when given network access to the device?

Technology:

  • TCP/IP
  • Modbus
  • HTTP Web Application
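The Modbus side of that question in concrete terms, as an added example that is not the lab's own tooling: a minimal Modbus/TCP frame builder and response parser. Modbus/TCP carries no authentication or integrity protection, so whoever can reach TCP port 502 can issue exactly these frames; the exchange below is constructed (register addresses and values are invented), and the device is assumed to answer as unit id 1:

```python
import struct

FC_READ_HOLDING_REGISTERS = 0x03
FC_WRITE_SINGLE_REGISTER = 0x06
EXCEPTION_NAMES = {1: "ILLEGAL FUNCTION", 2: "ILLEGAL DATA ADDRESS",
                   3: "ILLEGAL DATA VALUE", 4: "SLAVE DEVICE FAILURE"}


def _adu(transaction_id, unit_id, pdu):
    """Prefix a PDU with the MBAP header: transaction id, protocol id 0,
    length (unit id byte + PDU), unit id."""
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def read_holding_registers(transaction_id, unit_id, start, count):
    return _adu(transaction_id, unit_id, struct.pack(">BHH", FC_READ_HOLDING_REGISTERS, start, count))


def write_single_register(transaction_id, unit_id, address, value):
    return _adu(transaction_id, unit_id, struct.pack(">BHH", FC_WRITE_SINGLE_REGISTER, address, value))


def parse_response(adu):
    """Decode a Modbus/TCP response; an exception response has bit 0x80 set
    in the function code and carries a one-byte exception code."""
    if len(adu) < 8:
        raise ValueError("ADU too short")
    tid, proto, length, unit = struct.unpack(">HHHB", adu[:7])
    if proto != 0:
        raise ValueError("not Modbus (protocol id %d)" % proto)
    pdu = adu[7:7 + length - 1]
    if len(pdu) != length - 1:
        raise ValueError("truncated PDU")
    fc = pdu[0]
    out = {"tid": tid, "unit": unit, "function": fc & 0x7F}
    if fc & 0x80:
        out["exception"] = EXCEPTION_NAMES.get(pdu[1], "code %d" % pdu[1])
    elif fc == FC_READ_HOLDING_REGISTERS:
        n = pdu[1]                                   # byte count, 2 bytes per register
        out["registers"] = list(struct.unpack(">%dH" % (n // 2), pdu[2:2 + n]))
    elif fc == FC_WRITE_SINGLE_REGISTER:
        out["address"], out["value"] = struct.unpack(">HH", pdu[1:5])   # echo of the request
    else:
        out["raw"] = pdu[1:]
    return out


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        part = sock.recv(n - len(buf))
        if not part:
            raise ConnectionError("peer closed connection")
        buf += part
    return buf


def talk(sock, adu):
    """Send one ADU over an open TCP connection (port 502) and parse the reply."""
    sock.sendall(adu)
    header = _recv_exact(sock, 7)
    length = struct.unpack(">HHHB", header)[2]
    return parse_response(header + _recv_exact(sock, length - 1))


# Constructed exchange, as a meter answering as unit 1 might produce it.
REQ = read_holding_registers(1, 1, 0x0000, 2)                 # read 2 registers from address 0
RESP_OK = bytes.fromhex("0001 0000 0007 01 03 04 0E74 0005")   # registers [3700, 5]
RESP_ERR = bytes.fromhex("0002 0000 0003 01 83 02")            # exception: illegal data address

if __name__ == "__main__":
    print(REQ.hex(), "->", parse_response(RESP_OK))
    print(parse_response(RESP_ERR))
```

When assessing such a device, walk the register map with `read_holding_registers` and note which addresses `write_single_register` accepts without an exception response; every writable register is reachable by anyone on the network segment.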

Topic #6 – DNS Tunnel Debugging

Compass Security has its own trojan toolkit, which we use for phishing attacks mandated by our customers as well as for demos and proofs of concept. The trojan also implements DNS tunneling.

Analyze the source code and debug it to identify and fix reliability issues that occur when several clients tunnel over DNS at the same time.

Technology:

  • C++
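The multi-client reliability problem in a form that can be run, as an added example written here in Python rather than taken from the C++ toolkit: each upstream chunk is encoded into a query name that carries a client id, a sequence number and the chunk total, and the server reassembles per client while tolerating reordering and retransmission. The tunnel domain, label layout and messages are assumptions for the demo, not the toolkit's format:

```python
import base64

TUNNEL_DOMAIN = "t.example.com"   # assumed: the zone the tunnel server is authoritative for
MAX_LABEL = 63                    # DNS limits (RFC 1035)
MAX_NAME = 253
CHUNK = 30                        # 30 raw bytes -> 48 base32 characters, fits one label


def encode_upstream(client_id, data, chunk=CHUNK):
    """Turn a client's payload into query names <cid>-<seq>-<total>.<base32>.<domain>.
    Base32 because DNS names are case-insensitive; cid/seq/total in the name make
    every query unique (no answer from a resolver cache) and keep clients apart."""
    pieces = [data[i:i + chunk] for i in range(0, len(data), chunk)] or [b""]
    names = []
    for seq, piece in enumerate(pieces):
        b32 = base64.b32encode(piece).decode("ascii").rstrip("=").lower()
        labels = [b32[i:i + MAX_LABEL] for i in range(0, len(b32), MAX_LABEL)]
        name = ".".join(["%x-%x-%x" % (client_id, seq, len(pieces))] + labels + [TUNNEL_DOMAIN])
        if len(name) > MAX_NAME:
            raise ValueError("chunk too large for one query name")
        names.append(name)
    return names


class TunnelServer:
    """Reassembles messages from many clients at once. Duplicates (resolver
    retries) and out-of-order arrival (parallel resolvers) are the normal case."""

    def __init__(self):
        self.partial = {}   # client_id -> {"total": n, "chunks": {seq: bytes}}

    def handle_query(self, qname):
        suffix = "." + TUNNEL_DOMAIN
        if not qname.lower().endswith(suffix):
            return None                          # not ours
        labels = qname.lower()[:-len(suffix)].split(".")
        cid, seq, total = (int(x, 16) for x in labels[0].split("-"))
        b32 = "".join(labels[1:]).upper()
        chunk = base64.b32decode(b32 + "=" * (-len(b32) % 8))
        state = self.partial.setdefault(cid, {"total": total, "chunks": {}})
        state["chunks"][seq] = chunk             # a retransmitted chunk just overwrites itself
        if len(state["chunks"]) < state["total"]:
            return None
        del self.partial[cid]
        return cid, b"".join(state["chunks"][i] for i in range(total))


def demo():
    """Two clients interleaved, one chunk arriving early and one duplicated."""
    msg_a = b"client A: " + bytes(range(65, 91)) * 2   # 62 bytes -> 3 chunks
    msg_b = b"client B: short"                        # 15 bytes -> 1 chunk
    qa = encode_upstream(0xA1, msg_a)
    qb = encode_upstream(0xB2, msg_b)
    arrival = [qa[1], qb[0], qa[0], qa[1]] + qa[2:]
    server = TunnelServer()
    received = {}
    for name in arrival:
        result = server.handle_query(name)
        if result:
            received[result[0]] = result[1]
    return received, msg_a, msg_b


if __name__ == "__main__":
    print(demo()[0])
```

The two points that usually break a single-client prototype once several clients share the server are both visible here: state must be keyed by client id, not kept globally, and reassembly must not assume that chunks arrive once and in order.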

Black Hat USA 2016 / DEF CON 24

At the beginning of August, as every year, two of our security analysts attended the most renowned IT security conferences Black Hat USA and DEF CON to learn about the latest trends and research. This year’s Black Hat conference, the 19th edition, took place at the Mandalay Bay Conference Center while DEF CON 24 was located in Paris and Bally’s in Las Vegas.

Welcome to Las Vegas

In the following, we are going to summarize a selection of the talks attended.


Windows Phone 8 – An iPhone Alternative for Business?

During our most recent HackLab Day, a quarterly event where Compass analysts research new security topics or solutions, I investigated Microsoft's next version of its mobile operating system, "Windows Phone 8" (WP8). This update to the previously released Windows Phone 7 integrates a completely new kernel (shared with Windows 8) and is supposed to have a much stronger focus on the needs of businesses.
One question I asked myself is whether this new system has the potential to gain traction in the business environment and possibly take a slice of Apple's iPhone market share. For this to happen, WP8 would need to focus more on integration into existing MDM solutions and offer more than plain Exchange ActiveSync support.

Please have a read of my small presentation containing all important updates, changes and additions made for WP8.

Please download the slides at: compass_security_windows_phone_8_security_v1.0

A few notes about Windows Phone 8

Mobile Device Management – Microsoft has taken feedback seriously and now allows MDM providers such as Good Technology, MobileIron and AirWatch to enroll phones with their servers. However, Microsoft's approach differs from how iPhones support MDM: instead of having each MDM provider write its own application, a ready-to-use MDM client is built into the WP8 operating system (called "Company Apps"). The user simply enters his credentials (not necessarily his Active Directory ones) and the client communicates with the MDM server.
However, the MDM providers are not yet ready to manage WP8 devices. It is expected that solutions will be ready by the end of this year or the start of next year.

Updated Chamber System – Windows Phone has always used so-called chambers (details from Nokia) in which an application runs. All applications from the Windows Phone Store were always executed in the least privileged chamber (called Least Privilege Chamber, LPC). Pre-installed applications such as Outlook and OEM apps had additional rights (chamber Standard Rights). Since they weren't cryptographically signed they have been a target for attacks up until now (see MWR's advisory). Applications that required even higher rights/capabilities ran in the so-called Elevated Rights chamber; these were usually services such as music playback or media sharing. The chamber with the most rights is the Trusted Computing Base (TCB), where only the kernel and drivers were allowed to run.
In Windows Phone 8, only two chambers remain: Trusted Computing Base and Least Privilege Chamber. All applications and even some drivers run in the LPC and therefore pose less risk, as a vulnerability in such an application would only grant the capabilities it declared.

Enhanced Capabilities – Capabilities describe features of a phone (hardware and software). A developer has to explicitly declare which capabilities his application requires. At run and access time, the declared capabilities are compared with the ones requested; if there is no match, the action cannot complete.
Due to the updated chamber system, many new capabilities have been added to Windows Phone 8. An overview can be found on the Microsoft Developer Network.

Side loading of Applications – A completely new feature in Windows Phone 8 is the ability to side load applications, i.e. install them from places other than the Windows Phone Store. This allows companies to deploy custom applications to WP8 users without publishing them to the entire world. It also permits MDM solutions to offer a private app catalog to employees. Two ways exist to install applications on a phone:

  • Copy an application to the micro SD card. Windows Phone 8 will detect the new app and ask if it should be installed.
  • At enrollment, the process allows the installation of one application. According to Microsoft, an app catalog or app discovery application should be pushed. This app can then be used to install other applications or display company information.

No matter how the application gets deployed, it must be signed by a trusted certificate authority. If a company considers deploying custom apps, it has to register at Microsoft to receive the required tools and certificates.

Conclusion: Microsoft is pushing aggressively for further business integration. Two major concerns with Windows Phone 7 have been addressed: the lack of MDM support and the missing device encryption. However, with the current possibilities in WP8, Microsoft is still behind iOS with respect to MDM support. Many business features, such as VPN configuration, WLAN configuration or a larger API for MDM solutions, have yet to come. But a first step has been made and Microsoft is now ready to build upon this new foundation.

I hope this gives you a short overview of the new security features Windows Phone 8 has to offer. If you have any more questions, please feel free to contact us.