MAAS History
Archives

Entries in Proof of Concept (5)

Thursday
Feb 10, 2011

Researchers Bypass Keychain on iOS Device

Researchers from Fraunhofer SIT have demonstrated how to bypass the Keychain on an iOS device. This is a local attack, not a remote one, but it has implications for users whose devices are lost or stolen.

  • They jailbreak the phone with tools already available to gain access to the system.
  • They copy the Keychain access script to the file system.
  • They execute the script, which returns the passwords it has been able to find.

 

Not all passwords are broken, but key ones for online accounts and corporate network access can be broken in under six minutes.

For a video on how they did it, click here.

If you lose your iPhone or plan to retire it, keep this in mind.

 

  1. Do a hard factory reset.
  2. Clear out all data.
  3. Use MobileMe Find My iPhone in the event that it is lost, and erase it first. (iTunes should have a backup.)

 

If you are an organization, you should have a phone/PDA retirement policy.

Saturday
Sep 25, 2010

Safari AutoFill Flaw Can Still Be Exploited Using a Two-Phase Process

Jeremiah Grossman's AutoFill flaw can still be exploited by socially engineering a user into performing staged clicks on a form or page. In his online example, the user's location is used to provoke the first key press. Other examples can be simple trickery, such as asking the user to type "DuD" to prove they are human. He has posted the technical details on his blog; the result is that the user's AutoFill information is passed on without the user's knowledge.

AutoFill, although viewed as a convenience by users, can result in sharing information the user did not plan to disclose. In Safari you should make sure to turn these settings off, including on iOS devices.

Recommended Settings

When thinking about privacy and the sharing of any personal information, educate users in the concepts of trust and verification. If the form is completed automatically, the user skips the triggering mechanisms that can prevent these kinds of information-gathering attacks.

Monday
Jan 18, 2010

Memory Corruption Proof of Concept in QuickTime Library

Offensive Security has received a posting to their Exploit Database from Dr_IDE that takes advantage of a memory corruption in the QuickTime library used by a host of Mac OS X applications. This includes QuickLook, which will crash if the file is loaded in icon view in Finder. The proof of concept may be altered to give an attacker the capability to execute code or produce an application crash; it is also possible to use this vulnerability in a remote attack if the attacker is sophisticated. (The URL can be altered very easily in a hex editor.) The malformed file with its codec header can be viewed in Fig. 1.

Fig. 1

At this stage it appears to crash the application, and the malformed file is not detected by Mac anti-virus software. Users' current defense is to only open and view files from a trusted source and to update to the latest version of QuickTime. Remember, if you have any doubts about the source, there is no reason to open or load the file on your systems. A far more robust firewall that filters incoming and outgoing traffic should also be used locally on the Mac (ipfw is a great start). These types of files can also be blocked at a proxy or advanced firewall system, which can be purchased from vendors such as WatchGuard or Cisco. Various configurations can drop files that contain more than three of the same "character" in a row, which is very common in POCs and is rarely altered by unsophisticated attackers.
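The proxy rule described above, flagging files that carry long runs of one repeated byte, is easy to state as code. The following is an added example written for this page; it is not from the post, from Offensive Security's database, or from any WatchGuard or Cisco product, and the function names and the constructed sample file are this example's own assumptions. It generalizes the post's "more than three" to a configurable threshold, because runs of zero bytes are normal in media files and a limit that low would flag ordinary content.

```c
/* Added example (not from the MAAS post or any vendor product): a
 * heuristic of the kind the post describes a proxy or firewall applying.
 * Filler padding such as "AAAA..." is typical of unmodified proof-of-
 * concept files, so we report the longest run of one repeated byte.
 * Names and the threshold are assumptions made for this example. */
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Longest run of a single repeated byte in buf. On return, *run_byte and
 * *run_offset (when non-NULL) describe where the longest run starts.
 * Returns 0 for empty input. */
size_t longest_byte_run(const unsigned char *buf, size_t len,
                        unsigned char *run_byte, size_t *run_offset)
{
    size_t best = 0, best_off = 0, cur = 0, cur_off = 0;
    unsigned char best_byte = 0;

    for (size_t i = 0; i < len; i++) {
        if (i > 0 && buf[i] == buf[i - 1]) {
            cur++;                 /* extend the current run */
        } else {
            cur = 1;               /* a new run starts here */
            cur_off = i;
        }
        if (cur > best) {
            best = cur;
            best_off = cur_off;
            best_byte = buf[i];
        }
    }
    if (run_byte) *run_byte = best_byte;
    if (run_offset) *run_offset = best_off;
    return best;
}

/* Verdict used by a filter: 1 if some byte repeats more than max_run
 * times in a row, else 0. The post mentions "more than three"; a real
 * deployment would use a far higher value to avoid false positives. */
int exceeds_run_limit(const unsigned char *buf, size_t len, size_t max_run)
{
    return longest_byte_run(buf, len, NULL, NULL) > max_run ? 1 : 0;
}

int main(void)
{
    /* Constructed sample: a 4-byte header-like tag followed by padding,
     * the shape a crude crash file often has. Not a real QuickTime file. */
    unsigned char sample[64];
    unsigned char b = 0;
    size_t off = 0, run;

    memcpy(sample, "stsd", 4);
    memset(sample + 4, 'A', sizeof sample - 4);

    run = longest_byte_run(sample, sizeof sample, &b, &off);
    printf("longest run: %zu x 0x%02x at offset %zu -> %s\n",
           run, b, off,
           exceeds_run_limit(sample, sizeof sample, 3) ? "DROP" : "pass");
    return 0;
}
```

Run over a file's bytes, the verdict alone is enough for a drop rule; the byte value and offset are what an analyst would want in the log line when the rule fires.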

It is to be expected that as the popularity of the platform grows, so does the interest of crackers. Little tactical effort is needed to employ an exploit such as this. However, strict defensive measures can mitigate an attack vector such as this one.

Sunday
Jan 10, 2010

Buffer Overflow in libc/strtod

There is a proof of concept (POC) related to the libc/strtod and dtoa.c implementation in BSD, which Apple has been aware of for over six months. Mac OS X is a hybrid kernel based on Mach 3.0 and FreeBSD, so yes, it is BSD. This makes it susceptible to various bugs and exploits that also affect BSD implementations. SecurityReason.com has posted a security alert and the POC code related to the buffer overflow on BSD, indicating that it could result in DoS (system crash) or malicious code execution. They have also included Mac OS X in this alert along with the POC posted.

Fig. 1

The execution of arbitrary code cannot be accomplished using the printf function on the heap as stated on SecurityReason.com; they maintain that Mac OS X may be vulnerable. I have tested this and other functions such as asprintf, vprintf and sprintf (Fig. 1). OpenBSD and Mac OS X do ship with executable space protection, which does prevent the execution of code on the heap. Code does not need to execute on the heap, but doing so is a far less labor-intensive and more reliable approach for attackers. Calls can be made back into libraries, which gives a buffer overflow a way around executable space protection. (Return-to-libc is a common method.)

The best defense against these kinds of exploits is to only install software from trusted sources, check the sources, and not run them as an admin user. For day-to-day tasks (word processing, web, mail, etc.) you should never be logged in as a privileged user. From a development standpoint, secure coding practices are important. Lack of verification and validation can lead to a host of errors, so a secure development process should be used. Still, there is plenty of poorly written code that mishandles memory, validation and verification. If you do not trust the source for any reason, you should not install the software.
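As an added illustration of the input validation the post asks for (this is example code written for this page, not from the MAAS post, from SecurityReason's advisory, or from Apple's or BSD's libc), the following wraps strtod() so that callers never hand it an untrusted string of unbounded length. The length cap, the character whitelist, the status codes and the function names are this example's own assumptions; the point is that a conversion routine is checked on the way in (size, character set) and on the way out (end pointer, errno) rather than trusted to cope with whatever arrives.

```c
/* Added example, not from the MAAS post or any libc: a checked wrapper
 * around strtod() as an instance of the verification and validation the
 * post calls for. Cap, whitelist, names and status codes are assumptions. */
#include <ctype.h>
#include <errno.h>
#include <math.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum num_status { NUM_OK = 0, NUM_TOO_LONG, NUM_BAD_FORMAT, NUM_OUT_OF_RANGE };

/* Legitimate decimal input is short. Refusing oversized text before libc
 * ever sees it removes the "very long digit string" shape of input from
 * the attack surface entirely, whatever the underlying dtoa does with it. */
#define MAX_NUMBER_LEN 64

enum num_status parse_double_checked(const char *text, double *out)
{
    size_t n = 0;
    char *end;
    double value;

    if (text == NULL || out == NULL)
        return NUM_BAD_FORMAT;

    /* bounded length scan: stop counting as soon as the cap is exceeded */
    while (text[n] != '\0')
        if (++n > MAX_NUMBER_LEN)
            return NUM_TOO_LONG;

    /* whitelist: plain decimal notation only; rejects whitespace, hex
     * floats, "inf"/"nan" and anything else strtod would also accept */
    for (const char *p = text; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (!(isdigit(c) || c == '.' || c == '-' || c == '+' ||
              c == 'e' || c == 'E'))
            return NUM_BAD_FORMAT;
    }

    errno = 0;
    value = strtod(text, &end);
    if (end == text || *end != '\0')      /* nothing parsed, or trailing junk */
        return NUM_BAD_FORMAT;
    if (errno == ERANGE || !isfinite(value))  /* overflow or underflow */
        return NUM_OUT_OF_RANGE;

    *out = value;
    return NUM_OK;
}

/* Verdict-only convenience for callers that do not need the value. */
int parse_status(const char *text)
{
    double unused;
    return (int)parse_double_checked(text, &unused);
}

/* Parsed value, or 0.0 when the input was rejected. */
double parse_or_zero(const char *text)
{
    double v;
    return parse_double_checked(text, &v) == NUM_OK ? v : 0.0;
}

/* Builds a constructed digit string of the given length (the shape of a
 * long-input test case) and returns the status the checker gives it. */
int status_for_digit_string(size_t len)
{
    char buf[MAX_NUMBER_LEN * 8 + 1];
    if (len >= sizeof buf)
        len = sizeof buf - 1;
    memset(buf, '9', len);
    buf[len] = '\0';
    return parse_status(buf);
}

int main(void)
{
    const char *inputs[] = { "3.25", "12abc", "1e999", "" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-8s -> status %d\n", inputs[i], parse_status(inputs[i]));
    printf("500 digits -> status %d\n", status_for_digit_string(500));
    return 0;
}
```

The whitelist is deliberately stricter than strtod itself: it drops leading whitespace, hexadecimal floats and the "inf"/"nan" spellings, which is usually what a configuration or protocol field wants anyway. The cap of 64 characters is a choice for this example; pick whatever bound the field's real range needs, and keep it well below anything that could stress the converter.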

Monday
Aug 03, 2009

Proof of Concept Firmware Keyboard Hack Demonstrated at Black Hat

K. Chen gave a talk that demonstrated a proof-of-concept attack using HIDFirmwareUpdaterTool to insert code into the firmware of Apple keyboards, allowing an attacker to record keystrokes. The attack does require physical access to the machine. It is important to remember that all input devices that have firmware can be attacked, and it is possible to record information from the device. This is true of wired and wireless devices; with a trip to the local Radio Shack and some basic skills, a keystroke recorder/interceptor can be constructed.

The best defense is to restrict physical access to your devices; organizations should always control physical access to their offices.