MAAS History
Archives
Sunday
Nov 08 2009

Jail Breaking and Entering the iPhone

If you have taken the risk of jailbreaking your iPhone, be aware of an attack in the wild reported by Intego on November 3. A jailbroken iPhone can run software and applications not approved by Apple, and the jailbreak packages typically install an OpenSSH server that accepts remote root logins, among other services. Most users neither disable remote root login nor change the root password, which is the well-known default "alpine" (the unprivileged "mobile" account ships with the same password). An SSH service on a phone with default credentials is about as insecure as it gets, so now you can wow your jailbroken-iPhone friends by logging in to their handsets.

I never recommend running cracked or jailbroken software, so I have little sympathy for people who have gone this route on phones that are not for personal experimentation. (Hack to learn, but keep it in the sandbox or you might get burned.) General users should never run cracked devices or software; a recent Mac Trojan was spread via cracked software. That said, a user who has already jailbroken can change the root password with the passwd command after logging in as root, and should run passwd for the mobile account as well. It is also highly recommended to disable remote root login, a standard hardening step on any system that runs sshd.
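Disabling root login means editing sshd_config so that PermitRootLogin is set to no exactly once, without a stray commented-out or duplicate line overriding it (sshd honours the first active occurrence of a directive). The following is an added example, not code from the post or from any jailbreak package; it assumes the jailbreak's OpenSSH reads /etc/ssh/sshd_config, and the AllowUsers line is this example's own extra restriction, not something the post asks for.

```python
import re
from pathlib import Path

# Assumed location of the OpenSSH config installed by the jailbreak (not stated in the post).
SSHD_CONFIG = Path("/etc/ssh/sshd_config")

# PermitRootLogin is what the post asks for; AllowUsers is this example's own extra choice.
HARDENED = {
    "PermitRootLogin": "no",
    "AllowUsers": "mobile",
}

# Constructed sample of a config as a jailbreak package might ship it (not real data).
SAMPLE_CONFIG = (
    "# sshd_config installed by the jailbreak (constructed sample)\n"
    "#PermitRootLogin yes\n"
    "Port 22\n"
    "PermitRootLogin yes\n"
    "Subsystem sftp /usr/libexec/sftp-server\n"
)


def set_directives(config_text: str, settings: dict) -> str:
    """Return config_text with each directive in `settings` set exactly once.

    The first line mentioning a managed directive (active or commented out) is
    replaced with the desired value; later copies are dropped so nothing can
    override it. Directives that never appear are appended at the end.
    Match blocks are not handled; keep managed directives in the global section.
    """
    out, done = [], set()
    for line in config_text.splitlines():
        m = re.match(r"^\s*#?\s*(\w+)\b", line)
        name = m.group(1) if m else None
        if name in settings:
            if name not in done:
                out.append(f"{name} {settings[name]}")
                done.add(name)
            continue  # drop duplicates and commented-out copies
        out.append(line)
    for name, value in settings.items():
        if name not in done:
            out.append(f"{name} {value}")
    return "\n".join(out) + "\n"


def harden_sshd_config(path: Path = SSHD_CONFIG) -> str:
    """Rewrite the config file in place and return the new text."""
    new_text = set_directives(path.read_text(), HARDENED)
    path.write_text(new_text)
    return new_text


if __name__ == "__main__":
    # Demonstrate on the constructed sample rather than touching a real file.
    print(set_directives(SAMPLE_CONFIG, HARDENED))
    # On the phone itself, still logged in as root, you would then run:
    #   passwd          (root)
    #   passwd mobile
    # and restart sshd so the new config takes effect.
```

After restarting sshd, confirm from another machine that `ssh root@phone` is refused and `ssh mobile@phone` prompts for the new password.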

What began as soft-core ransomware from a Dutch hacker, who scanned networks for jailbroken iPhones and then prompted the owner via SMS to pay five euros to have the phone secured, has expanded into a full-fledged worm called iKee. In its current form iKee scans the following network ranges, which belong to Australian 3G customers, and has been reported to change background images, lock users out and steal personal data. The current target ranges are:

  • 202.81.64.0-202.81.79.255
  • 123.98.128.0-123.98.143.255
  • 120.16.0.0-120.23.255.255
  • 114.72.0.0-114.75.255.255
  • 203.2.75.0-203.2.75.255
  • 210.49.0.0-210.49.255.255
  • 203.17.140.0-203.17.140.255
  • 211.28.0.0-211.31.255.255
  • 58.160.0.0-58.175.255.255
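A phone infected by the worm scans for other handsets, so an infected device shows up in a victim's SSH log as repeated root password attempts from a source inside the ranges listed above. The following added example (not code from the post or from any published iKee analysis) turns those ranges into CIDR blocks with the standard library and runs a simple detector over OpenSSH-style auth log lines; the log format and the sample lines are constructed, and the threshold is this example's own choice.

```python
import ipaddress
import re
from collections import Counter

# The target ranges listed in the post, as (first, last) addresses.
IKEE_RANGES = [
    ("202.81.64.0", "202.81.79.255"),
    ("123.98.128.0", "123.98.143.255"),
    ("120.16.0.0", "120.23.255.255"),
    ("114.72.0.0", "114.75.255.255"),
    ("203.2.75.0", "203.2.75.255"),
    ("210.49.0.0", "210.49.255.255"),
    ("203.17.140.0", "203.17.140.255"),
    ("211.28.0.0", "211.31.255.255"),
    ("58.160.0.0", "58.175.255.255"),
]

# Collapse each range into the minimal set of CIDR blocks that cover it.
IKEE_NETWORKS = [
    net
    for first, last in IKEE_RANGES
    for net in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    )
]


def in_ikee_ranges(ip: str) -> bool:
    """True if the address lies inside any of the worm's target blocks."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in IKEE_NETWORKS)


# OpenSSH auth-log line layout (assumed; adjust to your syslog format).
SSHD_AUTH = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def root_ssh_attempts(log_lines):
    """Per source IP: (root password attempts, accepted root logins, inside target ranges)."""
    attempts, accepted = Counter(), Counter()
    for line in log_lines:
        m = SSHD_AUTH.search(line)
        if not m or m.group("user") != "root":
            continue
        attempts[m.group("ip")] += 1
        if m.group("result") == "Accepted":
            accepted[m.group("ip")] += 1
    return {ip: (n, accepted[ip], in_ikee_ranges(ip)) for ip, n in attempts.items()}


def suspicious_sources(log_lines, min_attempts=3):
    """Sources with at least min_attempts root attempts, or any accepted root login,
    most active first. A source inside IKEE_NETWORKS is the strongest signal of an
    infected handset; the threshold of 3 is this example's own choice."""
    report = root_ssh_attempts(log_lines)
    hits = [
        (ip, n, ok, inside)
        for ip, (n, ok, inside) in report.items()
        if n >= min_attempts or ok
    ]
    return sorted(hits, key=lambda hit: (-hit[1], hit[0]))


# Constructed sample log lines (not real data).
SAMPLE_LOG = [
    "Nov  8 03:12:01 handset sshd[412]: Failed password for root from 202.81.64.13 port 51234 ssh2",
    "Nov  8 03:12:02 handset sshd[412]: Failed password for root from 202.81.64.13 port 51234 ssh2",
    "Nov  8 03:12:03 handset sshd[412]: Accepted password for root from 202.81.64.13 port 51234 ssh2",
    "Nov  8 03:15:40 handset sshd[418]: Failed password for root from 198.51.100.7 port 40020 ssh2",
    "Nov  8 03:16:10 handset sshd[420]: Accepted password for mobile from 192.168.1.20 port 40021 ssh2",
]

if __name__ == "__main__":
    for ip, n, ok, inside in suspicious_sources(SAMPLE_LOG):
        print(f"{ip}: {n} root attempts, {ok} accepted, in iKee ranges: {inside}")
```

An accepted root login from any source is already a compromise on a default-password phone, which is why `suspicious_sources` reports it regardless of the attempt count.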

It will be interesting to see whether there is a spike in SSH scanning on mobile networks in the coming weeks. Users should never use a cracked iPhone; if your company provides iPhones, make sure that all users, including IT department employees, understand not to use jailbroken devices or cracked software. This should be part of the employee usage agreement and may need to be revisited in a Monday email blast from your security team.


Saturday
Nov 07 2009

TLS/SSL Vulnerability

This flaw affects browsers, servers, VPN deployments, HTTPS and any other service or device that uses the protocol. The Internet Engineering Task Force (IETF) will be proposing an extension to the protocol to address the vulnerability. Neither SSL nor TLS cryptographically binds a renegotiated handshake to the session that preceded it, which lets a man in the middle (MITM) inject data at the beginning of what the server treats as one continuous session. If you are using SSL/TLS for any service on Mac OS X Server 10.6.x or 10.5.x, it is vulnerable to this attack. If you connect to a web site via HTTPS, you are exposed as well. You should nevertheless continue to always use HTTPS: the attack lets an attacker prepend data to your session, not read it.

The MITM intercepts the client's connection, opens its own SSL session to the server, sends its chosen data, then requests a renegotiation and forwards the original client's handshake and data inside that session, exactly as in a standard MITM attack. Web servers concatenate the data received before the renegotiation with the data received after it, which is what makes the problem serious for any site or web user of SSL. Client certificate authentication is the feature most exposed in real-world deployments, because the server renegotiates to request the certificate, but it is rarely used. The attack has been demonstrated against a range of SSL applications and services, including Apache and Microsoft IIS. Given the effort needed to mount it, the attack would most likely be used as one ingredient in a cocktail of exploits against a system. Encrypted data that passes through the MITM remains unreadable to the attacker, but other weaknesses in the SSL/TLS deployment can be leveraged alongside it. This is a reminder that a layered approach to security limits the risk from such exploit cocktails.
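The splice described above is visible at the record layer: after the attacker's session has carried application data, a handshake record arrives on the same connection, and the TLS record header (type, version, length) is never encrypted. The following added example (not code from the post or from any TLS library) parses a stream of records and reports the first handshake record that follows application data. The record bodies are constructed placeholders, not real handshake messages; in a live capture they would be ciphertext, which is exactly why only the header is inspected.

```python
import struct

# TLS record content types (RFC 5246, section 6.2.1).
CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA = 20, 21, 22, 23
CLIENT_HELLO = 1  # handshake message type, only meaningful in the clear before the first CCS


def parse_records(stream: bytes):
    """Split one direction of a TLS connection into (content_type, version, body) records.

    Only the 5-byte record header is interpreted; bodies after ChangeCipherSpec
    are encrypted and are carried through untouched.
    """
    records, off = [], 0
    while off < len(stream):
        if len(stream) - off < 5:
            raise ValueError(f"truncated record header at offset {off}")
        ctype, version, length = struct.unpack("!BHH", stream[off:off + 5])
        if ctype not in (CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA):
            raise ValueError(f"unknown content type {ctype} at offset {off}")
        body = stream[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError(f"truncated record body at offset {off}")
        records.append((ctype, version, body))
        off += 5 + length
    return records


def find_renegotiation(stream: bytes):
    """Index of the first handshake record sent after application data, or None.

    This flags every renegotiation, legitimate or not: before the protocol fix
    the two look identical on the wire, which is the core of the problem.
    """
    seen_app_data = False
    for i, (ctype, _, _) in enumerate(parse_records(stream)):
        if ctype == APPLICATION_DATA:
            seen_app_data = True
        elif ctype == HANDSHAKE and seen_app_data:
            return i
    return None


def record(ctype: int, body: bytes, version: int = 0x0301) -> bytes:
    """Build one TLS 1.0 record (version 0x0301) around a body."""
    return struct.pack("!BHH", ctype, version, len(body)) + body


# Constructed client-to-server streams with placeholder bodies (not real messages).
# An ordinary session: ClientHello, ChangeCipherSpec, Finished, then application data.
NORMAL = (
    record(HANDSHAKE, bytes([CLIENT_HELLO]) + b"\x00" * 8)
    + record(CHANGE_CIPHER_SPEC, b"\x01")
    + record(HANDSHAKE, b"\x14" + b"\x00" * 11)  # Finished (would be encrypted)
    + record(APPLICATION_DATA, b"GET /index.html HTTP/1.1\r\nX-Ignore: ")  # attacker's prefix
)
# The splice: the attacker's session above, followed by the victim's ClientHello
# forwarded as a renegotiation inside it.
SPLICED = NORMAL + record(HANDSHAKE, bytes([CLIENT_HELLO]) + b"\x00" * 8)

if __name__ == "__main__":
    print("normal session renegotiation index:", find_renegotiation(NORMAL))
    print("spliced session renegotiation index:", find_renegotiation(SPLICED))
```

On a server that has been patched to refuse renegotiation, the same handshake-after-data record is what triggers the fatal alert, so this check doubles as a way to confirm from a capture that the patch is doing its job.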

OpenSSL developers (who have already released a version with the change) and the GnuTLS developers are working on patches that let you disable renegotiation, but this does not fix the protocol's issue. Removing renegotiation may render some web services and applications unusable, so the updates should not be applied to production systems until detailed tests are completed. A broader approach is to ensure that routers run up-to-date firmware, that the Kaminsky DNS bug patch is applied, that system software has the latest security patches, and that packets are filtered (ingress and egress) even within trusted networks, including with the application layer firewall and the IPFW firewall in OS X Server. Application firewalls can filter embedded HTTP request lines, since the injected prefix arrives at the application as plaintext after the server has decrypted it, which limits the risk from this vulnerability.
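What such a filter looks for: the attacker's prefix typically ends with an unterminated header such as "X-Ignore: ", so the victim's own request line lands inside a header value and the victim's cookies are attached to the attacker's request; a prefix with a large Content-Length pushes the victim's request into a body instead. The following added example (not code from the post or from any firewall product) checks a raw request for a request line in either place; the header name and the sample requests are constructed for illustration.

```python
import re

METHODS = ("GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "TRACE", "CONNECT")
# A complete HTTP/1.x request line: method, request-target, version.
REQUEST_LINE = re.compile(r"^(?:%s) \S+ HTTP/1\.[01]$" % "|".join(METHODS))


def find_embedded_request_lines(raw: bytes):
    """Return (location, detail) pairs for each request line found where one does not belong.

    location is "header" (detail: the header name whose value is a request line)
    or "body" (detail: the offending first line of the body). Bytes are decoded
    as latin-1 so that no byte value is rejected.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    findings = []
    for line in lines[1:]:  # lines[0] is the real request line
        name, colon, value = line.partition(":")
        if colon and REQUEST_LINE.match(value.strip()):
            findings.append(("header", name.strip()))
    if sep:
        first_body_line = body.decode("latin-1").split("\r\n", 1)[0]
        if REQUEST_LINE.match(first_body_line):
            findings.append(("body", first_body_line))
    return findings


# Constructed requests as the server would see them after decryption (not real traffic).
CLEAN = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: bank.example\r\n"
    b"Cookie: session=abc\r\n\r\n"
)
# Attacker prefix "GET /evil HTTP/1.1\r\nX-Ignore: " followed by the victim's request.
SPLICED_HEADER = (
    b"GET /evil HTTP/1.1\r\n"
    b"X-Ignore: GET /index.html HTTP/1.1\r\n"
    b"Host: bank.example\r\n"
    b"Cookie: session=abc\r\n\r\n"
)
# Attacker prefix with an oversized Content-Length, swallowing the victim's request as a body.
SPLICED_BODY = (
    b"POST /transfer HTTP/1.1\r\n"
    b"Host: bank.example\r\n"
    b"Content-Length: 1000\r\n\r\n"
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: bank.example\r\n"
    b"Cookie: session=abc\r\n\r\n"
)

if __name__ == "__main__":
    for label, req in (("clean", CLEAN), ("header splice", SPLICED_HEADER), ("body splice", SPLICED_BODY)):
        print(label, "->", find_embedded_request_lines(req))
```

A request that trips this check should be dropped before any handler runs, since the cookies in it belong to a different client than the one whose request line is at the top.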

Needless to say, this may be the tip of the iceberg; a vulnerability such as this can be used in countless imaginative ways. As with the Kaminsky DNS issue, the sky is not falling, but prudent action lets administrators manage the risk of such vulnerabilities in widely used protocols.


Friday
Nov 06 2009

Firefox Version 3.5.5

This short-cycle security and stability update addresses several bugs that cause 3.5.4 to crash, including crashes when inserting multiple children without flushing them, a GIF decoder crash, and a startup crash related to Windows font group support. Administrators should apply this update to Firefox 3.5.4.

Friday
Oct 30 2009

Malware Artware

Developer Zach Gage has a digital art project, covered on Electro-online, in the form of an online game called Lose/Lose that behaves like malware. Each alien in the game is mapped to a file on the user's computer; when you destroy the alien, the file is deleted. Intego has classified it as malware and detects it as OSX/LoserGame. Administrators should make sure that no users visit or play the game, because it results in data loss.

Wednesday
Oct 28 2009

Mozilla Releases Firefox 3.5.4

Mozilla has released Firefox 3.5.4, which addresses various issues, including critical ones: crashes with evidence of memory corruption, a heap buffer overflow in string-to-number conversion, a crash due to recursive web worker calls, and a form history stealing vulnerability.

MFSA 2009-64 Crashes with evidence of memory corruption (rv:1.9.1.4/ 1.9.0.15)
MFSA 2009-63 Upgrade media libraries to fix memory safety bugs
MFSA 2009-62 Download filename spoofing with RTL override
MFSA 2009-61 Cross-origin data theft through document.getSelection()
MFSA 2009-59 Heap buffer overflow in string to number conversion
MFSA 2009-57 Chrome privilege escalation in XPCVariant::VariantDataToJS()
MFSA 2009-56 Heap buffer overflow in GIF color map parser
MFSA 2009-55 Crash in proxy auto-configuration regexp parsing
MFSA 2009-54 Crash with recursive web-worker calls
MFSA 2009-53 Local downloaded file tampering
MFSA 2009-52 Form history vulnerable to stealing

Users should perform the update by selecting Check for Updates under the Help menu. Macintosh administrators should mark this update as critical and push it during their next update cycle via Apple Remote Desktop.