OptionsBleed – Apache Bleeds In Uncommon Configuration

September 19, 2017 by Pedro Umbelino 8 Comments

[Hanno Böck] recently uncovered a vulnerability in Apache webserver, affecting Apache HTTP Server 2.2.x through 2.2.34 and 2.4.x through 2.4.27. This bug only affects Apache servers with a certain configuration in .htaccess file. Dubbed Optionsbleed, this vulnerability is a use after free error in Apache HTTP that causes a corrupted Allow header to be replied by the webserver in response to HTTP OPTIONS requests. This can leak pieces of arbitrary memory from the server process that may contain sensitive information. The memory pieces change after multiple requests, so for a vulnerable host an arbitrary number of memory chunks can be leaked.

Unlike the famous Heartbleed bug in the past, Optionsbleed leaks only small chunks of memory and more importantly only affects a small number of hosts by default. Nevertheless, shared hosting environments that allow for .htaccess file changes can be quite sensitive to it, as a rogue .htaccess file from one user can potentially bleed info for the whole server. Scanning the Alexa Top 1 Million revealed 466 hosts with corrupted Allow headers, so it seems the impact is not huge so far.

The bug appears if a webmaster tries to use the “Limit” directive with an invalid HTTP method. We decided to test this behaviour with a simple .htaccess file like this:

Continue reading “OptionsBleed – Apache Bleeds In Uncommon Configuration” →

Sneakers: A Love-Fest

September 15, 2017 by John Baichtal 62 Comments

“A TURNIP CURES ELVIS” begins the opening credits, an intriguing beginning to a smart and still timely film that was released around 25 years ago. If you’ve never seen the movie, I’m about to spoil the hell out of it.

Sneakers features the title characters, hackers who work the 1992 gig economy as freelance penetration testers. They work for Martin Bishop, a hippie hacker Obi Wan who works San Francisco’s gray market, doing good deeds and helping banks improve their security.

While there is a fair amount of cheese in Sneakers, a lot of the problems the characters face — physical security and cryptography come to mind — remain the problems of today. Securing our digital business? Check. Surveillance? Check? Gray operators? Absolutely. At the same time, the movie does a good job of exploring different categories of hacker. The various characters seem to offer glimpses of people I see all the time at the hackerspace. Bigger than life, certainly, but they are in a Hollywood movie, after all.

Finally, the movie is just smart. Those opening credits offer a preview: the anagrams that begin the movie (“A TURNIP KILLS ELVIS” translates to Universal Pictures) are not just some art director’s conceit for the opening credits. The anagrams end up being important later on in the film, where there is a key clue hidden but if you think about it, shuffling letters on your Scrabble tray could be taken as a metaphor for hacker thinking — taking the same information as everyone else but looking at it in a different way.

Continue reading “Sneakers: A Love-Fest” →

Bluetooth Vulnerability Affects All Major OS

September 14, 2017 by Pedro Umbelino 52 Comments

Security researchers from Armis Labs recently published a whitepaper unveiling eight critical 0-day Bluetooth-related vulnerabilities, affecting Linux, Windows, Android and iOS operating systems. These vulnerabilities alone or combined can lead to privileged code execution on a target device. The only requirement is: Bluetooth turned on. No user interaction is necessary to successfully exploit the flaws, the attacker does not need to pair with a target device nor the target device must be paired with some other device.

The research paper, dubbed BlueBorne (what’s a vulnerability, or a bunch, without a cool name nowadays?), details each vulnerability and how it was exploited. BlueBorne is estimated to affect over five billion devices. Some vendors, like Microsoft, have already issued a patch while others, like Samsung, remain silent. Despite the patches, some devices will never receive a BlueBorne patch since they are outside of their support window. Armis estimates this accounts for around 40% of all Bluetooth enabled devices.

A self-replicating worm that would spread and hop from a device to other nearby devices with Bluetooth turned on was mentioned by the researchers as something that could be done with some more work. That immediately reminds us of the BroadPwn vulnerability, in which the researchers implemented what is most likely the first WiFi only worm. Although it is definitely a fun security exercise to code such worm, it’s really a bad, bad idea… Right?…

So who’s affected?

Continue reading “Bluetooth Vulnerability Affects All Major OS” →

RaspiReader, An Open Source Fingerprint Reader

September 4, 2017 by Jenny List 14 Comments

In 2008, the then German interior minister, [Wolfgang Schäuble] had his fingerprint reproduced by members of the German Chaos Computer Club, or CCC, and published on a piece of plastic film distributed with their magazine. [Schäuble] was a keen proponent of mass gathering of biometric information by the state, and his widely circulated fingerprint lifted from a water glass served as an effective demonstration against the supposed infallibility of biometric information.

Diagram showing the fingerprint reader's operation. — Diagram showing the fingerprint reader’s operation.

It was reported at the time that the plastic [Schäuble] fingerprint could fool the commercial scanners of the day, including those used by the German passport agency, and the episode caused significant embarrassment to the politician. The idea of “spoofing” a fingerprint would completely undermine the plans for biometric data collection that were a significant policy feature for several European governments of the day.

It is interesting then to read a paper from Michigan State University, “RaspiReader: An Open Source Fingerprint Reader Facilitating Spoof Detection” (PDF downloadable from the linked page) by [Joshua J. Engelsma], [Kai Cao], and [Anil K. Jain] investigates the mechanism of an optical fingerprint reader and presents a design using the ever-popular Raspberry Pi that attempts to detect and defeat attempts at spoofing. For the uninitiated is serves as a fascinating primer on FTIR (Frustrated Total Internal Reflection) photography of fingerprints, and describes their technique combining it with a conventional image to detect spoofing. Best of all, the whole thing is open-source, meaning that you too can try building one yourself.

If [Cao] and [Jain] sound familiar, maybe it’s from their Samsung Galaxy fingerprint hack last year, so it’s neat to see them at work on the defense side. If you think that fingerprints make good passwords, you’ve got some background reading to do. If you just can’t get enough fingerprints, read [Al Williams]’ fundamentals of fingerprint scanning piece from earlier this year.

Via Hacker News.

The Enigma Enigma: How The Enigma Machine Worked

August 22, 2017 by Steven Dufresne 32 Comments

To many, the Enigma machine is an enigma. But it’s really quite simple. The following is a step-by-step explanation of how it works, from the basics to the full machine.

Possibly the greatest dedicated cipher machine in human history the Enigma machine is a typewriter-sized machine, with keyboard included, that the Germans used to encrypt and decrypt messages during World War II. It’s also one of the machines that the Polish Cipher Bureau and those at Britain’s Bletchley Park figured out how to decipher, or break. Most recently the story of how it was broken was the topic of the movie The Imitation Game.

Let’s start with the basics.

Continue reading “The Enigma Enigma: How The Enigma Machine Worked” →

Apple’s Secure Enclave Processor (SEP) Firmware Decrypted

August 18, 2017 by Jack Laidlaw 14 Comments

The decryption key for Apple’s Secure Enclave Processor (SEP) firmware Posted Online by self-described “ARM64 pornstar” [xerub]. SEP is the security co-processor introduced with the iPhone 5s which is when touch ID was introduced. It’s a black box that we’re not supposed to know anything about but [xerub] has now pulled back the curtain on that.

The secure enclave handles the processing of fingerprint data from the touch ID sensor and determines if it is a match or not while it also enables access for purchases for the user. The SEP is a gatekeeper which prevents the main processor from accessing sensitive data. The processor sends data which can only be read by the SEP which is authenticated by a session key generated from the devices shared key. It also runs on its own OS [SEPOS] which has a kernel, services drivers and apps. The SEP performs secure services for the rest of the SOC and much more which you can learn about from the Demystifying the Secure Enclave Processor talk at Blackhat

[xerub] published the decryption keys here. To decrypt the firmware you can use img4lib and xerub’s SEP firmware split tool to process. These tools make it a piece of cake for security researchers to comb through the firmware looking for vulnerabilities.

The Amazon Echo As A Listening Device

August 3, 2017 by Jenny List 31 Comments

It is an inevitability that following swiftly on the heels of the release of a new device there will be an announcement of its rooting, reverse engineering, or other revealing of its hackability. Now the device in question is the Amazon Echo, as MWR Labs announce their work in persuading an Echo to yield the live audio from the microphone and turn the voice assistant device into a covert listening device.

The work hinges on a previous discovery and reverse engineering (PDF) of Amazon’s debug connector on the base of the Echo, which exposes both an SD card interface and a serial terminal. Following that work, they were able to gain root access to the device, analyze the structure of the audio buffers and how the different Echo processes use them, and run Amazon’s own “shmbuf_tool” application to pipe raw audio data to a network stream. Astoundingly this could be done without compromising the normal operation of the device.

It should be stressed, that this is an exploit that requires physical access to the device and a bit of knowledge to perform. But it’s not inconceivable that it could be made into a near-automated process requiring only a device with a set of pogo pins to be mated with an Echo that has had its cover quickly removed.

That said, inevitably there will be enough unused Echos floating around before too long that their rootability will make them useful to people in our community. We look forward to what interesting projects people come up with using rooted Echos.

This isn’t the first time we’ve covered the use of an Echo as a listening device.

Via Hacker News.

Amazon Echo image: FASTILY [CC BY-SA 4.0].