Friday, April 24, 2009

iPhone, Mobile Security and OSX

Hey guys,
so I'm back with some updates on my research. First of all, I gave a talk with Charlie Miller on iPhone and OSX payloads at Black Hat Europe.
Here are a few links:
The slides will be available soon.

In May I'm going to join Jeff Moss and a bunch of really cool people in the next Black Hat webcast: Mobility and Security. I hope all of you will register and join the round table.

One last appointment, if anyone wants to meet, I'll be speaking at EuSecWest in London at the end of May.
Snagg

Monday, April 20, 2009

Client side code execution via JNLP files

As you may know, I'm kind of a Java enthusiast. This is especially true when a Java technology overlaps with web security.
I was testing a piece of software based on Java Web Start when I realized how practical (and dangerous) this technology can be. The overall idea of Java Web Start is to deploy and execute a standalone Java client directly from the Internet, using a web browser. Unlike Java Applets, Web Start applications do not have all the limitations enforced by the sandbox.

Specifically, I was testing Eye of the Storm, a network management software composed of several server side components as well as a nice Web Start application. A CGI program, /EOS/cgi/EYELauncher, generates personalized JNLP files so that Java Web Start can invoke a standalone Java application with the proper parameters and configuration.
Besides other usual issues, I've discovered a way to trigger client side code execution via a tampered JNLP file. Thinking about a real-world attack scenario, an aggressor could convince a user to follow a malicious link which abuses the online CGI in order to generate malicious JNLP files. Since the CGI does not properly filter the input, it is possible to pollute the JNLP file content.

A simple GET request, such as the following:
http:///EOS/cgi/EYELauncher?%2d%2d%75%73%65%72%3d%61%61%61%3b%2d%2d%68%6f%73%74%3d%61%61%61%3b%2d%2d%68%74%74%70%50%72%6f%74%6f%63%6f%6c%3d%66%69%6c%65%3a%2f%2f%2f%43%3a%5c%5c%57%49%4e%4e%54%5c%5c%73%79%73%74%65%6d%33%32%5c%5c%63%6d%64%2e%65%78%65%3f
will cause the inclusion of the user-supplied parameters in com.entuity.eos.client.startup.EYELauncher.main(String args[]).

In particular circumstances, the application may invoke the executeEYEClient(String, String, String, String, String) method, which can be used to exploit a vulnerable com.entuity.util.BrowserLauncher.openURL(String) method that executes the well-known Runtime.getRuntime().exec() call.
The execution of the vulnerable method is triggered by an exception while the main method runs. EYELauncher handles this specific exception by requesting a new JNLP file from the server, using the insecure "openURL" call.

To locally test the vulnerability, just use the following code:
import com.entuity.eos.client.startup.EYELauncher;

public class EOTS_poc1 {
    public static void main(String[] args) {
        // Same parameters the tampered JNLP file would hand to the launcher
        String arguments[] = {"--user=aaa", "--host=aaa", "--httpProtocol=file:///C:\\WINNT\\system32\\cmd.exe?"};
        EYELauncher.main(arguments);
    }
}
Unfortunately, I was not able to find a reliable way to trigger the exception, thus the exploitability of this finding is likely low. However, at least in my humble opinion, it is a nice demonstration of one-click code execution.
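The root cause described above is a JNLP generator that copies request parameters into the file verbatim. The following Python model is an added example, not code from the post or from the Eye of the Storm product: build_jnlp_unchecked reproduces that pattern, build_jnlp_validated shows the server-side fix (allowlisted parameter names, a scheme-only httpProtocol, a tight character set, XML escaping on output), and audit_jnlp is a check a defender can run over JNLP files as served. The flag layout ("--name=value;") and the encoded query come from the request in the post; the accepted parameter set, the assumption that httpProtocol is a bare scheme name, the codebase host and the benign request are constructed for illustration.

```python
import re
import urllib.parse
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Query string from the post (line breaks from the page rejoined); it decodes to
# --user=aaa;--host=aaa;--httpProtocol=file:///C:\\WINNT\\system32\\cmd.exe?
POSTED_QUERY = ("%2d%2d%75%73%65%72%3d%61%61%61%3b%2d%2d%68%6f%73%74%3d%61%61%61%3b"
                "%2d%2d%68%74%74%70%50%72%6f%74%6f%63%6f%6c%3d%66%69%6c%65%3a%2f%2f"
                "%2f%43%3a%5c%5c%57%49%4e%4e%54%5c%5c%73%79%73%74%65%6d%33%32%5c%5c"
                "%63%6d%64%2e%65%78%65%3f")
# Constructed benign request for comparison.
BENIGN_QUERY = "--user=alice;--host=eos01;--httpProtocol=https"

# Assumptions of this example: the launcher accepts exactly these flags and
# httpProtocol is a bare scheme name the client later expands into a URL.
ALLOWED_PARAMS = {"user", "host", "httpProtocol"}
ALLOWED_SCHEMES = {"http", "https"}
TOKEN_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")
FLAG_RE = re.compile(r"^--([A-Za-z]+)=(.*)$", re.S)
CODEBASE = "http://eos.example.invalid/EOS/"  # placeholder host
MAIN_CLASS = "com.entuity.eos.client.startup.EYELauncher"


def split_flags(query):
    """URL-decode the query and split it into (name, value) pairs.
    The '--name=value;' layout mirrors the request shown in the post."""
    pairs = []
    for token in filter(None, urllib.parse.unquote(query).split(";")):
        m = FLAG_RE.match(token)
        if not m:
            raise ValueError(f"malformed flag: {token!r}")
        pairs.append((m.group(1), m.group(2)))
    return pairs


def _wrap(argument_xml):
    """Minimal JNLP skeleton around the <argument> elements."""
    return (f'<jnlp spec="1.0+" codebase="{CODEBASE}">'
            f'<application-desc main-class="{MAIN_CLASS}">'
            f"{argument_xml}</application-desc></jnlp>")


def build_jnlp_unchecked(query):
    """The flawed pattern: whatever the client sent is copied into <argument>
    elements, so a crafted httpProtocol value reaches EYELauncher.main()."""
    args = "".join(f"<argument>--{n}={v}</argument>" for n, v in split_flags(query))
    return _wrap(args)


def validate_flag(name, value):
    """Reject parameters the launcher does not define, httpProtocol values
    other than http/https, and values outside a tight character allowlist."""
    if name not in ALLOWED_PARAMS:
        raise ValueError(f"unexpected parameter {name!r}")
    if name == "httpProtocol":
        if value not in ALLOWED_SCHEMES:
            raise ValueError(f"httpProtocol must be one of {sorted(ALLOWED_SCHEMES)}")
    elif not TOKEN_RE.match(value):
        raise ValueError(f"illegal characters in {name}={value!r}")


def build_jnlp_validated(query):
    """Hardened generator: validate every flag, then XML-escape on output."""
    pairs = split_flags(query)
    for name, value in pairs:
        validate_flag(name, value)
    args = "".join(f"<argument>{escape(f'--{n}={v}')}</argument>" for n, v in pairs)
    return _wrap(args)


def audit_jnlp(jnlp_text):
    """Defender-side check on a JNLP file as served: return the <argument>
    texts whose value carries a non-http(s) URL scheme or falls outside TOKEN_RE."""
    findings = []
    for arg in ET.fromstring(jnlp_text).iter("argument"):
        text = arg.text or ""
        m = FLAG_RE.match(text)
        value = m.group(2) if m else text
        scheme = urllib.parse.urlsplit(value).scheme
        if (scheme and scheme not in ALLOWED_SCHEMES) or not TOKEN_RE.match(value):
            findings.append(text)
    return findings


if __name__ == "__main__":
    print("unchecked generator, posted query:",
          audit_jnlp(build_jnlp_unchecked(POSTED_QUERY)))
    print("validated generator, benign query:", build_jnlp_validated(BENIGN_QUERY))
    try:
        build_jnlp_validated(POSTED_QUERY)
    except ValueError as exc:
        print("validated generator, posted query rejected:", exc)
```

Running it shows the unchecked generator emitting the file:// argument untouched, which audit_jnlp flags, while the validated generator refuses the same request before any JNLP is produced. The audit function is deliberately independent of the generator so it can be pointed at JNLP files fetched from an existing deployment.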

In addition to the usual stuff (XSS, ActiveX exploits and so on), let's not forget about Java Web Start as well.

Thursday, April 2, 2009

IT Underground and TomcatZOO

Finally, it is my turn! I really enjoy the idea of sharing my thoughts here.

Since NibbleSec is a multi-author blog, I'm not going to bore you with low-level stuff - Snagg is just enough!

For fun (and profit) I'm usually involved in web application pentests and lately in Java security. It is fun, and these days it is usually the easiest way to get a shell.

I'm just back from IT Underground Prague, where I gave a speech about Apache Tomcat security and TomcatZOO, one of the first NibbleSec projects. While waiting for the release of the tool, you may enjoy the presentation.

Ikki