maandag 2 juni 2014

Heartbleed, Cupid and Wireless

This is basically the same attack as heartbleed, based on a malicious heartbeat packet. Like the original attack which happens on regular TLS connections over TCP, both clients and servers can be exploited and memory can be read off processes on both ends of the connection.
The difference in this scenario is that the TLS connection is being made over EAP, which is an authentication framework/mechanism used in Wireless networks. It’s also used in other situations, including wired networks that use 802.1x Network Authentication and peer to peer connections.

The vulnerability is triggered before a valid password needs to be presented. Sometimes in order to exploit a vulnerable server you must present a valid username (not password), as the specific EAP mechanism may request a valid username/realm to redirect the user to the proper authentication server.  But this can be easily sniffed off the air when a regular user tries to connect.

Bron en meer info: SysValue

dinsdag 8 april 2014

Ernstig lek gevonden in OpenSSL

Er is een ernstig lek aangetroffen in OpenSSL. De advisory van OpenSSL raadt gebruikers aan zo snel mogelijk te upgraden naar OpenSSL 1.0.1g.

De Heartbleed Bug is een ernstige kwetsbaarheid in het populaire OpenSSL. De kwetsbaarheid zorgt ervoor dat de gegevens die onder normale omstandigheden beschermd worden door de SSL/TLS encryptie laag gecompromitteerd kunnen worden. Communicatie via SSL/TLS biedt beveiliging en privacy voor toepassingen zoals web, e-mail, instant messaging (IM) en virtual private networks (VPN).

Door de Heartbleed bug kan iedereen 64k van het geheugen lezen van de systemen die de kwetsbare versies van de OpenSSL software gebruiken. Hierdoor kunnen aanvallers de communicatie afluisteren en gegevens stelen.

Codenomicon heeft de kwetsbaarheid op haar eigen systemen getest en kwam er achter dat misbruik mogelijk was zonder sporen achter te laten. Ze konden zonder sporen achter te laten en zonder enige voorkennis de geheime sleutels die gebruikt worden voor hun X.509-certificaten, gebruikersnamen en wachtwoorden, instant messages, e-mails en bedrijfskritische documenten en communicatie stelen.

Het uitgebreide verslag lees je op


maandag 17 maart 2014

Samsung Galaxy Back-door

This page contains a technical description of the back-door found in Samsung Galaxy devices.
For a general description of the issue, please refer to the statement published on the Free Software Foundation's website.

This back-door is present in most proprietary Android systems running on the affected Samsung Galaxy devices, including the ones that are shipped with the devices. However, when Replicant is installed on the device, this back-door is not effective: Replicant does not cooperate with back-doors.

Samsung Galaxy devices running proprietary Android versions come with a back-door that provides remote access to the data stored on the device.
In particular, the proprietary software that is in charge of handling the communications with the modem, using the Samsung IPC protocol, implements a class of requests known as RFS commands, that allows the modem to perform remote I/O operations on the phone's storage. As the modem is running proprietary software, it is likely that it offers over-the-air remote control, that could then be used to issue the incriminated RFS messages and access the phone's file system.

Known affected devices

The following table shows which devices are known to contain this back-door as part of the software they ship with.
Please contact us if you know about some other device that could be concerned by this back-door or have more information on one of the listed devices!

Device    Incriminated program running as root    SELinux enabled    libsamsung-ipc support    Replicant support
Nexus S (I902x)     No     Possible with Android 4.2 and later     Yes     Yes
Galaxy S (I9000)     Yes     ?     Yes     Yes
Galaxy S 2 (I9100)     No     ?     Yes     Yes
Galaxy Note (N7000)     No     ?     Yes     Yes
Galaxy Nexus (I9250)     No     Possible with Android 4.2 and later     Yes     Yes
Galaxy Tab 2 7.0 (P31xx)     No     ?     Yes     Yes
Galaxy Tab 2 10.1 (P51xx)     No     ?     Yes     Yes
Galaxy S 3 (I9300)     No     ?     Yes     Yes
Galaxy Note 2 (N7100)     No     ?     Yes     Yes
While we don't have any absolute certainty regarding other Samsung Galaxy devices, it is likely that any other such device in its 3G flavor is affected by the back-door as well, as it probably uses the Samsung IPC protocol with the same proprietary user-space implementation.

Back-door sample
In order to investigate the back-door and check what it actually lets the modem do, some code was added to the modem kernel driver to make it craft and inject requests using the incriminated messages and check its results.

The following patch: 0001-modem_if-Inject-and-intercept-RFS-I-O-messages-to-pe.patch (to apply to the SMDK4412 Replicant 4.2 kernel) implements a sample use of the back-door that will:
open the /data/radio/test file
read its content
close the file
This demonstrates that the incriminated software will execute these operations upon modem request. Note that the software implementation appends /efs/root/ to the provided path, but it's fairly simple to escape that path and request any file on the file system (using ../../). Note that the files are opened with the incriminated software's user permissions, which may be root on some devices. On other cases, its runs as an unprivileged user that can still access the user's personal data (/sdcard). Finally, some devices may implement SELinux, which considerably restricts the scope of possible files that the modem can access, including the user's personal data (/sdcard/).

The following sample was obtained on a Galaxy Note 2 (N7100) running CyanogenMod 10.1.3.

Sample file
The sample file used for this demonstration (/data/radio/test) is filled with "Hello World!":

root@android:/ # hexdump -C /data/radio/test
00000000  48 65 6c 6c 6f 20 57 6f  72 6c 64 21 0a           |Hello World!.|
Kernel log
<3>[   62.712637] c0 mif: rx_iodev_skb: rx_iodev_skb: Dropping RFS frame
<3>[   62.712808] c0 mif: rfs_craft_start: rfs_craft_start: Crafting open
<3>[   62.712966] c0 mif: rfs_craft_start: rfs_craft_start: Adding SKB to queue
<3>[   62.713122] c0 mif: rx_iodev_skb: rx_iodev_skb: Dropping RFS frame
<3>[   62.744690] c0 mif: misc_write: misc_write: Intercepted RFS response
<3>[   62.744867] c0 mif: rfs_craft_write: rfs_craft_write: Open response: fd=21, errno=0
<3>[   62.745116] c0 mif: rfs_craft_write: rfs_craft_write: Adding SKB to queue
<3>[   62.792888] c0 mif: misc_write: misc_write: Intercepted RFS response
<3>[   62.793026] c0 mif: rfs_craft_write: rfs_craft_write: Read response: 12 bytes read
<3>[   62.793154] c0 mif: mif_print_data: 0000: 48 65 6c 6c  6f 20 57 6f  72 6c 64 21 
<3>[   62.793284] c0 mif: rfs_craft_write: rfs_craft_write: Adding SKB to queue
<3>[   62.796168] c0 mif: misc_write: misc_write: Intercepted RFS response
<3>[   62.796269] c0 mif: rfs_craft_write: rfs_craft_write: Rx RFS message with command 0x6 and size 14
<3>[   62.796422] c0 mif: mif_print_data: 0000: 00 00 00 00  00 00 00 00 
The relevant part is the response to the read request:

<3>[   62.793026] c0 mif: rfs_craft_write: rfs_craft_write: Read response: 12 bytes read
<3>[   62.793154] c0 mif: mif_print_data: 0000: 48 65 6c 6c  6f 20 57 6f  72 6c 64 21 

which matches the content of the /data/radio/test file, hence making it obvious that the incriminated software implements the back-door.
Incriminated software log
E/RIL     ( 1927): processRFS: received standalone RFS frame. len 35
E/RIL     ( 1927): ipc_recv_rfs()
E/RIL     ( 1927): get_wakelock: 1. on 1, ril_WakeLock_Mask 0
E/RIL     ( 1927): get_wakelock: 2. on 1, ril_WakeLock_Mask 1
E/RIL     ( 1927): RxRFS_OpenFile:
E/RIL     ( 1927): RxRFS_OpenFile: open file "/efs/root/../../data/radio/test" flag O_RDWR (0x00000002)
E/RIL     ( 1927): check dir '/efs/root/../../data/radio'
E/RIL     ( 1927): A directory already exists.
E/RIL     ( 1927): RxRFS_OpenFile: length 14
E/RIL     ( 1927): TxRFS_CfrmOpenFile()
E/RIL     ( 1927): TxRFS_CfrmOpenFile(): length 14
E/RIL     ( 1927): IPC_send_singleRfsIPC: fd 16 sendto 14 bytes rfs_hdr =6
E/RIL     ( 1927): get_wakelock: 1. on 0, ril_WakeLock_Mask 1
E/RIL     ( 1927): get_wakelock: 2. on 0, ril_WakeLock_Mask 0
E/RIL     ( 1927): set_wakelock: secril_rfs-interface 0
E/RIL     ( 1927): set_wakelock: secril_fmt-interface 1
E/RIL     ( 1927): processIPC: Single IPC plen 23, pkt 23
E/RIL     ( 1927): processRFS: received standalone RFS frame. len 14
E/RIL     ( 1927): ipc_recv_rfs()
E/RIL     ( 1927): get_wakelock: 1. on 1, ril_WakeLock_Mask 0
E/RIL     ( 1927): get_wakelock: 2. on 1, ril_WakeLock_Mask 1
E/RIL     ( 1927): RxRFS_ReadFile:
E/RIL     ( 1927): RxRFS_ReadFile: length 4110
E/RIL     ( 1927): TxRFS_CfrmReadFile()
E/RIL     ( 1927): TxRFS_CfrmReadFile(): length 4110
E/RIL     ( 1927): IPC_send_singleRfsIPC: fd 16 sendto 4110 bytes rfs_hdr =6
E/RIL     ( 1927): processRFS: received standalone RFS frame. len 10
E/RIL     ( 1927): get_wakelock: 1. on 0, ril_WakeLock_Mask 1
E/RIL     ( 1927): get_wakelock: 2. on 0, ril_WakeLock_Mask 0
E/RIL     ( 1927): set_wakelock: secril_rfs-interface 0
E/RIL     ( 1927): [EVT]:Req(0), RX(0)
E/RIL     ( 1927): ipc_recv_rfs()
E/RIL     ( 1927): get_wakelock: 1. on 1, ril_WakeLock_Mask 0
E/RIL     ( 1927): get_wakelock: 2. on 1, ril_WakeLock_Mask 1
E/RIL     ( 1927): RxRFS_CloseFile:
E/RIL     ( 1927): RxRFS_CloseFile: length 14
E/RIL     ( 1927): TxRFS_CfrmCloseFile()
E/RIL     ( 1927): TxRFS_CfrmCloseFile(): length 14
E/RIL     ( 1927): IPC_send_singleRfsIPC: fd 16 sendto 14 bytes rfs_hdr =6

The following analysis was conducted using the binary file (the incriminated proprietary software) as extracted from the CyanogenMod 10.1.3 system zip for the Galaxy S 3 (I9300), from location system/lib/

The developers involved in the present analysis did not ever agree to any sort of End User License Agreement that explicitly prohibited the reverse engineering and decompiling operations of the incriminated binary. The reverse engineering operations that led to these findings originally took place during the development of Samsung-RIL, the free software replacement for the incriminated program. Hence, we believe these operations were conducted for the sole purpose of interoperability and not with the intent of creating a competing product. As the involved developers were based in Europe, we believe the legality of these operations is granted by article 6 of the 1991 EU Computer Programs Directive.

As a first approach, using the strings tool against the incriminated program reveals numerous suspicious command names that appear to be Samsung IPC protocol definitions:

The names of these commands make it obvious that they let the modem perform I/O operations.

The strings utility also reveals matching function names that seem to implement the handling of these commands:


Taking a closer look at these functions, using the objdump decompiler, reveals that they are actually called from the ipc_recv_rfs function, itself called from process_ipc_notify_message, which appears to handle the received messages from the modem. Hence we can deduct that the incriminated functions are actually called upon modem request.

Taking a closer look at one of these functions, e.g. RxRFS_ReadFile reveals multiple calls to the Procedure Linkage Table (PLT). Hence we believe these calls are linked functions from the libc library, especially I/O-related functions such as (in a general manner) open, close, read, write, etc.

Samsung IPC RFS messages
The following table associates each Samsung IPC RFS message with its hexadecimal command value:

Message    Hexadecimal command value

The incriminated RFS messages of the Samsung IPC protocol were not found to have any particular legitimacy nor relevant use-case. However, it is possible that these were added for legitimate purposes, without the intent of doing harm by providing a back-door. Nevertheless, the result is the same and it allows the modem to access the phone's storage.

However, some RFS messages of the Samsung IPC protocol are legitimate (IPC_RFS_NV_READ_ITEM and IPC_RFS_NV_WRITE_ITEM) as they target a very precise file, known as the modem's NV data. There should be no particular security concern about these as both the proprietary implementation and its free software replacement strictly limit actions to that particular file.

Areas of work Some work could be done in order to handle that back-door:
Samsung-RIL could show a message alerting the user when the back-door is being used, including the requested path and asking the user to save logs and contact us.
Alternatively, the kernel could block the incriminated RFS requests and keep a trace of them in the logs for the record. That option would work for CyanogenMod, where the incriminated proprietary blob is still used.

Our free software replacement for the incriminated binary is Samsung-RIL which relies on libsamsung-ipc: both are used in Replicant.

The affected devices have modems that use the Samsung IPC protocol, mostly Intel XMM6160 and Intel XMM6260 modems. Note that despite this back-door, the devices using these modems are most likely to have good modem isolation, compared to other devices using Qualcomm platforms. Bear in mind that this back-door is implemented in software and can easily be removed by installing a free replacement for the incriminated software, for instance by installing Replicant. Hence, we don't consider the incriminated devices to be inherently bad targets because of this back-door.

Bron: Redmine

dinsdag 14 januari 2014

Researcher describes ease to detect, derail and exploit NSA's Lawful Interception

Summary: Infamous security researcher Felix "FX" Lindner exposed Lawful Interception surveillance systems as easy to detect, derail, and maliciously exploit in his recent talk at hacking conference 30c3.

While headlines from European hacking conference 30c3 featured speakers vying for U.S. National Security Agency revelation sensationalism, one notorious hacker delivered an explosive talk that dismantled one thing the NSA, law enforcement, and global intelligence agencies depend on: "Lawful Interception" systems.

And German researcher Felix "FX" Lindner did exactly that, in what was stealthily 30c3's most controversial bombshell of the conference.

In a talk titled CounterStrike: Lawful Interception, Lindner explained to a standing-room-only theater of 3,000 hackers how easy it is to find out if you're under legally imposed surveillance, detailing how easily a user can jam the shoddy legacy systems running Lawful Interception (LI).

In explaining how LI works, Lindner revealed the shocking lack of accountability in its implementation and the "perverted incentive situation of all parties involved" that makes it easy to perform interception of communications without any record left behind.

In all, the hacker known for the default password list and Huawei's router backdoors told the world that he's confident the bug-ridden, copy/pasted systems are being used for data acquisition by intelligence services.

LI interfaces, he explained, are the same ones used for bulk collection in the NSA surveillance scandal.

After delivering the CounterStrike talk, Lindner told ZDNet: "I'm convinced that any serious actor, especially nation state or terrorist organizations, is already well aware of the limitations of LI and perfectly capable of circumventing it anytime they want."

He added: "They might use the increased attack surface to actually turn LI against the router itself."
"On the other hand, the current design makes it fairly easy for agencies to establish a tap without going through the official channels, so a change in the architecture is probably not in their interest."
LI it turns out, is based on years and years of legacy code.

It is also based on critically bad decisions — like Cisco's LI router configuration guideline that requires both the router and the mediation device used in LI to be registered in the Domain Name System (DNS).

In an exclusive interview with ZDNet, Lindner said his talk CounterStrike was "meant for network engineers as well as management of service provider companies," with the eye of, "hop[ing] of striking a chord with policy makers."

Bron: zdnet