BLOG

20 October 2017

Frida Engage Part One | Building an ELF Parser with Frida

Introduction

In this blog series we will be covering the endless possibilities and power of Frida. For those of you who have never heard of Frida, it is a dynamic instrumentation toolkit that allows you to inject JavaScript or your own libraries into native apps across multiple platforms. Frida is commonly used for hooking and manipulating functions. If you search the internet for tutorials on Frida, you will find many resources on how to use Frida’s Interceptor API, which gives you the ability to ‘intercept’ target function calls. In this series I would like to explore beyond just hooking functions, and into all of the crazy and cool things you can do when the control of a process is at your fingertips.

06 June 2017

Being a Benevolent Dictator with Admin Rights

Introduction

Imagine this scenario: You are a systems engineer. You are tasked with managing user and group access controls. Your company’s two-person NOC team has admin rights to perform triage work. Eventually, you discover that your company is compromised and has been for an unknown length of time. Forensic analysis identifies that one of the NOC admin accounts was used to create a rogue domain admin account. The attackers have admin rights over the domain and have been running rampant.

22 Sep 2015

Medical Record Retention Across States (HIPAA / HITECH)

Introduction

The retention of medical records is, unfortunately, not a cut-and-dried sentence highlighted in the opening paragraph of HIPAA. There are several factors to consider when determining what documents need to be stored and for how long. It is important to realize that HIPAA makes no firm assertion as to medical records retention, leaving the long-term storage of medical records to state and other federal laws. These laws vary from state to state, and federal laws vary based on the type of medical record.

16 Sep 2015

Command Injection in the WD My Cloud NAS

Introduction

The Western Digital My Cloud ("Personal Cloud Storage"), or WD My Cloud for short, is a consumer NAS product. The idea behind this device is for a household, team, or small organization to have full and complete control over their data in a private cloud environment without having to trust their data storage to multi-tenanted services hosted by other companies. Their data can be accessed from a desktop behind a private LAN or from a smartphone located on the other side of the world. Given frequent news stories of major hacks, database leaks, and the exposure of private information, personal NAS devices are ideal solutions for many looking for more privacy.

16 Jun 2015

Anti-Nausea Medicine for LastPass, Password Management FUD

I woke up this morning with a severe case of 140-character malaise all over my Twitter feed. It all centered around LastPass, password managers, and the usual InfoSec hatorade that comes free with the purchase of a CISSP (not a ding to the cert, more to the certified). After tearing my morning cloak in two and wailing in a cloud of incense, I evaluated my post-rage options and elected to write this blog.

08 May 2015

SSL/TLS Security 2015 - A Simplified, Quick Guide

Intro

Much of the following may be common knowledge to most, but many in IT and beyond misuse the term 'SSL', so a refresher can’t hurt.

27 Apr 2015

Into The Jar | jsonpickle Exploitation

Overview

Python’s pickle module is its primary mechanism for the serialization and deserialization of Python object structures. This module has also been the target of exploitation when it is used insecurely, by loading malicious ‘pickle’ streams and reconstructing objects from them. The dangers are so prevalent, in fact, that the pickle documentation explicitly states that it is not intended to be secure against erroneous or maliciously constructed data.

26 Apr 2015

Assessing Emerging JavaScript Platforms - What to Look For

Overview

Node.js is known as one of the most important emerging technologies. It is an event-driven, open source runtime for creating server-side applications. It is a highly customizable server engine that is popular amongst JavaScript coders for creating real-time web APIs. It runs an event loop and responds to requests as they arrive.

17 Apr 2015

Android Titan SMS Trojan Analysis Part One

Analysis

As the title states, this Android malware utilizes Trojan functionality in order to steal SMS messages and exfiltrate them off of the target user's device. It attempts to mask itself as a "SmartCard Service" installed on the device, but is hardly such. The bulk of Titan's code is implemented natively, with method declarations within the Android components:

06 Apr 2015

Security Metrics Rehab - Part I

In this two-part security governance series, we'll take a look at the broader picture of security metrics and how to derive them from security activities. The drug-like fervor around their discovery and cultivation across security and compliance groups has led nowhere fast, largely due to the same causal factors: InfoSec groups being unable to associate operational impact with technical and process-related {flaws|vulnerabilities|control gaps|weaknesses}. This has created a fog of ineptness in which many groups in the Fortune 500 stand today. This first part aims to level-set on how metrics should be applied in InfoSec and what frameworks to leverage in order to subsequently define a suite of security activities that produce performance indicators that matter.

25 Mar 2015

Android Infostealer - Godwon - Analysis

Analysis

From the description on contagio mobile, this piece of malware is used by an online criminal group for 'sextortion'. Honestly, I had never heard of this term before, but apparently it is a form of sexual exploitation that employs non-physical forms of coercion to extort sexual favors from the victim (Wikipedia).

25 Mar 2015

Multiple Vulnerabilities in Mercury Browser for Android Version 2.2.2 & 3.0.0

Insecure Intent URL Implementation

An insecure implementation of the intent URL scheme revolves around the Intent.parseUri() method, which allows you to create an intent from a URI. The first thing we did when reversing the Mercury Browser was search for that specific method within the target packages.

23 Mar 2015

Android Emulator Detection

Overview

I wanted to explore all the ways that an Android application or malware could go about detecting whether or not it was being run in an emulator. After some research (Google), I found that there were two common ways that one could go about accomplishing this programmatically. This post will explore each of these techniques as implemented in a Proof-of-Concept application, and their detection through reverse engineering. My setup for this experiment was running the application on top of Genymotion, which leverages VirtualBox to create Android virtual machines.

01 Feb 2015

Baidu Browser for Android | Vulnerable Handling of Intent URL Scheme

Overview

The VerSprite Research & Development Team discovered that the Baidu Browser for Android insecurely handles the intent URL scheme, allowing attackers to arbitrarily read local files. This vulnerability was discovered in VerSprite's effort to explore systemic vulnerability patterns in browsers for Android offered on the Google Play Store. The vulnerability is leveraged with minimal user interaction by targeting specific Baidu Browser components. This vulnerability was discovered in version 4.5.0.6.

23 Oct 2014

iOS Reverse Engineering Part Two - Debugging and Tracing with LLDB

Overview

In our previous post - http://versprite.com/og/ios-reverse-engineering-part-one-configuring-lldb/ - we learned how to configure and set up debugserver and LLDB on your iOS device. In this post we will demonstrate how to use LLDB to perform basic debugging and message tracing.

05 Oct 2014

iOS Reverse Engineering Part One - Configuring LLDB

Overview

This is the first part in a series where we will show you how to configure an environment and learn the basics for reverse engineering iOS applications. In this series we are using a jailbroken iPhone 4, running iOS 7.1.2.

15 Aug 2014

Experiments with json-io, Serialization, Mass Assignment, and General Java Object Wizardry

Overview

So before I even begin, I want to immediately lay out that this is purely experimental research, and that conceptually it was hard to build a working abuse case around the ideas I will be presenting. It was also difficult for me to find real-world examples representing any of the issues around the technologies and designs I think are potentially relevant. That being said, this is the beauty of research and using it to lay a foundation of forward thinking to address the possibilities of new problems.

05 Aug 2014

Liffy v.1.2

Overview

Liffy v.1.2 is out with built-in web serving functionality for all techniques using staged approaches for payload delivery. Check it out!

16 Jul 2014

Quick and Dirty Web Services Testing with Suds and Burp Suite

Overview

This is a really simple example of using the Python Suds library to consume and inspect SOAP web services, with integration into Burp Suite. I decided once upon a time that I didn't think SoapUI was efficient for what I needed when it came to testing web services and getting that data into Burp Suite, so I began searching for a simple Python library that could help me out. I will caveat that statement with this: I always enjoy trying to write my own implementation of things; even if they aren't the best, it helps with my overall objective -> Learning!

07 Jul 2014

LFI Exploitation with Liffy

Exploiting LFIs with Liffy's Data Technique

27 Jun 2014

Unsafe Application State Restoration (iOS)

Overview

So what does Unsafe Application State Restoration actually mean? Despite the fancy title, it essentially means that a mobile application saves the state of a view location that is only presented to an authenticated user, or that contains sensitive data. In the event of the application being unexpectedly terminated, the state is restored and loaded back into the UI without first validating or re-authenticating the current user.

19 Jun 2014

Liffy v1.1 Release

Overview

Since releasing the first version of Liffy I have had the pleasure of working with Dan 'unicornFurnace' Crowley on bug fixes and feature enhancements for the tool. We have made some serious progress in the last month or so, and to Dan's credit, he really helped round out the tool with existing LFI exploitation techniques and overall code quality.

28 Mar 2014

Exploiting XML Serialization in Python

Overview

Lately I have been really interested in XML serialization vulnerabilities. There has already been some eye-opening research into the vulnerabilities that exist within Java implementations.

25 Mar 2014

Force Feeding Enterprise Security Failures

Metaphorically speaking, force-feeding security solutions translates to the industry's persistent push of the latest security products and solutions down the throat of the enterprise. Continuing with this metaphor, a company becomes unable to properly digest the newly adopted solution into their overall security program. Ironically, this usually takes place on the heels of a fairly new security process or technology that has been recently adopted.
