Just Another Security/Programming Blog: 2014

Monday, 10 November 2014

`dpkg' format string vulnerability. CVE-2014-8625

A few days ago, I found a strange/stupid vulnerability in dpkg.

Dpkg is the package manager for Debian-based operating systems, such as Ubuntu.
It handles .deb files.

When creating a dpkg package (a .deb file), a 'control file' must be made. This includes information about the package, such as its name, description, maintainer(s), and version.

That control file is used to display the information before the package is installed.

I found that in the "Architecture" part of the control file, you could put formatting strings, such as %s, %d, etc., and it would output the stack pointer.

For my control file, I have this:

Package: backup
Architecture: %08x.%08x.%08x.%08x.%08x\n
Description: Stuff
maintainer: Joshua Rogers
Version: 1

When building the package, I receive this warning:

dpkg-deb: warning: parsing file 'folder//DEBIAN/control' near line 2 package 'backup:01485120.00415cf8.00000001.00000001.0000001c\n':
Description: Stuff

01485120.00415cf8 are the stack pointers
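The bug class behind that warning, as an added example that is not dpkg's own code: a printf-style warning helper (its name and shape are assumed here) called with a message that already contains the untrusted Architecture value, beside the corrected call that passes the value through a %s conversion, plus an input check a packaging tool can apply.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for a printf-style warning helper (assumed name, not dpkg's).
 * It formats into a caller-supplied buffer so the result can be checked. */
static void warning(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
}

/* VULNERABLE pattern: the message is assembled first, then the finished text,
 * which now contains the untrusted Architecture value, is passed as the format
 * string. A field such as "%08x.%08x" is then interpreted and reads arguments
 * that were never supplied (undefined behaviour): the stack values above. */
void warn_arch_vulnerable(char *out, size_t outsz,
                          const char *pkg, const char *arch)
{
    char msg[256];
    snprintf(msg, sizeof msg, "package '%s:%s'", pkg, arch);
    warning(out, outsz, msg);   /* data used as format: the bug */
}

/* FIXED pattern: the field value only ever fills a %s conversion, so any
 * '%' it contains is copied literally. */
void warn_arch_fixed(char *out, size_t outsz,
                     const char *pkg, const char *arch)
{
    warning(out, outsz, "package '%s:%s'", pkg, arch);
}

/* Extra input check: Architecture values are architecture names, so a '%'
 * is never legitimate. Returns 1 if clean, 0 if the value should be rejected. */
int arch_field_is_clean(const char *arch)
{
    return strchr(arch, '%') == NULL;
}

int main(void)
{
    char out[256];
    /* constructed input mirroring the control file in the post */
    const char *arch = "%08x.%08x.%08x.%08x.%08x\\n";
    warn_arch_fixed(out, sizeof out, "backup", arch);
    printf("%s\n", out);   /* the field is printed literally */
    return 0;
}
```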

Saturday, 27 September 2014

Having fun with passwords in Ubuntu RE: intruders/police/etc.

In movies, TV shows, and comics, the idea of a "trap passcode", "secondary password", "fake password", "kill-switch password", etc. comes up every now and then: a bad guy (or a good guy) is provided with a passcode to something, only to find out that the passcode is set up purely for intruders.
Whether it wipes the whole system, or a strange gas comes out of the console to concuss the person typing it, the idea is always the same.

In the real world, it's hard to do this sort of thing without it being detected. One method is to act on incorrect password attempts through PAM. This is what I'll be detailing in this blog post.

To set this up correctly, it needs to work in a way that after the script has run, it removes itself, and any traces of its actions.
If, say, you're in a corrupt/fascist country such as Australia, the police can apply for a 3LA order, which requires you to hand over your computer passwords, encryption keys, and anything they feel would help them with their investigation, or you can be charged with a crime for which the maximum prison term is 2 years. -- This includes SSH keys to foreign servers.

If you're a political activist, access to your sensitive data is 100% unacceptable.
Arguably, forcing somebody to hand over encryption keys is undemocratic, and is comparable to the acts of the Stasi.

Tuesday, 5 August 2014

Paypal Complete 2-Factor Authentication(2FA) Bypass Exploit.

Update: It has been patched on the 12th of August. "Surprise?"

[Revision; 6th of August, 2014]
To make it clear: The Paypal account you were 'hacking' did NOT have to be affiliated with the eBay account you were using. In my original tests, I had made a new eBay account using a temporary email, and had gotten into my Paypal through the same method.

It works even without an eBay account, actually.



This blog is an excerpt from my blog entry, "Paypal's 2-Factor Authentication(2FA): The Good, The Bad, And The Ugly", in which I detail the use[fulness] of Paypal's 2Factor system.

On the 5th of June, 2014, I found a complete bypass for Paypal's 2FA service, in which anybody would be able to access a Paypal account that has 2FA setup, by only logging in through a "special" Paypal page.

Saturday, 5 July 2014

PTV; The police, and the aftermath.

For backstory regarding the PTV story, the following articles should be read:

(Sydney Morning Herald) Schoolboy hacks Public Transport Victoria website - PTV #1
(Wired) Teen Reported to Police After Finding Security Hole in Website - PTV #2
(ABC) Melbourne schoolboy exposes security flaw in Public Transport Victoria's website - PTV #3

This blog entry is more a "diary" of what happened after the story broke.

Originally, I found the bug on the 26th of December, 2013, at around 2AM.
I reported the bug at around 3AM to around 30 company emails.

On the 6th of January, 2014, the original reporter (Adam Carey) was contacted by PTV, and was told that PTV had contacted the police (it was assumed that, if he didn't publish the story, they wouldn't contact the police; but this is unknown).

On the 7th of January, 2014, the story was run in The Age(Fairfax) newspaper.

On Thursday, the 8th of May, 2014, at 8:15AM, 6-8 fully armed police officers showed up at my place of residence (my house). Three of them were e-crime.

A warrant was served to me, and two e-crime officers went into my room and started to catalogue my electronic belongings, and then seal them for evidence.

Two of the other (non e-crime) officers sat me down, and started asking me general questions, such as how I was, etc. I commented to them how I had been warned around a week earlier that a search warrant may have been approved by the court, and would subsequently be executed (I have a contact). They were definitely stunned, but we didn't speak of it other than that.

Friday, 27 June 2014

Paypal's 2-Factor-Authentication(2FA): The Good, The Bad, And The Ugly. (Incl. full 2FA bypass without security questions)


Paypal, like many other services, offers 2-Factor-Authentication in an attempt to strengthen the security of users' accounts. As noted on Paypal's website, "The security key gives you an extra layer of security when you log in to your PayPal account. It creates random security codes to use along with your regular username and password."

Paypal provides two ways of using this service: through a one-time code sent as an SMS to your mobile phone, or through a physical, credit-card-sized code generator. (Or optionally, a VeriSign ID Protection key, which you can set up on your phone for free here.)

An example of Paypal's security-card

Paypal's implementation of 2FA has been heavily scrutinized[1] again[2] and again[3] due to the apparent lack of security surrounding it. They allow security questions to be used to bypass the blockade of not having access to your 2FA device, and sometimes even when you do have access to your device, the code just doesn't work.

In this article, I'll be detailing "The good, the bad, and the ugly" of Paypal's 2FA programme. This includes what works, how it works, how it doesn't work, and security implications (full disclosure: there is/was a complete bypass for the 2FA without security questions.)

Personally, I use the SMS version of Paypal's 2FA, thus I can only directly comment on that. Nonetheless, I'll reference a few articles in regard to their credit-card-sized number generator, and the VeriSign key generator.

Tuesday, 10 June 2014

Securing Ubuntu-Desktop From the Bad-Guys, and the Good-Guys.

Securing your Ubuntu Desktop OS from intruders

Recently I have become interested in securing my laptop from predators such as hackers, thieves, and law enforcement.
To do this, I've explored various programs to run; and how to run them, without interrupting usability by the average user.

In this blog post we'll be running through attack vectors that one could use to gain access to your unencrypted data.

Before starting, the following must be known:

1. The author of this article is currently running Ubuntu 14.04 LTS (Trusty), and all commands and patches work on it for the author. The author accepts no liability when it comes to these commands/patches being run by other users; this is purely informational.
2. It is assumed Full-Disk-Encryption is being used.
3. It is assumed your $HOME directory is encrypted using ecryptfs, with filenames encrypted. This can be checked using the command 'ecryptfs-verify -h -e'.
4. It is assumed you do not have the evil program called Java, or any of its counterparts like IcedTea, etc. installed.

When you're told to run the program 'Nano', you can use vim, vi, emacs, etc. Nano is purely the text editor that I use. To exit out of Nano, you press control-x.

Monday, 26 May 2014

Facebook "Skype-to-Email" leak [$3,000 Bounty]

Facebook Bug Bounty



In the middle of January of 2014, I submitted a bug to Facebook through its bug bounty program.

The bug was effectively a Skype account email disclosure. You would find somebody's Skype name, add them on Skype (they didn't have to accept you), and then log in to Facebook with your Skype.

Here's a look at how it worked exactly:

In Facebook's "Find Friends" feature, you can log in to your Yahoo, Outlook, Skype, and other accounts to add people into your contacts list on Facebook (and then in turn add them, I guess).

The feature in question

By logging in to your Skype account on the feature, and pressing "Find Friends", you were taken to the next page.

Sunday, 25 May 2014

SQL Injection on eBay.com.au subdomain / eBay.de, eBay.fr subdomains


Whilst looking for some bugs in ebay.com and ebay.com.au, I came across the domain http://3.ebay.com.au/. It appears to be a domain for phone users on the old "Three" phone carrier/network, but I'm unsure. Three was bought out by Vodafone a while ago.

The website is exactly the same as http://imode.ebay.de/, http://imode.ebay.fr/, etc.
The database itself was most likely part of http://ebay.com/, too.

On the third tab of the page, there's a link to the 'Categories' section. -- Anybody who has ever used eBay before would understand what this is: a list of categories in which you can view items to buy (or, in this case, go into a sub-category).

Instinctively, I saw that there were a few $_GET parameters being used, so I just put a simple apostrophe at the end of the first parameter, "emv_CatParent".
To my amazement, it came back with a half-completed page. -- Pretty much the poster child of a blind SQL injection.