HackDefense Publications.
Here we gather our ramblings on IT security — things that we think may be of interest.
Vulnerabilities in controller of refrigeration equipment
In this blogpost Stan Plasmeijer and Jony Schats describe the vulnerabilities discovered in the AK-EM100 controller. This blogpost won’t include a proof of concept of the attacks, since there are still devices connected to the internet and the vulnerabilities discussed are of high risk. The AK-EM100 is a physical device that provides a web-based graphical user interface for a store, allowing a range of daily users to monitor data, alarms and reports regarding all of their refrigeration equipment, either locally or remotely.
ASR rules keep attackers out
A possible first step for a cybercriminal is to gain access to a user’s workstation or laptop. Cybercriminals use various attack vectors to do so. To reduce the chances of a successful attack, Microsoft introduced Attack Surface Reduction (ASR) rules. These rules improve the security of a system, making it harder for an attacker to gain access.
Is the local administrator’s password reused in your environment?
The Windows operating system includes by default an administrator account for management purposes whose password is the same in many environments on multiple systems.
The importance of SMB signing
When testing Windows environments, we regularly see the encrypted password of a user with high privileges being sent across the network. In combination with systems where SMB signing is disabled, an attacker or malicious person can, by performing an NTLM relay attack, increase their privileges within the network. Depending on the network environment, an attacker may be able to increase privileges to the highest level.
Log4J and the power of egress filtering
What is missing in much of the advice about how to remediate or mitigate the Log4J vulnerability Log4Shell (CVE-2021-44228) is firewalling. If you apply proper filtering on outgoing traffic, your problem becomes a lot less urgent.
What is XXE (XML eXternal Entity) injection?
A lot of modern web applications still use XML for transportation and storage of data. In 1996 the World Wide Web Consortium (W3C) created this standard and to this day, it is used for a wide variety of implementations. XML has many features that developers are not always familiar with, offering hackers an opportunity for abuse.
Birdwatching
I’ve been looking into the MySQL authentication protocol for my thesis. In this research I looked into the implementation used in OpenCanary. This is a honeypot written in Python, created by Thinkst. During testing I noticed a small difference in the error returned by MySQL and by OpenCanary, which made me curious.
How hackers guess passwords, and how to stop them
A first step any hacker has to take in an attack on a company network is to get access to a regular user account. Sadly, we often see that this is not very difficult due to the insecure use of passwords in customer networks. We even see bad passwords on administrative and service accounts. In short: organisations — all of them — struggle with the use and management of passwords. What can be done?
Compilers can remove your integer overflow check
Wei Liu (刘炜) of Tencent Security Xuanwu Lab discovered an interesting issue in libexif: the code checked for an integer overflow when handling a field in EXIF files, but that check was silently removed by the compiler.
Password? See “Description”.
System administrators frequently store passwords for non-personal accounts in the Description field of the account. Very convenient — other administrators will be able to use this account too. However, this field is readable by all users by default in Active Directory.
CVE-2019-18346 Cross-Site Request Forgery (CSRF) vulnerability in DAViCal CalDAV Server
At HackDefense, we were evaluating various calendaring solutions, and during installation and configuration of DAViCal we discovered three (severe) vulnerabilities. We reported these vulnerabilities to the vendor. Unfortunately, the DAViCal project itself was not able to fix these vulnerabilities. As DAViCal is an open source project we decided to contribute patches for these vulnerabilities ourselves. DAViCal has accepted our patches in the 1.1.9.2 release. If you use DAViCal as a calendaring server, we recommend upgrading to version 1.1.9.2 immediately to remediate the issues we’ve discovered.
CVE-2019-18345 Reflected Cross-Site Scripting (XSS) vulnerability in DAViCal CalDAV Server
At HackDefense, we were evaluating various calendaring solutions, and during installation and configuration of DAViCal we discovered three (severe) vulnerabilities. We reported these vulnerabilities to the vendor. Unfortunately, the DAViCal project itself was not able to fix these vulnerabilities. As DAViCal is an open source project we decided to contribute patches for these vulnerabilities ourselves. DAViCal has accepted our patches in the 1.1.9.2 release. If you use DAViCal as a calendaring server, we recommend upgrading to version 1.1.9.2 immediately to remediate the issues we’ve discovered.
CVE-2019-18347 Persistent Cross-Site Scripting (XSS) vulnerability in DAViCal CalDAV Server
At HackDefense, we were evaluating various calendaring solutions, and during installation and configuration of DAViCal we discovered three (severe) vulnerabilities. We reported these vulnerabilities to the vendor. Unfortunately, the DAViCal project itself was not able to fix these vulnerabilities. As DAViCal is an open source project we decided to contribute patches for these vulnerabilities ourselves. DAViCal has accepted our patches in the 1.1.9.2 release. If you use DAViCal as a calendaring server, we recommend upgrading to version 1.1.9.2 immediately to remediate the issues we’ve discovered.
Microsoft ends support for Windows 7 and Server 2008. And now?
In January 2020, official security support for Windows 7 and Windows Server 2008 will end. This poses major security risks. Therefore, make the switch to Windows 10 and Windows Server 2019 now.
Configuring SSL/TLS with strong cryptography
Most vulnerability scans and pentests produce many findings related to SSL (TLS), because cryptography is complex and the requirements change quickly. But how do you set up your server so that at least no outdated versions or weak encryption are in use? And what is a reasonable compromise, so that you don’t lose visitors with slightly older browsers?
Remote Code Execution in Apache UNO API
During his research on the potential use of DCOM for lateral movement in Windows networks, our very talented intern Axel Boesenach discovered that the Apache UNO API (used by both OpenOffice and LibreOffice in so-called ‘office server’ mode) allows anyone to send it system commands, without any form of authentication, and it will execute the command with the rights of the user running OpenOffice or LibreOffice in ‘office server’ mode.
Finding RCE capabilities in the Apache UNO API
During my internship at HackDefense I researched lateral movement techniques using the Distributed Component Object Model (DCOM), the built-in system to call software over the network from one Windows system to another. During my research I was looking at the Apache LibreOffice project to see if they had any DCOM functionalities implemented. What I found was not a DCOM functionality but an API with functionalities to remotely execute code.
DCOMrade — Automating the enumeration of DCOM applications
A research project into lateral movement techniques using the Distributed Component Object Model (DCOM), the built-in system to call software over the network from one Windows system to another. Part of this project was creating a script to enumerate DCOM objects that can be abused for lateral movement.
SSH hardening on LTS systems
Recently we came across some Linux systems still supported by Long Term Support (LTS) but running a weak Secure Shell (SSH) server configuration. By further digging into this matter, we discovered that this is the default setup for these systems. In this blog we’ll show you how you can harden the SSH daemon running on these systems.
CSP – The how and why of a Content Security Policy
Recently we’ve recommended to more and more of our customers that they set up a Content Security Policy alongside the usual security headers. In this blog we dive deeper into that topic: where does this new standard originate from? Why would you like to use one? How do you set one up? And how does CSP relate to other, similar standards?
#EFail — the security industry and the importance of nuance
Today, details were rushed out regarding two serious vulnerabilities that might enable a determined attacker to decrypt users’ encrypted e‑mails. Not just current ones, but older e‑mails too. Doesn’t that sound alarming?
Information disclosure vulnerability in Apache Tomcat
On a pentest for a client we discovered a way to obtain information about a web application’s internal structure from the network. We reported the issue to the vendor and a fix was released. The following security advisory details the vulnerability and how to resolve it.
Crowd Control?
For the celebration of Leids Ontzet, the police deployed, among other measures, a special app to keep the crowds in the city under control. The public was asked to install the app on their smartphone and to give the app access to location data. It appears that the same app was used for Koningsdag, the Gay Pride in Amsterdam and the Vierdaagse in Nijmegen; the app still contains traces of the last of these. QCSec tested the privacy and security of the app and found remarkable results. Third parties can easily ‘read along’ with the communication between the app and the police, and can even manipulate the messages that are sent to the public. Privacy is not guaranteed, and dangerous situations can arise if someone were to abuse this.