This is my wrap-up for the second day of Troopers15. Before the review of the talks, a few words about the conference. The venue is really nice, as are the facilities: good WiFi coverage (IPv4/IPv6) and even a dedicated GSM network! “Troopers” SIM cards were available for free at the reception desk. Besides the classic activities, a charity auction was also organized to help organizations realize projects around the Internet, like installing a satellite link in a refugee camp.
This is my first Troopers conference. I had already heard a lot of positive comments about this event but had never attended it. As I’ll start a new job position soon, I had the opportunity to take some days off to travel to Heidelberg in Germany. The conference is split across two days and three tracks: “attack & research”, “defence & management” and a special one dedicated to the security of SAP. Honestly, I’m not working with SAP environments so I decided not to follow the last track. The core organizer, Enno Rey, made a funny introduction speech and gave some numbers about the 2015 edition: 73 speakers, 160 people from the industry and 51 students (fresh blood). A key message for the conference is to not see speakers as super-stars. Don’t be afraid to talk to them and share!
[This blogpost has also been published as a guest diary on isc.sans.org]
Writing documentation is a pain for most of us but… mandatory! Pentesters and auditors don’t like to write their reports once the fun stuff has been completed. It is the same for developers. Writing code and developing new products is fun but good documentation is often missing. By documentation, I mean “network” documentation. Why?
CMS or “Content Management Systems” have become very common in the last few years. Popular CMS are WordPress, Drupal or Joomla. You can rent some space at a hosting provider for a few bucks or even find free hosting platforms. You can deploy them in a few minutes on your own server. Then, you just have to focus on the content: no need to learn CSS/HTML!
For me, modern CMS have a common point with cars: their owners like to customize them. “Car tuning” is very popular: it is the modification of the performance or appearance of a vehicle. Millions of people like to modify their cars, and there is a huge business driven by car tuning.
We can make a rough comparison between cars and CMS. Your CMS can also be tuned. Most CMS offer a way to extend the features or the look’n’feel via plugins (or add-ons or extensions – whatever you name them). Some examples of common plugins:
- Link with social networks
- Forms & polls managements
- Reservation systems
- Statistics and reporting
I won’t discuss the look-n-feel of websites. Some plugins can completely revamp a website, and tastes and colours are not always the same. But let’s focus on security. Car engine performance can be modified by adding or reprogramming chips. It’s easy and cheap to gain some horsepower but this could have a huge safety impact. Want an example? Brakes or suspensions are designed to stop, and keep on the road, a car with a set of known specifications (weight, power), but if you change one parameter, this could have a big impact on your safety and that of your passengers. A Ferrari and a Renault Megane don’t have the same brakes. It’s exactly the same with CMS plugins: they can alter your CMS security.
While most CMS source code is regularly audited and well maintained, it’s not the same for their plugins. By definition, a plugin is a piece of code that adds a specific feature to an existing application. Keep in mind: by using plugins, you change the way the original software behaves. And not all plugins are developed by skilled developers or with security in mind. Today, most vulnerabilities reported in CMS environments are due to… plugins! Here are some tips to increase your CMS security.
- Only install plugins that you really need.
- Some plugins can be configured. Always review the default settings and adapt them to your environment and security requirements.
- If you decide not to use a plugin, disable and uninstall it completely.
- Do NOT rely on a plugin’s popularity. It’s not because it is used by many webmasters that it is safe! On the contrary, it may be a nice target to compromise more sites.
- Like any piece of software, update them.
- Take a deep breath and jump into the code for a quick code review (any backdoor installed?).
Also, keep in mind that installed plugins can be listed by scanners and crawlers. WordPress has a hardening guide with good recommendations.
A 0-day vulnerability was posted on Full-Disclosure this morning. It affects the MongoDB GUI phpMoAdmin. The GUI is similar to the well-known phpMyAdmin and allows the DB administrator to perform maintenance tasks on MongoDB databases with the help of a nice web interface. The vulnerability is critical because it allows remote code execution without authentication. All details are available in this Full-Disclosure post.
I had an interesting discussion with a friend this morning. He explained that, when he is conducting a pentest, he sometimes does not hesitate to add to his report a specific finding regarding the lack of attention given to the previous reports. If some companies are motivated by good intentions and ask for regular pentests against their infrastructure or a specific application, what if they don’t even seem to read the report and take it into account to improve their security level? What if the same security issues are discovered during the next tests? This does not motivate the pentester and costs a lot of money for nothing.
The idea of the “evil” CVE came up during our chat. What about a specific CVE number to report the issue of not reading previous reports? As defined by Wikipedia, the “Common Vulnerabilities and Exposures” (CVE) system provides a reference method for publicly known information-security vulnerabilities and exposures. And a vulnerability can be defined as a weakness in a product or infrastructure that could allow an attacker to compromise the integrity, availability or confidentiality of that product or infrastructure.
Based on this definition, not reading the previous pentest report and not taking the appropriate corrective actions it lists is a new vulnerability! A good pentest report should contain vulnerabilities and mitigations to remove (or reduce) the associated risks. It is stupid not to read the report and apply the mitigations, even more so when some of them are quickly (and sometimes cheaply) implemented. Think about the evil CVE-666-666 while writing your future reports! Note that the goal is not to blame the customer (who also pays you!) but to educate him.
Tonight the first Belgium OWASP chapter meeting of the year 2015 was organized in Leuven. Alongside the SecAppDev event, also organised in Belgium last week, many nice speakers were present in Belgium. It was a good opportunity to ask them to present a talk at a chapter meeting. As usual, Seba opened the event and reviewed the latest OWASP Belgium news before giving the floor to the speakers.
As a pentester, I’m always trying to find new tools to improve my toolbox. A few weeks ago, I received my copy of Dr Philip Polstra’s book: “Hacking and Penetration Testing with Low Power Devices” (ISBN: 978-0-12-800751-8). I had a very interesting chat with Phil during the last BruCON edition and I was impressed by his “lunch box“. That’s why I decided to buy his book.
Is “swf” the new “wtf“? What’s happening with the Flash player? Adobe’s multimedia platform has been targeted by multiple 0-days since the beginning of 2015! Just have a look at cvedetails.com. Two days ago, security researchers at TrendMicro found another one. It is identified as CVE-2015-0313.
Tired of the multiple patches released by Adobe and the impact of deploying them, many security people are brainstorming about a potential removal of the popular browser plugin from their computers (and their users’ computers). Is it a good idea? While more and more websites are offering alternative interfaces via HTML5 (like Youtube), there are still a lot of websites which won’t work without Flash support. In my case, a good example is Deezer, which uses .swf files for its players!
To protect ourselves, why not build a whitelist of trusted Flash files? Here is a quick setup via Squid, the open source proxy. Squid has very powerful features and, amongst them, it offers a powerful ACL (“Access Control List“) system. Basic ACLs can be used to filter domain names, IP addresses or ports, but there are very interesting ACL types like:
- url_regex – which matches on full URLs
- urlpath_regex – which matches on URL paths (without the protocol – http[s]:// – and hostname/IP)
Regular expressions can be given inline or in flat files (one element per line). Let’s define two new ACLs:
acl FlashBlacklist urlpath_regex -i \.swf
acl FlashWhitelist urlpath_regex "/etc/squid3/allowed-swf.txt"
The first one will match the string “.swf” (case-insensitive) in the URL path and the second one will match any regex from the file “/etc/squid3/allowed-swf.txt“. The file looks like this:
/embedded/small-widget-v2.swf
/swf/coreplayer3-v00341125.swf
/swf/singlePlayer-v10.swf
This example matches the Flash files used by the Deezer player. The next step is to apply the ACLs:
http_access allow FlashWhitelist
http_access deny FlashBlacklist
Take care to insert them at the right place within your existing ACLs! Here is the result in the Squid log file:
# grep swf /var/log/squid3/access.log
1423084706.664 0 192.168.254.200 TCP_DENIED/403 3889 GET http://taggalaxy.de/taggalaxy_beta.swf - NONE/- text/html
1423084748.191 0 192.168.254.200 TCP_DENIED/403 3969 GET http://s0.2mdn.net/3070333/beco111_Day_Trip_Promo_Fr_300x250.swf - NONE/- text/html
1423084775.988 8 192.168.254.200 TCP_HIT/200 58684 GET http://cdn-files.deezer.com/swf/coreplayer3-v00341125.swf - NONE/- application/x-shockwave-flash
Note that Squid can also block traffic based on the MIME type of objects, but the detected type is not always correct (see the 2nd line). Now, it’s up to you to catch the denied accesses with your preferred log management tool.
Working with a whitelist is not the most convenient way to allow access to trusted files but it is the most secure. By default, any .swf file will be blocked. Last remark: this is just a quick countermeasure; it must not prevent you from patching your systems!
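As an added example (not code from the original post), here is a small Python parser for Squid’s native access.log format that does the “catch the denied access” part: it counts the blocked .swf requests per client and site, lists the Flash objects actually served, and flags served objects whose logged content type is not Flash. The sample log is the three lines from the post plus one constructed line; the field layout assumed in SQUID_RE is Squid’s default native log format.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Squid native access.log layout:
# time elapsed client action/status bytes method url ident hierarchy/peer mime
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<action>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>\S+)\s+(?P<mime>\S+)$"
)
FLASH_MIME = "application/x-shockwave-flash"

# Three lines from the post above plus one constructed line (example.com).
SAMPLE_LOG = """\
1423084706.664 0 192.168.254.200 TCP_DENIED/403 3889 GET http://taggalaxy.de/taggalaxy_beta.swf - NONE/- text/html
1423084748.191 0 192.168.254.200 TCP_DENIED/403 3969 GET http://s0.2mdn.net/3070333/beco111_Day_Trip_Promo_Fr_300x250.swf - NONE/- text/html
1423084775.988 8 192.168.254.200 TCP_HIT/200 58684 GET http://cdn-files.deezer.com/swf/coreplayer3-v00341125.swf - NONE/- application/x-shockwave-flash
1423084790.123 12 192.168.254.201 TCP_MISS/200 1024 GET http://example.com/odd/player.swf - DIRECT/93.184.216.34 text/plain
""".splitlines()

def parse_line(line):
    """Return the log fields as a dict, or None for a line that is not a Squid record."""
    m = SQUID_RE.match(line.strip())
    return m.groupdict() if m else None

def is_swf(url):
    """Same test as the FlashBlacklist ACL: the URL path ends in .swf (case-insensitive)."""
    return urlsplit(url).path.lower().endswith(".swf")

def summarize(lines):
    """Return (denied, served, mime_mismatch) for the .swf requests in a Squid log."""
    denied = Counter()      # (client, site) -> number of blocked .swf requests
    served = []             # (client, url) for .swf objects that were allowed
    mime_mismatch = []      # served .swf objects whose reply type was not Flash
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_swf(rec["url"]):
            continue
        site = urlsplit(rec["url"]).hostname
        if rec["action"].startswith("TCP_DENIED"):
            # The logged type of a denied request is that of Squid's 403 page, so ignore it.
            denied[(rec["client"], site)] += 1
        else:
            served.append((rec["client"], rec["url"]))
            if rec["mime"] != FLASH_MIME:
                mime_mismatch.append(rec["url"])
    return denied, served, mime_mismatch

if __name__ == "__main__":
    blocked, ok, odd = summarize(SAMPLE_LOG)
    for (client, site), n in blocked.most_common():
        print(f"DENIED  {client} -> {site}: {n}")
    for client, url in ok:
        print(f"SERVED  {client} -> {url}")
    for url in odd:
        print(f"MIME?   {url}")
```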
[This blogpost has also been published as a guest diary on isc.sans.org]
Our houses and offices are more and more infested by electronic devices embedding a real computer with an operating system and storage. They are connected to network resources for remote management, statistics or data polling. This is called the “Internet of Things” or “IoT“. My home network is hardened: any new (unknown) device connected to it receives an IP address from a specific range which has no connectivity with other hosts or the Internet, but its packets are logged. The goal is to detect suspicious activity like data leaks or unexpected firmware updates. The last toy I bought yesterday is a Smart Plug from Supra-Electronics. This device allows you to control a power plug via your mobile device and calculate the energy consumption with nice stats. I had a very good opportunity to buy one for a very low price (25€). Let’s see what’s inside…