Friday, 20 April 2018

Hacking 101: Detect Safe Browsing (DSB)



We will analyze this commercial product, which is widely used by banks in Colombia, the United States, Japan and Brazil and which offers security solutions to more than 70 million users.

"Easy Solutions" is the name of the vendor of this new and useful user-protection product. Everything sounds great, including the speech of its president, Ricardo Villadiego:

"As fraud schemes grow in sophistication, organizations must look for ways to apply data analysis to fraud detection and response strategies"

All of this sounds very nice on paper; let's analyze the product and see what is true and what is not.

The company has never had a bug bounty program, which is odd considering we are talking about the banking security industry.

We will start with the Davivienda hybrid banking app, a Colombian banking application that implements this product.

Google Play: Davivienda Móvil

The application is developed by the company "Todo1" (in English its name would be something like "All1"), a Colombian company that handles a large share of banking application development in Colombia:


The tools we will use to analyze this banking application:


Tutorials used by the industry:


To extract the source code from the APK we will use JADX.

Version details:

android:versionCode="4039"
android:versionName="3.8.1"
platformBuildVersionCode="26"
platformBuildVersionName="8.0.0"
package="com.todo1.davivienda.mobileapp"

Checking its code, we found the following libraries implemented:

com.newrelic.agent.android


net.easysol.dsb


org.apache.cordova


Among many others, but we will focus on these.

Reading the AndroidManifest.xml file we find the following:


We can see that the protection is oriented around the "CONNECTIVITY_CHANGE", "PACKAGE_INSTALL", "PACKAGE_ADDED", "USER_PRESENT" and "BROWSABLE" actions. At first sight it seems to be an effective and very secure protection; we will analyze it.
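When reviewing an app like this, the first thing a defender wants from the manifest is an inventory of which components listen for which actions and whether anyone can reach them. The following Python script is an added example written for this page (it is not code from the post, from Todo1 or from Easy Solutions): it parses a constructed AndroidManifest.xml that declares the same kinds of receivers and the BROWSABLE activity named above, resolves component names, applies the rule that a component with an intent-filter is exported unless android:exported="false" is set, and lists exported receivers and services that no permission guards. The package name and component names in the sample are invented.

```python
import xml.etree.ElementTree as ET

# Android attributes live in this namespace inside AndroidManifest.xml.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest for this example; not the real app's manifest.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bankapp">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="bankapp"/>
      </intent-filter>
    </activity>
    <receiver android:name=".NetReceiver">
      <intent-filter>
        <action android:name="android.net.conn.CONNECTIVITY_CHANGE"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".PackageReceiver" android:exported="false">
      <intent-filter>
        <action android:name="android.intent.action.PACKAGE_ADDED"/>
        <action android:name="android.intent.action.PACKAGE_INSTALL"/>
        <data android:scheme="package"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".UnlockReceiver" android:permission="com.example.PERM">
      <intent-filter>
        <action android:name="android.intent.action.USER_PRESENT"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an android:<name> attribute, or None if it is absent."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def _resolve(package, name):
    """Expand the short forms Android allows for android:name (".Foo", "Foo")."""
    if name.startswith("."):
        return package + name
    if "." not in name:
        return package + "." + name
    return name


def inventory(manifest_xml):
    """One record per activity/receiver/service: actions, categories,
    guarding permission and the effective exported state."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    records = []
    for comp in root.find("application"):
        if comp.tag not in ("activity", "receiver", "service"):
            continue
        filters = comp.findall("intent-filter")
        exported_attr = _attr(comp, "exported")
        if exported_attr is None:
            # No explicit android:exported: a component that declares an
            # intent-filter is exported by default (the pre-API-31 rule).
            exported = bool(filters)
        else:
            exported = exported_attr == "true"
        records.append({
            "kind": comp.tag,
            "name": _resolve(package, _attr(comp, "name")),
            "actions": [_attr(a, "name") for f in filters for a in f.findall("action")],
            "categories": [_attr(c, "name") for f in filters for c in f.findall("category")],
            "permission": _attr(comp, "permission"),
            "exported": exported,
        })
    return records


def unguarded_entry_points(records):
    """Exported receivers/services reachable by any app without a permission.
    Each one needs review unless its action is a system-protected broadcast."""
    return [r["name"] for r in records
            if r["kind"] in ("receiver", "service")
            and r["exported"] and r["permission"] is None]


if __name__ == "__main__":
    for rec in inventory(SAMPLE_MANIFEST):
        print(rec["kind"], rec["name"], rec["actions"], "exported=%s" % rec["exported"])
    print("review:", unguarded_entry_points(SAMPLE_MANIFEST and inventory(SAMPLE_MANIFEST)))
```

Run it on the manifest JADX extracts instead of the embedded sample by reading the file into inventory(). The output is the list the rest of the analysis works from: which broadcasts the library reacts to and which of those entry points are guarded only by the fact that the action is (or is not) a protected system broadcast.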

android.intent.action.USER_PRESENT

User Presence and Screen State

When a user locks a device (that is, presses the power button to turn off the device), the current Activity receives a call to onPause(), signifying that it has lost focus. Similarly, the Activity receives a call to onResume() when it regains focus after the lock screen is disabled. Normally, applications don’t need additional information, but what if you have a Service that needs to be notified every time the user unlocks the device or when the screen goes on or off? Luckily, there are broadcasts for these events as well, as shown in the following code block.



android.net.conn.CONNECTIVITY_CHANGE


android.intent.category.BROWSABLE & android.intent.action.PACKAGE_ADDED & android.intent.action.PACKAGE_INSTALL


Why should you not use hybrid applications in banking applications?

It is very simple: all of them work with a WebView, even Apache Cordova. This type of application is very insecure because it allows arbitrary code injection into the WebView, which lets an attacker clone private data, bank accounts and passwords; if you are loading local files (JavaScript) you will have zero protection against code injection.

We have always been against this type of application, but the industry has a fascination with it. The industry's arguments are countless, but the bottom line is that it is highly insecure: no matter how much code you write to protect it, a WebView allows JavaScript to be injected arbitrarily, and that is excessively dangerous in a banking application. It is not a question of whether they can do it; they will do it, and there is nothing you can do to stop them or to protect your customers or your business.

Why should you have a development team highly qualified in security systems and software attacks?

It is not enough to read the SDK, or to trust blindly in the sandbox that Android has implemented as a protection measure for applications. It is not enough to read some papers and books, have certifications, read tutorials from the Infosec Institute, OWASP and CERT, or cut and paste StackOverflow or GitHub code: such code is usually insecure and can be hacked without modifying the binary files (APK). If you make architectural errors you will pay dearly; criminals will always find a way to break your security, so you will always have to be one step ahead of them, and cutting and pasting code is not a good practice.

Let's go back to the code: how the attacks work and how they are done.

Apache Cordova: hacking the WebView:


This test should be launched by means of an APK code injection, using the LeakVM tool. This will show us how easy it is for an attacker to run an XSS in any application that uses Apache Cordova technology; it can also be modified to attack other types of hybrid applications and launch more complex and advanced attacks.

Easy Solutions: hacking Detect Safe Browsing (DSB):

We begin by analyzing the class "com.todo1.davivienda.mobileapp.ApplicationContext":

The class starts by executing the "onCreate()" method, which in turn calls the "OverlappingProtection()" method, which is responsible for initializing the "DSB" security system.

The system is initialized by passing a "Context" as an argument:


The class "net.easysol.dsb.DSB" is a singleton and is the main entry point to the security library:


SharedPreferences:


A key and value are stored in SharedPreferences; this file is stored as plain text at the path "/data/data/com.todo1.davivienda.mobileapp/shared_prefs/dsb_preferences.xml", with access permissions "660" and the same UID/GID as the application.

The content of the file is as follows:


In theory it should be secure, because it is not visible to the world ("Context.MODE_PRIVATE"), but in reality criminals easily obtain root permissions (UID/GID 0) and hide malware for months without being detected, so modifying the file is no problem for them.

We also found an unprotected SQLite database at the path "/data/data/com.todo1.davivienda.mobileapp/databases/DSB_SDK_EASYSOL.db", with the same permissions as the file "dsb_preferences.xml", which can likewise be tampered with by any attacker.
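Two practical checks follow from the storage findings above: whether the file mode really does keep "other" out (660 does; 664 or 666 would not), and whether the app could at least notice that its plain-text preferences were edited under it. The Python below is an added example for this page, not code from the post or from the DSB library: it parses a constructed shared_prefs XML in the format Android writes (the real dsb_preferences.xml contents are not shown in the post), tests a mode value for world access, and seals the parsed preferences with an HMAC whose key is assumed to be held in the hardware-backed Android Keystore rather than next to the file. The key bytes and preference keys in the sample are invented.

```python
import hashlib
import hmac
import json
import stat
import xml.etree.ElementTree as ET

# Constructed sample in the shared_prefs/*.xml format Android writes.
# Keys and values are invented for this example.
SAMPLE_PREFS_XML = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="last_update">2018-04-01</string>
    <boolean name="updated" value="true" />
    <int name="rules_version" value="7" />
    <string name="rules_url">https://updates.example.invalid/rules.json</string>
</map>
"""


def parse_shared_prefs(xml_text):
    """Parse an Android SharedPreferences XML file into a dict of typed values."""
    prefs = {}
    for elem in ET.fromstring(xml_text):
        name = elem.get("name")
        if elem.tag == "string":
            prefs[name] = elem.text or ""
        elif elem.tag == "boolean":
            prefs[name] = elem.get("value") == "true"
        elif elem.tag in ("int", "long"):
            prefs[name] = int(elem.get("value"))
        elif elem.tag == "float":
            prefs[name] = float(elem.get("value"))
        elif elem.tag == "set":
            prefs[name] = sorted(item.text or "" for item in elem)
    return prefs


def others_can_access(mode):
    """True if a POSIX mode grants read, write or execute to 'other' (the world).
    The app-private 660 reported in the post returns False; 664 or 666 return True."""
    return bool(mode & (stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH))


def seal(prefs, key):
    """HMAC-SHA256 over a canonical JSON encoding of the preferences.
    Assumption: 'key' comes from the Android Keystore, never from the same
    directory as the file; here it is simply passed in as bytes."""
    canonical = json.dumps(prefs, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify(xml_text, key, expected_seal):
    """Re-parse the on-disk file and compare its seal in constant time."""
    return hmac.compare_digest(seal(parse_shared_prefs(xml_text), key), expected_seal)


if __name__ == "__main__":
    key = b"constructed-test-key"          # invented; stands in for a Keystore-held key
    prefs = parse_shared_prefs(SAMPLE_PREFS_XML)
    tag = seal(prefs, key)
    print("mode 660 world-accessible:", others_can_access(0o660))
    print("seal verifies on untouched file:", verify(SAMPLE_PREFS_XML, key, tag))
    edited = SAMPLE_PREFS_XML.replace('value="true"', 'value="false"')
    print("seal verifies after editing 'updated':", verify(edited, key, tag))
```

The seal changes what an attacker with root has to do from "edit an XML file" to "also obtain the Keystore key or patch the process that verifies it"; it is not a substitute for keeping the detection rules authoritative on the server side, and, as the post argues, a hooked process can still skip the verify() call. The same seal-and-verify pattern applies unchanged to rows exported from the SQLite database.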

To view the SQLite database we will use the DBeaver tool.

Detecting Root:

Programmers generally believe that an effective way to detect root is to check the "android.os.Build.TAGS" field, expecting "test-keys" on a modified ROM and "release-keys" on an original ROM, but this is not true: these values can be modified at run time. "android.os.Build.TAGS" is a "static final" field, so it should not be possible, but it is, and the modification can be loaded even before any application code starts, without leaving a single trace. Let's see an example:

The "Detect Safe Browsing" product also implements 3 other root detection methods, which are also incorrect:


Even if these 3 methods were correctly implemented, they could also be bypassed with a native hook on a pipe, something supremely simple for an attacker. This type of attack will be implemented in future versions of LeakVM for simple attack testing, along with advanced hooking methods.
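Because every client-side root check is, as the post says, a value an attacker controls, the useful reviewer task is to inventory which check families an app relies on and flag products that lean on a single one. The script below is an added example for this page, in Python, not code from the post, LeakVM or DSB: it scans decompiled Java (a constructed RootCheck class written for the example, not DSB's code) for the common root-detection idioms, including the Build.TAGS comparison discussed above, and reports the line and family of each. The pattern labels are our own.

```python
import re

# Root-detection idioms a reviewer inventories in decompiled source.
# (label, pattern, note) - labels are ours; the idioms are the well-known ones.
ROOT_CHECK_PATTERNS = [
    ("build-tags", re.compile(r'Build\.TAGS|"test-keys"|"release-keys"'),
     "compares android.os.Build.TAGS, a field the post shows can be replaced at run time"),
    ("su-path", re.compile(r'"/[^"]*/su"'),
     "probes a fixed filesystem path for the su binary"),
    ("superuser-apk", re.compile(r"Superuser\.apk|eu\.chainfire\.supersu|com\.koushikdutta\.superuser"),
     "looks for a known root-manager package or APK"),
    ("exec-su", re.compile(r'Runtime\.getRuntime\(\)\.exec\([^)]*"(?:su|which su|id)"'),
     "spawns a process and trusts its output"),
]

# Constructed sample of decompiled Java, written for this example (not DSB's code).
SAMPLE_JAVA = """\
public final class RootCheck {
    public static boolean a() {
        String tags = Build.TAGS;
        return tags != null && tags.contains("test-keys");
    }
    public static boolean b() {
        return new File("/system/xbin/su").exists() || new File("/system/bin/su").exists();
    }
    public static boolean c() {
        return new File("/system/app/Superuser.apk").exists();
    }
}
"""


def scan_root_checks(java_source):
    """Return (line_no, label, note) for every root-detection idiom found,
    at most once per pattern per line."""
    findings = []
    for line_no, line in enumerate(java_source.splitlines(), start=1):
        for label, pattern, note in ROOT_CHECK_PATTERNS:
            if pattern.search(line):
                findings.append((line_no, label, note))
    return findings


def summarize(findings):
    """Distinct check families present. One family means one signal to defeat;
    several independent families at least force an attacker to cover each."""
    return sorted({label for _, label, _ in findings})


if __name__ == "__main__":
    found = scan_root_checks(SAMPLE_JAVA)
    for line_no, label, note in found:
        print("line %d [%s]: %s" % (line_no, label, note))
    print("families:", summarize(found))
```

Point it at the JADX output directory (one call per .java file) to get the same inventory for a real app. The result is a list of assumptions the app makes about the device, which is the right framing: none of these checks is evidence of an unrooted device, and the server-side risk decisions should not treat a "not rooted" answer from the client as trustworthy.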

Truncating the update system:

This service is managed by the class "net.easysol.dsb.UpdateService". Because the commercial product "Detect Safe Browsing" has a very poor security architecture, it is very simple for any attacker to stop the update system. We will explain how it could be done; it would be enough for the attacker to do the following:

This code launches an "Intent" to stop the service if it is running in the background:


And this simulates that the service has already updated: if it were started again, it would not execute any update at all. They could even create a loop to check whether these values have been modified and execute both tasks again:


Once the update system is completely paralyzed, the real attack, or what we would call the "infiltration" of the app, begins.

As we have already seen, Easy Solutions is fanatical about the use of "SharedPreferences" and "poorly implemented encryption"; now the most absurd and one of the worst practices in the use of encryption begins.

We created a class called "com.xekri.hacking101.easy.solutions.dsb.Device" that generates the seed used in the encryption. This class allows arbitrary values to be used and also detects the values currently present on the device; the seed is generated with the methods "getFingerprint()" and "getDeviceFingerprintKey()". The class follows the "Proxy" design pattern, so it is very configurable.

We also created another class called "com.xekri.hacking101.easy.solutions.dsb.SecurePreferences", which uses the "Singleton" design pattern and allows us to arbitrarily decrypt data and break the "encryption and storage" used in the commercial "Detect Safe Browsing" product; it is also very configurable.

The code below gives access to the entire system of "secure" and "encrypted" properties:


Having full control over the update system and the encrypted properties of the commercial product "Detect Safe Browsing (DSB)", attackers can do absolutely whatever they want with the "protected" application through this library, without modifying the APK.

The entire system works through hashes, package names, paths and URLs for detecting malware, phishing and other attacks, and these values can easily be modified by any criminal or attacker. The errors made in the analyzed product are simply the result of inexperience in the security field; no one in their right mind would use such a "poorly implemented SharedPreferences" class in a product intended to protect the banking industry.

Test source code (with surprises): here

For the correct use of the LeakVM SDK read our documentation: here

Final recommendation:

For the safety of your company, your product and your customers, contact specialists and make sure of what you are buying; confirm whether the product is as solid and secure as it promises to be. Otherwise, we do not know how it could pass a penetration test, or how this library can protect anyone if it cannot protect itself.

This is excessively worrying; it affects many users and companies in several countries, including the United States. This was the original reason for creating LeakVM: so that the whole industry can have a realistic view of security and criminal attacks.

Happy Testing, LeakVM Team!!!


Monday, 5 March 2018

File Parser: OnBelay Flash/Disk Media Backup (CompuApps, Inc.)


This type of file has the header "33 00 00 00 43 4F 4D 50 55 41 50 50 53".

Usage: java -jar FMBParser.jar "/path/file.FMB"

Mount with: losetup -f -P /path/file.FMB.img

Wednesday, 17 January 2018

LeakVM: Research & Pentesting Framework for Android. Run security tests instantly.



Why LeakVM: LeakVM enables fast security testing on Android by skipping the time-consuming building of pen-testing laboratories; you can test on real devices or virtual devices. LeakVM makes researchers and pen-testers more productive since they can run tests in real time and with zero knowledge of malware development or attacks.

Our technology uses the same techniques used in criminal software, but in a controlled environment; you always have control over the SDK. Our product gives you a realistic view of real malware and real attacks.

 
Why Pentesting: With 2,000 million active devices, 90% of mobile users are vulnerable to exploit kits (software vulnerabilities); cyber crime damage costs are set to hit $6 trillion annually by 2021; mobile malware shows rapid growth in volume and sophistication; mobile security is a big data problem.

Unsecured devices and apps are the norm: in 2017 a new malware specimen emerged every 4.2 seconds. You need to reduce the threat surface.
 
Rewards:

Our platform is designed so that anyone can make money with us, without any kind of investment: by sharing your reseller link, each customer obtained brings you rewards. We currently have 3 payment methods: Western Union, wire transfer and PayPal. These rewards are received for life; you just share a link.

For first 100 customers: new client 20%, renewal 10%.
For next 900 clients: new client 15%, renewal 10%.
After reaching 1000 clients: new client 10%, renewal 5%.


Features:
  • Ptrace/ASLR/Yama Bypass
  • API for 3rd party projects
  • Linux common features
  • Dynamic library loading
  • SmartLock extraction
  • Private file extractor
  • KeyStore extraction
  • Advanced reflection
  • WebServices Engine
  • Privilege escalation
  • Core Observers
  • Library injection
  • OOP Bypass
  • Extensible
 
Support:
  • Android 4.4 to 6.0
  • Architectures Arm(32/64 bits), x86(32/64 bits), MIPS(32/64 bits)

Samples:


Social Media:
 


It has been a long time developing this platform, with delays, problems and bugs in the Android core, but now it is ready. We are packaging the product; in around two weeks we will be available on Google Play. Thanks for waiting.

Wednesday, 22 March 2017

Xtreme Tech LLC: An Offensive Security Startup


We are finally finishing our first commercial product, 'LeakVM', which will be published under our company 'Xtreme Tech'.

LeakVM enables fast security testing on Android by skipping the time-consuming building of pentest laboratories; you test on real devices and do not need to root your smartphone. LeakVM makes researchers and pentesters more productive since they can run tests in real time and in real environments.

Our technology uses the same techniques used in criminal software, but in a controlled environment; you always have control over the SDK. Our product gives you a realistic view of real malware and/or real attacks.

Current features:

  • Linux common features
  • Dynamic library loading
  • Native/VM library injection
  • Private file extractor
  • Privilege escalation
  • KeyStore extraction
  • Advanced reflection
  • Core Observers
  • Extensible

We are currently under development; in a short time LeakVM will be available to the public with a 10-day free trial. You can test our web interface and check our JavaDoc.

Follow us on: Twitter, LinkedIn, Facebook

Thursday, 22 December 2016

LeakVM: Is your team ready for us?


I have been working hard for a long time on related projects: code transformation, reflection, modifying, removing, overwriting, hooking, injecting, bypassing security, spy/crypto tech. Well, now I am very close to finishing my first commercial version of LeakVM; in the next weeks I will update the info about payment methods, documentation, code examples, SDK, etc.

Surely your team has a very important question: can everyone buy this? Yes, absolutely everyone. We are not HackTeam; we sell our tools with a good price in mind, a price everyone can pay. There are no rules; it's the real world, the free market. No matter that they try to ban my accounts, I will always find a way to trade this. We do not have stupid rules like in the US or EU; simply, our only rule is: can you pay for it?

LeakVM web interface

Is your team ready for us? LeakVM

Insecure Cordova Banking App


This time I am exposing: Davivienda Móvil, BANCO DAVIVIENDA S.A.

It has a number of serious security problems:

1-Insufficient Transport Layer Protection
2-Lack of Binary Protections
3-Insecure Local Storage
4-Broken Cryptography


This application allows cloning of credentials via VM injection attacks. The company responsible for developing the app was "Todo1"; we also detected an insecure library developed by "Easy Solutions".

Details: BANCO DAVIVIENDA S.A.

GitHub: ExposingIndustryMediocrity

Wednesday, 12 October 2016

The Untold Truth about Zeus Case



So many publications were made about the case; it went around the world, and still does.

A judge sentenced two hackers involved in the creation, maintenance, and marketing of the SpyEye financial botnet to a combined sentence of 24 years in prison, the US Department of Justice has announced today

Aleksandr Andreevich Panin, 27, from Russia, known online as Gribodemon and Harderman, received nine and a half years in prison, while his accomplice, Hamza Bendelladj, 27, from Algeria, known online as Bx1, got 15 years in jail.

The official documents say that:

The lawsuit names "John Does 1-39", who are described by their online monikers or "handles", many of which will be well known to anyone who has been researching Zeus:

JOHN DOES 1-39 D/B/A Slavik, Monstr, IOO, Nu11, nvidiag, zebra7753, lexa_Mef, gss, iceIX, Harderman, Gribodemon, Aqua, aquaSecond, it, percent, cp01, hct, xman, Pepsi, miami, miamibc, petr0vich, Mr. ICQ, Tank, tankist, Kusunagi, Noname, Lucky, Bashorg, Indep, Mask, Enx, Benny, Bentley, Denis Lubimov, MaDaGaSka, Vkontake, rfcid, parik, reronic, Daniel, bx1, Daniel Hamza, Danielbx1, jah, Jonni, jtk, Veggi Roma, D frank, duo, Admin2010, h4x0rdz, Donsft, mary.J555, susanneon, kainehabe, virus_e_2003, spaishp, sere.bro, muddem, mechan1zm, vlad.dimitrov, jheto2002, sector.exploits AND JabberZeus Crew CONTROLLING COMPUTER BOTNETS THEREBY INJURING PLAINTIFFS, AND THEIR CUSTOMERS AND MEMBERS.

All of the supporting legal documents can be found on the Microsoft-registered server: 
Summons.pdf

The Zeus malware also goes under the name Ice-IX and SpyEye. Microsoft said John Doe 1, who goes by the name Slavik, Monstr, IOO, and Nu11, is the creator. John Doe 2, aka zebra 7753, lexa_mef, gss, and iceIX, created a Zeus family member called Ice-IX, Microsoft said, and John Doe 3, aka Harderman and Gribodemon, created another family member called SpyEye, the complaint said.

John Doe 5, aka miami and miamibc, John Doe 9, aka Kusunagi, and John Doe 38, aka jheto2002, are other developers involved, writing "Web inject" code that gets the malware onto victims' computers, the complaint said. Some other defendants also were involved in developing the software.

John Doe 4, aka Aqua, aquaSecond, percent, cp01, and other aliases, recruits "money mules" whose job it is to travel to different countries to create bogus bank accounts into which victims' money is transferred. Several of the other John Does are these money mules. John Does 23 and 24, aka jtk and Veggi Roma, respectively, also recruited money mules, the lawsuit said.

My mistake was publishing a link to my PoC without source code on Hackforums; I no longer remember the post. This is the source code.

For years I searched for information about that, why, why, why, until we both found each other on LinkedIn: "Jorge Mieres", a researcher who knows all about Zeus. He told me that he had spent much time researching, and long after the lawsuit too. We talked for months; he explained that the research was done lightly, without a thorough analysis, without facts; they simply wrote it down on paper, and any damn profile fit. The investigation was not serious, just fishing in a jumbled barrel. He spoke with many people from Microsoft who thought the same, but everyone kept their mouths shut. Criminals protecting criminals, I always say: you do wrong things, you do not like to be "caught", especially if your company is "Microsoft" trying to "catch" banking trojan criminals.

At that time I was really desperate: months without a job, no freelance work, nothing; all people called me a criminal. That was the shit, and it continues today. In those times I "decided" to be "a criminal", and wrote a lot of shit on Pastebin, saying goodbye; Jasper Hamill wrote an article on Forbes, "A Hacker's Guide To Finding A Job".

In 2011 the source code of Zeus was published on GitHub, containing the server code.

In those days I tried to sue these guys for that, but all the lawyers in my country only talked about a lot of money to review my case, and more money to send it to court. Well, I continued with my life, doing more "PoC's", doing more reversing, checking apps, libs, APIs, a lot of things; it is a lot of bullshit in the head. In this time I met security people on LinkedIn (Kandy, Bob, Jorge, Hernan, Mayur, Dave, Remo, Marnix, Dhamu, and more) and Twitter (Disassembler, Claus, Odisseus, maldevel, and more); they always tried to give me ideas to get a job or make tools to sell, sharing posts, or this type of thing, really good people. While everyone called me a criminal, they always tried to help me.

But the top news never says they spoke lies about me; I was never part of a criminal network, yet all the idiots on the Internet believe "you are a criminal".

Some days ago this motherfucker came back again and sent an inbox message:

8 Oct, 21:57 Request: Please tell me a little bit about yourself. I remember your name from the Zeus botnet matter that I was involved with. I would appreciate learning a bit more about you. Thanks, Gabe.

That exploded in my mind; this guy has no shame. I am not "involved with"; you say more crap about me. But I remember the words of Kandy: "You are gifted, not a criminal, be a legend." That is the reason for this post and all my PoC's and tools.

All my Twitter, LinkedIn and Blogger followers know what I can do with code; if I were a criminal, I would be full of money, and would not be seeking employment and/or trying to create my own LLC company.

For this reason I sent an email to the "Public Defender in California", telling him this story. Oh well, if these guys do not get charged, the legal system in the US sucks and is criminal, plain and simple.

How do I prove I am not a criminal? Simple: I found and reported these vulnerabilities:

Android CitiBank Colombia
Android IPC Communication 

Android Third Party Validation
Android Amazon AWS SDK 

Android Parse SDK

Technicolor TC7300 Bad configuration
Windows Privilege Escalation

I also developed these things to detect vulnerabilities and protect people's data:

VectorAttackScanner - VAS
E2EE (End To End Encryption, RSA2048 + AES256 + PBKDF2 + RSA Signature Verification)


The news also says that:

Thanks to Alexander Knorr for the research, and to Security Scorecard for publishing: The Calm Before the Mobile API Data Breach Storm

Thanks to Jeremy Wagstaff for the research, and to Reuters for publishing: 'Billions' of Records at Risk From Mobile App Data Flaw



Also, if you compare my code and the Zeus code, it is another thing; you need to be a very big ignorant to try to compare my PoC with the code of Zeus.

Or well, if I were a criminal spreading "Zeus", where are my fucking thousands or millions of dollars? The reality is that if I do not finish my new tool LeakVM in a few months, literally "we will be on the street".

When you say in a legal case, "jheto2002 (Jheto Xekri - me), are other developers involved, writing 'Web inject' code that gets the malware onto victims'", you are making an affirmation; you need facts. You defame me, you damage my public image, you damage my mental health and tranquility, and utterly destroy job opportunities in the software/security industry, and maybe more; this makes you a criminal by your acts and by your words. You are a liar.

Wednesday, 28 September 2016

Exposing the Colombian Industry Mediocrity




This time I am exposing: CitiMobile CO, Citibank Colombia S.A

It has a number of serious security problems:

1-Insufficient Transport Layer Protection
2-Lack of Binary Protections
3-Insecure Local Storage
4-Broken Cryptography



This application allows cloning of credentials via MITM attacks, which is something really serious in a banking application.

Details: CityBank.CO


GitHub: ExposingIndustryMediocrity

Wednesday, 3 August 2016

Transformation Oriented Programming (TOP)






For some time now I cannot stop thinking about how this built our world (opcodes). Developing Vector Attack Scanner and Dark Ether, I have seen that this is like primordial matter: apparently they are only actions for a processor, but this is like elementary particles; all together they form our universe, meeting each other to create more complex elements. If all the matter of our universe is created by frequency (M and String Theory), this is almost the same. I cannot sleep for thinking about this, so I stopped a few things that I was developing and testing to work on it in my free time. I think finishing this is more important, no matter how long it takes me to write, maybe a few months or more, but it will be great fun to do, so there will not be more PoC's for a while, just the usual publications on Twitter and LinkedIn.

All this, on the theory of Dark Ether, has made me think about a paradigm: "Transformation Oriented Programming". When this is over I will show it to you; I know you will love it. This is no longer about trying to find a 0day or bypassing something; it is like not seeing the world as solid in three dimensions, it is like seeing it formless, multidimensional to infinity, where all dimensions are one above the other, communicating among themselves, where everything can be what you want it to be, if you know how to do it. It sounds crazy, but it's always the same: only the crazy people can create different things.

Thanks for reading me and for sending me emails.