/var/log/messages (2012)
This section contains the latest news, announcements and thoughts from the MWR InfoSecurity team.
Building Android Java/JavaScript Bridges
Apr 30, 2012
Recently we have been assessing a number of mobile Android and iOS applications. The majority of the applications we have reviewed make use of WebKit WebViews. WebKit is an open source web browser engine. A WebView is often used to load HTML content as an in-process web browser to save passing the user off to the platform’s web browser. They are also often used when a developer wants to quickly port a web application to multiple mobile platforms without having to create a specific UI for each. In addition to these ‘general’ use cases, we keep seeing ingenious ways to make use of them. The most common implementation that we come across is to facilitate advertisement loading from remote advertisers.
We’ve recently been performing an attack surface analysis against various platform WebKit WebView implementations. This post concentrates on our adventures with the Android platform.
As part of this research we came across a paper titled Attacks on WebView in the Android System, which made for interesting reading.
Our original intention was to create a series of posts that provide advice to platform developers on how to implement an “as-good-as-it-can-be” WebView. However, we found ourselves a little sidetracked after reading this paper. In particular we were intrigued by section 4.2 “Attacks through Frame Confusion”.
Additionally, on our to-do list is to take a closer look at some of the frameworks that are available for cross-platform development, particularly solutions that allow developers to produce an application in one common language and ‘automagically’ push this application to all major mobile platforms with very little or no effort at all.
MWR SAP Metasploit Modules
Apr 27, 2012
We have recently developed several Metasploit auxiliary and exploitation modules to assist consultants in assessing SAP systems, and Dave has also delivered a presentation “SAP Slapping (a pentesters guide)” at CRESTCon and BSides London where some of these modules were demonstrated. We plan to submit these modules to the Metasploit Framework; however, until this process is complete the modules will be available here. We have not yet finished all of the modules that we plan to write, so stay tuned for future updates.
Some of the modules here are based on, or are ports of the plugins available in the Onapsis Bizploit Opensource ERP Penetration Testing framework. Others are not. Bizploit has been an essential tool for security consultants assessing SAP systems since its release. However the framework has not been updated since then. Bizploit was our inspiration for writing the Metasploit modules.
The intention behind writing the Metasploit modules, as opposed to contributing back to the Bizploit framework, was to encourage contributions from the community. Bizploit is written in Python and C and has not seen any community contributions; this is unfortunate. We’re hoping that the community finds it easier to contribute to the Metasploit framework and helps to build an even more impressive free and open source SAP assessment tool set leveraging the capabilities of the Metasploit framework.
Adventures with Android WebViews
Apr 23, 2012
The majority of the mobile applications we have reviewed lately make use of WebKit WebViews. WebKit is an open source web browser engine. A WebView is often used to load HTML content as an in-process web browser to save passing the user off to the platform’s web browser. They are also often used when a developer wants to quickly port a web application to multiple mobile platforms without having to create a specific UI for each. In addition to these ‘general’ use cases, we keep seeing ingenious ways to make use of them. The most common implementation that we come across is to facilitate advertisement loading from remote advertisers.
We often find that by reviewing the code base and/or performing an application assessment, vulnerabilities are discovered that can be leveraged specifically due to how a WebKit WebView has been implemented; however, the level of compromise achievable, and to what end, is very platform dependent. The level of compromise is obviously also dependent on the application itself and in most cases, specific to the case we are dealing with. The remediation and mitigation strategies also differ wildly from platform to platform. When we report back to developers we are often giving the iOS and Android developers different remediation and mitigation strategies. As part of this process we are often also asked to provide a “best practice” configuration guide for WebKit WebViews.
So, in this post I intend to provide details on how to implement an “as-good-as-it-can-be” WebKit WebView for Android applications.
HackFu Challenge 2012
Apr 20, 2012
HackFu is an MWR InfoSecurity sponsored event in the UK filled with solving puzzles, hacking, scripting, tinkering, lock picking, crypto challenge, thinking outside the box, lots of learning and exposure to a team of some of the world’s best security researchers and penetration testers from the MWR LABS team. If you have a keen interest in information security and are interested in pursuing an exciting career in this field as a researcher, penetration tester and consultant, this could be the opportunity you have been waiting for.
MWR will be sponsoring up to 10 places to the annual HackFu event hosted at a secret location in the UK at the end of June (see Competition Rules for eligibility).
HackFu 2012
Apr 18, 2012
This year’s HackFu has now been booked for the 28th to 30th June. Last year there were four teams that battled against each other to discover the Secret of Hacker Island. This year the teams will be transported to the future in an event titled “EarthDate: 2139”; the location and challenges still remain closely guarded secrets.
We have now finalised this year’s specially selected guest list and have sent out all the invites. If you haven’t received one and you think you should have, let us know asap. If you weren’t on the list, don’t worry, as there may be one last chance for you to win a place at the event, so keep following us on Twitter for further details.

Adventures with iOS UIWebviews
Apr 16, 2012
Recently MWR have been assessing a number of mobile Android and iOS applications. The majority of the applications we have reviewed make use of WebKit Webviews. WebKit is an open source web browser engine. A Webview is often used to load HTML content as an in process web browser to save passing the user off to the platform’s web browser. They are also often used when a developer wants to quickly port a web application to multiple mobile platforms without having to create a specific UI for each. In addition to these ‘general’ use cases, clients keep finding ingenious ways to make use of them. The most common implementation that we come across is to facilitate advertisement loading from remote advertisers.
We often find that by reviewing the code base and/or performing an application assessment, vulnerabilities are discovered that can be leveraged specifically due to how a WebKit Webview has been implemented; however, the level of compromise achievable, and to what end, is very platform dependent. The level of compromise is obviously also dependent on the application itself and in most cases, specific to the client we are dealing with. The remediation and mitigation strategies also differ wildly from platform to platform.
When assessing the same mobile application on multiple platforms, the same issues can be found, but when we report back to the developers we are giving the iOS and Android developers different remediation and mitigation strategies. This is a point of frustration (for all involved) and what has ultimately led us to produce this post.
In this post we’ll try to illustrate the differences between the OS X, Android and iOS WebKit implementations. We’ll specifically be concentrating on how to best implement a WebKit UIWebview in order to ‘reduce’ the likelihood of exploitation and to help ‘limit’ an attacker’s movements, should a compromise occur on the iOS platform (as this is the platform that offers the least amount of assistance!).
Security B-Sides Challenge
Mar 06, 2012
Recently, MWR offered a challenge to win tickets to Security B-Sides London 2012; those on the waiting list were particularly encouraged to enter.
Entrants were invited to solve the challenge by decrypting the secret message using the clues provided.

Summer Internship Positions
Mar 02, 2012
MWR InfoSecurity is a leading information security consultancy with a recognised history of generating world class research. MWR’s researchers regularly speak at major conferences such as Black Hat, DeepSec and ShmooCon, and MWR’s clients include some of the biggest and most well-known companies in the UK.
MWR are offering paid summer internships with our consultancy team. Interns will primarily work on a security-related research project and will also have the opportunity to experience security consulting in a passionate and exciting company. The length of the internships can be variable but is intended to be around 12 weeks long and successful internships may lead to full time employment.
A range of research projects are available, ranging from the more technical to the more high-level and there is flexibility if candidates have a project or idea that they would particularly like to work on. Interns will be based in the UK offices in Basingstoke and will be aided in their projects by MWR’s researchers.
Distributed Hash Cracking on the Web
Jan 05, 2012
The web is constantly evolving with new technologies being added all the time, creating a platform completely unrecognizable from when the web first began. MWR Labs recently carried out a research project to assess some of these new technologies and the possibilities they bring for helping to solve computationally intensive problems within security.
The main aim behind the project was to try to harness the power of two new technologies in particular, WebGL and WebCL, for retrieving passwords from hashes using a brute force technique. If this proved possible, the secondary aim was to assess how cost effective it would be to retrieve hashes in this way compared to using cloud computing. Let’s start with a brief introduction into these two new technologies…