BSides Challenge

BigCorp has discovered that its employees are connecting their mobile devices to BigCorps network. BigCorp have not implemented a BYOD policy or a technology such as an MDM solution. The mobile devices are therefore unauthorised.

It has come to BigCorp’s attention that one of its employees has been acting ‘suspiciously’ and it is believed that they have been attacking BigCorp systems. His intentions are unclear, but the rise in activity suggests that ‘something’ big is planned. The wizards in BigCorp’s IT department have discovered that the employee in question is using an Android mobile device and has the ‘Evil Planner’ application installed. BigCorp have acquired the application that is readily available from a popular ‘hackers’ forum and are busy scrutinising it; however it appears that the application enforces what the developers refer to as ‘secure encryptions’.

The employee is due to return to work from a recent leave of absence on 02/04/2013. He has been summoned to appear before HR and BigCorp investigators, believing he is to receive a promotion and salary increase. BigCorp require assistance in acquiring evidence that proves the employee’s guilt before confronting him. It is expected that his device will be connected to the BigCorp network for a very limited time. Whilst it is connected, the IT wizards will aim to compromise the device to install a piece of custom malware which will extract and decrypt the data stored within the ‘Evil Planner’ application.

Your mission, if you choose to accept it, is to analyse the application for any vulnerabilities that may allow BigCorp to gain access to the employee’s data stored within the ‘Evil Planner’ application. It is imperative that BigCorp retrieves all of the data in an unencrypted state as once the employee disconnects from the BigCorp network, access to the device will be lost and it may no longer be possible to decrypt the data without access to the device.

The BigCorp wizards intend to attack the application by means of installing a piece of malware on the employee’s phone. The IT wizards have already discovered an issue that will allow this to happen without the employee’s knowledge. BigCorp will be extremely grateful and impressed if you deliver a working piece of malware to automagically accomplish the task.

Rewards will be received by those who submit verbose details of any discovered vulnerabilities within the application. Entries should take the form of a brief description of the vulnerabilities identified, how it was identified and how BigCorps IT wizards could exploit the vulnerability/vulnerabilities to retrieve the data.

Participants are encouraged to actually write the malware. Android malware can be submitted to the BigCorp IT wizards, who will execute the malware in their lab and get back to you with the results / any information you manage to uncover.

If you can provide actionable and proven intel on the employee’s actions and plans, then BigCorp will show their appreciation.

BigCorp are known for rewarding those that display impressive wizard skills, so expect extra rewards for the demonstration of awesomeness and for finding ‘hidden’ gems.

Follow @mwrlabs and @mwrinfosecurity for clues as the challenge progresses.

The Prizes

There are a number of serious vulnerabilities to find in the application, it is suggested that you do not wait until you have found them all to submit. The first contestant to submit a verbose and accurate report detailing a qualifying vulnerability will be awarded a BSides ticket and a prestigious 2013 design MWR Tee!

There are a total of three vulnerabilities that will earn the contestant a BSides ticket and a 2013 MWR Tee.

The closing date for entries is Easter weekend, so there is an Easter related challenge that will earn the contestant who correctly submits the ‘answer’ to this hidden challenge a BSides ticket, a 2013 MWR Tee as well as a “Nerf N-Strike Havok Fire Vulcan EBF-25” automatic assault rifle – Oorah!

The contestant that submits the ‘best’ write up / report that details all of the vulnerabilities accurately, concisely and clearly demonstrates an exploitation chain that can be leveraged to achieve the goals as outlined, will earn themselves a BSides ticket, a highly sought after 2013 design MWR Tee as well as a ticket to Nuit du Hack!

Finally, for the contestant who submits a working piece of malware and/or fully functional Mercury module that exploits the application and retrieves the unencrypted data for the IT Wizards, there is a special additional prize up for grabs – a 44Con Ticket!!!

In summary:

  • Vuln #1 – BSides Ticket + MWR Tee
  • Vuln #2 – BSides Ticket + MWR Tee
  • Vuln #3 – BSides Ticket + MWR Tee
  • Easter Egg – BSides Ticket + Nerf Gun + MWR Tee
  • Best write up – BSides Ticket + Nuit du Hack Ticket + MWR Tee
  • Working malware/Mercury module – BSides Ticket + 44Con Ticket + MWR Tee

Download: Evil Planner