Kategorie

Italy's regulator found the social giant guilty of misleading consumers as to what it does with their data.

Microsoft patches nine critical bugs as part of December Patch Tuesday roundup.

Consumers are growing angry when it comes to data misuse - but the real change will need to come from the tech industry's culture when it comes to privacy.

Threat actors have updated their malware to include a macro-based delivery framework.

The update includes a raft of critical code-execution problems.

Posted by Natalie Silvanovich, Project Zero
WhatsApp is another application that supports video conferencing that does not use WebRTC as its core implementation. Instead, it uses PJSIP, which contains some WebRTC code, but also contains a substantial amount of other code, and predates the WebRTC project. I fuzzed this implementation to see if it had similar results to WebRTC and FaceTime.Fuzzing Set-upPJSIP is open source, so it was easy to identify the PJSIP code in the Android WhatsApp binary (libwhatsapp.so). Since PJSIP uses the open source library libsrtp, I started off by opening the binary in IDA and searching for the string srtp_protect, the name of the function libsrtp uses for encryption. This led to a log entry emitted by a function that looked like srtp_protect. There was only one function in the binary that called this function, and called memcpy soon before the call. Some log entries before the call contained the file name srtp_transport.c, which exists in the PJSIP repository. The log entries in the WhatsApp binary say that the function being called is transport_send_rtp2 and the PJSIP source only has a function called transport_send_rtp, but it looks similar to the function calling srtp_protect in WhatsApp, in that it has the same number of calls before and after the memcpy. Assuming that the code in WhatsApp is some variation of that code, the memcpy copies the entire unencrypted packet right before it is encrypted.
Hooking this memcpy seemed like a possible way to fuzz WhatsApp video calling. I started off by hooking memcpy for the entire app using a tool called Frida. This tool can easily hook native function in Android applications, and I was able to see calls to memcpy from WhatsApp within minutes. Unfortunately though, video conferencing is very performance sensitive, and a delay sending video packets actually influences the contents of the next packet, so hooking every memcpy call didn’t seem practical. Instead, I decided to change the single memcpy to point to a function I wrote.
I started off by writing a function in assembly that loaded a library from the filesystem using dlopen, retrieved a symbol by calling dlsym and then called into the library. Frida was very useful in debugging this, as it could hook calls to dlopen and dlsym to make sure they were being called correctly. I overwrote a function in the WhatsApp GIF transcoder with this function, as it is only used in sending text messages, which I didn’t plan to do with this altered version. I then set the memcpy call to point to this function instead of memcpy, using this online ARM branch finder.
sub_2F8CCMOV             X21, X30MOV             X22, X0MOV             X23, X1MOV             X20, X2MOV             X1, #1ADRP            X0, #aDataDataCom_wh@PAGE ; "/data/data/com.whatsapp/libn.so"ADD             X0, X0, #aDataDataCom_wh@PAGEOFF ; "/data/data/com.whatsapp/libn.so"BL              .dlopenADRP            X1, #aApthread@PAGE ; "apthread"ADD             X1, X1, #aApthread@PAGEOFF ; "apthread"BL              .dlsymMOV             X8, X0MOV             X0, X22MOV             X1, X23MOV             X2, X20NOPBLR             X8MOV             X30, X21RETThe library loading function
I then wrote a library for Android which had the same parameters as memcpy, but fuzzed and copied the buffer instead of just copying it, and put it on the filesystem where it would be loaded by dlopen. I then tried making a WhatsApp call with this setup. The video call looked like it was being fuzzed and crashed in roughly fifteen minutes.Replay Set-up
To replay the packets I added logging to the library, so that each buffer that was altered would also be saved to a file. Then I created a second library that copied the logged packets into the buffer being copied instead of altering it. This required modifying the WhatsApp binary slightly, because the logged packet will usually not be the same size as the packet currently being sent. I changed the length of the hooked memcpy to be passed by reference instead of by value, and then had the library change the length to the length of the logged packet. This changed the value of the length so that it would be correct for the call to srtp_protect. Luckily, the buffer that the packet is copied into is a fixed length, so there is no concern that a valid packet will overflow the buffer length. This is a common design pattern in RTP processing that improves performance by reducing length checks. It was also helpful in modifying FaceTime to replay packets of varying length, as described in the previous post.
This initial replay setup did not work, and looking at the logged packets, it turned out that WhatsApp uses four streams with different SSRCs for video conferencing (possibly one for video, one for audio, one for synchronization and one for good luck). The streams each had only one payload type, and they were all different, so it was fairly easy to map each SSRC to its stream. So I modified the replay library to determine the current SSRC for each stream based on the payload types of incoming packets, and then to replace the SSRC of the replayed packets with the correct one based on their payload type. This reliably replayed a WhatsApp call. I was then able to fuzz and reproduce crashes on WhatsApp.ResultsUsing this setup, I reported one heap corruption issue on WhatsApp, CVE-2018-6344. This issue has since been fixed. After this issue was resolved, fuzzing did not yield any additional crashes with security impact, and we moved on to other methodologies. Part 4 will describe our other (unsuccessful) attempts to find vulnerabilities in WhatsApp.

Issues still exist when it comes to securing biometrics.

Developers of phpMyAdmin, one of the most popular and widely used MySQL database management systems, today released an updated version 4.8.4 of its software to patch several important vulnerabilities that could eventually allow remote attackers to take control of the affected web servers. The phpMyAdmin project last Sunday gave an early heads-up about the latest security update through its

Administrators lost control of the domain for several hours in a DNS hijacking incident.

The third phase of a red team assessment is target identification. In this phase, the red team moves from general information collected about the target to detailed information and potential plans for gaining access to the target environment and preparing to achieve operational objectives. Scoping the Phase In the reconnaissance phase of the assessment, the […]

The post Red Team Assessment Phases: Target Identification appeared first on InfoSec Resources.

Red Team Assessment Phases: Target Identification was first posted on December 11, 2018 at 8:21 am.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at darren.dalasta@infosecinstitute.com

Most people break out into cold sweats at the thought of conducting an audit, and for good reason. Auditing the information systems of an organization requires attention to detail and thoroughness on a scale that most people cannot appreciate. There are system checks, log audits, security procedure checks and much more that needs to be […]

The post Roles and Responsibilities of Information Security Auditor appeared first on InfoSec Resources.

Roles and Responsibilities of Information Security Auditor was first posted on December 11, 2018 at 8:06 am.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at darren.dalasta@infosecinstitute.com

Jako lavina se internetem šíří podvodné zprávy, prostřednictvím kterých se snaží podvodníci vydávající se za bankéře připravit důvěřivce o peníze. V pořadí již druhou kampaň cílící na klienty České spořitelny odhalili před Vánocemi bezpečnostní experti z antivirové společnosti Eset. Piráti díky škodlivému kódu mohou důvěřivce připravit až o 200 000 korun.

What’s the safest way to buy counterfeit banknotes? Not on the dark web market, as 235 people have just discovered to their cost.

George Duke-Cohan is the British teen who posed as a worried father whose daughter had called him mid-flight during a hijacking.

They said Facebook emphasizes the service being free, not that it's making big bucks off users' data. They ordered the company to apologize.

LinuxSecurity.com: As vulnerabilities go, it was the best sort: found by internal testing before it led to a security breach. Nevertheless, the latest Google+ software vulnerability was enough to push forward shutting down the service: Google now says it will be shuttered by April 2019 rather than the originally planned August 2019.

LinuxSecurity.com: A House Oversight Committee report out Monday has concluded that Equifax's security practices and policies were sub-par and its systems were old and out-of-date, and bothering with basic security measures - like patching vulnerable systems - could've prevented its massive data breach last year.

Women are key to solving the workforce shortage, which is expected to reach 3.5 million open jobs by 2022.

In this article, we’ll be carrying on with our walkthrough of an interesting VulnHub machine called Brainpan. In Part 1 of this article, we looked into how we got the user-level reverse shell from this machine. In this part, we will see two different methods of escalating to root. Note: For all these machines, I […]

The post VulnHub Machines Walkthrough Series: Brainpan – Part 2 appeared first on InfoSec Resources.

VulnHub Machines Walkthrough Series: Brainpan – Part 2 was first posted on December 10, 2018 at 3:15 pm.
©2017 "InfoSec Resources". Use of this feed is for personal non-commercial use only. If you are not reading this article in your feed reader, then the site is guilty of copyright infringement. Please contact me at darren.dalasta@infosecinstitute.com

Google today revealed that Google+ has suffered another massive data breach, forcing the tech giant to shut down its struggling social network four months earlier than its actual scheduled date, i.e., in April 2019 instead of August 2019. Google said it discovered another critical security vulnerability in one of Google+'s People APIs that could have allowed developers to steal private