Happy New Year 2018 – Challenge Solution

Want to get paid for a vulnerability similar to this one?
Contact us at: sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom
See our full scope at: https://blogs.securiteam.com/index.php/product_scope

In our post found here: https://blogs.securiteam.com/index.php/archives/3616, we hid a challenge.

The challenge was split into two parts:
1. Finding it
2. Solving it

Finding it wasn’t very hard: the challenge was hidden inside the image, and it wasn’t anything fancy, a zip file had simply been appended to the end of the image file:

If you inspect the file with binwalk you will see:

This looks really promising: a ZIP file has been appended to the image, and binwalk tells us it’s located at offset 81481. We can use dd to carve the archive out.

Binwalk also tells us there are two files inside the archive (challenge and README). Use unzip to extract them.

(NOTE: If you downloaded the file to a Linux machine (other systems may have worked as well) and simply unzipped it, you got the two files directly:
1. README
2. challenge

There was no need to use dd, because unzip locates the archive’s end-of-central-directory record from the end of the file and ignores the image data in front of it.)
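The carving step above, done in Python instead of binwalk and dd, as an added example that is not part of the original post. The "image" and the archive are constructed inline so the script runs offline, so the offset it finds is not the 81481 binwalk reported for the real file; the ELF stub and README text are placeholders, not the challenge files.

```python
"""Locate and carve a ZIP archive appended to an image (what binwalk + dd did above).

Added example, not part of the original post. The image bytes and the archive
are constructed here so the script runs offline.
"""
import io
import zipfile

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
ZIP_LOCAL_HEADER = b"PK\x03\x04"  # signature that starts every ZIP local file header


def build_sample_image() -> bytes:
    """Constructed stand-in for the challenge image: PNG header, filler, then a ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("README", "Make the challenge binary print the greeting.\n")
        zf.writestr("challenge", b"\x7fELF" + b"\x00" * 60)  # fake ELF stub, not the real one
    filler = bytes(i % 251 for i in range(4096))  # pretend image data; never contains "PK\x03\x04"
    return PNG_SIGNATURE + filler + buf.getvalue()


def find_appended_zip(blob: bytes) -> int:
    """Offset of the first ZIP local file header, or -1 if none (binwalk's signature scan)."""
    return blob.find(ZIP_LOCAL_HEADER)


def carve(blob: bytes, offset: int) -> bytes:
    """Equivalent of: dd if=image.png of=hidden.zip bs=1 skip=<offset>"""
    return blob[offset:]


def list_members(archive: bytes) -> list:
    """Names inside the archive. Works on the carved bytes and on the whole image,
    because ZIP readers find the end-of-central-directory record from the end of
    the file and adjust for leading data (which is why plain unzip also worked)."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return zf.namelist()


if __name__ == "__main__":
    image = build_sample_image()
    off = find_appended_zip(image)
    print(f"ZIP local header at offset {off}")
    print("carved:    ", list_members(carve(image, off)))
    print("whole file:", list_members(image))
```

A signature scan like find_appended_zip is only a heuristic: "PK\x03\x04" can occur by chance inside compressed image data, so binwalk additionally parses the candidate header before reporting it. Reading the whole file with a ZIP library, as list_members does, is the more robust check.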

The README was pretty simple; it just instructed you to make the challenge ELF binary print a piece of text:

From this point the solutions varied. Our first solver reverse-engineered the file and worked out what it does, which basically breaks down to:

The program executes the following actions:

  • Open an encrypted file named “eapfxlya” (this can be confirmed with strace)
  • Generate a 32-bit key based on “\xFF\x6B\x28\x66\xD6\x35\xDA\x01\x4D\x64\x47\xA3” (see function keyhash)
  • Read the contents of the opened file
  • Decode it with XOR/ADD/MUL/SHR tricks (see function decode)

The keyhash function is pretty straightforward, so let’s have a closer look at the decode function. Its purpose is to generate a sequence of 32-bit numbers from a linear congruential generator (a predictable pseudo-random number generator) seeded with the precomputed hash. Each number of this sequence is shifted right and used as an 8-bit XOR mask on the corresponding byte of the file stream. Since XOR is its own inverse, this program can encode as well as decode any file; the operation is symmetric. So let’s take the happy new year string “Happy New Year! From Beyond Security SSD :)” and feed it into the reversed program to produce the encrypted file.
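The decode construction described above, as an added example that is not the challenge binary’s code. The post does not give the keyhash algorithm, the LCG constants or the shift amount, so FNV-1a, glibc’s rand() constants and a 16-bit shift stand in for them (all assumptions); only the 12-byte key material is taken from the post. The block also includes a known-plaintext seed search to show why an LCG-keyed XOR stream is weak; the post does not say what the brute-force submissions mentioned later actually searched, so that function is the editor’s illustration, not a reproduction of them.

```python
"""A symmetric XOR stream keyed by a linear congruential generator.

Added example, not the challenge binary's code. keyhash (FNV-1a), the LCG
constants (glibc rand()) and SHIFT are assumptions standing in for the
unpublished originals; the structure follows the post's description: a 32-bit
seed from the 12-byte constant, one LCG step per byte, the state shifted right
and truncated to 8 bits, then XORed into the data.
"""

KEY_MATERIAL = bytes.fromhex("FF6B2866D635DA014D6447A3")  # the 12 bytes quoted in the post
MASK32 = 0xFFFFFFFF
SHIFT = 16  # assumed; the post only says each LCG output is "shifted right"


def keyhash(material: bytes) -> int:
    """Stand-in 32-bit hash (FNV-1a); the binary's real keyhash is not on the page."""
    h = 0x811C9DC5
    for b in material:
        h = ((h ^ b) * 0x01000193) & MASK32
    return h


def lcg_next(state: int) -> int:
    """One LCG step, state = (a*state + c) mod 2**32, with glibc's constants (assumed)."""
    return (1103515245 * state + 12345) & MASK32


def keystream(seed: int, length: int):
    """Yield one 8-bit XOR mask per data byte."""
    state = seed
    for _ in range(length):
        state = lcg_next(state)
        yield (state >> SHIFT) & 0xFF


def xor_crypt(data: bytes, seed: int) -> bytes:
    """Encode and decode are the same operation, which is why the reversed decoder
    can be fed the greeting to produce the encrypted file the binary expects."""
    return bytes(b ^ k for b, k in zip(data, keystream(seed, len(data))))


def recover_greeting(ciphertext: bytes) -> str:
    """What the binary does: derive the seed from KEY_MATERIAL and decode."""
    return xor_crypt(ciphertext, keyhash(KEY_MATERIAL)).decode()


def brute_force_seed(ciphertext: bytes, crib: bytes, seeds) -> int:
    """Known-plaintext seed search. The entire keystream depends on one 32-bit
    seed, so an attacker who never reverses keyhash needs at most 2**32 trials,
    each checked against a few bytes of expected plaintext. Returns -1 if the
    seed is not in the range searched."""
    n = len(crib)
    for seed in seeds:
        if xor_crypt(ciphertext[:n], seed) == crib:
            return seed
    return -1


if __name__ == "__main__":
    greeting = b"Happy New Year! From Beyond Security SSD :)"
    seed = keyhash(KEY_MATERIAL)
    blob = xor_crypt(greeting, seed)  # what an encrypted data file would contain
    print(blob.hex())
    print(recover_greeting(blob))
    window = range(max(0, seed - 2000), seed + 2001)  # narrow window so the demo is quick
    print(brute_force_seed(blob, b"Happy", window) == seed)
```

The seed search is deliberately run over a narrow window here so the demonstration finishes instantly; a real search over all 2**32 seeds is a few minutes of work in C, which is exactly why a 32-bit seed and a predictable generator give no confidentiality once a few bytes of plaintext are known.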

Congratulations to: Alexandre for solving the challenge first (within 2 hours of posting it online).

A few other solutions we received included brute-forcing code (a cool one from Tukan):

Happy New Year – 2018

Happy new year everyone!

Hope you had the chance to celebrate and think about all the good things that happened to you in 2017.

We have a nice surprise for you – this link is worth $1,000 USD!*

*You don’t need to hack the website, the money is out there in the link*

We also have some new updates for you:
beVX Conference

Beyond Security, together with VX, will hold the first all-offensive security conference in Hong Kong – the beVX Conference.

The conference will take place in Hong Kong (we will announce the venue in the next couple of weeks).

What will we have at the conference?

  • One full day of workshop on vulnerability research and exploit development
  • One full day of lectures on vulnerability research and exploit development
  • Hack2Win eXtreme with hundreds of thousands of dollars of prizes

Stay tuned for more details!

Conferences:

  • Offensivecon (Berlin, Germany, 16-17 February 2018)
  • CanSecWest (Vancouver, Canada, 14-16 March 2018)
  • Nopcon (Istanbul, Turkey, 3 May 2018)

We provide free entry tickets and up to $1,000 in flights and accommodation to our security researcher community!

Also, if you plan to attend (even if you don’t need the ticket or reimbursement), let me know so that I can look for you and say hello.

If any of you guys are interested in attending drop me an email.

We have also started to look for 2018 Q2 conferences. If you know about an interesting conference, email me.

Friend refer a friend program
We had a great year in 2017 with our friends program and have therefore decided to improve it and make the benefit much bigger: if you refer a new researcher to us and they start working with us on operating systems / mobile / web browsers, you will get $10,000 USD.

For other vulnerabilities, you will get $1,000 USD.

Once again – Happy new year!

SSD Advisory – Monstra CMS RCE

Vulnerabilities Summary
The following advisory describes a vulnerability found in Monstra CMS.

Monstra is “a modern and lightweight Content Management System. It is Easy to install, upgrade and use.”

The vulnerability found is a remote code execution vulnerability through an arbitrary file upload mechanism.

Credit
An independent security researcher, Ishaq Mohammed, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Vendor response
We were not able to get the vendor to respond in any way; the software appears to have been abandoned without support, though this is not an official status on their site (the last official patch was released on 2012-11-29). The GitHub repository appears a bit more active (last commit two years ago).

Without any vendor response, the researcher was kind enough to create a patch that addresses this bug; it is available here: https://github.com/monstra-cms/monstra/issues/426

Vulnerabilities details
An editor can upload files to Monstra CMS and access them by clicking on them in the administrator portal. The default setup allows uploading only files with certain extensions, forbidding the executable types listed in monstra\plugins\box\filesmanager\filesmanager.admin.php. However, that check compares the extension case-sensitively: simply uploading a PHP file with the extension “PHP” (all characters in uppercase) bypasses it, the web server still hands the file to the PHP interpreter, and an attacker can execute shell commands on the server.

Proof of Concept
Steps to Reproduce:

  1. Log in with valid Editor credentials
  2. Select the Files option from the Content dropdown menu
  3. Upload a file with a PHP (uppercase) extension containing the below code:

  4. Click on Upload
  5. Once the file is uploaded, click on it and append ?cmd= to the URL followed by a system command such as whoami, time or date.
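The filter bypass behind the steps above, as an added example that is not Monstra’s code: the deny-list is a constructed stand-in for the one in filesmanager.admin.php, and hardened_is_allowed is the editor’s own corrected check, not the patch linked in the vendor response section. The bypass works because the application compares the extension exactly as typed, while Apache’s mod_mime lower-cases extensions before matching them to handlers, so an uploaded shell.PHP is still executed as PHP.

```python
"""Why an upper-case ".PHP" slips past a case-sensitive extension deny-list,
and what a corrected check looks like.

Added example, not Monstra's code. FORBIDDEN is a constructed stand-in for the
CMS list; ALLOWED is an assumed set of harmless upload types.
"""
import os

FORBIDDEN = {"php", "php3", "php4", "php5", "phtml", "phar", "exe", "sh", "pl", "cgi"}
ALLOWED = {"jpg", "jpeg", "png", "gif", "txt", "pdf", "zip"}


def extension(filename: str) -> str:
    """Last dotted part of the base name, exactly as the user supplied it."""
    name = os.path.basename(filename)
    return name.rsplit(".", 1)[1] if "." in name else ""


def vulnerable_is_allowed(filename: str) -> bool:
    """Deny-list compared case-sensitively: "shell.PHP" is not in the set, so it passes."""
    return extension(filename) not in FORBIDDEN


def hardened_is_allowed(filename: str) -> bool:
    """Allow-list on the lower-cased extension. Every dotted part is checked, so
    "shell.php.jpg" is rejected as well (Apache's AddHandler can route such
    names to PHP), and dotfiles such as ".htaccess" are refused outright."""
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False
    exts = parts[1:]
    if any(e in FORBIDDEN for e in exts):
        return False
    return exts[-1] in ALLOWED


def audit(filenames) -> dict:
    """Map each name to (vulnerable verdict, hardened verdict) to show the gap."""
    return {f: (vulnerable_is_allowed(f), hardened_is_allowed(f)) for f in filenames}


if __name__ == "__main__":
    samples = ["avatar.png", "shell.php", "shell.PHP", "shell.pHtMl", "shell.php.jpg", ".htaccess"]
    for name, (weak, strong) in audit(samples).items():
        print(f"{name:14} vulnerable={str(weak):5} hardened={strong}")
```

The general lesson is that a deny-list on user-controlled input is the wrong primitive for upload filtering: normalise (lower-case, strip the directory) and then allow-list, and store uploads outside the web root or under a directory where the server will not execute scripts.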

SSD Advisory – Mac OS X 10.12 Quarantine Bypass

Vulnerability summary
Mac OS X contains a vulnerability that allows bypassing Apple Quarantine and executing arbitrary JavaScript code without any restrictions.

Credit
A security researcher from WeAreSegment, Filippo Cavallarin, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Vendor response
Apple was notified on the 27th of June 2017, and several messages were exchanged. Apple informed us that a patch had been put in place in the upcoming High Sierra version. No additional information has been provided by Apple since that notification: neither a link to an advisory nor the CVE assigned to this issue.

We have verified that Mac OS X High Sierra is no longer vulnerable to this. The solution is to upgrade to High Sierra; as a workaround, remove the rhtmlPlayer.html file.
