SSD Advisory – VK Messenger (VKontakte) vk:// URI Handler Commands Execution

Vulnerability Summary
The following describes a vulnerability in VK Messenger that is triggered through an improperly handled vk:// URI.

VK (VKontakte; [..], meaning InContact) is “an online social media and social networking service. It is available in several languages. VK allows users to message each other publicly or privately, to create groups, public pages and events, share and tag images, audio and video, and to play browser-based games. It is based in Saint Petersburg, Russia”.

Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Affected Version
VK Messenger version 3.1.0.143

Vendor Response
The vendor responded that the problem no longer affects the latest version – but didn’t provide any information on when it was fixed and whether it was fixed due to someone else reporting this vulnerability.

beVX Conference Challenge – OffensiveCon

During OffensiveCon, we launched a reverse engineering and encryption challenge and gave the attendees the chance to win great prizes.

The challenge was divided into two parts: a file (available here: https://www.beyondsecurity.com/bevxcon/bevx-challenge-1) that you had to download and reverse engineer, and a server that you had to access to reach a running version of this file.

The challenge could not have been solved without access to the server, as the encryption key that you were supposed to extract was only available in the running version on the server.

We received some great solutions, some of which are posted below. Some arrived after the deadline, and some were not eligible because they were incomplete, but in the end we had three winners.

The first place winner got an all-expenses-paid trip (flight and hotel) and entry to our security conference beVX in September, the second place winner got a flight and entry to the conference, and the third place winner got free entry to the event.

SSD Advisory – CloudMe Unauthenticated Remote Buffer Overflow

The following advisory describes one (1) vulnerability found in CloudMe.

CloudMe is “a file storage service operated by CloudMe AB that offers cloud storage, file synchronization and client software. It features a blue folder that appears on all devices with the same content, all files are synchronized between devices.”

The vulnerability found is a buffer overflow vulnerability, which when exploited can be used to cause the product to execute arbitrary code.

Credit
A security researcher, hyp3rlinx, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Vendor response
The vendor has released CloudMe version 1.11.0 which addresses this vulnerability.

CVE: CVE-2018-6892

Happy New Year 2018 – Challenge Solution

In our post found here: https://blogs.securiteam.com/index.php/archives/3616, we hid a challenge.

The challenge was split into two parts:
1. Finding it
2. Solving it

Finding it wasn’t very hard: the challenge was hidden inside the image. It wasn’t anything fancy, just a zip file appended to the end of the image file:

If you inspect the file with binwalk you will see:

This looks really promising now, a ZIP file has been appended to the image, and binwalk tells us it’s located at offset 81481. We can use dd to get the archive.

Binwalk also tells us there are two files inside the archive (challenge and README). Use unzip to get them.

(NOTE: If you downloaded the file to a Linux machine (other machines may also have worked) and just unzipped it, you got two files:
1. README
2. challenge

There was no need to use dd)
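The carving step above (locate the appended ZIP, cut from its offset, unzip) as an added example in Python; this is not the original challenge or the author's tooling, and the "image" is a constructed stand-in with a ZIP appended the same way:

```python
import io
import zipfile
from typing import Dict

# Local file header signature, which is what binwalk reports as "Zip archive data"
ZIP_LOCAL_HEADER = b"PK\x03\x04"


def build_sample_image() -> bytes:
    """Constructed sample: PNG-like prefix with a ZIP appended, mimicking the challenge image."""
    png_stub = b"\x89PNG\r\n\x1a\n" + b"\x00" * 500  # not a real image, just carrier bytes
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README", "make the challenge binary spit out text\n")
        zf.writestr("challenge", b"\x7fELF" + b"\x00" * 16)  # stand-in for the ELF
    return png_stub + buf.getvalue()


def find_appended_zip(data: bytes) -> int:
    """Offset of the first ZIP local file header (binwalk printed 81481 for the real file), or -1."""
    return data.find(ZIP_LOCAL_HEADER)


def carve_members(data: bytes) -> Dict[str, bytes]:
    """Equivalent of `dd skip=<offset>` followed by `unzip`: slice at the offset, read the archive."""
    off = find_appended_zip(data)
    if off < 0:
        raise ValueError("no ZIP signature found in carrier")
    with zipfile.ZipFile(io.BytesIO(data[off:])) as zf:
        return {name: zf.read(name) for name in zf.namelist()}


if __name__ == "__main__":
    img = build_sample_image()
    print("ZIP at offset", find_appended_zip(img))
    print("members:", sorted(carve_members(img)))
```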

The readme was pretty simple, just instructed you to make the challenge ELF binary file spit out text:

From this point the solutions varied. Our first solver reverse engineered the file and discovered what it does, which basically breaks down to:

The program executes the following actions:

  • Open an encrypted file named “eapfxlya” (this can be confirmed with strace)
  • Generate a 32-bit key based on “\xFF\x6B\x28\x66\xD6\x35\xDA\x01\x4D\x64\x47\xA3” (see function keyhash)
  • Read the contents of the opened file
  • Decode it with XOR/ADD/MUL/SHR tricks (see function decode)

The keyhash function is pretty straightforward, so let’s have a closer look at the decode function. Its purpose is to generate a sequence of 32-bit numbers based on a linear congruential generator (aka *predictive* pseudo-random number generator) which takes a precomputed hash as seed. Each number of this sequence is then shifted right and used as an 8-bit xor-mask on every byte in the file stream. In conclusion, this program can be used to decode and encode any file in a symmetric way. So let’s use the happy new year string “Happy New Year! From Beyond Security SSD :)” and feed it into the reversed program.
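The keyhash/LCG/xor-mask scheme described above, reconstructed as an added Python example (not the challenge binary's code). The 12 seed bytes are the ones quoted above; the hash folding, the LCG constants and the shift amount were not published and are assumptions here, and the symmetry holds for any choice as long as encode and decode share them:

```python
from typing import Iterator

SEED_BYTES = b"\xFF\x6B\x28\x66\xD6\x35\xDA\x01\x4D\x64\x47\xA3"  # from the write-up
MASK32 = 0xFFFFFFFF
# LCG constants are an assumption (Numerical Recipes values); the binary's own were not given.
LCG_A, LCG_C = 1664525, 1013904223


def keyhash(seed: bytes) -> int:
    """Assumed stand-in for the binary's keyhash: fold the seed bytes into one 32-bit value."""
    h = 0x811C9DC5  # FNV-1a basis, an assumption
    for b in seed:
        h = ((h ^ b) * 0x01000193) & MASK32
    return h


def keystream(seed32: int) -> Iterator[int]:
    """LCG x_{n+1} = (a*x_n + c) mod 2^32, each output shifted right to an 8-bit xor-mask."""
    x = seed32
    while True:
        x = (LCG_A * x + LCG_C) & MASK32
        yield x >> 24  # assumed shift: keep the top byte, the low LCG bits are the weakest


def decode(data: bytes, seed: bytes = SEED_BYTES) -> bytes:
    """XOR every byte with the next mask; XOR is its own inverse, so this also encodes."""
    return bytes(b ^ m for b, m in zip(data, keystream(keyhash(seed))))


def mask_bytes(n: int, seed: bytes = SEED_BYTES) -> bytes:
    """First n mask bytes of the stream, for inspection and comparison."""
    gen = keystream(keyhash(seed))
    return bytes(next(gen) for _ in range(n))


def recover_mask(cipher: bytes, known_plain: bytes) -> bytes:
    """Why the stream is 'predictive': any known plaintext prefix leaks the mask bytes directly."""
    return bytes(c ^ p for c, p in zip(cipher, known_plain))


if __name__ == "__main__":
    msg = b"Happy New Year! From Beyond Security SSD :)"
    enc = decode(msg)  # encode
    print(enc.hex())
    print(decode(enc))  # round-trips to the original string
```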

Congratulations to: Alexandre for solving the challenge first (within 2 hours of posting it online).

A few other solutions we received included a brute forcing code (a cool one from Tukan):