Happy New Year 2018 – Challenge Solution

Want to get paid for a vulnerability similar to this one?
Contact us at: sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom
See our full scope at: https://blogs.securiteam.com/index.php/product_scope

In our post found here: https://blogs.securiteam.com/index.php/archives/3616, we hid a challenge.

The challenge was split into two parts:
1. Finding it
2. Solving it

Finding it wasn’t very hard, the challenge was hidden inside the image, it wasn’t anything fancy, just inside the image you had a zip file appended to the end of the file:

If you binwalk inspect the file you will see:

This looks really promising now, a ZIP file has been appended to the image, and binwalk tells us it’s located at offset 81481. We can use dd to get the archive.

Binwalk also tells us, there are two files inside the archive (challenge and README). Use unzip to get them.

(NOTE: If you downloaded the file to a Linux machine (though other machines may have also worked), and just unziped it you got two files:
1. README
2. challenge

There was no need to use dd)

The readme was pretty simple, just instructed you to make the challenge ELF binary file spit out text:

From this point the solution varied, our first solver reversed engineered the file and discovered what it does, which basically breaks down to:

The program executes the following actions:

  • Open an encrypted file named “eapfxlya” (this can be confirmed with strace)
  • Generate a 32-bit key based on “\xFF\x6B\x28\x66\xD6\x35\xDA\x01\x4D\x64\x47\xA3” (see function keyhash)
  • Read the contents of the opened file
  • Decode it with XOR/ADD/MUL/SHR tricks (see function decode)

The keyhash function is pretty straight-forward so let’s have a closer look at the decode function. It’s purpose is to generate a sequence of 32-bit numbers based on a linear congruential generator (aka *predictive* pseudo number generator) which takes a precomputed hash for seed. Each number of this sequence is then shifted right and used as a 8-bit xor-mask on every byte in the file stream. In conclusion, this program can be used to decode and encode any file in a symmetric way. So let’s use the happy new year string “Happy New Year! From Beyond Security SSD :)” and feed it into the reversed program.

Congratulations to: Alexandre for solving the challenge first (within 2 hours of posting it online).

A few other solutions we received included a brute forcing code (a cool one from Tukan):

SSD Advisory–D-Link DSL-6850U多个漏洞

Want to get paid for a vulnerability similar to this one?
Contact us at: sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom
See our full scope at: https://blogs.securiteam.com/index.php/product_scope

漏洞概要

以下安全公告描述了在D-Link DSL-6850U BZ_1.00.01 – BZ_1.00.09中的发现的两个漏洞。

D-Link DSL-6850U是一款“以色列Bezeq制造的路由器”,在这款路由器中发现的漏洞是:

  • 默认凭证
  • 远程命令执行

Continue reading SSD Advisory–D-Link DSL-6850U多个漏洞

Know your community – Sergi Alvarez AKA Pancake

Want to get paid for a vulnerability similar to this one?
Contact us at: sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom
See our full scope at: https://blogs.securiteam.com/index.php/product_scope

The creator of Radare2, vulnerability researcher, chef and a family man – meet Sergi Alvarez also known as Pancake!

Continue reading Know your community – Sergi Alvarez AKA Pancake

SSD Advisory – Livebox Fibra (Orange Router) Multiple Vulnerabilities

Want to get paid for a vulnerability similar to this one?
Contact us at: sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom
See our full scope at: https://blogs.securiteam.com/index.php/product_scope

Vulnerabilities Summary
The following advisory describes four (4) vulnerabilities found in Livebox Fibra router version AR_LBFIBRA\_sp-00.03.04.112S. It is possible to chain the vulnerabilities into remote code execution.

The “Livebox Fibra” router is “manufactured by Arcadyan for Orange and Jazztel in Spain”

The vulnerabilities found in Arcadyan routers are:

  • Unauthenticated configuration information leak
  • Hard-coded credentials
  • Memory leak
  • Stack buffer Overflow

Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program

Vendor response
Arcadyan and Orange were informed of the vulnerabilities and patched them.
Continue reading SSD Advisory – Livebox Fibra (Orange Router) Multiple Vulnerabilities