Tuesday, March 22, 2016

Remote Code Execution in CCTV-DVR affecting over 70 different vendors

This post is a follow-up to research dating back to December 2014, called "The Backoff POS Trojan operation". One of the key conclusions highlighted in that report was that fraudsters are adopting new tactics in order to attack retailers. The new attack vector is to compromise DVR boxes, the core component of any CCTV system. This allowed them to achieve two goals at once:
  1. Verify a targeted host actually belongs to a retailer.
  2. Get a foothold inside the local network, one step closer to the POS station.

Surveillance cameras, the first line of security in the physical world, are the weakest link in the virtual one? This sparks an amusing irony. When old-fashioned thieves used to physically break into stores, on their way to the cashier they had to avoid or neutralize any surveillance equipment. Digital thieves enter the store through it. Truly Hollywood material.

Saturday, October 24, 2015

Timing attack vulnerability in Zeus server-sides

Timing attacks have been shown to be practical since 1996, in a paper by Paul C. Kocher. In it, Kocher demonstrates how, by precisely measuring the amount of time required for a private-key operation, one can completely recover the private key. The attack was shown to be effective against widely used cryptosystems such as Diffie-Hellman, RSA and DSS.

Almost ten years later, in 2004, another research paper was published by Dan Boneh and David Brumley, entitled "Remote Timing Attacks are Practical", claiming that timing attacks of the kind shown in Kocher's paper are also practical remotely. Their research shows a successful attack against a remote Apache server using OpenSSL, running on a local network.

Then, in Crosby's paper and also in Daniel Mayer & Joel Sandin's paper, extensive benchmarking work was documented to determine the smallest processing-time difference that can actually be measured across different hardware and networking setups.

Now, to tell you the truth, I didn't know a thing about these publications, or much about the existence of timing attacks, when I found this vulnerability in the Zeus botnet's server-side about three years ago. Even though I didn't make much use of the knowledge mentioned above in my research, I decided to give this intro for readers who would like to learn more about these attacks.

The vulnerability I've discovered is basically a timing attack which enables a remote attacker to determine the length in characters of the reports directory name by carefully measuring the server's response time. While this vulnerability may be considered low risk, and was found in a fraudulent piece of software, I find its nature to be a very interesting and intriguing case study which could be of good use to future researchers.
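The post describes a length leak rather than a content leak, so the following added example (written for this page; it is not Zeus code and says nothing about how the Zeus server-side is implemented) shows the generic shape of such a bug and the fix a defender wants. `naive_equal` rejects a wrong-length input immediately and only does work for the right length, which is exactly a length oracle. `hmac.compare_digest` alone does not close that hole, because its documentation states that mismatched lengths may still be distinguishable by timing; hashing both sides to a fixed-size digest first removes the dependency on the secret's length. The directory name and candidate strings below are constructed placeholders.

```python
import hashlib
import hmac
import statistics
import time

# Constructed placeholder; not the real reports directory name from any Zeus panel.
SECRET_DIR = "reports_x7q2"


def naive_equal(candidate: str, secret: str) -> bool:
    """Early-exit comparison: a length mismatch returns at once, and a
    length match does strictly more work, so response time reveals len(secret)."""
    if len(candidate) != len(secret):
        return False
    for a, b in zip(candidate, secret):
        if a != b:
            return False
    return True


def hashed_constant_time_equal(candidate: str, secret: str) -> bool:
    """Hash both sides to a fixed 32-byte digest, then compare in constant time.
    Neither the length nor the content of `secret` influences the work done."""
    return hmac.compare_digest(
        hashlib.sha256(candidate.encode()).digest(),
        hashlib.sha256(secret.encode()).digest(),
    )


def median_ns(fn, candidate: str, secret: str, rounds: int = 5000) -> float:
    """Median wall-clock time of fn(candidate, secret) over `rounds` calls.
    The median damps scheduler noise; real measurements need many more samples."""
    samples = []
    for _ in range(rounds):
        t0 = time.perf_counter_ns()
        fn(candidate, secret)
        samples.append(time.perf_counter_ns() - t0)
    return statistics.median(samples)


def length_profile(fn, secret: str, max_len: int = 16, rounds: int = 5000) -> dict:
    """Median time per candidate length, using 'x' * n as a content-free probe.
    For naive_equal a step appears at n == len(secret); for the hashed
    comparison the profile should be flat. Returned, not asserted on, because
    absolute timings vary by machine."""
    return {n: median_ns(fn, "x" * n, secret, rounds) for n in range(1, max_len + 1)}


if __name__ == "__main__":
    for name, fn in (("naive", naive_equal), ("hashed", hashed_constant_time_equal)):
        profile = length_profile(fn, SECRET_DIR)
        print(name, {n: round(t) for n, t in profile.items()})
```

Running the script prints one timing row per comparison function; the row for `naive_equal` is the one where a defender should expect an outlier at the secret's length. A one-line test in a review is simply: does any branch of the comparison depend on the length of the secret before the constant-time step runs?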

Friday, October 2, 2015

A Walkthrough of the “APT” Intelligence Gathering Process

Every meticulous APT attack starts with a comprehensive intelligence gathering that includes getting to know the target before proceeding to a more invasive act. In this research paper, I shall discuss the reconnaissance process performed on a potential target from the perspective of the adversary.

This demonstration will show how much information can be harvested from a hypothetical targeted entity, using techniques, tools, and procedures (TTP) which are available to literally anyone.

Some may suggest that certain threat actors do not necessarily use conventional means/sources, since they can afford more elaborate means for collecting their intelligence ("intel"). While this may be true, such means are generally unnecessary due to the amount of intel that can be gathered through open source intelligence (OSINT).

Full research paper

Monday, December 22, 2014

Backoff Point of Sale malware

On July 29, 2014, US-CERT (the United States Computer Emergency Readiness Team) issued an alert regarding a new Point of Sale malware it dubbed Backoff, the first public disclosure of this threat. The name was probably coined after a string found in the code of one of the versions of the variant analyzed by US-CERT.

The Backoff threat is currently targeting mostly US businesses, and has managed to compromise more than a thousand different business entities. Its main goal as POS malware is to obtain the magnetic stripe data from credit/debit cards swiped at point of sale stations. The data is then sent to a Command & Control (C&C) server operated by the fraudster.

The product of a private financial fraud group, this threat is continuously being developed, and has been operating since October 2013 according to evidence collected in the wild. In this report I provide the full story of the Backoff operation, including: bot analysis, a behind-the-scenes look at the Backoff server-side and how it operates, background information on its operator, and statistics on the geographic distribution and reach of the malware based on my research.

Full research paper

Sunday, March 18, 2012

LiteSpeed Admin Panel XSS

A vulnerability I found quite some time ago in the LiteSpeed HTTP server, versions <= 4.1.11. It is a simple reflected XSS (Cross-Site Scripting) in the administrator panel, which is a separate instance of the HTTP server running on port 7080.

If an attacker succeeds in convincing an administrator with an active session to open a maliciously crafted link exploiting this vulnerability, the attacker may perform malicious actions such as creating a new user with administrator privileges – in other words, pwnage.

To reproduce:

Thursday, June 22, 2006

Desert Scroll Cypher


Desert Scroll is an old project of mine which I wrote in Perl a couple of years ago; basically it is an implementation of a book cipher.
Loading && Mapping the key file:
First, before every encryption/decryption of plaintext, a key is loaded into the memory of the script and then mapped into a two-dimensional array: the first dimension maps every ASCII value that exists in the key, and the second dimension holds all the offsets in the key file at which that same ASCII value occurs.
Encrypting process:
The encryption process is basically a replacement of each original character in the plaintext with one of the offsets stored under that character's ASCII value in the array.
It is worth mentioning that no additional steps have been taken to camouflage the output or to prevent a third party from understanding the mechanism of this encryption.
  1. perl Desert_Scroll-v1.0-recode.pl dec.txt mentor_crpyt.txt http://www.blackhat.org.il/uploads/hackermanifesto.txt -e


  1. 836 1465 431 2199 253 848 1539 358 566 1350 733 25 930 1689 1009 2759 1645 1357 2695
  2. 143 469 278 395 74 106 2954 2661 3127 87 2775 922 2207 1876 2637 1794 2279 3098 103
  3. 48 801 1394 1190 1497 2055 3123 773 3140
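The key mapping and substitution described above, re-implemented in Python as an added example. This is not the author's Perl script; the key text is a constructed sample standing in for the key file or URL the tool loads, the chosen offsets are picked at random from each character's list, and the output is formatted as space-separated offsets, nineteen per line, to resemble the numeric lines shown above. The last function makes the stated lack of camouflage concrete: any character that occurs only once in the key always encrypts to the same number, so repeated plaintext characters are visible in the ciphertext.

```python
import random
from collections import defaultdict

# Constructed sample key; a real key would be a much longer text.
KEY_TEXT = (
    "The quick brown fox jumps over the lazy dog. "
    "Pack my box with five dozen liquor jugs. "
    "How vexingly quick daft zebras jump!"
)


def map_key(key_text: str) -> dict:
    """First dimension: ASCII value present in the key.
    Second dimension: every offset in the key where that value occurs."""
    table = defaultdict(list)
    for offset, ch in enumerate(key_text):
        table[ord(ch)].append(offset)
    return table


def encrypt(plaintext: str, key_text: str, rng=random) -> list:
    """Replace each plaintext character with one of the offsets listed under
    its ASCII value. Characters absent from the key cannot be encoded."""
    table = map_key(key_text)
    out = []
    for ch in plaintext:
        offsets = table.get(ord(ch))
        if not offsets:
            raise ValueError(f"character {ch!r} does not occur in the key")
        out.append(rng.choice(offsets))
    return out


def decrypt(offsets: list, key_text: str) -> str:
    """Decryption is a direct lookup: offset -> character of the key."""
    return "".join(key_text[o] for o in offsets)


def format_ciphertext(offsets: list, per_line: int = 19) -> str:
    """Render offsets as lines of space-separated numbers."""
    chunks = (offsets[i:i + per_line] for i in range(0, len(offsets), per_line))
    return "\n".join(" ".join(str(o) for o in chunk) for chunk in chunks)


def singleton_chars(key_text: str) -> set:
    """Characters with exactly one offset in the key. Each of them always maps
    to the same number, so their repetitions leak through unchanged."""
    return {chr(v) for v, offs in map_key(key_text).items() if len(offs) == 1}


if __name__ == "__main__":
    msg = "fox jumps"
    ct = encrypt(msg, KEY_TEXT, random.Random(7))
    print(format_ciphertext(ct))
    print(decrypt(ct, KEY_TEXT))
    print("single-offset characters:", sorted(singleton_chars(KEY_TEXT)))
```

Because decryption is a plain lookup into the key, anyone holding the key text recovers the message directly; the scheme's only secret is the key, and with a short key the offsets themselves carry frequency information.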