TockenChpoken - a cookie manipulation attack in Oracle PeopleSoft

Background

There were times when our team performing a pentest and found several organisations that were using Oracle PeopleSoft for their Human Resources (majorly) purpose. In addition to the common weak/default accounts weakness, our team decided to look for other weaknesses. Thus we did a bit of reading about attack vectors that may be less known against this product and found a presentation by Alexey Tiurin at Hack in The Box 2015, Oracle PeopleSoft applications are under attacks!

One of the vulnerabilities shared in this presentation was a manipulation PS_TOKEN in the PeopleSoft application which could lead to a privilege escalation issue.

Interesting.

Discovery

Our team then started to look around on our customers’ assets and available bugbounty programs that have Oracle PeopleSoft as one of their in-scope target. We found several, but we tested few and one of them was vulnerable to this PS_TOKEN cookie manipulation dubbed, TockenChpoken.

The attack

In general, we need to perform the following in order to succeed in manipulating the token.

1. From an unauthorised user perspective or from a low-level user access, grab the PS_TOKEN

2. Obtain all necessary values plus with the signature from the base64 encoded cookie.

3. Brute-force the PS_TOKEN

4. If the brute-force is a success, then we can generate our own PS_TOKEN

We used a plugin for Burp Suite named, PeopleSoft Token Extractor to help us with collecting the token and extracting the necessary information.

We authenticated with a guest access user and captured the PS_TOKEN. The cookie was send to the PeopleSoft Token Extractor for the next steps.

From the tab, we decoded the content and this plugin helped us to extract the necessary information and generate the hashcat format that needs to be cracked.

The following image shows that the current cookie session was belong to a XXX-GUEST user.

The generated SHA-1 hash was then being brute-forced using our cracking-server that internally we called it as Crackcodile.

Crackcodile managed to crack the password within 5 minutes. Results may vary depending on the wordlist and server specifications.

Using the cracked value, we sent it back to the PeopleSoft Token Extractor tab and generated a new token for a new high privileged user in Oracle PeopleSoft such as the PeopleSoft SuperUser = PS.

With the new generated PS_TOKEN for the SuperUser account, we managed to access the restricted directories such as HRMS and etc.

Easy.

We were awarded a handsome amount for this.

This article is a part of our program, #re:educate where we empowering
cybersecurity students and beginners to share their understanding
about anything related to offensive security. For more info, refer to
this link RE:HACK - #re:educate

Author: Adrianus Tristan
University: First City University College

Wi-Fi Cracking with Aircrack-ng

Wireless (Wi-fi) penetration testing is a part of security testing which involves identifying and scrutinising the connections between devices connected to the wifi. This activity could help to identify vulnerabilities and threats within the network by analysing and gathering data about the network.

One of the tools to review the Wi-Fi network security is Aircrack-ng.

About WEP, WPA, WPA2, and WPA3 Security

1. Wired Equivalent Privacy (WEP)

WEP is the oldest (introduced in 1997) and most well-known Wi-Fi security standard. One of the goal of WEP is to ensure the data transmitted over the wireless networks is encrypted. This mainly to prevent Person-in-the-Middle attacks during that time.

Through this authentication, the access point receives an authentication request from the a client and responds by sending the requesting client a 128 bit random challenge in cleartext. The challenge is signed by the client and sent to the access point using the shared secret key. Using the shared secret key, the wireless access point decrypts the signed message and confirms the challenge it previously sent. Authentication is successful if the challenge matches, otherwise it is not.

However, no secret key is exchanged during the authentication process, and the authentication key was shared in cleartext, making it simple to be sniffed. Various vulnerabilities were discovered in WEP over the time due to the rapid changes in computing technology. In 2004, Wi-fi Alliance officially retired WEP. Thus, WEP is now considered obsolete.

Wi-Fi Protected Access (WPA)

WPA was introduced in 2003 to replace WEP. WPA uses the same RC4 encryption algorithm as WEP, but instead of utilising a static pre-shared key, the key was changed dynamically using Temporal Key Integrity Protocol (TKIP) encryption. The base key and IV are also hashed together before the encryption begin.

WPA has a longer key, it uses a 256-bit encryption key, which is a significant improvement over the WEP. However, even with these improvements, there are still weaknesses in the elements of WPA which can be exploited – thus led to intro WPA2.

Wi-Fi Protected Access 2 (WPA2)

WPA2 is the second generation of the WPA wireless security protocol launched in 2004. It is the most used Wi-Fi security protocol today. WPA2 is based on the Robust Security Network (RSN) mechanism and operates on two modes:

• Personal mode or Pre-shared Key (WPA2-PSK) – Usually is used in home environments or small office. It relies on a shared passcode or passphrase.
• Enterprise mode (WPA2-EAP) – What most businesses and organisations used in their Wi-fi network. It uses the implementation of the 128-bits key using Advanced Encryption Standard (AES) block cipher algorithm for encryption process.

While WPA2 is widely being used, it still has flaws. As an example, WPA2 was told to be vulnerable to an attack known as Key Reinstallation Attacks (KRACK) which allows attackers to mimic a clone network and force victims to connect to a malicious network. However, this can be patched on the devices.

Wi-Fi Protected Access 3 (WPA3)

In January 2018, the Wi-Fi Alliance introduced WPA3. WPA3 uses 256-bit Galois/Counter Mode Protocol (GCMP-256) with SHA-384 Hashed Message Authentication Mode.

Simultaneous Authentication of Equals (SAE) exchange, a technique first introduced with IEEE 802.11s, also takes the place of the pre-shared key (PSK) exchange, resulting in a more secure first key exchange.

WPA3 devices became widely available in 2019 and are backwards compatible with devices that use the WPA2 protocol. Although it is more secure than WPA2, it hasn’t yet gained widespread adoption.

What is Aircrack-ng?

Aircrack-ng is an 802.11a/b/g WEP/WPA cracking program that can recover a 40-bit, 104-bit, 256-bit or 512-bit WEP key once enough encrypted packets have been gathered. It can also attack WPA1/2 networks with some advanced methods or simply by brute force. The ‘NG’ in Aircrack-ng stands for “new generation”. Aircrack-ng is an improved version of the earlier Aircrack tool.

Aircrack-ng is not a single tool, but a whole collection of tools, each of which performs a specific function, which are:

• airbase-ng – Multipurpose tool aimed at attacking clients as opposed to the Access Point (AP) itself.
• aircrack-ng – 802.11 WEP and WPA/WPA2-PSK key cracking program.
• airdecap-ng – Decrypt WEP/WPA/WPA2 capture files.
• airdecloak-ng – Remove WEP Cloaking™ from a packet capture file.
• airdrop-ng – A rule based wireless deauthication tool.
• aireplay-ng – Inject and replay wireless frames.
• airgraph-ng – Graph wireless networks.
• airmon-ng – Enable and disable monitor mode on wireless interfaces.
• airodump-ng – Capture raw 802.11 frames.
• airolib-ng – Precompute WPA/WPA2 passphrases in a database to use it later with aircrack-ng.
• airserv-ng – Wireless card TCP/IP server which allows multiple application to use a wireless card.
• airtun-ng – Virtual tunnel interface creator.
• packetforge-ng – Create various type of encrypted packets that can be used for injection

Aircrack-ng focuses on different areas of Wi-Fi security:

1. Monitoring: Packet capture and export of data to text files for further processing by third party tools
2. Attacking: Replay attacks, deauthentication, fake access points and others via packet injection
3. Testing: Checking Wi-Fi cards and driver capabilities (capture and injection)
4. Cracking: WEP and WPA PSK (WPA 1 and 2)

How does it work?

Aircrack-ng uses (Fluhrer, Mantin, Shamir) FMS/KoreK method. The FMS/KoreK method incorporates various statistical attacks to discover the WEP key and uses these in combination with brute forcing.

For cracking WPA/WPA2 pre-shared keys, only a dictionary method is used. When a client and an access point employ pre-shared keys, the client and access point establish keying material to be used for communication right away. Between the client and the access point, there is a four-way-handshake. Aircrack-ng replicates the four-way-handshake using input from a given wordlist to see if a certain entry in the word list matches the four-way handshake results. If it does, the pre-shared key has been found correctly.

For WPA handshakes, a full handshake is composed of four packets. However, aircrack-ng is able to work successfully with just 2 packets. EAPOL (Extensible Authentication Protocol Over LAN) packets (2 and 3) or packets (3 and 4) are considered a full handshake.

Installation on Linux

sudo apt install aircrack-ng

To see the overall manual, simply type aircrack-ng -h

Crack WPA2 Wi-Fi password

Verify that network adapter is recognised by Linux with: iwconfig

Check for any conflicting processes that might interfere the process and kill them using: sudo airmon-ng check kill

Enable monitor mode with airmon-ng: sudo airmon-ng start wlan0

Monitor mode is a data capture mode that allows using a Wi-Fi adapter in listening mode without connecting to the router or access point. You can start the wlan0 or depending on which interface you use.

Note: Not every Wi-Fi adapter support monitor mode. The adapter used in this demonstration was Realtek RTL8723BE 802.11. It can be used for monitor mode. If your adapter doesn’t support this, you might want to purchase an external USB Wi-Fi adapter that support monitor mode.

Discover the access point or Wi-Fi network using airodump-ng: sudo airodump-ng wlan0

The command above will show a bunch of wireless networks with their BSSID, ESSID, channel used, and many more. Suppose the network we want to use is the one inside the red box. Detailed explanation of each parameter can be found here.

Then we can look into more detail on the network chosen with this command:
sudo airodump-ng wlan0 -d B0:95:75:53:F7:92

The -d option is to select the network followed by its BSSID. The figure above shows four clients that connected to the chosen network.

Capture the WPA2 four-way-handshake:
sudo airodump-ng -w captureFile -c 11 --bssid B0:95:75:53:F7:92 wlan0

The -w captureFile is the name of the file that we are going to store the captures in. The -c or channel that we are going to attack is 11. The BSSID is the MAC address of the Wi-Fi target. And the interface we use is wlan0.

Deauthenticate clients:
sudo aireplay-ng –deauth 0 -a B0:95:75:53:F7:92 wlan0

We need to deauthenticate clients from the network so that once the client reconnects again to the network, we can capture the handshake that happened between the client and the access point.

Before deauthenticate the clients, notice that the handshake inside the yellow box is empty. But as soon as we deauthenticate the clients and capture the handshake, it will appear.

Once handshake is captured, we can list out the file in our working directory. Notice that we have got the captured file and we can analyse it using Wireshark.

As you can see, we just found the WPA Key Data on the four-way-handshake packet that sent from a client to the access point, and that is what we are going to crack.

To crack the WPA2 password, we need to use aircrack-ng and run this command followed by the .cap file and a wordlist,
aircrack-ng captureFile-02.cap -w /usr/share/wordlists/rockyou.txt

In this example, I used rockyou.txt and able to crack the password - Trade123.

References

https://www.kali.org/tools/aircrack-ng
https://www.aircrack-ng.org
https://www.avast.com/c-wep-vs-wpa-or-wpa2
https://www.netspotapp.com/blog/wifi-security/what-is-wpa3.html
https://www.wifi-professionals.com
https://www.kaspersky.com/resource-center/definitions/wep-vs-wpa

PrintFriendly is a tool used by millions of people everyday to help them save paper and ink when they print and generate PDFs. The tool is available as a browser’s plugin (Chrome , Firefox and more) or as an external plugin for CMS such as Wordpress and Drupal

While performing security testing against one of our customers, we noticed that they were using PrintFriendly’s plugin to allow their users to generate PDFs from their website. We explored the functionality and found it to be simple. After clicking on the PrintFriendly button, the PDF of the desired page will be processed on https://www.printfriendly.com/ and a link to the generated PDF will be produced, for example, https://www.printfriendly.com/p/g/HyPaUT. The view looks similar to the following:

As we observed, the same thing happened on PrintFriendly’s browser extensions and through their preview tool on their main site.

Users can download the PDF file by clicking on the PDF icon at the top header, as shown in the screenshot above. As a result, a download link will be generated for the content, which can be retrieved as a PDF document.

As soon as we checked the requests in Burp Suite, we realised there might be a problem. The request showed that the PDF was generated by parsing the HTML content from the code and processed at the server-side.

We further explored the likelihood and noticed that the <script> tag was filtered and common JavaScript onevent handler did not work. We assumed there might be a denylisting enabled from the application side. Luckily, the <iframe> tag was possible. Using this tag, we could pointing the iframe’s source to the local file such as /etc/passwd. While attempting that, we noted that by simply pointing the src to the file:///etc/passwd was blocked. This was bypassed by supplying a URLencoded ? and then traversed it back to the passwd file.

<iframe src='file:///etc/%3F/../passwd' />

Timeline:
29 July 2022 : RE:HACK sent a brief discovery information to PrintFriendly team
29 July 2022 : RE:HACK received a reply from their technical person and was asked to provide detail POC
29 July 2022 : RE:HACK provided the POC
29 July 2022 : Their team received the POC and validated the issue
16 August 2022 : RE:HACK asked for a status update
18 August 2022 : Their team told the fix will be deployed on the 24th of August.
22 August 2022 : Their team emailed and informed the fix has been deployed.
22 August 2022 : RE:HACK requested to publish the writeup and was permitted. Published.

This article is a part of our program, #re:educate where we empowering
cybersecurity students and beginners to share their understanding
about anything related to offensive security. For more info, refer to
this link RE:HACK - #re:educate

Author: Wan Muhammad Khairuddin
University: Universiti Teknikal Malaysia Melaka

Hi readers! This is a step by step, in basic, on how to reverse engineer an executable files that is written in C language. Reverse engineering is simply a process of understanding how a program works. When we got the end product, we disassemble and poke it around to see the behaviour of the product and then get some idea how the program works in the background. But in our context, we disassemble a binary executable files, run it and do analysis to understand the behaviour of the executable files.

In this walkthrough, we will use some program that will help us to reverse engineer the executable files. Reverse engineering can be overwhelming for beginners but we will try our best to explain and share tips on how you can easily understand the flow of the program just by reading the assembly code (static analysis).

What is Reverse Engineering ?

Reverse engineering is a process or method through which one attempts to understand how an application works when we don’t have the source codes. We understand it by disassembling the application and look at each function’s implementation.

Prerequisite

The most important things that need to be understood before we can start reverse engineer an executable file are:

• Assembly language
• Registers

We would not be able to get the source code of an application written in C or C++ because it will be converted into assembly language once compiled. You don’t have to be a master or can write a program by using assembly language to do reverse engineering. The code can be understood simply by knowing a few basic instructions and keywords.

Register is one of a small set of data holding places that are part of the computer processor. A register may hold an instruction, a storage address, or any kind of data (such as a bit sequence or individual characters). Some instructions specify registers as part of the instruction. Register is like a variable that stores data. It is also used to perform mathematical calculations. You can learn about common registers here. We would not explain much about register in this article.

Reverse Engineer a Simple Program

Now we will start the main purpose of this article. We will reverse engineer this file from Crackmes. Let’s get started.

Tools needed (for Windows):

• IDA Freeware - https://hex-rays.com/ida-free/
• Git Bash - https://git-scm.com/downloads

First we need to know what file we are dealing with. I will use file command in git bash to find out the type of the file.

From the command, it says the file is a 32-bit PE executable file. Thus, we know that it is for Windows environment. We would not need a Linux machine in this case.

Next, we can try run the file through our terminal (cmd.exe).

What the program does above is, it asks the user to enter a password and then display a message if the entered password is wrong or correct. From this behaviour, we can conclude that our goal is to find out the correct password. So let’s disassemble this file and figure out how the password checking functionality works.

Open our IDA > Choose new > Drag our file into IDA.

Complete the importing process and then it will look like this.

It does look overwhelming, but rest assured, we will walk you through each process to reverse engineer this file and collect the correct password.

First let us look at the top section.

You’ll see a lot of instructions here. It is easy to understand what is happening in it by focusing at the most significant things which is the function.

First we look at the call instruction. This instruction calls a function ; printf, gets and strcmp.

printf is when the program is printing something on the screen. In the beginning, we noted that the program displays a welcome message. So now we know our position or which part of the program we are looking at.

Move on to the next function is printf again. But this time, it displays the password: before the program asks for the user input.

Next is gets function. As we know gets function takes user input so what this assembly instructions do is taking the user input.

The instruction above says that it takes the address of szPassword variable and store it inside $eax register. Then after gets function finishes, the user input is stored inside whatever address the $eax holds. In this case $eax holds address of szPassword. So the user input is stored inside szPassword variable.

Last function is strcmp. This function compares two strings and check if these two strings are equal or not.

As you see above, before strcmp was called, the instructions push something onto the stack. The first one is szPassword, which stores the user input and then the instructions push str1onto the stack. Then strcmp is called. These two strings, szPassword and str1 are compared by the strcmp function. So basically our input is being compared to str1.

Next, let’s take a look at what happen after our input being compared.

There are two paths here; the red path and the green path. If the strcmp return 0 (which means if our input is equal to str1), we will be following the red path. Otherwise, we will be following the green path. Since we are looking for a correct password, we must follow the red path (look at the final message shown in the printf)

Further digging the file, we can see there’s a value set at the str1 which is LiL2281337.

Let’s try if LiL2281337 is the correct password.

Success! It seems we have found the correct password!

Additional notes

Some may ask, how do I know that szPassword and str1 are the strings that are being compared by strcmp? Let me explain in-depth how function calls in assembly.

strcmp is a function that takes two parameters.

int strcmp (const char* str1, const char* str2);

In 32-bit assembly, before a function with parameters being called, the value of the parameters will be pushed onto the stack first. Then when the function is called, it will take whatever value from the top of the stack as its parameter value. Let’s take a look at this instructions again.

As you can see there are two push instructions, push ecx pushes our input onto the stack and push offset str1 pushes the correct password onto the stack. Now our input and the correct password are placed at the top of the stack.

Then strcmp is called, it will take two items from the top of the stack to fulfill its two empty parameters. That’s is how function with parameters being called in 32-bit assembly.

Similarly to the printf. printf takes string to be displayed as its parameter. So the string must be pushed onto the stack first before printf is called.

Conclusion

Reverse engineering is quite complex for a beginner but with the right mindset and methodology, anyone can understand the flow of the program even though they have only a little knowledge about assembly language. The most important thing is to find a suitable methodology and know what to look for.

To anyone who wants to explore reverse engineering, I suggest reading as many reverse engineering writeups, articles, and research papers as possible. We will be able to learn more about reverse engineering as a result of this.

What is a thick client application

Thick client applications generally installed on a user’s local desktop/laptop/workstation. They sometimes called as Desktop Application.

These applications can run own its own (independently) without need to be connected to the internet. Best examples are desktop chat applications such as Teams, Zoom, Slack, etc.

Types of thick client based on proxy configuration

There are two:

1. Proxy aware: The type that have an option to configure the proxy settings in it so a user could monitor the outgoing and incoming communications through the proxy server/tool.

2. Proxy unaware: The type that have no option to configure the proxy settings. To monitor the requests, the user needs to make changes on their own machine’s host file.

How to configure

We had a situation where we required to perform a security assessment against the proxy unaware type thick client. To ensure we were able to collect all the incoming and outgoing requests, we configured our machine as the following:

Initial process

After configuring

Steps

1. Edit the /etc/hosts file as the following (you may need to be a superuser):

##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting.  Do not change this entry.
##
127.0.0.1       localhost
127.0.0.1       targetapi.io

2. In BurpSuite, navigate to your Proxy setting and add configure the Proxy Listeners to bind to the actual targetapi.io port (in this case is 443 and set it as “Loopback only”

3. In the Request Handling, add the actual IP address of the targetapi.io and port 443. Tick on “Force use of TLS” (if it communicates over TLS) and enable invisible proxying. You may need to play around with the invisible proxying sometimes.

That’s all. Now you should be able to capture the thick client’s upcoming and outgoing requests in your BurpSuite.
Worth noting that if you are using port below 1024 in Burp’s proxy setting, you may need to run it as a superuser.