Nothing to see here. Move along.

[ZF]

Flying back home from SFO, stuck in the 2nd to last row of coach (which they seem to reserve for the crazy, smelly, odd, and last minute bookers), and was catching up on Reddit/r/netsec, when I came across this:

[screenshot: the /r/netsec post]

Make them cash drawers pop! Brand new vulnerability published for Xpient POS systems.

Tl;dr: By sending “1 1\n” to port 7510, the cash drawer will release and open. Way to go on an attention-grabbing headline with no meat behind it.

But yeah, really Core? Maybe it’s just the Knife Party I’m jamming out to on the plane, but *this* is how we start to get vendors to stop taking us seriously and to think of us as nothing but annoying gnats. Where’s the impact? An open cash drawer? This provides near-zero benefit to any kind of attacker, since it still requires physical access, and the locks on these cash drawers are baby town frolics to pick. We’re not talking about a hardened safe with pick-resistant locks. We’re talking about a 4-pin wafer lock.

So you’re going to report this vuln to the vendor, make them go through dev, release a patch, put out a notice, and publish an attention-grabbing headline that makes them look less than great, all because you thought it was funny that you could open a cash drawer with a cleartext message.

Let’s talk about this from a business perspective, since the disclosers seem to have their heads in the elitist security clouds.

…The POS cash drawer could be remotely triggered to open if a malicious agent has access to the POS network and is allowed to send a crafted message to the POS terminal hosting the cash drawer. The malicious agent could be malware which operates from any device on the POS network or an unauthorized device connected to the physical POS network.

No Authentication or encryption layer is required to exploit this vulnerability. As a result, the cash drawer opens and its content is physically accessible.
- Core Disclosure

ERMERGERD NO ENCRYPTION TO OPEN A CASH DRAWER?!?! ALERT THE COMMUNITY! Let’s be real here. Working under the assumption that their customer base is primarily food service:

1) If there is malware or an unauthorized device on the network, why on earth would it randomly open cash drawers? Even if it was someone who installed some program as a prank, there’d be zero remote gain.

2) Employees can always open cash drawers, which is why in nearly all situations they’re responsible for their individual drawer, for accountability as to the amount in it. So the only remaining threat here is an external third party with physical presence wishing to swipe some cash/checks. Again, 5 seconds of picking > having to gain network access, determine the IP of the specific terminal whose drawer you want to open, and then opening it. And even if you want to go the route of “but what if they can’t pick?”, they’re going to take the path of easiest exploitation: walk up to the terminal and click “open drawer”, or ring up a quick cash transaction.

Ergo, this “vulnerability” doesn’t introduce any new risk and seriously annoys the shit out of me for being a headline-grabbing attention whore of a vuln. The cash drawer is already at risk from various other attacks, and thus businesses already protect it accordingly. If they’re not, trust me, it’s not a remote drawer-opening vuln that’s going to teach them the lesson of placing the drawer in a secure, high-traffic, or monitored location. Plus, the risk of getting caught is insanely high.

If you want to argue that there’s an “external threat if connected to the internet”, the same could be argued for most networked printers. I could just as easily use a reserved CVE and put out a vuln saying “HP UNAUTHENTICATED REMOTELY EXPLOITABLE VULNERABILITY IS KILLING THE PLANET”. Sometimes it’s ok for things to be unencrypted and unauthenticated… you know, for interoperability’s sake…
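If you accept that a port like this is unauthenticated by design, the compensating control lives on the network: allowlist the hosts that are supposed to reach it and alert on everything else. The following is an added example, not code from this post or from Core’s advisory. It scans constructed key=value firewall log lines for connections to port 7510 (the port named in the disclosure) from any source not on a constructed allowlist; the log format, the addresses and the allowlist are all assumptions made for illustration.

```python
"""Alert on connections to the POS drawer-control port from unexpected hosts.

Added example: not the original post's code and not from Core's advisory.
The log format, the addresses and the allowlist below are assumptions
constructed for illustration.
"""
import ipaddress
import re

DRAWER_PORT = 7510  # port named in the Xpient disclosure

# Constructed allowlist: the terminal hosting the drawer and the POS server.
ALLOWED_SOURCES = {
    ipaddress.ip_address("10.20.0.11"),  # POS terminal (assumed address)
    ipaddress.ip_address("10.20.0.2"),   # back-office POS server (assumed address)
}

# Constructed sample log in a key=value firewall style; the third line is
# a workstation on the POS segment talking to the drawer port.
SAMPLE_LOG = """\
2013-05-06T12:00:01 fw proto=tcp src=10.20.0.2 dst=10.20.0.11 dport=7510 action=allow
2013-05-06T12:00:05 fw proto=tcp src=10.20.0.11 dst=10.20.0.11 dport=7510 action=allow
2013-05-06T12:01:14 fw proto=tcp src=10.20.0.57 dst=10.20.0.11 dport=7510 action=allow
2013-05-06T12:01:20 fw proto=tcp src=10.20.0.57 dst=10.20.0.11 dport=80 action=allow
this line is garbage and must be skipped
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Return (timestamp, fields) for one log line, or None if it can't be parsed."""
    parts = line.split(maxsplit=2)
    if len(parts) < 3:
        return None
    fields = dict(FIELD_RE.findall(parts[2]))
    try:
        fields["dport"] = int(fields["dport"])
        fields["src"] = ipaddress.ip_address(fields["src"])
        fields["dst"] = ipaddress.ip_address(fields["dst"])
    except (KeyError, ValueError):
        return None
    return parts[0], fields


def find_unexpected_drawer_traffic(log_text, allowed=ALLOWED_SOURCES, port=DRAWER_PORT):
    """Return one alert dict per connection to `port` from a source not in `allowed`."""
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        timestamp, fields = parsed
        if fields["dport"] != port or fields["src"] in allowed:
            continue
        alerts.append({"time": timestamp,
                       "src": str(fields["src"]),
                       "dst": str(fields["dst"])})
    return alerts


if __name__ == "__main__":
    for alert in find_unexpected_drawer_traffic(SAMPLE_LOG):
        print(f"{alert['time']} unexpected drawer-port connection "
              f"{alert['src']} -> {alert['dst']}")
```

Run against the constructed log, only the workstation line (10.20.0.57 to port 7510) is reported; the terminal’s own traffic, the server’s traffic, the port 80 line and the unparseable line are all ignored. The same allowlist is the rule you would push to the segment firewall, which is the cheaper control.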

So, Core decides to put out an attention-grabbing double-entendre (pop) headline to get attention. You’re pretty and supa 1337sauce. Feel good? Now go back to disclosing vulns that actually fucking matter / have impact.

More to rant about later (especially on the risk vs. reward aspect)….

Random Update: So I just got home and re-read their disclosure. They’re calling it an “Input validation error”. So no authentication and no encryption = input validation fail? Sorry, it’s not. It’s simply the lack of any authorization/authentication requirement prior to operating the drawer. That’s it. Quit trying to put lipstick on the pig.

Trigger Warning: Hacker Drama, Fasel Rage, Newbs

Last week was the hacker con palooza in Chicago with both THOTCON and BSidesChicago (or is it SecureChicago now?). I won’t go on too long with my list of issues from this weekend (there were quite a few, but obviously I’m a bit biased and have more visibility than others), but there was one major BSidesChicago event that made a lot of us Chicago technical folk double facepalm in shame at it being a representation of the Chicago crews.

You guessed right. The CTF.

Don’t get me wrong, I appreciate the effort by individuals who donate their time and resources to provide an experience for people. It takes a HUGE amount of effort to build one out (developing the challenges, creating the environment, and protecting it from certain attacks while allowing others). I also get that there’s really no single right way to do a CTF – they’re all different, with different formats, targets, and goals. But there are some definitely wrong ways to do one.

Why this lengthy public post instead of a private email? Frankly, a large part of the hacker “community” is giving gold stars and trophies to everyone as participation awards. I’ll rant more about this in a later post, but if we don’t start holding each other to a higher standard, we’ll soon end up with mediocrity all around.

So the WTF!?! Moments…

The Theme

I took an interest in the CTF before the day of BSidesChicago as I haven’t had much free time to do any reversing or crypto for fun and wanted to see what was being displayed as a representation of the Chicago community. A few weeks before the conference, I noticed this as the only paragraph describing their CTF:

Hacker Drama. It has nuclear potential to destroy an entire afternoon for everyone. From tweet insult battles, to blog posts, to podcasts, hacker drama can DDoS productivity for all security people. You are being recruited into the BSides Joint Task Force to stop a rogue agent who is bent on creating an immense amount of Hacker Drama…

…The BSides Joint Task Force needs your help! Don’t let this rogue agent destroy the emotional happiness of the security community! Your community needs you!
- https://securechicago.org/upcomingevents/ctf/

I can’t even make this shit up. Day of BSidesChicago, it continues on their registration portal…

WE HAVE RECEIVED INFORMATION THAT A ROGUE AGENT HAS BEEN UTILIZING RESOURCES FROM BSIDES CHICAGO AND BSIDES DETROIT IN AN EFFORT TO CREATE AN IMMENSE AMOUNT OF HACKER DRAMA FOR THE INFORMATION SECURITY COMMUNITY. WE BELIEVE THAT THIS ROGUE AGENT MAY BE A HIGH RANKING OFFICIAL WITHIN THE ORGANIZATION. IT IS POSSIBLE THAT THERE IS MORE THAN ONE ROGUE AGENT, BUT OUR INFORMATION SO FAR IS POINTING TO A SINGLE AGENT WORKING ALONE.
- https://ctf.securechicago.org/

Derp derp.

For those of us who have been in the community / scene / industry for some time, we’ve seen our fair share of unnecessary “Hacker Drama” bullshit. With that said, our community is no more plagued by this than any other group of like-minded individuals who are passionate about what they do. But seriously, we’re making this the theme of a CTF? That doesn’t reflect well on the Chicago hacker community as a whole. In fact, it makes us look like a bunch of pussies.

I’m going to work on the assumption they were serious with their theme based on the various wording. If you think it’s benign and a stupid point to bring up, feel free to skip this rant.

I’m extremely curious as to what their definition is of “Hacker Drama”. I honestly can’t tell if the organizers are serious or are joking with this theme. From the wording, it really seems like they’re serious. If it’s a joke, I honestly don’t get what’s funny or satirical about it.
With the theme being a “rogue agent” amongst a group of like-minded individuals, and that agent’s crime being hacker drama, the definition appears to be “someone who doesn’t agree with us”, “you’re either with us, or against us”, and “you shouldn’t speak your mind for fear of causing drama”. This is compounded by the idea that the goal of the CTF is to prevent the destruction of “the emotional happiness of the security community”. Really!?!? The security community is happy feel-good fun time? And “DDoS productivity for all security people”. Really!??! Productivity is what we’re concerned about now??? And we’re not going to say what this rogue agent has actually done, and instead speak in overgeneralities so people can draw their own conclusions. REALLY. Is it just me, or is this the biggest form of creating drama?

But let me guess. It’s a fictional theme designed to hit close to home to the community to spark discussion and thought, right? It’s the same bullshit as the cop out of posting some crazy ass shit and at the end trying to justify it by saying “I appreciate everyone’s input and value the fact that this started a discussion”. No. You were wrong and everyone called you out. That’s what happened.

Sure. There is such a thing as going overboard with criticism and trolling, but if someone’s not super warm, fuzzy, and super positive, they’re causing drama?

If being critical of someone or something, in an attempt to push them to the standard we hold each other to in this community, destroys their emotional happiness, then (a) grow up, and (b) I will proudly declare myself a Rogue Agent and announce it from the rooftop. Again, I’ll have a post later about the “give everyone a gold star for mediocrity” pattern we’re starting to slip into.

Again, I could be over-analyzing the theme, but a large number of people I’ve talked to have looked at it and gone “wat?”.


A Required Non-Disclosure Agreement

Register an account for the competition, and you’re presented with the following:

By completing the registration process, you agree to not disclose any information about the challenges or information contained in this site to any public forum, mailing list, phone tree, bulletin board, semaphore competition or any other public forum nor to any person not registered with this site. Consider this an NDA on all content contained within.

Yeah… good luck having *any* enforceability with that statement. Legal or even on a warm-fuzzy level…

So the BSidesChicago and Detroit crew doesn’t want anyone talking about their small, free, public, open-registration CTF. So if someone wanted to share their experience with others (i.e. walkthroughs) and the skills or tools they needed, nope! Verboten. Talk about your experience with it? Sure, as long as you don’t reference ANY details regarding the challenges (type, points, results, anything). Better speak in vague generalities that provide no valuable detail whatsoever.

Thanks BSidesChicago/Detroit CTF – there goes the hacker spirit of making knowledge open and free.

Honestly, I can’t think of a single credible CTF that tries to enforce the NDA “keep this secret” bullshit. The only reason the weak ones seem to do this is because they don’t feel confident in coming up with enough unique challenges to keep their sponsor-funded projects moving forward. Example: National Cyber League. A college defensive competition (spun off of various CCDC regions) that posted this b.s. in their agreement for colleges AND RED TEAM MEMBERS:

Whether feedback is positive or negative, participants are forbidden from publishing, posting on the internet, or publicly communicating details of the competition other than what is available at www.nationalcyberleague.org. They are also forbidden from publishing, posting on the internet, or publicly communicating assessments of the NCL Pilot, nor assessments of the performance of any team, nor speculations concerning different possible outcomes. Institutions that fail to adhere to this rule may be refused participation in future competitions.

Someone’s afraid of review and criticism.

But I digress – the point is, one of the key points of hacker ethic is freedom of information. Seems BSidesChicago and BSidesDetroit don’t believe in this as much as they say they do…


The “Rules”

What’s the goal of any hacking competition? That’s right. To break or bypass the rules that were put in place. Whether it’s the rules of access control, crypto, or binary obfuscation, the goal is to break rules. So putting a large number of rules in place makes it seem you didn’t consider the security of the competition at all, and they are going to be broken. Plus, if you’re going to put rules in place to govern a competition, they had better be realistic.

Let’s look at these rules that raised major WTF moments.

MUST NOT ATTEMPT TO HACK CTF SERVER OR APPLICATION! You will be penalized and/or disqualified!

Let’s look at the webapp challenge:

[screenshot: the web app challenge page]

So notice some key things here. The scoreboard and list of challenges is located at ctf.securechicago.org. Let’s click the link of the URL we’re supposed to hack by following the “here” link:

[screenshot: the challenge’s target URL, also on ctf.securechicago.org]

Still ctf.securechicago.org… And I’m supposed to attempt to hack this, or addendum.php? Any attempt to solve this challenge would be a direct violation of the rules! Oh no! Looks like I can’t complete this challenge, as I “will be penalized and/or disqualified!”. And seriously – if people are tinkering with the scoreboard and find issues, you should be rewarding them with bonus points, not penalizing them! Don’t you want to improve the system? Haven’t you ever heard about the successes of bug bounty programs? The only time I’d recommend someone being drop-kicked is if their fucking with the CTF system was causing any kind of DoS. That’s just a dick move.

And to add to that:


Physical attacks are NOT in scope. DO NOT attempt them or you will be removed from event!

Looking at the score board, there were a few lock picking challenges. A quick screenshot of the scoreboard shows:

[screenshot: the “physical” category on the scoreboard]

So the category is physical. And lock picking would be considered an attack by pretty much anyone’s definition. Another rule violation for following their own challenges! *facepalm*

If you were worried about people physically going after your on-site hardware (i.e. walking over to the server and screwing with it), maybe you need to better physically secure your server.


Any attempt at cheating of ANY form will not be tolerated

Isn’t hacking cheating system controls, designs, and crypto algorithms? What’s the definition of cheating? But let’s go beyond that and see how they actually penalized people for “cheating”. Look at one of the first challenges in the screenshot below:

[screenshot: the network challenge]

Again, I quote it: “Take risks. Throw caution and wisdom out the window. Just start answering these things.” The file attached to the challenge was a pcap of an FTP transfer containing a PDF file. It was easy: I reconstructed the PDF, and it contained basically 15 words. Nothing in the metadata. Tried the various words, nothing. So I threw caution to the wind as advised and looked at the source of the challenge page. In the HTML source was:

<div style="visibility: hidden">Look_What_I_Found</div>

So hey, why not throw caution to the wind and submit that as a flag. I kid you not. The response I got back was:

Did you read the rulez? No cheatz for u! -100 points!

Um, WAT!?!? I just lost 100 points for looking at the HTML source of the challenge and submitting what I found there, and THAT’S CLASSIFIED AS CHEATING?!???!?! The flags followed no single format (some were hex, some were alpha/num/sym, some were case sensitive, some lowercase), and yet I’m cheating for trying something from the HTML source?

I had to double check to make sure I wasn’t insane. I created another account from a different source IP and session to see if it was a rate issue from the previous submissions. NOPE. First submission and voilà: -100 points. Cheater. You looked at the HTML source and tried a flag when there was no flag format!

To make matters worse, it marked the challenge as complete and hid the submission form (granted, you could hack it to resubmit the right one, but ermergerd, rule violation).

To put things in perspective, first place got 180 points and second place had 110 points. Yup. Zero way you can win if you tried that once. Dicks.


DO NOT sniff wireless traffic period

…Really? You’re going to tell people “don’t sniff the wifi”. Here’s a protip: Don’t make it sniffable! If someone uses clear text to search for stuff or submit their entries when SSL is provided, then it’s their own damn fault. And how are you going to police this? Shoulder surf everyone in the CTF?


The Good

So as much as I rant, it wasn’t all bad, but the majority of people won’t see the challenges… since again… we’re not allowed to talk about them.

You know what. Fuck it. Enjoy kids.

Download Challenges

Here are the details on the challenges. I dare them to try to issue a takedown for this info, as they’ll become the laughing stock of the security community. Sorry they aren’t in HTML and are just PNGs. I was only able to stick around BSidesChicago for a few minutes and pulled the downloads and screenshots as fast as I could. Missing is the “Lost Keys” challenge, as I accidentally didn’t pull it.

Diverse Set of Challenges

[screenshot: the challenge list]

While I wish they had more active exploitation challenges, there was a sufficient spread of challenges. Crypto, reversing, pcap analysis, and forensics provided a good spread for people to look at. However, they didn’t list what the point values were for any of the challenges, so it was impossible to actually game it like a game.

Quick to Respond to Scoreboard Vulns

So the scoreboard was riddled with vulnerabilities, including the ability to pull the source from the web-accessible .git folder (props to @thekos for that one), CSRF on submissions (including the “cheat” one, to cause other teams to get negative points), SSL but cookies not set with the Secure flag, PHPSESSID not regenerating at login, and numerous logic flaws (including the ability to resubmit results numerous times to increase points and to submit after the competition closed). Any time someone *cough* took advantage of these, they were quick to detect and respond and to patch the ones being exploited.
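For anyone building a scoreboard, the fixes for that list are not exotic. The following is an added example and not the BSidesChicago scoreboard’s code (the PHPSESSID cookie suggests that app was PHP; this is a framework-free Python model of the same controls): cookie attributes the board lacked, a fresh session id issued at login, a per-session CSRF token checked on every submission, and scoring that cannot be farmed by resubmitting or by submitting after the deadline. The class and function names, the challenge names, flags, point values and timestamps are all constructed for illustration.

```python
"""Scoreboard submission handling without the flaws listed above.

Added example: not the BSidesChicago scoreboard's code, but a
framework-free Python model of the controls it was missing. All names,
flags, point values and timestamps are constructed for illustration.
Times are UNIX timestamps (floats) so the model stays dependency-free.
"""
import hmac
import secrets
import time


class Session:
    """Server-side session: random id, bound user, and its own CSRF token."""

    def __init__(self, user):
        self.id = secrets.token_hex(16)
        self.user = user
        self.csrf_token = secrets.token_hex(16)

    def cookie_header(self):
        """Set-Cookie line carrying the attributes the old board lacked."""
        return (f"Set-Cookie: SESSID={self.id}; Secure; HttpOnly; "
                f"SameSite=Strict; Path=/")


class Scoreboard:
    def __init__(self, flags, closes_at):
        self.flags = flags            # challenge -> (expected flag, points)
        self.closes_at = closes_at    # timestamp after which nothing scores
        self.sessions = {}            # session id -> Session
        self.solved = {}              # user -> set of solved challenges
        self.scores = {}              # user -> points

    def login(self, user, old_session_id=None):
        """Issue a brand-new session id, dropping any pre-login one (no fixation)."""
        if old_session_id is not None:
            self.sessions.pop(old_session_id, None)
        session = Session(user)
        self.sessions[session.id] = session
        self.scores.setdefault(user, 0)
        self.solved.setdefault(user, set())
        return session

    def submit(self, session_id, csrf_token, challenge, flag, now):
        """Score one submission; every check returns a reason string."""
        session = self.sessions.get(session_id)
        if session is None:
            return "no session"
        # A form posted from another site carries the cookie but not the token.
        if not hmac.compare_digest(csrf_token.encode(), session.csrf_token.encode()):
            return "bad csrf token"
        if now >= self.closes_at:
            return "competition closed"
        if challenge not in self.flags:
            return "unknown challenge"
        if challenge in self.solved[session.user]:
            return "already solved"          # resubmitting earns nothing extra
        expected, points = self.flags[challenge]
        if not hmac.compare_digest(flag.strip().encode(), expected.encode()):
            return "wrong flag"              # a bad guess costs nothing
        self.solved[session.user].add(challenge)
        self.scores[session.user] += points
        return "correct"


if __name__ == "__main__":
    # Constructed challenges; the board closes an hour from now.
    board = Scoreboard({"pcap-101": ("flag{constructed_example}", 10),
                        "rev-101": ("flag{another_constructed}", 20)},
                       closes_at=time.time() + 3600)
    s = board.login("team_a")
    print(s.cookie_header())
    now = time.time()
    print(board.submit(s.id, s.csrf_token, "pcap-101", "flag{constructed_example}", now))
    print(board.submit(s.id, s.csrf_token, "pcap-101", "flag{constructed_example}", now))
    print(board.scores["team_a"])
```

Two design points worth noting: a wrong guess is simply rejected rather than penalized, so poking at the page source costs nothing; and because `submit` is idempotent per challenge, replaying a request (whether by the submitter or via CSRF) cannot change a team’s score after the first correct answer.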

Wrapping it Up

Like I first said, I fully understand the amount of work required to create a CTF. My issue hasn’t been with the challenges I had time to look at, but everything around them. And all those surrounding issues give the Chicago hacker community a shitty image. Derp.

Research, Reviews, and Rants

Life gets in the way sometimes and we get too busy to keep up with stuff. It’s been a while since I’ve posted, but I’ve decided to start blogging (v. fasel ranting) a bit again.