CVE-2018-5559 my first CVE

TLDR

CVE-2018-5559 is an information disclosure vulnerability in Komand Security Orchestrator (v0.40.2) that was disclosed responsibly to Rapid7 and was mitigated and patched within days (version 0.42.0 or later). The vulnerability itself is not worth a logo.

Introduction

As a security professional I hear a lot of people complaining about companies handling responsible disclosure in a way that is not appreciated by customers (by sitting on patches too long) or by the discloser (by not reacting, etc.). The following blog post is a report about a very positive case that I experienced when disclosing my very first security vulnerability. I really hope this one gets shared and that companies adopt some of the positive aspects. At the very end of the post I will also point to further resources where either researchers or companies can read more about the topic.

The stage

Being interested in various APIs that are useful to security people (which eventually turned into a dedicated list of APIs on GitHub), I stumbled across Komand Security Orchestrator. As there was no documentation available (heads up Rapid7, that needs some love!), I spent some time reverse engineering and discovering APIs with the Google Chrome developer tools and Python, actively sharing my results on GitHub.

One of the API endpoints was /connections:

https://komandurl/v2/connections 

Connections

Komand Security Orchestrator is made to interact with various (security-related) tools and to create so-called workflows. To achieve that goal, Komand needs credentials for those tools. Every set of credentials is stored in a central keychain that is accessible to workflows. Most connections store some kind of URL, username and password.

Given this nature, credentials stored in this keychain either have higher privileges to accomplish tasks or are able to see more than the regular user.

Every plugin can have its own set of credentials, so let's say you have the LDAP plugin to connect to Active Directory: there could be a dedicated set of credentials for the prod and the qual Active Directory.

Surprise

After my first GET request to the connections API endpoint something got my attention. While most of the connections have the password field *****ed out, some did not – WTH?
Most look like the following:

"name":"VT Private API","type":"plugin","parameters":{"api_key":"********","url":"https://www.virustotal.com/vtapi/v2/"} 

But OTRS looks like the following:

{"connection_id":36,"plugin_id":75,"name":"OTRS Dev User:komand_test","type":"plugin","parameters":{"server":"https://REDUCTED","credentials":{"password":"REDUCTED","username":"komand_test"}},"created_at":"2018-08-08T10:56:54Z","updated_at":"2018-08-08T10:56:54Z","deleted_at":null,"deleted_by_id":null} 

And LDAP:

{"connection_id":39,"plugin_id":72,"name":"AD","type":"plugin","parameters":{"host":"ldaps://LDAPURL","port":636,"use_ssl":true,"username_password":{"password":"CLEARTEXTPASSWORD","username":"AD\\USER"}},"created_at":"2018-10-05T11:53:47Z","updated_at":"2018-10-05T11:53:47Z","deleted_at":null,"deleted_by_id":null} 
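As an added example (not part of the original post or of Komand), here is the kind of check an admin can run over the /v2/connections listing after updating, to confirm that every secret-looking parameter, including nested ones like the username_password block above, comes back masked. The set of secret key names and the sample records are assumptions constructed here.

```python
# Keys whose values must never come back in cleartext from the API
# (assumption: this set covers the plugins discussed in the post).
SECRET_KEYS = {"password", "api_key", "secret", "token"}
MASK = "********"


def find_unmasked_secrets(node, path=""):
    """Walk a connection's parameters and return the dotted paths of
    secret-looking keys whose value is not the mask string."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if key in SECRET_KEYS and not isinstance(value, (dict, list)):
                if value != MASK:
                    findings.append(child)
            else:
                findings.extend(find_unmasked_secrets(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            findings.extend(find_unmasked_secrets(item, f"{path}[{i}]"))
    return findings


def audit_connections(connections):
    """Return {connection name: [leaking paths]} for each record that
    still exposes a secret; an empty dict means every secret is masked."""
    report = {}
    for conn in connections:
        leaks = find_unmasked_secrets(conn.get("parameters", {}), "parameters")
        if leaks:
            report[conn.get("name", "?")] = leaks
    return report


# Constructed sample records modelled on the two shapes shown above:
# a masked VirusTotal connection and an LDAP connection whose nested
# username_password block comes back in cleartext (placeholder value).
SAMPLE = [
    {"name": "VT Private API", "type": "plugin",
     "parameters": {"api_key": "********",
                    "url": "https://www.virustotal.com/vtapi/v2/"}},
    {"name": "AD", "type": "plugin",
     "parameters": {"host": "ldaps://LDAPURL", "port": 636, "use_ssl": True,
                    "username_password": {"password": "CLEARTEXTPASSWORD",
                                          "username": "AD\\USER"}}},
]

if __name__ == "__main__":
    report = audit_connections(SAMPLE)
    for name, paths in report.items():
        print(f"{name}: cleartext secret at {', '.join(paths)}")
    print("all secrets masked" if not report else f"{len(report)} leaking connection(s)")
```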

Scope – pre-requisite

To get the above-mentioned list of connections you need to be an authenticated admin, so it is not open to everyone.

Scope – affected plugins

As not every password was visible, several plugins were tested (not every plugin!) and two plugins seem to be affected:

the LDAP plugin and the OTRS plugin

Impact

To score the vulnerability, the best way to go is to leverage CVSS, and the rating for this vulnerability is a CVSS score of 3.1:

CVSS Base Score: 3.4
Impact Subscore: 1.4
Exploitability Subscore: 1.7
CVSS Temporal Score: 3.1
CVSS Environmental Score: 3.1
Modified Impact Subscore: 1.4
Overall CVSS Score: 3.1

Responsible disclosure process

October 25, 2018 14:42 created issue in the Rapid7 online portal / mail to CIRCL.lu

So I found the issue and wanted to get it fixed as soon as possible and have a CVE assigned. My first reaction was to reach out to my friends at CIRCL.lu to assist and assign a CVE, so I sent them a PGP-encrypted mail to info@circl.lu.

Side note: by accident I had a local mail rule filtering all mails from info@circl.lu into a subfolder and marking them as read. That is a stupid thing to do if you expect an answer from them, and it caused some confusion afterwards. So, for clarification: they were very responsive and their reaction time is in hours. If you do not know whom to disclose to, going through a third party like CIRCL is a great way to get started, and they have a profound network of contact points.

Then I looked at the Rapid7 web page and found that they have a responsible disclosure statement and procedure in place as well, so I gave it a shot by opening an issue there.

The portal is very well done and requests information that helps engineers assess the impact as fast as possible; it is even possible to propose a CVSS rating (more on that later).

October 26, 2018 First reaction from Rapid7

Rapid7 gave a SYN/ACK that they had received the issue and that Engineering and Support were working on scoping and verifying it.

October 26, 2018 Rapid7 verifies it is an issue

On the same day the designated person made a note in the online portal verifying that it is an issue and that they are working on fixing it.

October 30, 2018 Rapid7 case update

Note in the online portal: the Rapid7 team is working on a fix and provides a rough timeline that a patch should be available the same week, and that assigning a CVE is in progress as well.

November 1, 2018 Rapid7 case update

Another note that the fix is on the horizon.

November 1, 2018 Komand Release Notes

On that day a mail was sent out announcing a new version, "Komand Release Notes". In the bug fixes area this was mentioned:

v0.42.0: Certain endpoints that are able to list the always encrypted-at-rest connection data could return some configurations of connection data without obscuring sensitive data from the API response. We fixed this issue, and all configurations of connection data are now correctly obscured.

November 1, 2018 Komand Slack

Via Slack, Komand engineers asked for my feedback on whether the patch indeed fixes the issue I reported; after updating I was able to confirm that.

November 2, 2018 pre-assigned CVE

Rapid7 reached out to me and CIRCL (who seem to have reported the issue in parallel; I had no SYN/ACK from them, but I had told them that they did not need to disclose further as soon as I discovered the Rapid7 portal).
In this mail I was told the pre-assigned CVE for the issue and the CVSS rating their engineering team came up with. They also asked if I plan to write a blog post or other coverage (which you are reading at the moment).

Affected?

All versions below 0.42.0 are affected. AFAIK only the OTRS and the LDAP plugin are affected.

Mitigation

Update to Komand version 0.42.0 or later. I would recommend resetting the passwords of all accounts stored for the LDAP and OTRS plugins.

Exploited?

Most people might ask: alright, so how can I find out if someone with bad intentions has used this vulnerability? The only way to tell is to check the web logs of Komand and look for GET requests to /v2/connections from unusual source IPs.
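As an added example (not part of the original post), a small Python detection that runs the check above over web log lines: it keeps only successful GET requests for the /v2/connections listing itself and counts those coming from outside the networks admins normally use. The combined log format, the admin networks and the sample lines are assumptions constructed here; adapt the regex to your own front end's log shape.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Combined log format as many reverse proxies write it (assumption: the
# Komand front end logs in this shape; adjust the regex otherwise).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed: networks from which admins normally reach the Komand API.
KNOWN_ADMIN_NETS = [ip_network("10.0.0.0/8")]


def parse(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_connections_listing(rec):
    """Only a successful GET on the listing endpoint could have returned the
    cleartext credentials; sub-resources like /v2/connections/36 are ignored."""
    path = rec["path"].split("?", 1)[0].rstrip("/")
    return rec["method"] == "GET" and path == "/v2/connections" and rec["status"] == "200"


def suspicious_reads(lines):
    """Return Counter of source IP -> number of listing reads that came from
    outside the known admin networks."""
    hits = Counter()
    for line in lines:
        rec = parse(line)
        if not rec or not is_connections_listing(rec):
            continue
        src = ip_address(rec["ip"])
        if not any(src in net for net in KNOWN_ADMIN_NETS):
            hits[rec["ip"]] += 1
    return hits


# Constructed sample log lines (timestamps and IPs are made up).
SAMPLE_LOG = [
    '10.1.2.3 - - [26/Oct/2018:09:12:01 +0000] "GET /v2/connections HTTP/1.1" 200 4812',
    '10.1.2.3 - - [26/Oct/2018:09:12:05 +0000] "GET /v2/workflows HTTP/1.1" 200 990',
    '203.0.113.7 - - [27/Oct/2018:02:41:33 +0000] "GET /v2/connections?limit=100 HTTP/1.1" 200 4812',
    '203.0.113.7 - - [27/Oct/2018:02:41:40 +0000] "GET /v2/connections/36 HTTP/1.1" 200 512',
    '198.51.100.9 - - [27/Oct/2018:03:00:00 +0000] "GET /v2/connections HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    for ip, n in suspicious_reads(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} read(s) of /v2/connections from outside the admin networks")
```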

Feedback

The way this issue was handled was straightforward; at every point I had the impression that my issue was treated at the right level, no over-hyping and no "we don't care", just the right balance.
It is notable that the online form used by Rapid7 supports this process a lot; I assume it makes it easy to scope issues on the engineering side as well as easy for the researcher who wants to know the current status of the reported issue.

It is also good to see that the work of the FIRST CVSS SIG adds value in such issues, as it helps both sides to rate the vulnerability.

Links

https://nvd.nist.gov/vuln/detail/CVE-2018-5559

https://github.com/CVEProject/cvelist/pull/1303

Further reading

To learn more about best practices in responsible disclosure I would recommend:

https://titanous.com/posts/security-disclosure-policy-best-practices

 

timesketch-tools

Overview

I am happy to say that a new tool made it to GitHub, called "timesketch-tools".
It is basically a way to interact with Timesketch via the CLI. For those who don't know Timesketch: it is an amazing open-source tool developed by Johan Berggren and is used to create timelines for forensic investigations as well as incident response cases.

Reason

Back in 2017, Johan tweeted:

Why is the web UI not enough? Well, in some cases you might want to automate stuff, have no browser, or have other reasons, so it is not "why" but "why not".

So during the last few days I built a client for it: timesketch-tools

Capabilities

At the moment only two methods work, but it should be enough to show its potential.

List sketches

timesketch-tools.py -ls
     
         _______               __       __      __ 
        /_  __(_)_ _  ___ ___ / /_____ / /_____/ / 
         / / / /  ' \/ -_|_-</  '_/ -_) __/ __/ _          
        /_/ /_/_/_/_/\__/___/_/\_\__/\__/\__/_//_/-tools v0.1

            
+-----+-----------------------------+
|  id |             Name            |
+-----+-----------------------------+
| 130 |     test1Untitled sketch    |
|  3  | The Greendale investigation |
+-----+-----------------------------+

Add event

timesketch-tools.py --add_events
     
         _______               __       __      __ 
        /_  __(_)_ _  ___ ___ / /_____ / /_____/ / 
         / / / /  ' \/ -_|_-</  '_/ -_) __/ __/ _          
        /_/ /_/_/_/_/\__/___/_/\_\__/\__/\__/_//_/-tools v0.1

            
Please provide the sketch id you want to add events to as (an integer): 3
Please provide informations to the event you would like to add timestamp, timestamp_desc, message will be promted

Timestamp (use Format: YYYY-mm-ddTHH:MM:SS+00:00 2018-01-15T10:45:50+00:00) use c for current time c
timestamp_desc this is the description
message something was hacked
Event added, ID: 18 Date:2018-10-31T14:49:41+00:00 timestamp desc this is the description messagesomething was hacked
Add another event? (y/n)n

I have a lot of ideas for improvements, so expect some more functionality added soon…

curl -u in python

Problem

Sometimes you might want to authenticate against an API with username and password where the examples are only given with curl:


curl -u username:password https://127.0.0.1/foobar

Solution

If you want to implement the same in Python you can use the following:


import requests
from requests.auth import HTTPBasicAuth

username = "username"
password = "password"

request_url = "https://127.0.0.1/foobar"

# curl -u without further options sends a GET carrying an HTTP Basic
# Authorization header; HTTPBasicAuth adds exactly that header here.
result = requests.get(request_url, auth=HTTPBasicAuth(username, password))
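As an added example (not from the original post), the following shows what curl -u and HTTPBasicAuth actually put on the wire: the same "Basic" header built by hand from the base64 of username:password, and the header requests would send, prepared without contacting anything. The URL is the placeholder from the post.

```python
import base64


def basic_auth_header(username, password):
    """Build the Authorization value exactly as curl -u does:
    'Basic ' + base64(username:password). This is encoding, not
    encryption, which is why the call must go over HTTPS."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def header_from_requests(username, password, url):
    """Prepare (without sending) a GET with HTTPBasicAuth and return the
    Authorization header that requests would put on the wire."""
    import requests  # imported here so the stdlib helper above runs without it
    from requests.auth import HTTPBasicAuth

    req = requests.Request("GET", url, auth=HTTPBasicAuth(username, password))
    return req.prepare().headers["Authorization"]


if __name__ == "__main__":
    url = "https://127.0.0.1/foobar"  # placeholder URL from the post; never contacted
    manual = basic_auth_header("username", "password")
    print(manual)
    print(header_from_requests("username", "password", url) == manual)
```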

Hope it helps, let me know.


Security API collection

While working on different things I was searching for a collection of APIs that are related to or useful for security researchers, incident response people or threat intel.

Unable to find a good list of REST APIs, I decided to start one. The collection is hosted as a Security API list, and pull requests or issues mentioning missing APIs are highly welcome.

Why did I produce such a list? More and more people want to automate their workflows. Security Orchestration is the new buzzword after last year's Threat Intelligence, but it basically contains the same; both have in common that they facilitate already available data, with orchestration not storing that much data but enriching the dots collected.

However, the challenge is what to integrate: everyone has their "go to" tools they use on a daily basis, risking missing some golden nuggets that are handy.

The list is divided (at the moment) into tools that are mostly on-prem, online tools, SIEMs and various. With an increasing number of APIs that ordering might change, of course.

So I really hope the list is useful, that people can use it and that it can grow.

Python PyDev Eclipse Ubuntu

To use the PyDev Eclipse plugin on Ubuntu:


apt-get install eclipse
open eclipse
Help -> Install New Software
add button
insert: PyDev
Position: http://pydev.org/updates
check all
accept license
Next
Window -> Preferences -> PyDev -> Interpreter -> Python
New -> link to python interpreter (default: /usr/bin/python)
finish

App info: Version – Language

Developing an app for a broad customer base also means creating a wide variety of possible problems. When a problem does occur, you want to know the customer's environment as precisely as possible.

For an iOS app this includes in particular:

Source:

Which app exactly did they use?

Version:

Which version of the app was used? Was perhaps an old version in use, so that a simple update would help?

Language:

Which language is set? Might the problem stem from a translation error / a missing translation?

iOS version:

Apple does a fairly good job of preventing the use of functions that are not yet, or no longer, available in certain iOS versions; nonetheless, when errors occur it is important to know which iOS version is in use.

Most of this information is reachable via [[NSBundle mainBundle] infoDictionary]:

App identifier: [[[NSBundle mainBundle] infoDictionary] valueForKey:@"CFBundleIdentifier"]
App version: [[[NSBundle mainBundle] infoDictionary] valueForKey:@"CFBundleVersion"]

The language is obtained via: [[[NSUserDefaults standardUserDefaults] objectForKey:@"AppleLanguages"] objectAtIndex:0]

And last but not least the iOS version:
[[NSProcessInfo processInfo] operatingSystemVersionString] Note that in the Simulator the OS X version is reported as the operating system.

With the details listed, the user's technical environment can already be narrowed down quite precisely, and this information can be attached automatically, for example to an e-mail.

It is a good idea to route the incoming e-mails automatically into a ticket system so that no report gets forgotten. The open-source ticket management system OTRS has proven practical here. The system is also worthwhile for professional use, since a company stands behind the developers that offers professional support and can assist with the implementation.

iPhone ADHoc build save to disk problem

With Xcode, apps can not only be submitted to the Apple App Store; registered developers can also distribute so-called ad hoc builds to registered iOS devices.

The file is signed by the creator and is then runnable. I described how all of this can be done in this article: ios-betabuilder-version-1-5-released. (By the way, the BetaBuilder is meanwhile available in the MacStore.)

What if there are problems with the procedure described? For example, it can happen that the Organizer simply does not react when clicking "Save to disk", without any error message. A look at the logs using:

tail -f /var/log/system.log

brings a

header check failed

to light.

Possible solutions:

– "Project clean" and rebuild

– Restart Xcode

– Restart the machine

– Reinstall Xcode, clean the project, build the project

Xcode 4 refactoring disabled

With the new version of Xcode, Apple has brought some new features and improvements. Some things, however, stand out negatively.

One of them is the popular refactoring function. Refactoring means:

Refactoring (in German also Refaktorierung, Restrukturierung or Umgestaltung) refers in software development to the manual or automated structural improvement of program source code while preserving the observable program behaviour. The aim is to improve readability, comprehensibility, maintainability and extensibility, with the goal of significantly reducing the effort required for error analysis and functional extensions.

Source: Wikipedia

This means that with refactoring a variable can, for example, be renamed, with the development environment making sure that this variable is renamed everywhere it occurs. Extracting source code into a separate method with a corresponding method signature also falls under refactoring.

But where did Apple drop the ball here? Anyone who had an "old" Xcode 3 project and opens it in Xcode 4 will be surprised on right-clicking: all refactoring options are greyed out.

With update 4.0.1 Apple has fixed the problem; after a project clean the refactor function can be used again.

What's new in Xcode 4.0.1:

– Improved Assistant editor logic when switching among different file types
– Fixed a bug in "Install Xcode.app" that hangs at 99% complete, never finishing
– Fixed a bug that prevented indexing of some projects
– Fixed a bug related to nil settings in the Core Data model editor
– Fixed a bug that prevented automatic download of iOS documentation
– Fixed a bug in LLVM GCC 4.2 and LLVM compiler 2.0 for iOS projects
– Additional bug fixes and stability improvements

Update 2014: Xcode has meanwhile reached version 6.

How do I create my first iPhone application

iPhone – the still-current trend device has, thanks to the App Store and Xcode, a large fan base, among whom the barrier to going from consumer to developer has been set lower than probably ever before.

Anyone who works or plays a lot with the iPhone sooner or later has the thought "xyz would be a great iPhone application".

But which steps are necessary to get from the idea to the finished program?

The idea

No idea, no app. No good idea, no good application! But what makes an application good?

  • does the program solve a problem that has been unsolved until now?
  • does the program go into a specific niche? / does it address a fringe group?
  • does it make people laugh?
  • is it an improvement of an existing program?

If one of the questions was answered with yes, you are on the right track!

Tools

You should get the following things in order to develop an application

What are you good at?

As with any other business one wants to found, one must look self-critically at what one is good at. Knowing your own weaknesses is more important than knowing your own strengths, because the weaknesses can be compensated by other professional staff. Not knowing these weaknesses can cost real money later.

Required skills:

  • distinguishing between "what works" and "what doesn't" with regard to existing iPhone apps
  • market analysis
  • creating a sitemap of the application / depicting the functionality abstractly
  • drawing
  • GUI design
  • programming (Objective-C, Cocoa)
  • marketing and advertising for the application

After working through this list, it should be clear what you can do yourself and what not; for the weaknesses, colleagues should be brought in.

Market analysis

To market an application, the market must be known. The market is divided into programs that have good solutions and those that have bad ones. You will not find the perfect application; each has strengths and weaknesses. The goal should be to assimilate good and bad functionalities and ideas.