Technical Methodology(bottom-up)

Lesson 8

6-step Process

Step 1: Site SurveyStep 2: Develop a test planStep 3: Build the toolkitStep 4: Conduct the assessmentStep 5: AnalysisStep 6: Documentation

Site Survey

Need to ascertain a number of different things in order to better scope the technical portion of the assessment.Consider also adding wireless to the questionnaire. Take a look at Exhibit 1 pg. 90, use as appropriate

Develop a Test Plan You, as a security professional, will probably be (or at least should be) more “up-to-date” on security vulnerabilities.

New ones occur all the time and it is hard for folks who do not have security as their prime function to stay up on all of the latest problems.

This will be one of the most valuable aspects of the assessment.But, what if they have a system you don’t know much about? How do you find out about what holes exist?

Fortunately, lots of sites exist that will help.

Severity Level:===============High

Technical Details & Description:================================An application update loop that results in a pass code bypass vulnerability has been discovered in the official Apple iOS (iPhone5&6|iPad2) v8.x, v9.0, v9.1 & v9.2. The security vulnerability allows local attackers to bypass pass code lock protection of the apple iphone via an application update loop issue. The issue affects the device security when processing to request a local update by an installed mobile ios web-application.

The vulnerability is located in the iPad 2 & iPhone 5 & 6 hardware configuration with iOS v8.2 - v9.2 when processing an update which results in a interface loop by the application slides. Local attacker can trick the iOS device into a mode were a runtime issue with unlimited loop occurs. This finally results in a temporarily deactivate of the pass code lock screen. By loading the loop with remote app interaction we was able to stable bypass the auth of an iphone after the reactivation via shutdown button. The settings of the device was permanently requesting the pass code lock on interaction. Normally the pass code lock is being activated during the shutdown button interaction. In case of the loop the request shuts the display down but does not activate the pass code lock like demonstrated in the attached poc security video.

In case of exploitation the attack could be performed time-based by a manipulated iOS application or by physical device access and interaction with restricted system user account. In earlier cases of exploitation these type of loops were able to be used as jailbreak against iOS. The vulnerability can be exploited in non-jailbroken unlocked apple iphone mobiles.

The security risk of the local pass code bypass issue is estimated as high with a cvss (common vulnerability scoring system) count of 6.0. Exploitation of the local bug requires pending on the attack scenario local device access or a manipulated app installed to the device without user interaction. Successful exploitation of the security vulnerability results in unauthorized device access via pass code lock bypass.

Proof of Concept (PoC):=======================The new attack case of scenario can be exploited by local attackers with physical bank branch office service access and valid local banking card. For security demonstration or to reproduce the issue follow the provided information & steps below to continue.

Manual steps to reproduce the vulnerability ...1. First fill up about some % of the free memory in the iOS device with random data2. Now, you open the app-store choose to update all applications (update all push button)3. Switch fast via home button to the slide index and perform iOS update at the same timeNote: The interaction to switch needs to be performed very fast to successfully exploit. Inthe first load of the update you can still use the home button. Press it go back to index4. Now, press the home button again to review the open runnings slides5. Switch to the left menu after the last slide which is new and perform to open siri in the samemoment. Now the slide hangs and runs all time in a loop6. Turn of via power button the ipad or iphone ....7. Reactivate via power button and like you can see the session still runs in the loop and can berequested without any pass codeNote: Normally the pass code becomes available after the power off button interaction tostand-by mode8. Successful reproduce of the local security vulnerability!

Video Demonstration:In a video we demonstrate how to bypass with a unlimited loop in the interface the pass code lock settings of the iOS v9 iPad2. The issue is not limited to the device and can be exploited with iPhone as well. The power button on top activates with the stand-by mode the pass code lock for the iOS device. In case of the loop we tricked the device into a mode were we was able to bypass the pass code.

URL: https://www.youtube.com/watch?v=V-9lE1L3nq0

Solution - Fix & Patch:=======================

The loop issue needs to be patched in the main interface by the dev team. The issue can be prevented by a locate of the stack with a restriction.

Additional Web Sites

http://www.cerias.purdue.edu/about/history/coast/http://www.packetstorm.org

Building the ToolkitZero-Information-Based Tools

Basic information about the company and the network Goal is to “map out” the networkIncludes tools to examine a target’s Internet presence.

Network Enumeration ToolsTrying to determine hosts actually connected

Operating System Fingerprint ToolsAttempt to determine the type of OS(s) used

Application Discovery ToolsTry to find what applications systems may be running

Vulnerability Scanning Tools“one stop shopping”, tools may list specific holes

Specialty ToolsDesigned to look for specific problems (e.g. wardialing, web scanners, password crackers, …)

NVA tools

Final TwoApplication tools: check for things like cookie manipulation, URL modification (web apps)Host Testing tools: Stop running tools over the network, run them on individual hosts

Exhibit 57, pg 148 from Peltier text

Conduct the AssessmentNow is the time to run all of those tools you collected in the previous step (note, in reality you may discover something with one tool that will require you to find another tool to test some aspect of the network’s security)Two types of tests:

Active which will impact network service (although it may be minor)Passive which will not impact service

DoS tests – often not conducted since client will not want network service haltedYou must also be careful as some active tools may cause a DoS or may actually crash some systems.

TEST YOUR TOOLS BEFORE YOU USE THEM!!!

Analysis and Documentation

AnalysisTime to take a look at the results of your tool use. Don’t wait until the end, start analyzing as soon as the tool has completed its test.Results from one tool may prompt other testsKeep all of the raw data.

Document every step of the way, this will become part of the final detailed report.

You want to know exactly what your tools do and you need to be able to tell the client exactly what test you ran when.

You don’t want to be blamed for system problems that you had nothing to do with.

Report

Chapter 7 of text has sample reportProbably will have 2 or three reports

Executive summary (may be part of Final or separate report)Final Report – includes recommendations.Technical (detailed) report, will include as appendices the raw data files (often on CD)

Summary

What is the importance and significance of this material?

How does this topic fit into the subject of “Security Risk Analysis”?