Whitepaper : Security Issues in Android Custom ROMs

Today I am releasing the paper which I presented recently at the C0C0N conference at Ernakulam. This paper outlines security misconfigurations that can lead to device compromise, data theft and so on.
Hope this helps in the secure development and deployment of custom ROMs.

http://anantshri.info/articles/android_cust_rom_security.html

The link contains downloads for both my slide pack and the complete whitepaper.

Also, a crude application has been created and uploaded to the Android Market which can help in identifying the issue.

https://market.android.com/details?id=anant.hax.aui

Android : Running Standalone Python

This is not yet another post on the android-scripting project, SL4A or Python for Android.

This post has a specific purpose: to empower the terminal again and make users feel the power of the terminal again.

Current state: we can run Perl, Python, PHP, Ruby and BeanShell in the SL4A interface, or as a standalone APK with modifications.

So here is the bad part:

1) You can't run applications on the console directly.

2) You have environmental limitations.

3) You can't pass command-line arguments.

For a normal person these could be minor limitations; however for some, including myself, THESE are the limitations.

So while searching for a solution I came across this script.

Here is a modified version of the same, making sure the awesomeness is embedded:

#!/system/bin/sh
#License: GPLv2 or later
#License URI: http://www.gnu.org/licenses/gpl-2.0.html
PW=$(pwd)                                   # remember the caller's directory so relative paths keep working
export EXTERNAL_STORAGE=/mnt/sdcard
export LANG=en
PYTHONPATH=/mnt/sdcard/com.googlecode.pythonforandroid/extras/python
PYTHONPATH=${PYTHONPATH}:/data/data/com.googlecode.pythonforandroid/files/python/lib/python2.6/lib-dynload
export PYTHONPATH
export TEMP=/mnt/storage/com.googlecode.pythonforandroid/extras/python/tmp
export PYTHON_EGG_CACHE=$TEMP
export PYTHONHOME=/data/data/com.googlecode.pythonforandroid/files/python
export LD_LIBRARY_PATH=/data/data/com.googlecode.pythonforandroid/files/python/lib
cd "$PW" || exit 1                          # return to where the user invoked py
exec /data/data/com.googlecode.pythonforandroid/files/python/bin/python "$@"   # forward every command-line argument

Lines 1, 3 and 11 are the changes that I made.

These changes allow for the following things:

1) Allow us to use this shell script to call Python.

2) Allow command-line argument passing.

3) Relative path references now work.

However, we also need to understand the importance of SL4A-style projects: they give native applications a direct option to interact with and create native UI elements (dialog boxes, buttons, text etc.).

I have named this script py and placed it at /system/bin/py.

So basically, copying this script into a text file, say py.txt, and then running

adb push py.txt /system/bin/py

adb shell chmod 04755 /system/bin/py

gives you a Python shell in your Android terminal. (Note that mode 04755 also sets the setuid bit, which the Linux kernel ignores for interpreted scripts; 0755 is all the wrapper needs.)

Right now I am working towards making various tools of the trade available on the terminal.

I will be keeping track of my progress at the XDA Developers forum thread linked here.


MyLife : Hack : Yahoo Open HackDay 2011

Open Hack India

Open Hack India 2011

This was my first time attending Yahoo Open Hack Day; the event is all fun and a quick way to get hacking on the Yahoo APIs.

I specifically focused on one API, YQL, which basically claims to do the following:

select * from internet

Now that raises an eyebrow. In simpler terms, this is what we can call a content scraper's dream: we get at least 1000+ data tables which allow us to interact with various websites using the well-known SQL standard.

Here we can keep adding more and more tables if needed; otherwise we can always revert to generic tables like

select * from rss where url="http://blog.anantshri.info/feed/"

The thing that I liked the most was that they have given direct access in the form of the YQL console; you can check that by clicking the link below:

http://developer.yahoo.com/yql/console/

I have been trying my luck at brewing something for myself, and a long-lasting itch came back to me, so I thought let's try solving that itch here.

So my hack for Open Hack Day 2011 was: My Life: a social content feed aggregation widget.

Basically, what I am doing is listed here in the simplest terms:

1) Take a simple user ID/username from users for various social networking sites.

2) Create a unified feed based on the user inputs.

3) Provide a widget (HTML/JS) and PHP code to be used on a site, based on the user's need.

So here is the hosted version of the hack:

http://anantshri.info/openhack/mylife/

Note: YQL has a rate limit and hence will only be able to fetch content 10000 times a day. So if you do find output missing then it's good news for me: basically my site has crossed 10000 users.

White Paper : Web Application Fingerprinting : Methods/Techniques and Prevention

Today I am presenting my work of the past few days in the form of a white paper.

This white paper basically outlines the automated fingerprinting methods and techniques, and ideas for preventing automated methods from working on your site.

BTW, those who have Wappalyzer in their browsers, just enjoy visiting my Joomla-powered website. :D

Here is the link for the HTML version of the paper, which also includes the PDF version for download.
Web Application Fingerprinting : Methods/Techniques and Prevention
Waiting to hear from the fellows (I am expecting rebuke, criticism, and a bit of appreciation if it's worth it).

Chrome Extensions for Security Professionals

Google Chrome Extensions

During recent days we have seen a phenomenal increase in the usage of the Google Chrome browser; however, security professionals are still looking at Firefox for their day-to-day usage. The basic reason behind it is the large set of Firefox extensions backing it up; we also have custom builds like OWASP Mantra doing the rounds.

So for those who love using Google Chrome and still miss the large plugin base, here is a list of must-have plugins for the security professional.

Note: usage could be both offensive and defensive; it's up to the user to decide. The content here is for informational purposes only.

CAUTION: LONG POST… continue below only if you can give it time, because this post is large.


Database Protection Techniques : a different perspective

Tips for Db Security

Disclaimer: This post keeps in mind web frontends and web-application-based attacks on DB servers.

  1. Any user ID used for web application connectivity should be restricted to specific IP addresses, which could be localhost if the same server hosts both the DB and the application. If two separate servers are used then restrict the user ID(s) to the application server's IP address / hostname. Keep a strict log of who accesses the ID and when.

  2. The 1st entry in the user/password database should be a dummy entry with zero privileges, which could also act as a honeypot.

  3. Default accounts should be removed / blocked.

  4. User input validation should be a 3-step process:

    1. Web page / client side validation: JavaScript.

    2. Server (application): OWASP ESAPI or custom functions could be used.

    3. DB: use PL/SQL functions to strip input data.

  5. Another good utility to keep in mind is DBA_USERS_WITH_DEFPWD: it contains the list of users with default passwords, and with 11g all default accounts are locked.

  6. Web application developers should be provided with 3 different user access levels to be used inside the web application:

    1. Read access: user with access to SELECT queries only.

    2. Write access: user with SELECT, UPDATE and DELETE access.

    3. App_mod: write access plus DROP and TRUNCATE.

Developers need to make sure the proper user access is used as and when required.

Note: I know a large number of developers might start crying that this will increase their headache, but in the long run this could turn out to be a life saver.

Please share your opinion: is this a good approach, is it going to help you, and what do you think should be added to this?
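The three access tiers (item 6) and the server-side validation step (item 4.2) above, as an added example that is not part of the original post: it uses SQLite's authorizer callback as a stand-in for per-account GRANTs, so the engine, not the application code, refuses any statement outside a tier. The table name, the sample rows, the username allow-list and every function name here are assumptions of this example, not anything from the post.

```python
import os
import re
import sqlite3
import tempfile

# Constructed sample database (not the post's schema): a single "posts" table.
DB_PATH = os.path.join(tempfile.mkdtemp(prefix="dbtips-"), "app.db")

# The three access tiers from the post, expressed as the SQLite authorizer
# actions each tier may perform. None means unrestricted (the App_mod tier).
READ_ACTIONS = {
    sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ,
    sqlite3.SQLITE_TRANSACTION, sqlite3.SQLITE_FUNCTION,
}
WRITE_ACTIONS = READ_ACTIONS | {
    sqlite3.SQLITE_INSERT, sqlite3.SQLITE_UPDATE, sqlite3.SQLITE_DELETE,
}
TIERS = {"read": READ_ACTIONS, "write": WRITE_ACTIONS, "app_mod": None}


def connect(tier):
    """Open a connection whose privileges the engine enforces through the
    authorizer callback: the SQLite stand-in for one GRANT-limited DB account
    per tier. Anything not in the tier's set fails at prepare time."""
    allowed = TIERS[tier]
    con = sqlite3.connect(DB_PATH)
    if allowed is not None:
        def authorizer(action, arg1, arg2, db_name, trigger_or_view):
            return sqlite3.SQLITE_OK if action in allowed else sqlite3.SQLITE_DENY
        con.set_authorizer(authorizer)
    return con


def setup():
    """Schema creation and seeding is done by the App_mod tier only."""
    with connect("app_mod") as con:
        con.execute("CREATE TABLE IF NOT EXISTS posts ("
                    "id INTEGER PRIMARY KEY, author TEXT NOT NULL, body TEXT NOT NULL)")
        con.execute("DELETE FROM posts")
        con.executemany("INSERT INTO posts (author, body) VALUES (?, ?)",
                        [("alice", "first post"), ("bob", "second post")])


# Step 2 of the validation chain (server side): an allow-list, never a deny-list.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def is_valid_username(value):
    return USERNAME_RE.fullmatch(value) is not None


def validate_username(value):
    if not is_valid_username(value):
        raise ValueError("rejected username: %r" % (value,))
    return value


def posts_by(author):
    """Read path: validated input, parameterised query, read-only tier."""
    author = validate_username(author)
    with connect("read") as con:
        rows = con.execute("SELECT body FROM posts WHERE author = ?", (author,)).fetchall()
    return [body for (body,) in rows]


def try_statement(tier, sql):
    """Run one statement under a tier and report the engine's decision."""
    try:
        with connect(tier) as con:
            con.execute(sql)
        return "allowed"
    except sqlite3.DatabaseError as exc:   # SQLITE_AUTH surfaces as "not authorized"
        return "denied: %s" % exc


if __name__ == "__main__":
    setup()
    print(posts_by("alice"))
    for tier, sql in [("read", "INSERT INTO posts (author, body) VALUES ('eve', 'x')"),
                      ("write", "INSERT INTO posts (author, body) VALUES ('eve', 'x')"),
                      ("write", "DROP TABLE posts"),
                      ("app_mod", "DROP TABLE posts")]:
        print("%-8s %-55s -> %s" % (tier, sql, try_statement(tier, sql)))
```

The point of the authorizer is that a bug in the read path cannot be turned into a write, and a bug in the write path cannot be turned into a DROP, because the refusal happens in the engine before the statement runs; on a real Oracle or MySQL deployment the same split is three accounts with three GRANT sets, which is what the post asks developers to use.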


Nullcon CTF BattleUnderground 2011 Walkthrough

Finally, after nearly 3 months, I have been able to compile the complete walkthrough.

So, presenting the walkthrough for Battle Underground.

Please keep some notes in mind:
1) Most of the stuff was done after the servers were shut down, so I had to manage with directions only and not screenshots.
2) Feel free to ask questions or suggest an alternative approach if you have any.

As usual the PDF is uploaded @ Slideshare.
Embedded version here.

Direct download link

View the slides @ slideshare

Protection against WordPress username enumeration

After my last post on exploiting username enumeration I have looked deeper and found a simple workaround to patch your blog against this vulnerability until WordPress adds something for it.

I am right now using a WordPress plugin: Redirection
https://wordpress.org/extend/plugins/redirection/

Inside the plugin page, which comes under Tools -> Redirection,

add a new rule with the following settings:

Source url : ^(.*)/?author=(.*)
target url : /
Reg Exp : Yes
Match : url only
Action : Redirect to url

and click Add Redirection.

All done… just try any URL with ?author=no

Now this URL will be redirected back to your main page, effectively nullifying the effect of username enumeration.
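To see what the rule above actually catches before deploying it, here is an added example (not from the post, and not the Redirection plugin's own code) that applies the same regex to a few constructed request URIs and compares it with a stricter check that parses the query string instead. It assumes the plugin matches the rule against the request path plus query string with PCRE-compatible semantics, which this particular pattern exercises identically in Python's re; the sample URIs and all function names are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# The rule exactly as the post configures it (Source URL, Reg Exp: Yes).
AUTHOR_RULE = re.compile(r"^(.*)/?author=(.*)")


def rule_redirects(request_uri):
    """True if the post's regex rule would send this request to the target URL '/'."""
    return AUTHOR_RULE.search(request_uri) is not None


def author_param_present(request_uri):
    """Stricter alternative (added here, not from the post): parse the query
    string and react only to an actual 'author' parameter, blank or not."""
    query = urlsplit(request_uri).query
    return "author" in parse_qs(query, keep_blank_values=True)


def resolve(request_uri):
    """Final location after applying the post's rule: '/' or the original URI."""
    return "/" if rule_redirects(request_uri) else request_uri


# Constructed sample requests: the enumeration probe from the post plus a few
# other URIs that show where the two checks agree and disagree.
SAMPLES = [
    "/?author=1",                    # the probe: both checks fire
    "/?author=no",                   # the post's own test URL
    "/2011/05/some-post/?author=2",  # probe on a deeper path: both fire
    "/?s=coauthor=bob",              # substring match: the regex fires, the parser does not
    "/author/admin/",                # pretty-permalink archive: neither fires
    "/about/",                       # ordinary page: untouched
]

if __name__ == "__main__":
    for uri in SAMPLES:
        print("%-32s regex=%-5s param=%-5s -> %s"
              % (uri, rule_redirects(uri), author_param_present(uri), resolve(uri)))
```

The regex fires on any URI that merely contains the substring author= (the constructed /?s=coauthor=bob shows this), which is harmless for a catch-all redirect to / but worth knowing if the blog has legitimate URLs with that substring; the parsed check reacts only to a real author query parameter, so it is the one to prefer if the plugin is ever swapped for a few lines of your own theme or web server configuration.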