Practical CANBUS Reversing - Understanding the Ducati Monster
This article takes a look at reversing the CANBUS on a Ducati Monster 696. The goal is to figure out the protocols in use and allow an aftermarket ECU to play nice with the OEM systems.
Releases
Brute Forcing TOTP Multi-Factor Authentication is Surprisingly Realistic
In this post I’ll show you a neat party trick that can let you easily bypass Time-Based One Time Password (TOTP) multi-factor authentication, and often within just a few hours. If your TOTP implementation doesn’t include brute-force protection, you might be in trouble. Sample code to exploit this can be found here.
ORM, huh, what is it good for?
This article is a look at an example SQL injection in a codebase using QueryDSL (which, inturn, uses Hibernate ORM). ORMs are good for a lot of things, but preventing SQL injection isn’t as automatic as you might think.
Reverse Engineering Golang Malware for Portable Pivoting
Network pivoting is a fancy name we use to describe sending network traffic via one or more hosts that we’ve compromised. It lets us get behind firewalls, access more stuff and is an essential component of serious malware. This is the story of a highly portable network pivot I created. It’s based on (more or less) stealing code from some malware I reverse engineered as part of an incident response engagement.
Hybrid Security Assessment - A collaborative, research-based approach to security assurance
Penetration testing and vulnerability research are not the same thing. At Pulse Security, we’ve taken a different approach to certain penetration and security testing engagements. We’ve begun using a vulnerability-research based approach where we collaborate directly with client staff to understand and assess complex or heavily integrated systems. We’re calling it our “hybrid security assessment” service which can include aspects of threat modelling, attacker analysis, network testing, architecture review, application testing, reverse engineering, source code review, and more, as needed to fully understand and assess the security of large and complicated systems.
Authentication Security Controls You Might be Missing
Authentication design for websites is tricky business, and we’re finding more and more websites are falling behind the times. Let’s talk user login design and how to get decent security without stamping all over your user experience. It’ll be fun, I promise!
SQL Injection and Postgres - An adventure to eventual RCE
An SQL injection bug in an ORDER BY clause came up in a recent engagement, which lead to an interesting rabbit hole regarding exploiting SQLi against a PostgreSQL database. This post details some of that adventure. We’ll look at some useful Postgres functions to make exploiting SQLi easier, some interesting file read/write primitives and a path to command execution as the DB user. I’ve included some sample vulnerable code for those of you that want to try this stuff out first hand.
Expression Language Injection RCE - No Strings Attached
This article explains a technique we discovered for bypassing a web application firewall or blacklist to trigger an expression language injection and get remote code execution, without being able to pass certain strings.
Three things that made our lives as attackers harder in 2019
2019 was a big year for us at Pulse. We found a lot of bugs, compromised a lot of boxes and wrote a lot of reports. This post will provide an overview of three generic things that made our lives as attackers difficult last year. We’ll cover strong password policies, multi-factor authentication and a surprisingly effective phishing control. This post explains how these security controls made a few of our engagements harder for us.
Breaking MSSQL's RAND() function
In this article I’m going to take a look at Microsoft SQL Servers RAND() implementation. We’ll reverse the relevant parts of SQL Server using windbg and Ghidra, replicate the random number generator in C and then look at some attacks and brute forcing methods. This project stemmed from a job I worked on recently where a stored procedure which called RAND() was used to generate session tokens within an API[1].
Application Security Automation - Three Dev Cycle Quick Wins
I recently had the chance to set up a few security automation bits and pieces, and figured I’d go ahead and detail some of my thoughts on a few quick wins. We’ll look at assigning code owners for security sensitive source code, extending linters to keep bugs from re-appearing in the future and automating alerting on third party library vulnerabilities. These techniques give a low-false-positive rate, and provide a simpler way to get started with security automation rather than attempting to cobble together full-fat static and dynamic security analysis right off the bat.
Playing with Namespaces - Writing Docker-Aware Rootkits
Containers aren’t really a thing. They’re a mishmash of Linux kernel-isms like namespaces and cgroups. I wanted to write a rootkit that would make exploiting privileged docker containers easier, and learn about how these kernel-isms are implemented along the way. This post is going to take a look at three kernel-module specific techniques to escape a privileged container, ranging from easy-peasy-lemon-squeezy to difficult-difficult-lemon-difficult.
Extracting BitLocker keys from a TPM
By default, Microsoft BitLocker protected OS drives can be accessed by sniffing the LPC bus, retrieving the volume master key when it’s returned by the TPM, and using the retrieved VMK to decrypt the protected drive. This post will look at extracting the clear-text key from a TPM chip by sniffing the LPC bus, either with a logic analyzer or a cheap FPGA board. This post demonstrates the attack against an HP laptop logic board using a TPM1.2 chip and a Surface Pro 3 using a TPM2.0 chip. From bus wiring through to volume decryption. Source code included.
Office 365 Audit Logging and Email scams
We’re coming across more and more instances of Office 365 accounts with suspicious activity. Unfortunately the logging defaults in Office 365 are unsatisfactory and a little additional configuration is required to improve the effectiveness of the logging, especially in regards to user activity.
Adventures with the Ducati CAN bus
In this article I’ll be taking a look at the CAN bus network in a 2009 Ducati 848. How to find the bus, confirm the high and low lines with a scope and analyse messages with a Linux box and socket-CAN. The aim of the game is to identify a way to get onto the bus, and then analyse the messages going across the bus. We’ll end up figuring out how to log the throttle position and RPM data, how the immobilizer is implemented and how to bypass it.
Extracting JavaScript from Sourcemaps
Sourcemaps are intended to make debugging minified JavaScript less of a pain. This article will take a closer look at Sourcemaps and discuss retrieving the original source code tree from a downloaded Sourcemap file.
Shells - brought to you by the letter 'R'
Can you tell me how to get, how to get shells on OpenCPU…
Red Team vs Pentest
When it comes to offensive security, engagements can be broadly broken up into two categories: Penetration testing and red teaming. Understanding the differences between the two is essential when attempting to verify the security of an application, network or organisation.