Security and hacking scene in London

Although London enjoys one of the most vibrant infosec industries in the world, there are not as many hacker and security events as one would think. Meetings-wise, we have organizations such as 2600, Defcon, and OWASP, among others. However, the number of attendees needs to be improved. Usually, a turnout of 20 people at one of these meetings is considered a success in London. Not much for such a big city if you think about it. [...]


Owning Outlook Web Access (OWA) users

What is this post about? Well, this is something that pdp and I were playing with a few years ago. As you might already know, although we also do vulnerability research at GNUCITIZEN, what we like best is insecurity by design. There is nothing better than finding an attack vector that won’t be resolved by the vendor simply because the product is designed to follow certain behavior. Personally, from a security research point of view, I think that these attacks are the best. [...]


Persistent XSS and CSRF on Wireless-G ADSL Gateway with SpeedBooster (WAG54GS)

I really think that web interfaces are the low-hanging fruit of embedded devices. Sure, classic attacks such as predictable SNMP community strings, exposed TFTP services and buffer overflows still apply. However, by exploiting the web interface we can steal the data we want, we can enable remote access to the compromised router, we own the victim’s connection. In short, bugs in the web interface give us all we need! Anyway, enough talking! [...]


Strategic GeoIP Hacking and TV Streaming Theft

A couple of weeks ago, my wife pointed out to me this really cool appliance she saw in a magazine. Since she knows I like spending my free time hacking/researching embedded devices, she thought I’d be interested.

In summary, you hook up the Slingbox to your TV box, be it digital TV or cable. Then you can stream to your laptop, desktop computer or even mobile/cell phone. [...]


BT Home Flub: Pwnin the BT Home Hub (4)

The following are the full details of the vulnerabilities we reported (BID 25972) to BT regarding their Home Hub router. We are going to give brief details on all PoCs. If you have any suggestions, recommendations or corrections, do not hesitate to contact us. All the vulnerabilities and demo exploits discussed below have been tested on version 6.2.2.6 of the firmware, unless otherwise specified. Have fun and be responsible! [...]


Content-Disposition Hacking

In a recent pentest, a colleague of mine pointed out to me a script/HTML injection vulnerability on one of the hosts we were testing. I then copied and pasted the GET request he forwarded to me into telnet and verified that JavaScript could indeed be injected through the non-sanitized parameter. There were no restrictions on the input length or types of characters. No filtering whatsoever. The attack goes as follows:

This was very interesting. [...]


BT Home Flub: Pwnin the BT Home Hub (3)

Here is the news: it seems that BT is restricting/crippling the remote assistance feature as a result of the vulnerabilities we reported. I personally found the following statement interesting:

Something tells me that this separate Remote Access feature will also be open to abuse if not locked down properly. Furthermore, some of the vulnerabilities we found (which we forwarded to BT) can still be exploited even if the Remote Assistance feature is removed. [...]


BT Home Flub: Pwnin the BT Home Hub (2)

In this post I’ll elaborate a bit more on the demo video we previously released and on what the intruder can do to remotely access the Home Hub anytime and from anywhere after it’s been broken into. You are recommended to read the first part of this post if you haven’t done so yet.

So here is the attack illustrated in the demo video. The victim user is tricked – through Gtalk – into visiting a website that contains malicious code. [...]


BT Home Flub: Pwnin the BT Home Hub

OK, let me get to the point. The BT Home Hub, which is probably the most popular home router in the UK, is susceptible to critical vulnerabilities.

BT’s plan is to sneak one of these boxes into every UK home. Not only does the BT Home Hub support broadband, but also VoIP (BT Broadband Talk), UMA mobile telephony (BT Fusion), and digital TV (BT Vision). Additionally, BT will give users the option to use their BT Home Hub to join FON, a community-shared Wi-Fi network. [...]


Owning Big Brother: Hollywood-style Exploits Included!

I’ve done some research on Axis IP cameras, which I am now able to disclose to you, revealing some of the magic. Although this is not independent research, I am mentioning it here as it may interest some.

The research is made of two components: a purple paper (one of the traditions we follow in GNUCITIZEN) and a video. I promise you that I won’t bore you with PoCs, but actual Hollywood-style exploits. [...]
