Categories
Personal Blog

Socket.io-file <= 2.0.31 – Improper Input Validation in File Upload Functionality

Title: Improper Input Validation in File Upload Functionality
Date: 18/05/2020
CVE-ID: –
Author: Thomas Sermpinis
Websitehttps://cr0wsplace.com
Versions: <= 2.0.31
Package URL: https://www.npmjs.com/package/socket.io-file
Tested on: node v10.19.0, Socket.io-file v2.0.31, socket.io v2.3.0

During one of my penetration tests for a local military equipment supplier while working for Auxilium Cyber Security, I faced a web application running on an embedded device that used web sockets in order to initiate the connection between the server and the client. There are several different technologies that can be used in the backend system in order to make use of web sockets, but the client made use of Socket.io.

The web application was relatively small, with only a few entry points that did not seem to be vulnerable. All the modules were up to date and my enumeration started to go into a dead end. As there were more days for my pentest, I decided to dig deeper and I started analyzing more the request and researching about the npm modules that were included and were in use in the web application.

One of the functionalities was a configuration file upload, that was stored in a folder in the filesystem, by using the Socket.io-file npm module. Socket.io-file (2.0.31) is a node module for uploading files via the Socket.io module. Playing around with the requests I managed to bypass the restrictions and upload a file in a different folder from the expected one (I knew that as I had access to the back-end of the system).

Client and project aside, the upload functionality of socket.io-file is vulnerable to improper input validation, allowing attackers to bypass upload directory restrictions and it allows them to upload files to paths of their choice in the underlying system.

Description of Vulnerability

The default configuration of Socket.io-file comes with an upload functionality handled by websockets. When a user tries to upload a file with the web application, the following client side request is created in order for the file to be created:

Figure 1: Normal websocket request for file upload with Socket.io-file

42[“socket.io-file::createFile”,{“id”:”u_0″,”name”:”testfile.mp3″,”size”:1,”chunkSize”:10240,”sent”:0,”data”:{}}]

In order for this file to be created to the underlying system, the code from index.js of Socket.io-file is executed and the following part of the code, manages to merge the file path (supplied by the socket.io-file configuration) with the file name that was supplied by the user:

if(typeof options.uploadDir === ‘string’) {
uploadDir = path.join(options.uploadDir, filename);
}

As an example, if the user uploads a file with the name “testfile.mp3” and the server is configured to store files in the “/home/Documents/socket-app/data” path the resulting path that Socket.io-file will create the file, will be “/home/Documents/socket-app/data/testfile.mp3“.

Because the aforementioned code makes no check on the file name, the upload request can be intercepted and the file name altered in a way that will move in certain paths of the system. The following example exploits this issue:

42[“socket.io-file::createFile”,{“id”:”u_0″,”name”:”../testfile.mp3″,”size”:1,”chunkSize”:10240,”sent”:0,”data”:{}}]

This request will generate the following path for the file to be stored “/home/Documents/socket-app/data/../testfile.mp3“, which means that the file will be actually be created in the “/home/Documents/socket-app/testfile.mp3” as the ../ characters will move the path one level lower in the filesystem.

Figure 2: File created in the node_modules directory of the filesystem, outside the intended directory.

From this example we can understand that we can write in several sensitive directories like the ~/ home directory (which includes the .ssh folder which allows us to rewrite the ssh configuration), in the root webserver directory (which can help us get a reverse shell under the right circumstances) and the cron directory (where we can inject cron jobs for code execution). Additionally, if the backend system runs with superuser privileges (which is not so uncommon), the attacker can use this vulnerability to create files in even more sensitive paths (e.g. /root and /etc). As an example, we can write the /etc/passwd file of our implementation like the following:

42[“socket.io-file::createFile”,{“id”:”u_0″,”name”:”../../../etc/passd”,”size”:1,”chunkSize”:10240,”sent”:0,”data”:{}}]

Issue Replication

In order to replicate the issue, the following steps have to be executed:

  • Setup a proxy to intercept HTTP and WebSocket requests (e.g. Burp Suite or OWASP Zap)
  • Upload a file using the Socket.io-file web application and intercept the websocket request
  • Change the “name” parameter by adding ../ and specifying the needed path:
    • 42[“socket.io-file::createFile”,{“id”:”u_0″,”name”:”../../../Downloads/testfile.mp3″,”size”:1,”chunkSize”:10240,”sent”:0,”data”:{}}]

    • This example will create the testfile.mp3 file in the Downloads directory of the current user (our test server stores files in /home/ubuntutest/Documents/socket-app/data)

Vulnerability Disclosure Timeline

Following the npm guidelines for vulnerability disclosure (“If maintainers are unresponsive after 45 days, npm Security makes the advisory public”), I responsibly disclosed this vulnerability on 18th of May 2020.

  • Initial Disclosure: 18th May 2020
  • Security Team Validation: 18th May 2020
  • Advisory Release: 2nd July 2020
Categories
Personal Blog

How to secure your corporate VPN Infrastructure during the COVID-19 epidemic?

This post was originaly posted to my LinkedIn profile here, in cooperation with Auxilium Cyber Security.

COVID-19 still affects our everyday life, with companies being one of the weakest links in the chain. Employees get filled with uncertainty for their future which seriously affects people’s judgment and habits.

In our last post, we discussed phishing and how COVID-19 affected people’s judgment when it comes to emails and malicious links. But people’s judgment is not always the weakest link. Some of the vital parts of working from home may be affected by misconfiguration issues or even bad choices of products and one of these parts is Virtual Private Networks used to connect employees securely with the company’s assets. We, in Auxilium Cyber Security, have years of experience in VPN architecture, setup, configuration, and security and we wanted to share our best tips on how to keep your VPN infrastructure secure during COVID-19 days and not.

VPNs are not new technology. People all over the world use VPNs for privacy concerns, censorship and malicious acts amongst others. But now that almost all employees work from home, VPNs seem mandatory and for a good reason. They can create a direct connection from one place another (e.g. from the employee’s laptop to the company’s private network) which will encrypt the communication, so MITM attacks, data leaks from network tampering and other attacks like these can be avoided.

But as with our phishing related issues, VPN choices and set-up can result in serious security implications. Our experience in secure implementations of VPN infrastructures and testing makes us believe that many companies have misconfiguration issues, because of the complexity of such systems and the overload of different options. To strengthen the security of a VPN infrastructure, Auxilium Cyber Security suggests the following moves:

  1. Keep your products up to date. As discussed in our last post, many entry points for malicious users are achieved by exploiting outdated client, or even server, applications. Users will need to follow strict policies when working from home, and one of them must definitely be to update their VPN client application that they use to connect to the corporate network.
  2. Use multi-factor authentication. Multi-factor authentication like SMS codes and hardware keys are usually ignored as they present additional complexity for novice users. But novice users usually use weak passwords or even keep their passwords in unsecure places. This means that a single employee with a weak password can be the way in for an attacker to your corporate network, and even in cases of strong passwords, ignorant and uneducated employees can be easily phished for an easy way into the network. Presenting MFA, can strengthen the VPN implementation and move part of the liability to the company, instead of employees.
  3. Implement scheduled testing. VPN software and services are one of the most targeted technologies currently by malicious users, as more and more people use them every day. This means that updates and security research in this field runs with the speed of light, and proper security testing has to be scheduled. Auxilium Cyber Security has years of experience in secure network architecture and testing of VPN implementations, which can help your company design, implement and test your VPN if it is your first time with this technology or even if you want to comply with current security standards.
  4. Prevent DDoS attacks on your VPN server. Many denial of service attacks can target your VPN server. DoS attacks can result in limited availability or no service at all, and possibly serious implications for many users and positions inside the company, if the network is down. This means that this is a serious issue, and it has to be treated delicately. In order to prevent those issues, a suitable and well crafted DDoS policy has to be implemented which will be the result of real-time visibility and proper tuning of the server. Different devices have to be monitored efficiently and session timeouts have to be implemented according to the requirements of the network.

VPN security is mostly a company’s issue with many critical options to be taken. The most popular and widespread implementations are highly customizable, which opens a huge conversation about security, privacy and cryptography, something that can really mess up a VPN implementation. Leaving unrelated to IT employees aside, companies and IT departments are also in need of proper education, especially in times of crisis, where security implications become more and more common.

It may seem huge, alongside all the other issues that surfaced with the pandemic, but with those simple steps, a company can remain secure and be more sure about the mandatory measures that most of us are obliged to follow for the common good. We hope that these tips will help most of us stay secure, but for the ones that are uncertain about it, we strongly believe that our experience can benefit you. For VPN architecture, design, implementation, security testing, and others, feel free to contact us. Stay safe, stay home, stay secure.

Thomas Sermpinis for Auxilium Cyber Security

Categories
Personal Blog

How to secure your corporate ICT during the COVID-19 epidemic?

This post was originaly posted to my LinkedIn profile here, in cooperation with Auxilium Cyber Security.

With novel coronavirus cases on the rise, people get filled with fear and uncertainty. This seriously impacts all the aspects of our everyday life, and as a result, that of our working life.

Auxilium Cyber Security has a long experience with simulated phishing campaigns, testing the readiness of its clients at regular intervals, which resulted in a good understanding, and a good amount of data, to support the understanding of the human factor in the cybersecurity aspect of a company.

Watching the huge increase of Covid-19 related malicious emails, targeting individuals and companies, it seemed like a necessity to run Covid-19 related tests and see how this situation can affect employee’s readiness and reflexes.

The results were surprising. With an average of less than 5% of users marked as phish-prone on the last, unrelated to Covid-19 tests, now the percentage skyrocketed to almost half of its users, which is a huge topic of discussion that every company using web technologies and online communication, has to consider. This is an expected outcome, which derives from the current world crisis, but supporting data and this kind of results help us better understand the situation in deep and have a clear and detailed view of what policies we need to apply and the additional steps that companies have to follow.

Previously discussed topics about phishing apply to the current situation too, but the following simple steps can help any company lower its phish-prone stats, and be more secure.

  1. Keep your employees updated. The human factor is the most vulnerable part of your infrastructure. Even with the most updated systems, the strongest security policies and security tests all over the place, a single employee that is not well educated can create a huge security issue. And because of the effect that crisis periods have on employee judgment, like the one that we are experiencing right now, companies have to update their education policies and adapt to the needs of each crisis.
  2. Update your stats. Running scheduled simulated phishing campaigns can help companies have a better understanding of how their staff performs on a frequent basis and understand the impact that a crisis situation can have. Auxilium Cyber Security with years of experience in simulated phishing campaigns and social engineering can help you perform this kind of tests and interpret the results in real-world impact on each company and its assets.
  3. Educate your employees regarding each scenario. Even if employees are updated and secure, crisis situations may affect them in ways that no one can imagine. This is why education has to be adapted to each situation, and companies need to act fast, in order to lower the impact of unexpected factors. Auxilium Cyber Security has years of experience in employee security education, which is customized in each customer’s needs and assets, which is based on years of tests and statistics.

It is common for companies to ignore cybersecurity when other factors can impact a company’s existence, but there may be a huge economic impact if they do not get used to act proactively and plan for the risk management. We have seen until now that the biggest effect that Covid-19 had to companies, was for them to change their way of working to “work from home”. Many companies were not ready for this either, with many of them struggling to find a way to communicate, connect to their networks, access files securely, etc.

Looking at the big picture, and covering the topic of securely working from home at a high level, some simple tips that every company can follow are the following:

  1. Use encrypted channels of communication and VPN connections. Working from home companies lose control of the network that their employees are connected to. In such cases, the first thing that has to be established is that employees use encrypted channels of communication, in order to avoid adversaries trying to steal information in not well-secured networks, like a home or shared one.
  2. Implement a web filtering policy. Devices used specifically for company reasons, have to be restricted in what they can browse and what they can do, in cases of work from home situations. This can be achieved with a mandatory VPN connection to the company that will filter the connections and restrict malicious and unwanted traffic.
  3. Encrypt work devices. Devices that are meant for work, like laptops and smartphones, can easily land in the hands of malicious users, when employees work from home for long periods of time. Having a drive encryption policy (even the default OS one, like FileVault for MacOS and BitLocker for Windows) can help a company secure its assets, and avoid pointless data leaks.
  4. Use a secure and shared cloud storage. Sharing files remotely becomes mandatory when working from home. This means that a secure cloud solution has to be used in order to share files fast and efficiently. When searching for your next cloud solution consider SSL encryption in the cloud provider’s website as a must, file encryption capabilities for private documents and a highly editable group policy for your users.
  5. Implement mandatory scheduled security scans. Devices that are not located in the work environment, can be used for many things other than work. This means that the attack surface can be wider with hardware devices, malicious downloads and physical access from malicious users being the biggest issues. For that reason, implement scheduled security scans (for example once a week), in order to manage potential security risks.
  6. Implement a more strict update policy. Client devices tend to stay outdated for long, which means that they can get vulnerable really easily and from one day to another. Implement an update policy and remind employees to keep their OS and all their applications up to date, in order to avoid security implications.

The current crisis situation can be overwhelming for everyone. IT departments get overloaded with requests and new tasks get created to support working from home. At the same time, working from home creates a whole new attack surface for companies, that malicious users can easily exploit. As big as it seems, there is only a handful of easy steps that a company has to follow in order to up its security game and be more sure about its assets and the headaches that a crisis can create. Stay safe, stay home, stay secure.

Thomas Sermpinis for Auxilium Cyber Security

Categories
Personal Blog

Changes, changes and more changes!

Hey you, hey you,

I am still here, yes. I am still strong and continue to “hack” around. I do not want to apologize for leaving you alone for so long. I try to do my best for the community and for self-improvement, and today seems like a great day to give you an update. {sunny day in Berlin}

So, lets start from the end. I am currently in Berlin. I left my job as a Blockchain engineer and some really good proposals back in my home country, in order to get to know the “world” better and learn from the best. I am writing this post from a nice and huge wooden library, in the center of Berlin and it is a really good start. I am actively searching for a job, both in decentralization/blockchain/privacy and security sectors, so feel free to give some tips if you are from around, or contact me to grab a beer.

In other news, this was a hell of a year. I completed my academic life (yes I am leaning towards not starting a PhD), I got more into development because of my job and really liked it (Go, Solidity and other languages related to blockchain development), I developed some courses for Hakin9 including Attack and Defense in Blockchain technologies and Penetration testing with Raspberry Pi, I did some great talks in meetups and conferences regarding blockchain and decentralization (you can find my talks in my youtube channel) and released some articles in the BAD-ASS 2600 magazine.

OK, this not at all my whole year, but this is the stuff that stood out and that I want to share with you. As I said, I am now in Berlin, zeroing down the counter, and searching for the next big thing. I don’t know if I will work, if I will create a team, or start a PhD. I just know that I want to create things, share with others and get to know the world. And I don’t mind if one does not know me in the end. Because you will know me.

 

All great changes are preceded by chaos.
Deepak Chopra

 

Cr0wTom

Categories
Personal Blog

Introduction to Bitcoin and Blockchain Technologies (Greek)

Are you still here,

As I told you in an earlier post, I have many things that I currently work in! One of them is my recent engagement with Blockchain and Decentralized Ledger Technologies. I started around a year ago with my master degree thesis, with title “PKI Decentralization with Blockchain Technologies” and after that I started working as a Blockchain Engineer in the Aristotle University of Thessaloniki.

This sector is really interesting, with many challenges at its current state, and that’s what I like about it. I also work with a great team of people, and this week I was lucky enough to talk in the Machine Learning and Blockchain join meetup in Thessaloniki about Bitcoin and Blockchain topics. Suddenly, the talk was in Greek and I upload a video capture of it on YouTube. In case I see interest in the video, I will try to add subtitles to it, but it needs some work, so we will see.

I want to thank the people that helped me reach this stage and make this talk, especially Dr. Karasavvas, and I will keep you updated for future talks and events. Also, thanks to everyone that joined me in this meetup, and if you have any questions please add it to the comments bellow or in the YouTube video.

Cr0wTom