Password authentication bypass in authentik - CVE-2024-47070
During one of our penetration tests last year, we discovered an interesting critical vulnerability - an authentication bypass in authentik, an open-source identity provider.
We believe that the digital world can be a safe place. Therefore, we have been actively participating in security-related projects for over 17 years. We warn about digital threats at industry conferences and for many years we have been using our blog to educate on safer use of the Internet. We gained our experience during security tests for financial, telecommunications, and governmental institutions.
In the face of growing cyber threats and the introduction of the EU regulation DORA (Digital Operational Resilience Act), financial institutions in the EU must act faster and more effectively to ensure digital resilience. One of the key requirements of DORA is conducting TLPT (Threat-Led Penetration Testing). What does this actually mean for your organization? How can TLPT help meet regulatory requirements while at the same time raising the security of IT systems?
Recently we performed a non-profit penetration test of OPNsense - an open source, FreeBSD-based firewall and routing platform with ~51.47K active instances according to censys.io. The assessment was focused on the web GUI and API as well as some parts of the system backend. The work was carried out in the period from June 12 to June 26, 2023. In total, around 120 hours were committed to the project.
In an internal training, we discussed various threats to DNS. Below is a list that may be of use to someone:
A visit to the Wikipedia page listing the municipalities in Poland turned into a survey of what can be inferred, based on automated data collection, about the security and privacy practices of Polish local governments on their websites. The study contains aggregate information and presents statistics on the use of popular security measures, without referring to specific cases.
The idea behind Socket Injecting Fuzzer is simple - fuzz applications working in a client-server architecture by mutating the real data packets that they exchange in real usage scenarios. The implementation is also simple because it is based on hooking network-related functions on one side (or both sides) of a connection and modifying outgoing data. Thanks to this approach, it is not required (though it may still be helpful) to understand the communication protocol or to prepare initial input for the targets.
TuxGuitar is an open-source tablature player and editor that supports many different file formats, including the proprietary Guitar Pro formats. As I play the guitar from time to time and use TuxGuitar for practice and learning songs, I couldn’t resist peeking into it. By looking at the source code I noticed uses of XML parsers without anti-XXE configuration. I decided to dig into it to find out whether it is exploitable.
GWT is a Java web framework and GWTUpload is a library that extends it with easier file uploads. We found a vulnerability that allows abusing the upload process and causing a denial of service of a web application.
FreedroidRPG is an open source hack and slash game. In other words, it’s a Diablo clone available on Linux. I became interested in how the game handles untrusted user input, but as it’s a single-player game, the ways of supplying malicious input are limited. So I decided to analyze the parser of saved games and whether it may be somehow abused. I found a few memory corruption vulnerabilities and a way to execute arbitrary code.
LogicalTrust is excited to announce our newest award: Top Cybersecurity Consultant! As a small firm located in Wroclaw, Poland with over 16 years of experience, we specialize in keeping your business and information safe (penetration tests, security audits, security awareness). Did you know that cybersecurity costs the global economy $2.9 million per minute? Don’t get stuck trying to take your identity back, contact us today!
Documents is an iOS file manager app developed by Readdle. It has an HTTP server feature, which allows easy file transfer between the device and a computer on a local network. It’s also very interesting from the security perspective because we can expect a wider attack surface than in a typical mobile application. Running an HTTP server may expose the application to many kinds of web-related attacks.
For the letter c we chose the Cherokee project. It is a web server written mainly in the C language. Interestingly, this server can be found on IoT devices, including GoPro cameras.
As in the previous post, I was digging in PrBoom-plus’s code. When I was going through hu_stuff.c these two variables caught my eye:
PrBoom-plus is a Doom source port based on PrBoom (which itself is based on other projects). It supports Windows, Mac, Linux and BSD systems. As I’m a Doom fan myself, I decided to get PrBoom-plus and analyze it from a security perspective.
as is a pretty standard assembler widely used in the UNIX world. Probably no further explanation is needed. It reads assembler code and produces compiled objects, no magic here.
Some time ago we got the idea to select projects alphabetically, pick a project for each letter from a to z and find at least one bug in it. We don’t have a strict plan, rules or deadlines. We treat it as a freestyle battle and we just test whatever we want to. Our goal is to try different approaches, including many flavours of fuzzing, code review, static analysis, dynamic analysis, divination etc. We’re going to write not only about what worked for us, but also about our failures. We plan to issue posts on each letter in random order, so here’s the first post, for the letter A!
Bluetooth Low Energy (BLE) is a wireless standard widely used for communication between Android and iOS mobile applications and devices of many kinds. These include home security, medical and other devices which may exchange sensitive data or perform sensitive operations. It’s critical to establish secure communication using a proper pairing mode. However, even though MitM attacks will be prevented, the mobile device may be a weak link and expose the BLE peripheral to some sort of attack.
Having an application only in the form of an APK file, for example after installing it from the Google Play Store, it is impossible to debug it in the standard way. This is due to the lack of access to the source code. The APK contains only bytecode for the Dalvik and ART virtual machines, stored in files with the dex extension.
Needle supports the security analysis of applications on the iOS platform. It consists of modules that use many of the tools available on this platform, greatly simplifying work with them. It was created by MWRLabs, the authors of Drozer, which is popular in the Android community. Like Drozer, it works in a client-server architecture. The client, run on a computer, sends commands to a server running on the mobile device.
We will look at how to create a backdoor and place it in any application on the Android platform. It will use the Drozer tool, which is primarily intended for testing the security of mobile applications. Drozer works in a client-server architecture, and we will use two of its components: