Sunday, February 12, 2012

Bypassing (?) End Point Protector 4 blocking of Teensy

One of my friends shared with me a news about some end point protection solution called End Point Protection 4. The news article highlights that Teensy and Teensy++ board can be blocked using this solution. This is the news piece

-----------------------------------------------------------------------------------------------------------------------
Endpoint Protector 4 – one step ahead the Teensy Board threat
The microcontroller Teensy++ 2.0 is one of the latest threats for endpoint security. It can be plugged into a miniUSB port, is identified as keyboard or mouse and is able to emulate every keystroke or move made by the usual input devices. With Endpoint Protector 4 you won’t be a victim of Teensy 2.0 or Teensy++ 2.0. The endpoint security solution identifies Teensy Boards, enabling you to block or allow them without affecting the normal use of your keyboard and mouse.

Get in touch now with your local CoSoSys sales person for more information and customized sales offers."
-----------------------------------------------------------------------------------------------------------------------

I checked out their website and saw Teensy Board in their list of Controlled Device Types.






I have been working on using Teensy for Penetration Tests for much time now and took this up as challenge. Aa dekhein zara kisme kitna hai dum started playing in my ears.

I wanted to test this out and downloaded a trial of their virtual appliance and set that up. I installed client on my test Windows 7 machine and connected my Teensy++ device. To my amazement, the device was not blocked even for the first time. Though, a warning balloon popped up but Teensy++ was still not blocked.I rushed back to the admin console and checked if the policies were correct



On further exploring the admin console, I saw though the device was not blocked (even when it is reported blocked), the device was detected properly. I decided to look how they identify devices to be blocked. Aaaand, I should have guessed this, they are trying to block it based upon Vendor ID and Product ID.



I decided to play with it as that warning balloon is still annoying and I prefer to be as stealthy as possible. I changed the Product ID and Vendor ID for my Teensy++. A valid Product ID and Vendor ID is required, I used that of RIM.

.\arduino-1.0\hardware\teensy\cores\usb_hid\usb_private.h




After this I restarted Arduino Development Environment, recompiled a sketch and uploaded it to Teensy++ board. Now, when I connected the Teensy++ board, bingo! there were no balloon warnings or logs in the console. Mission Accomplished !!

I may include this in Kautilya as an advice to change Product ID and Vendor ID before using Teensy++ in Penetration Tests.

P.S. - Cososys should get web console of End Point Protector 4 tested for common webapp vulnerabilities, in few minutes of playing 4-5 vulnerabilities were discovered. Management console of a product which claims to be "one step ahead the Teensy Board threat" should at least be reasonably secure.

EDIT: This nice list by Stephen J. Gowdy could be used for finding Vendor ID and Product ID.







Saturday, February 4, 2012

Remote Code Execution on SkyMobile VTI Server

Recently, I got access to management web console of a new to me product called SkyMobile VTI Server. The web console itself was enough to allow complete access to the system as it was running with Administrative privileges and allowed file upload. All I needed to do was upload an asp meterpreter to wwwroot and get the work done.



But I wanted to have fun. After browsing through the console for few minutes I saw the unencrypted default configuration file.





In the configuration file, I saw a parameter called "JavaCommand" which calls JRE executable.




I uploaded a meterpreter executable, changed the "JavaCommand" variable to path of the uploaded meterpreter executable and restarted the service (Yes I restarted it, I know its _really_ bad, but I just did that)


And the result was sweet !!