Research

Sopelka VS Eurograbber: really 36 million EUR?

Almost one month ago I had the opportunity of giving a talk at Rooted CON for yet another year. Mikel Gastesi and me talked about Sopelka Botnet and the Eurograbber report published by Check Point and Versafe at the beginning of December 2012. You can take a look at the slides here.

 

 

After reading the Eurograbber report and taking into account that there were a lot of similarities with Sopelka Botnet, which I had analyzed some months before, I decided to write a blog post about it. At the same moment, the Rooted CON CFP was closing, so I submitted this subject and then I forced myself to research further to demonstrate that Eurograbber was just a hype. Thanks to the investigations by S21sec and Fox-IT there was more than enough information.

Give me your credit card, the NFC way

More than one month ago I gave a presentation about the NFC credit cards privacy at No cON Name (NcN), a well known Spanish security conference. It's not a new subject and, also, some researchers presented talks about it in other conferences during this year, but, until that moment, there were no proofs of concept with Spanish credit cards (at least public ones). You can take a look at the presentation here (Spanish).

 

 

As I have mentioned in some posts about this subject, NFC payments are a normal part of life in some Asiatic countries, like Japan. However, this technology has arrived this year to Spain and other European countries, supported by banks, mostly. The result is that a person could have an NFC credit card in his wallet without even knowing it. It wouldn't be a problem if data were correctly protected, but we can't assume anything in the security world and this is another proof of that.

NFC CreditCard Reader


 

Language: C

Publication date: 2012-12-21

Description: Program based on readnfccc (by Renaud Lifchitz) to read some private data from credit cards, like cardholder, Permanent Account Number (PAN), expiry date, etc., using NFC technology. It has been tested with Spanish contactless credit cards, but can also be used with other countries cards. Take a look at this post (Spanish) and this video.

Requirements: libnfc (and an NFC reader, of course!)

Download it!

 


Usage


 
After installing libnfc, just compile the code:

$ gcc nfc_creditcard_reader.c -lnfc -o nfc_creditcard_reader

 
Place an NFC credit card close to the reader and execute it:

Checking if reading an NFC tag is that secure

As I mentioned in my last post about NFC, we can use NFC Forum tags to store and share information, normally used by marketing departments. This information must have a specific format called NDEF (NFC Data Exchange Format). Thanks to this format different NFC devices can share NDEF messages between them. Each of these messages can store several NDEF records containing different type of information like plain text, images, audio or video (media in general), URIs, etc. You can take a look at the NDEF specification to learn more about it.

 

 

Here I'm going to focus on the URI records and their possibilities to perform actions in NFC capable mobile phones when reading this type of tags. The URI specification says that these are the supported schemes:

 

URI Identifier Codes

Schemes

How to setup your own NFC lab

NFC is a reality today. A lot of cities in the world want to add this technology to their daily life, using it for transport, payments, access systems and almost all we can think (in some countries, like Japan and Korea, NFC is used years ago). Even reading NFC tags can be used to perform certain actions in our mobile phones like put it in flight mode, synchronize data, etc.

 

 

NFC is based on the ISO/IEC 18092 standard, published at the end of 2003, and it's compatible with other standards like ISO/IEC 14443 A/B (RFID) and ISO/IEC 15693 (FeliCa - Sony). As probably you know, it's a short distance wireless technology (normally < 10cm), high frequency (13'56 MHz) and low speed (normally until 424 Kbps). Unlike RFID, NFC is capable to perform bidirectional communications, and the time to establish the communication is much lower than using Bluetooth.

The aim of this blog post is not explaining how NFC works but giving some advice to setup a lab and start playing with this technology. The first thing we need is a NFC reader/writer. After looking around the most used are the following:

 

WzdFTPD < 8.1 Denial of Service

ID: CVE-2007-0428  BID-22131  BID-22152

Product: WzdFTPD is a ftp server designed to be modular and portable, work under linux/win32/freebsd/openbsd, and to be entirely configurable online using SITE commands. It supports SSL, IPv6, multithreading, external scripts, and it uses Unix-like permissions and ACLs, with virtual users and groups.

WzdFTPD project also supports bandwidth limitation (per user, per group, or globally), group administrators, and per command authorization.

Scope: Remote Denial of Service

Severity: Medium

Timeline:

  • [2006-12-26] Vulnerability discovered
  • [2007-01-08] Vendor contacted (without answer)
  • [2007-01-19] Vulnerability published
  • [2007-01-31] Patched
     

Platforms: Any

Author: Jose Miguel Esparza

Affected versions: WzdFTPD < 8.1

Description: This vulnerability it's due to a bad truncation of blocks and later ruling out of the characters carriage return (\r), line feed (\n) and horizontal tab (\t) after authentication, resulting in a null character that the function chtlb_lookup is not able to handle.

Pwlib/Ekiga Denial of Service

ID: CVE-2007-04897  BID-25642

Product: PWLib is a moderately large C++ class library that originated many years ago as a method to produce applications that run on both Microsoft Windows and Unix X-Windows systems. It also was to have a Macintosh port as well, but this never eventuated. The library is used extensively by many companies for both commercial and Open Source products. The motivation in making PWLib available as Open Source was primarily to support the OpenH323 project, but it is definitely useful as a stand-alone library.

Scope: Remote Denial of Service

Severity: Low-Medium

Timeline:

  • [2007-05-14] Vulnerability discovered
  • [2007-07-09] Vendor contacted
  • [2007-08-15] Ekiga patched
  • [2007-09-11] Vulnerability published
  • [2007-09-27] Pwlib patched
     

Platforms: Any

Author: Jose Miguel Esparza

Affected versions: Pwlib <= 1.10.0 (also the applications which use this library, for example Ekiga <= 2.0.7)

OPAL SIP Protocol Remote Denial of Service

ID: CVE-2007-04924  BID-25955

Product: OPAL (Open Phone Abstraction Layer) is an implementation of various telephony and video communication protocols for use over packet based networks. It's based on code from the OpenH323 project and adds new features such as a stream based architecture, better support for re-use or removal of sub-components, and explicit support for additional protocols.

Scope: Remote Denial of Service

Severity: Low-Medium

Timeline:

  • [2007-06-11] Vulnerability discovered
  • [2007-07-09] Vendor contacted
  • [2007-08-15] Patched
  • [2007-09-17] New version released
  • [2007-10-08] Vulnerability published
     

Platforms: Any

Author: Jose Miguel Esparza

Affected versions: OPAL <= 2.2.8 (also the applications which use this library, for example Ekiga <= 2.0.9)

Description: Thanks to an insufficient input validation of the Content-Length field of a SIP request it is possible to write a null byte causing a denial of service (crash) of the application using this library.

Details:

Syndicate content