Jacob Riggs

UK ISPs prohibit ethical security research activities

General
by Jacob Riggs
26-08-2022

4.93 of 125 votes

All major UK ISPs seem to stipulate contractual terms which specifically prohibit their customers from employing the use of their home broadband service for security testing activities, regardless of the lawful basis for those activities (such as when penetration testing and bug bounty engagements are authorised). Below are the relevant extracts I pulled from those associated policies. If you're a UK customer of these services and engage in any bug bounty or penetration testing activities, it's likely you've already agreed to comply with these terms, and may therefore be at risk of having your home broadband service suspended for violating them. POLICY EXTRACT Source: Vodafone Acceptable Usage Policy 2. Your use of the Service ... 2.9 You must not use the internet to send information that has forged addresses or are deliberately constructed to adversely affect remote machines or other computer systems. 4. Network security 4.1 You must not take any action that could inhibit or violate the network security of any person or company (including Vodafone) or that could adversely affect their use of the internet. POLICY EXTRACT Source: BT Acceptable Usage Policy Security Violations The BT Network may not be used to violate the security of a network, service or other system. Examples of security include hacking, cracking into, monitoring, or using systems without authorisation; scanning ports; conducting denial of service attacks; distributing viruses or other harmful software; smurf attacks; and unauthorised alteration or destruction of websites or other information. POLICY EXTRACT Source: Virgin Media Acceptable Usage Policy 5. Your responsibilities - Virgin Media’s systems, services and equipment ... 5.2. Specific prohibited acts in relation to Virgin Media’s systems, services and equipment are: ... 5.2.5. attempting to circumvent user authentication or security of any host, network, or account (also known as “cracking” or “hacking”). POLICY EXTRACT Source: Sky Acceptable Usage Policy Do not violate anyone's systems or network security You must not use Sky Broadband, or allow someone else to use Sky Broadband, to violate Sky’s networks’ security or any third party’s system or network security by any method including: ... You must not send, receive, store, distribute, transmit, post, upload or download any materials that are designed to violate Sky Network’s security or any third party’s system or network security. Examples of such prohibited material may include (but are not limited to): ... • tools designed to compromise the security of other sites; These terms make up the components of valid contracts, and as ISPs are in the business of making money, this raises a few questions. Do ISPs actually care what their customers do with their service? How enforcable are the relevant legal obligations in practice? Are ISPs actively monitoring customer traffic for attack characteristics? Do reports of abuse ever result in ISPs terminating services? Such unanswered questions might incentivise security professionals to consider the wider use of commercial VPNs.

The Royal Mint sent me a limited edition gold coin

General
by Jacob Riggs
25-07-2022

4.99 of 157 votes

For some voluntary cybersecurity related work I did, The Royal Mint sent me a limited edition 22 carat gold coin which commemorates the life and legacy of the great mathematician and codebreaker Alan Turing. This included bespoke packaging that contained a small 'Innovation in Science' series booklet detailing Turing's remarkable achievements, and featured one of his most famous quotes: We can see only a short distance ahead, but we can see plenty there that needs to be done ~Alan Turing I would like to express my thanks to The Royal Mint for this thoughtful gift.

How to access and trade on darknet markets

Tutorials
by Jacob Riggs
23-06-2022

4.96 of 114 votes

Welcome to my first counter-economics walkthrough, featuring the darknet. The darknet is not just a domain for illicit activities, it also serves as a space that offers unparalleled opportunities for discourse, free market trade, and collective and communal discovery. It’s occupied by people from all walks of our complex and layered lives - from outright criminals and troublemakers, to journalists, dissidents, and security researchers (like myself). Whilst I can appreciate that the darknet is widely associated with illegal activity, it’s important to note that simply accessing the darknet is perfectly legal. There’s a lot of advanced cryptographic protocols and processes behind the workings of what I’m about to explain, but for the purpose of keeping this post short and tailored for a wide audience, I’m going to simplify everything as best I can. 1. Tor To access the darknet you’ll need to download and install the Tor (the onion routing) browser. This is an open source purpose-built and completely free browser based on Firefox that enables anonymous web surfing, by ensuring that all traffic it processes is heavily protected against traffic analysis. Download Tor Tor establishes a secure network circuit for each browser session, which connects Tor nodes deployed around the world at random. These nodes encrypt your browser traffic in layers at each node hop on its way to/from the source (your browser) and the destination (a hosted hidden service). 2. Darknet markets With Tor installed, you’ll next need to find a darknet marketplace domain to visit. The Tor network mandates that Tor clients (such as the Tor browser) can only access sites using the .onion TLD. However, these domains are not easy to distinguish, and are usually represented in long, often randomly generated alpha-numeric strings. Finding the correctly represented URL for a particular domain in the first instance can be a challenge. There are hundreds of marketplaces to choose from, each with their own set of communities, politics, and socio-economic motivations. I wont list them all here, as unfortunately not all survive long enough to outgrow the impulse of real-world influence and fallible human desires. Some get hacked, some get shut down by law enforcement, and some succumb to their own greed - whereby the operators 'exit scam' entire communities. This is why there’s no specific endorsement for any particular marketplace I can make, but I’ll include a few of the most common below for reference. Please beware of the many fake .onion addresses that frequently circulate the web and are set up as convincing phishing sites. The above hidden service URLs were validated as accurate at the time of this blog post being made, though may require further validation if they are to be relied upon in the future. 3. What you can buy Most darknet marketplaces have a large selection of categories populated with listings from reputable vendors. These are varied, and can include both legal and illegal listings.In no particular order, I’ve added a table featuring some of the most common categories I’ve observed below: Drugs Doxxing Malware Hacking Software Hosting Electronics Ebooks Firearms Graphics Databases VPNs Jewellery Fraud Passports Programming 4. Buying Bitcoin (BTC) The first step, if you’re new to this space and want to facilitate a trade, is to buy yourself some cryptocurrency.This process, in summary, is to trade a value of what you own in digital fiat currency (GBP, USD, AUD, etc) for a value of what you desire in BTC, and can most easily be achieved by registering to a centralised platform, like one of those I’ve included below. Coinbase Binance Bitfinex Poloniex Many darknet marketplaces employ the use of specific cryptocurrencies (such as XMR) that use technologies such as stealth addressing and ring signatures to evade traceability. However, these currencies, due to their decentralised and counter-economic nature, are often restricted by centralised platforms from purchase and practical use. This means it’s sometimes possible to buy these currencies (such as XMR) in exchange for fiat (GBP, USD, AUD, etc), but you may find yourself prevented from transferring such currencies outside of the platform you’ve purchased them from. 5. Exchanging Bitcoin (BTC) for Monero (XMR) A logical and convenient method I’ve seen adopted to get around this problem is to purchase another mainstream currency (such as BTC) via a centralised platform, then to use a third-party service to facilitate an exchange into a darknet marketplace supported currency like XMR.Below I've added an embedded interactive exchange utility that runs off a secure third-party API, and connects each transaction request with the best real-time market rates offered across a wide number of centralised trading platforms. If you'd like to use it to exchange currencies, please feel free. 6. Making a purchase Most reputable darknet marketplaces employ the use of escrow systems for mutual buyer and seller protection, with step-by-step client-side encryption features leveraging PGP to ensure end-to-end privacy and anonymity is preserved. This usually (but not always) means that when you supply potentially identifiable information, such as an email address or postal address to receive goods, the marketplace usually auto-encrypts your data to the vendor’s public key in your browser at the point of sale. This is to prevent your data being inadvertently disclosed at any time in the future to anyone other than yourself and the vendor, and ensures that trade participants can remain confident that marketplace transactions are provably private.Understanding PGP usage in this context is important, but can be overwhelming for newcomers. A while back I made another blog post on PGP keys which helps explain what PGP is and how it works.

How I found a vulnerability giving me infinite CPE credits

Write Ups
by Jacob Riggs
10-06-2022

5.00 of 137 votes

This is my write-up on a vulnerability I identified which allowed me to credit my ISACA CISM certification with unlimited CPE credits. During my day off I was looking at ways to earn myself some CPE credits towards my CISM certification. For context, 1 hour of eligible activities translates to the accrual of 1 CPE credit, and for my CISM certification, I require at least 120 CPEs over a three year period. Quiz Night! First I logged into my ISACA account and completed an archived quiz from here. For ISACA members (if you have a valid ISACA membership), the successful completion of each archived quiz awards 1 CPE credit. Once I had successfully completed a quiz, I visited my Manage CPE portal to apply the newly earned CPE credit to my account. The first step was to take note of the unique CPE ID and proceed to apply it to my account. Here I noticed that when attempting to apply CPE credits from this type of eligible activity, the forms on the ISACA web app seem to restrict the numerical 'max hours allowed' value. However, this restriction appeared to only be enforced client-side, which meant that an attacker could change this numerical value before submitting it to the server. I was curious how the server would validate any modified input value (if at all), and what response the server might provide if this value was changed to extend or nullify the 'max hours allowed' limitation. Enter Burp I opened Burp (my intercepting proxy) and captured the request. I could see that the request was submitted in a JSON format, with a number of expected parameters that relate to the web form. The server considered the request valid, and issued a response which echoed a 'true' boolean statement. I took note of the request and response values, then saved the request to Burp's repeater module (we'll come back to this shortly). I then revisited the archived quizzes and successfully completed a different quiz. I again visited my Manage CPE portal to apply the newly earned CPE credit to my account. I again took note of the unique CPE ID. I then went back to the previous request saved in Burp's repeater module, and modified the values of the request to reflect those of the newly completed quiz, but this time I manually set the 'MaxHoursAvailable' parameter to 100 and the 'CismHours' parameter to 100. I submitted this request to the server, and received a 'true' boolean statement in the response. I then navigated back to my certifications dashboard and could see that 100 CPE credits were successfully applied. I was able to confirm this was as a result of the modified request being made by viewing the applied CPE records within my Manage CPE portal. This finding was duly reported to ISACA within 4 hours of being identified. It took 134 days for my report to close with an agreement for public disclosure. ISACA responded on 10/06/2022 with the following statement:We do not view this particular occurrence as having a major impact on our website or operations. Additionally our ability to audit member's CPE's would allow us to correctly identify those who made use of this or a similar technique and take the appropriate steps upon discovery.

CVE-2021-26084 PoC write-up

Write Ups
by Jacob Riggs
19-02-2022

5.00 of 98 votes

This is my PoC write-up for CVE-2021-26084, which amounts to RCE and affects certain versions of Confluence Server and Data Center instances. I've come across this vulnerability a few times during the course of my research, so decided to add a brief PoC write-up for ease of future reference. Summary CVE-2021-26084 is an OGNL injection vulnerability allowing an unauthenticated attacker to execute arbitrary code on the targeted instance. It may be worth noting that statements from the vendor indicate this vulnerability is being actively exploited in the wild and that affected servers should be patched imediately. Steps to Reproduce I have included a downloadable PoC (proof-of-concept) Python script below, which enables owners of vulnerable instances to safely (and remotely) reproduce the necessary steps to validate this vulnerability themselves. Download Python Script Example Usage: python3 poc.py -u https://[TARGET HOST HERE] -p /pages/[PAGE VARIABLE HERE].action?SpaceKey=x The Vulnerability Atlassian Confluence is a widely used platform written in Java for managing project documentation and planning, typically deployed in corporate environments for teams to collaborate in shared workspaces. Back in 2017, security researcher Benny Jacob discovered that unauthenticated users could execute arbitrary code by targeting HTML queries with ONGL injection techniques. HTTP is a request/response protocol described in RFCs 7230 - 7237 and other RFCs. A request is sent by a client to a server, which in turn sends a response back to the client. A HTTP request consists of a request line, various headers, an empty line, and an optional message body: Where CRLF represents the new line sequence Carriage Return (CR) followed by Line Feed (LF), SP represents a space character. Parameters can be passed from the client to the server as name-value pairs in either the Request-URI or in the message-body, depending on the Method used and the Content-Type header. For example, a simple HTTP request passing a parameter named "param" with value "1", using the GET method might look like: A corresponding HTTP request using the POST method might look as follows: Confluence uses the Webwork web application framework to map URLs to Java classes, creating what is known as an action. Action URLs end with the '.action' suffix and are defined in the xwork.xml file in confluence- .jar and in the atlassian-plugin.xml file in JAR files of included plugins. Each action entry contains at least a name attribute, defining the action name, a class attribute, defining the Java class implementing the action, and at least one result element which decides the Velocity template to render after the action is invoked based on the result of the action. Common return values from actions are "error", "input";, and "success", but any value may be used if there is a matching result element in the associated XWork XML. Action entries can contain a method attribute, which allows invocation of a specific method of the specified Java class. When no command is specified, the doDefault() method of the action class is called. The following is a sample action entry for the doenterpagevariables action: In the above example, the doEnter() method of the com.atlassian.confluence.pages.actions.PageVariablesAction class handles requests to doenterpagevariables.action and will return values such as "success", "input";, or "error". This results in the appropriate Velocity template being rendered. Confluence supports the use of Object Graph Navigational Language (OGNL) expressions to dynamically generate web page content from Velocity templates using the Webwork library. OGNL is a dynamic Expression Language (EL) with terse syntax for getting and setting properties of Java objects, list projections, lambda expressions, etc. OGNL expressions contain strings combined to form a navigation chain. The strings can be property names, method calls, array indices, and so on. OGNL expressions are evaluated against the initial, or root context object supplied to the evaluator in the form of OGNL Context. Confluence uses a container object of class com.opensymphony.webwork.views.jsp.ui.template.TemplateRenderingContext to store objects needed to execute an Action. These objects include session identifiers, request parameters, spaceKey, etc. TemplateRenderingContext also contains a com.opensymphony.xwork.util.OgnlValueStack object to push and store objects against which dynamic Expression Languages (EL) are evaluated. When the EL compiler needs to resolve an expression, it searches down the stack starting with the latest object pushed into it. OGNL is the EL used by the Webwork library to render Velocity templates defined in Confluence, allowing access to Confluence objects exposed via the current context. For example, the $action variable returns the current Webwork action object. OGNL expressions in Velocity templates are parsed using the ognl.OgnlParser.expression() method. The expression is parsed into a series of tokens based on the input string. The ognl.JavaCharStream.readChar() method, called by the OGNL parser, evaluates Unicode escape characters in the form of uXXXX where "XXXX" is the hexadecimal code of the Unicode character represented. Therefore, if an expression includes the character u0027, the character is evaluated as a closing quote character ('), escaping the context of evaluation as a string literal, allowing to append an arbitrary OGNL expression. If an OGNL expression is parsed in a Velocity template within single quotes and the expression's value is obtained from user input without any sanitization, an arbitrary OGNL expression can be injected. An OGNL injection vulnerability exists in Atlassian Confluence. The vulnerability is due to insufficient validation of user input used to set variables evaluated in Velocity templates within single quotes. By including the u0027 character in user input, an attacker can escape the string literal and append an arbitrary OGNL expression. Before OGNL expressions are evaluated by Webwork, they are compared against a list of unsafe node types, property names, method names, and variables names in the com.opensymphony.webwork.util.SafeExpressionUtil.containsUnsafeExpression() method. However, this list is not exhaustive, and arbitrary Java objects can be instantiated without using any of the unsafe elements listed. For example, the following expression, executing an OS command, would be accepted as a safe expression by this method: A remote attacker can exploit this vulnerability by sending a crafted HTTP request containing a malicious parameter to a vulnerable server. Successful exploitation can result in the execution of arbitrary code with the privileges of the server. Remote Detection of Generic Attacks To detect this attack, you should monitor all HTTP traffic requests where the path component of the request-URI contains one of the strings in the "URI path" column of the following table: URI Path Vulnerable Parameters --------------------------------------------------------------------- --------------------------------------------------------------------- /users/darkfeatures.action featureKey /users/enabledarkfeature.action featureKey /users/disabledarkfeature.action featureKey /login.action token /dologin.action token /signup.action token /dosignup.action token /pages/createpage-entervariables.action queryString, linkCreation /pages/doenterpagevariables.action queryString /pages/createpage.action queryString /pages/createpage-choosetemplate.action queryString /pages/docreatepagefromtemplate.action queryString /pages/docreatepage.action queryString /pages/createblogpost.action queryString /pages/docreateblogpost.action queryString /pages/copypage.action queryString /pages/docopypage.action queryString /plugins/editor-loader/editor.action syncRev If such a request is found, you should inspect the HTTP request method. If the request method is POST, look for the respective vulnerable parameters from the table above in the body of the HTTP request, and if the request method is GET, you should look for the parameters in the request-URI of the HTTP request. Check to see if the value of any of the vulnerable parameters contains the string u0027 or its URL-encoded form. If so, the traffic should be considered malicious and an attack exploiting this vulnerability is likely underway. Remediation If you are running an affected version upgrade to version 7.13.0 (LTS) or higher. If you are running 6.13.x versions and cannot upgrade to 7.13.0 (LTS) then upgrade to version 6.13.23. If you are running 7.4.x versions and cannot upgrade to 7.13.0 (LTS) then upgrade to version 7.4.11. If you are running 7.11.x versions and cannot upgrade to 7.13.0 (LTS) then upgrade to version 7.11.6. If you are running 7.12.x versions and cannot upgrade to 7.13.0 (LTS) then upgrade to version 7.12.5. If you are unable to upgrade Confluence immediately, then as a temporary workaround, you can mitigate the issue by following the steps outlined in the official advisory: Confluence Server or Data Center Node running on Linux: If you run Confluence in a cluster, you will need to repeat this process on each node. You don't need to shut down the whole cluster. Shut down Confluence. Download the cve-2021-26084-update.sh to the Confluence Linux Server. Edit the cve-2021-26084-update.sh file and set INSTALLATION_DIRECTORY to your Confluence installation directory, for example: INSTALLATION_DIRECTORY=/opt/atlassian/confluence Save the file. Give the script execute permission. chmod 700 cve-2021-26084-update.sh Change to the Linux user that owns the files in the Confluence installation directory, for example: $ ls -l /opt/atlassian/confluence | grep bindrwxr-xr-x 3 root root 4096 Aug 18 17:07 bin# In this first example, we change to the 'root' user# to run the workaround script$ sudo su root $ ls -l /opt/atlassian/confluence | grep bindrwxr-xr-x 3 confluence confluence 4096 Aug 18 17:07 bin# In this second example, we need to change to the 'confluence' user# to run the workaround script$ sudo su confluence Run the workaround script. ./cve-2021-26084-update.sh The expected output should confirm up to five files updated and end with Update completed! The number of files updated will differ, depending on your Confluence version. Restart Confluence. Confluence Server or Data Center Node running on Windows: If you run Confluence in a cluster, you will need to repeat this process on each node. You don't need to shut down the whole cluster. Shut down Confluence. Download the cve-2021-26084-update.ps1 to the Confluence Windows Server. Edit the cve-2021-26084-update.ps1 file and set the INSTALLATION_DIRECTORY. Replace Set_Your_Confluence_Install_Dir_Here with your Confluence installation directory, for example:$INSTALLATION_DIRECTORY='C:Program FilesAtlassianConfluence' Save the file. Open up a Windows PowerShell (use Run As Administrator). Due to PowerShell's default restrictive execution policy, run the PowerShell using this exact command:Get-Content .cve-2021-26084-update.ps1 | powershell.exe -noprofile - The expected output should show the status of up to five files updated, encounter no errors (errors will usually show in red) and end with:Update completed! The number of files updated will differ, depending on your Confluence version. Restart Confluence. Remember, if you run Confluence in a cluster, make sure you run this script on all of your nodes.

I hacked the Dutch Tax Administration and got a trophy

General
by Jacob Riggs
12-02-2022

5.00 of 218 votes

The Dutch Tax Administration (Belastingdienst) sent me a trophy and formal letter of appreciation on behalf of the Dutch government. The front engraving on the trophy playfully reads, “I hacked the Dutch Tax Administration and never got a refund”. Together with the trophy was a formal letter of appreciation.On behalf of the Dutch Tax and Customs Administration, we would like to thank Jacob for participating in our Coordinated Vulnerability Disclosure program. For that, we present this letter of appreciation to Jacob.At the Dutch Tax and Customs Administration, we consider the security of our systems a top priority. But no matter how much effort we put into system security, there can still be vulnerabilities present. For that, we warmly welcome people like Jacob as a particpiant in the Coordinated Vulnerability Disclosure program.We appreciate not only that you have reported a security issue to us, but also that you have professionally done this. I would like to extend my thanks to the Belastingdienst Security Operations Center for sending me such a kind gift.

Blog