A Keyboard Walks into a Barcode | TechSNAP 242
Posted on: November 26, 2015

A research team finds various ways to attack LastPass, how to use a cocktail of current Android exploits to own a device & hacking a point of sale system using poisoned barcodes!
Plus some great questions, our answers, a rockin roundup & much, much more!
— Show Notes: —
Even the last pass will be stolen
- “During one of Alberto’s red team pentests, he gained access to several machines and found that all of them had files with references to LastPass. He came to me and told me it would be cool to check how LastPass works and if it was possible to steal LastPass credentials. 10% of our time is for research so we made that our small project.”
- “We found how creds were stored locally and wrote a Metasploit plugin so he could use it to extract vault contents from all the compromised machines. Thanks to the module, he was able to obtain SSH keys to critical servers and the pentest was a success.”
- They tested three different scenarios:
- Client side attacks: A post-exploitation scenario in which an attacker has certain access to the victim’s machine (no root access needed)
- LastPass side attacks: A scenario in which LastPass employees, attackers compromising their servers, or anyone MiTMing the connection is the attacker
- Attacks from the outside: Attackers that are not on the client nor on LastPass servers side.
- They used a number of different approaches
- Using cookies
- Abusing account recovery to obtain the encryption key
- Bypassing 2 factor authentication
- “URLs/Icons are encoded, not encrypted: This means that there is no privacy. If you like shady pr0n or you are registered in questionable forums, anyone looking at your encrypted vault will know it. Also, if you reset your password in some site and update the LastPass vault account when prompted for it, the unique reset password URL may be stored as well. If the webmaster did not do a good job of expiring the unique link, you gave LastPass the link to reset your password again.”
- “Credentials often encrypted with ECB mode: ECB is a weak encryption method that should never be used. LastPass will know if you are reusing passwords from looking at the cipher text. This is bad because LastPass can go check any of the existing password dumps out there, see if you are registered in one of the hacked sites.”
- “What would happen if we google “extensions.lastpass.loginpws”? You guessed it! People are sharing their encrypted LastPass credentials with the rest of the world without their knowledge. You can also find credentials in pastebin. The best part is that now you know how to decrypt them and everything you need is right there.”
- Recommendations For you:
- Use the binary version of the plugin
- Do not store the master password
- Activate the new Account Recovery over SMS
- Audit your vault for malicious JS payloads
- Don’t use “password reminder”
- Activate 2FA
- Add country restrictions
- Disallow TOR logins
- Recommendations For LastPass
- Get rid of custom_js!
- Encrypt the entire vault in one chunk
- Don’t use ECB
- Use PBKDF2 between client and LastPass also
- Use cert pinning
- Embrace open source
- Adopt a retroactive, cash rewarded bug bounty program 😉
- Additional Coverage
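The ECB weakness called out above (equal plaintexts always give equal ciphertexts, so password reuse is visible to anyone holding the vault) in working Go, as an added example that is not the researchers' or LastPass's code; the fixed key and the PKCS#7 padding are constructed assumptions, and CBC with a random IV stands in for any mode that hides plaintext equality.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// Constructed fixed key standing in for a vault key; a real one comes from a KDF.
var key = bytes.Repeat([]byte{0x42}, 32)
// pad applies PKCS#7 padding so the input is a whole number of AES blocks.
func pad(p []byte) []byte {
	n := aes.BlockSize - len(p)%aes.BlockSize
	return append(append([]byte{}, p...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// EncryptECB: each block is encrypted independently with no IV, so equal plaintexts give equal ciphertexts.
func EncryptECB(plain []byte) []byte {
	block, _ := aes.NewCipher(key) // key length is fixed above, so no error path
	p := pad(plain)
	out := make([]byte, len(p))
	for i := 0; i < len(p); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], p[i:i+aes.BlockSize])
	}
	return out
}

// EncryptCBC: a fresh random IV is prefixed, so the same password encrypts differently every time.
func EncryptCBC(plain []byte) []byte {
	block, _ := aes.NewCipher(key)
	p := pad(plain)
	out := make([]byte, aes.BlockSize+len(p))
	if _, err := io.ReadFull(rand.Reader, out[:aes.BlockSize]); err != nil {
		panic(err)
	}
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], p)
	return out
}

// ReuseVisible reports whether two stored passwords look identical to someone who sees only ciphertexts.
func ReuseVisible(enc func([]byte) []byte, a, b []byte) bool {
	return bytes.Equal(enc(a), enc(b))
}
func main() {
	pw := []byte("correct horse battery staple")
	fmt.Println("ECB reveals reuse:", ReuseVisible(EncryptECB, pw, pw), "CBC reveals reuse:", ReuseVisible(EncryptCBC, pw, pw))
}
```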
Google AOSP Email App HTML Injection
- The Google AOSP Email App is vulnerable to HTML injection in the email body.
- It allows a remote attacker to send a crafted email with a payload that redirects the user to a target URL as soon as they open the email.
- This issue is not related to the email provider configured in the app but to incorrect filtering of potentially dangerous tags on the client side.
- The researchers sent an email containing an HTML meta tag with the attribute http-equiv="refresh" to redirect the user to the target URL.
- This vulnerability has a dangerous potential for phishing attacks. With a bit of creativity, a convincing phishing scenario is plausible.
- Other vectors, such as intent-based URIs, are also a possibility. Just this week we learned that at MobilePwn2Own, an exploit was showcased that uses a vulnerability in Chrome’s JavaScript V8 engine, where a user only needs to browse to a page and it installs an APK without any kind of user interaction.
- During the MobilePwn2Own demo of the V8 engine vulnerability, security researcher Guang Gong showed how easy it was to take advantage of an Android device.
“As soon as the phone accessed the website the JavaScript v8 vulnerability in Chrome was used to install an arbitrary application (in this case a BMX Bike game) without any user interaction to demonstrate complete control of the phone.” While a BMX game is relatively harmless in the grand scheme of things, a lot more damage could have been done.
- This exploit combined with the Email app vulnerability is a very dangerous combo.
- This app is available in all Android versions up to KitKat (4.4.4). It exists because, up until Gmail for Android 5.0, it was the only way to configure other email providers (Exchange servers, Yahoo, Hotmail, etc.) on Android.
- From Android Lollipop (5.0) upwards, the AOSP app no longer exists in the system.
- Since there are probably still a lot of users using the AOSP Email App, the researchers decided to contact Google regarding this issue.
- Google replied they don’t have plans for the fix of this vulnerability.
- Users on Android Ice Cream Sandwich (4.0.3) or later should migrate their accounts from the AOSP Email App to the Gmail App, since Gmail App version 5.0+ is supported there.
- Users with previous Android versions should upgrade to Ice Cream Sandwich (4.0.3) or above where possible or use a different email client.
One Barcode Spoils the Whole Bunch
- At this week’s PanSec 2015 Conference in Tokyo, researchers with Tencent’s Xuanwu Lab demonstrated a number of attacks using poisoned barcodes scanned by numerous keyboard wedge barcode scanners to open a shell on a machine and virtually type control commands.
- The attacks, dubbed BadBarcode, are relatively simple to carry out, and the researchers behind the project said it’s difficult to pinpoint whether the scanners or host systems need to be patched, or both—or neither.
- “We do not know what the bad guys might do. BadBarcode can execute any commands in the host system, or [implant] a Trojan,” said Yang Yu, who collaborated with colleague Hyperchem Ma. Yu, last year, was rewarded with a $100,000 payout from Microsoft’s Mitigation Bypass Bounty for a trio of ASLR and DEP bypasses. “So basically you can do anything with BadBarcode.”
- Yu said his team was able to exploit the fact that most barcodes contain not only numeric and alphanumeric characters, but also full ASCII characters depending on the protocol being used.
- Barcode scanners, meanwhile, are essentially keyboard emulators and if they support protocols such as Code128 which support ASCII control characters, an attacker could create a barcode that is read and opens a shell on the computer to which the commands are sent.
- Yu and Ma said during their presentation that Ctrl+ key combinations map directly to ASCII codes and can be used to trigger hotkeys registered with the Ctrl+ prefix, launching common dialogs such as OpenFile, SaveFile and PrintDialog. An attacker could use those hotkeys to browse the computer’s file system, launch a browser, or execute programs.
- Yu suggests that barcode scanner manufacturers not enable additional features beyond the standard protocols by default, nor transmit ASCII control characters to the host device by default.
- Hosts in IoT environments, meanwhile, should think twice about using barcode scanners that emulate keyboards, and should disable system hotkeys, Yu said.
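A host-side check for keyboard-wedge scanner input, added here as an example and not the researchers' or any vendor's code: it maps raw scanner bytes to the keystrokes the host would see (Ctrl+A..Ctrl+Z are ASCII 0x01..0x1A, the mapping the presentation relies on) and rejects any scan that carries control keystrokes instead of letting them reach the application. Both sample scans are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample scans: a plain product code and a poisoned Code128-style
// payload carrying control bytes (0x0F = Ctrl+O, 0x0D = Enter) around "abc".
var (
	goodScan = []byte("4006381333931")
	badScan  = []byte{0x0F, 'a', 'b', 'c', 0x0D}
)

// describeByte names the keystroke a keyboard-emulating scanner would inject for one byte.
func describeByte(b byte) string {
	switch {
	case b == 0x09:
		return "Tab"
	case b == 0x0A || b == 0x0D:
		return "Enter"
	case b >= 0x01 && b <= 0x1A:
		return fmt.Sprintf("Ctrl+%c", 'A'+b-1) // 0x01..0x1A are Ctrl+A..Ctrl+Z
	case b == 0x1B:
		return "Esc"
	}
	return fmt.Sprintf("0x%02X", b)
}

// CheckScan validates raw scanner bytes before the application acts on them: it returns
// the printable payload plus every control keystroke found; any rejection means drop the scan.
func CheckScan(raw []byte) (payload string, rejected []string) {
	var sb strings.Builder
	for _, b := range raw {
		if b >= 0x20 && b < 0x7F { // printable ASCII only
			sb.WriteByte(b)
			continue
		}
		rejected = append(rejected, describeByte(b))
	}
	return sb.String(), rejected
}

func main() {
	for _, s := range [][]byte{goodScan, badScan} {
		p, rej := CheckScan(s)
		fmt.Printf("payload=%q accepted=%v rejectedKeystrokes=%v\n", p, len(rej) == 0, rej)
	}
}
```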
Feedback:
Round-Up:
- Here’s a Spy Firm’s Price List for Secret Hacker Techniques
- The Great Firewall of Santa Cruz – A fun CS homework assignment
- It’s time to secure your Amazon account with two-factor authentication
- Stanford professor releases draft of textbook “A Graduate Course in Applied Cryptography”
- Flying a cylon raider — hacking without your favourite tools
- Ngrok, a tool to make island hopping easier, proxy any servers from a foreign internal network to your own network via a compromised host
- Platform Independent, Position Independent ASM for loading a .DLL
- Windows Driver Signing Bypass by Derusbi, an infamous piece of malware. The oldest identified version was compiled in 2008. It was used in well-known hacks such as the Mitsubishi Heavy Industries hack discovered in October 2011 and the Anthem hack discovered in 2015
- Intel’s 72-Core ‘Knight’s Landing’ Xeon Phi Supercomputer Chip Cleared For Takeoff
- Analysis of GHOST, one of the earlier “named” vulnerabilities
- Gmail will soon warn you when an unencrypted message arrives
- A Boeing 737 tailstrike was caused by a typo when the flight crew entered the weight on an iPad
- Reverse engineering iOS9 with Javascript
- Kaspersky issues its 2016 security predictions, “IT’S THE END OF THE WORLD FOR APTs AS WE KNOW THEM”
- Sign up for Tinder clone to get laid, instead get screwed