Praetorian Security Blog

Man-in-the-Middle TLS Protocol Downgrade Attack

Posted on Tuesday, August 19, 2014 by Hayden Blauzvern

A flaw was recently found in OpenSSL that allowed an attacker to negotiate a lower version of TLS between the client and server (CVE-2014-3511). While this vulnerability was quickly patched, an attacker who controls your traffic can still simulate this attack today. Let's explore how this is possible by looking at man-in-the-middle attacks and how browsers handle SSL/TLS connections. In addition, we will see the implications of the attack on cryptographic security.

PHP-CGI Remote Command Execution Vulnerability Exploitation

Posted on Tuesday, August 12, 2014 by Josh Abraham

During a recent penetration test, our team found a few web servers that were vulnerable to a PHP-CGI query string parameter vulnerability (CVE-2012-1823). This vulnerability allows an attacker to execute commands without authentication, under the privileges of the web server. The target environment had very strong egress controls in place. All outbound ports were blocked and only ports 80 and 443 were allowed inbound. This made it difficult to obtain an interactive shell. Therefore, we decided to build a proof of concept exploit script using cURL to execute commands and then take it to the next level by authoring a new Metasploit Module.

The Top 5 Most-anticipated Talks at Black Hat USA 2014

Posted on Wednesday, July 30, 2014 by Kelby Ludwig

Another year, another Black Hat. The massive security conference in Las Vegas draws the best hackers from around the world to speak about what they do best—breaking everything. Black Hat USA is a major attraction for the InfoSec community and certainly one of the big events the Praetorian team anticipates each year. To unleash some of our pent-up excitement, we are sharing our countdown for the top five most-anticipated talks at Black Hat USA 2014.

MAC Cryptographic Errors and Vulnerabilities in SSO Authentication

Posted on Friday, July 25, 2014 by Anthony Weems

In-house crypto is often a goldmine of cryptographic errors and vulnerabilities. In this post, I'll describe one of the glaring errors discovered in an online customer support and help desk solution we were considering for use in Praetorian's cloud-based password cracking service, Project Mars. Hopefully, this can serve as a warning to anyone thinking about writing his or her own crypto libraries.

CRITICAL: New Internet Explorer Zero-day Vulnerability

Posted on Sunday, April 27, 2014 by Paul Jauregui

Only a few weeks after Heartbleed took the Internet by storm, reports of another serious zero-day vulnerability are starting to circulate within the security community. Over the weekend Microsoft released Security Advisory 2963983, which details a new remote code execution vulnerability impacting ALL versions of Internet Explorer (IE6-IE11). Microsoft is aware of "limited, targeted attacks that attempt to exploit the vulnerability." The company is currently investigating public reports of the vulnerability and has yet to publish details under the reserved CVE-2014-1776, but there are steps organizations can take to protect against this threat.

Exploiting Mobile Banking with HeartBleed Vulnerability

Posted on Friday, April 11, 2014 by Paul Jauregui

For anyone who has not heard, a critical SSL vulnerability called HeartBleed was made public earlier this week that affects a widely used version of OpenSSL. In this post, I will demonstrate the HeartBleed vulnerability being exploited on a vulnerable mobile banking application and backend server within our test environments.

CRITICAL: HeartBleed Vulnerability

Posted on Tuesday, April 08, 2014 by Paul Jauregui

There is a new critical vulnerability affecting a widely used version of OpenSSL called HeartBleed (CVE-2014-0160). This new bug allows an attacker to read system memory remotely, without authentication. It has been reported that 60-70% of the Internet is affected. Immediate action should be taken to identify vulnerable systems within your environment and take necessary steps to mitigate risk associated with this critical vulnerability.

What's up with WhatsApp's Security?

Posted on Thursday, February 20, 2014 by Paul Jauregui

Facebook’s acquisition announcement coincided with the starting week of Project Neptune’s beta program. Project Neptune is Praetorian’s new mobile application security testing platform that allows companies to keep pace with rapid mobile development cycles by incorporating continuous, on-demand security testing. And what’s a better way to properly kick off our beta program than to test a publicly available mobile app worth $19 billion? Within minutes, Project Neptune picked up on several SSL-related security issues affecting the confidentiality of WhatsApp user data that passes in transit to back-end servers. This is the kind of stuff the NSA would love. It basically allows them—or an attacker—to man-in-the-middle the connection and then downgrade the encryption so they can break it and sniff the traffic. These security issues put WhatsApp user information and communications at risk.

How to Identify and Prevent UIWebView Cross-Site Scripting

Posted on Wednesday, January 08, 2014 by Travis Emmert

Cross-site scripting occurs when malicious scripts are injected into an otherwise benign or trusted website. Within the mobile security field, cross-site scripting can occur in unlikely places, such as the UIWebView on iOS. For purposes of illustration, we’ll discuss a recent instance of UIWebView cross-site scripting we came across in a test. We’ll also discuss a similar app that does things correctly. Then we’ll cover why problems like this occur and how it’s difficult for developers to foresee these security issues.

How To Identify and Prevent LDAP Injection (Part 2)

Posted on Friday, December 06, 2013 by Nathan Sportsman

LDAP injection occurs when an application fails to neutralize characters that have special meaning in LDAP. Closely resembling SQL injection, LDAP injection occurs when LDAP statements are constructed with unverified user-supplied data. This can result in the execution of arbitrary commands, such as granting permissions to unauthorized queries, as well as content alterations within the LDAP tree. The same advanced exploitation techniques leveraged in SQL injection can be similarly applied in LDAP injection.
