Tuesday, September 17, 2013

how to hack a windows phone

In today’s how-to we will discuss how to hack a Windows Phone 8. Every hacker should know the internals of a device and its operating system before attempting to compromise it, so let's try to understand the underlying hardware and OS security before we try to break it.
To begin, we will try to compromise the hardware so that we gain low-level access, then exploit the OS and ultimately take control of it, or at least steal data from it.
Windows Phone employs UEFI firmware at the very lowest level. In addition, every device that runs the Windows Phone 8 OS has to be certified by Microsoft. Certified also means that all the hardware has to be signed and the chips are burned with keys from Microsoft. The “Trusted Boot Chain” component makes sure that all the signatures are in place and valid before and during the boot process. Every program written into the silicon has to be signed, including the BIOS, drivers etc. On top of this, a Windows Phone 8 device also comes with a TPM chip, which means your encrypted data is as well protected as on your Windows 7 & 8 PC.
UEFI Windows Phone

Let's see what options we have to break the security of the device.


Now that we know all the components / programs are verified for their signature by the “Trusted Boot Chain”, why don’t we try to replace the boot chain program itself with our own? If we could do that, we could easily make the device load our own components instead of the Windows Phone OS, leaving it completely exposed.
Though at first look it appears to be a very good idea, unfortunately all the hardware chips, whether they can be overwritten or not, come with something called an efuse. The moment you try to write something into these chips without a valid signature, which only Microsoft and the device manufacturer hold, the efuse trips. Once the efuse has tripped, the boot loader will no longer boot your device. Congratulations! Now you have a phone which is officially no better than a brick.
Even if we assume for a moment that you somehow fooled the efuse, the device still won't boot, simply because you don't have a valid key.

Operating System

It is the Windows NT kernel. The Redmond guys have made sure that it is sturdy enough. The Windows NT kernel along with “Code Signing” makes a killer shield that you will not be able to penetrate. If you think you can get control of the kernel using some code, wait till you read the “Malicious Code” section.
For now let's think about Windows Phone updates. Windows Phone gets regular updates just like your PC, so what if we could trick the phone into installing our program? Unfortunately the phone is programmed to get updates only from the Microsoft update servers and nowhere else. Still, that is no big deal, because I can always trick my network into believing some malicious hardware / software is the update server. Sadly, the update will again need to pass the code signing check. You can never break through it unless you hack into the Microsoft update server; definitely not a great plan.


How about the internal storage itself? Why don’t we break open the phone, take out the internal storage and at least try to steal the data? But wait, the storage again uses 128-bit BitLocker encryption. The drive remains encrypted until the boot loader has completed its job. The TPM chip which comes with the hardware manages the encryption key, which means that once the disk is outside the hardware, you will need the 128-bit recovery key to get at the data. The storage behaves the same way as your BitLocker-protected hard drive.
Brute forcing an encryption key is a very well known procedure to break encryption, however it is impossible for 128-bit encryption. To understand the scale of the complexity, let's assume that you have 10 million computers where every computer can process 100 billion keys per second (more than 100 GHz) and you put them all together to crack the key: it will take 10^13 years to find the key, which is longer than the age of the universe itself.
If you are thinking of trying the PIN instead, you can always configure your phone to wipe automatically after a set number of incorrect tries.
Some people try to snoop the data from the disk after it is wiped, because it is easier that way since there are no encryption constraints. Luckily for the user, Windows Phone never decrypts the data; it wipes the encrypted data along with the key. You can be pretty sure that not even the NSA can retrieve it.
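The brute-force figure above, worked through with the post's own numbers as an added check (not part of the original post; a 128-bit key has a keyspace of 2^128 and a year is taken as 3.15 × 10^7 seconds):

$$
T = \frac{2^{128}}{10^{7} \cdot 10^{11}\ \text{keys/s}} \approx \frac{3.4 \times 10^{38}}{10^{18}}\ \text{s} = 3.4 \times 10^{20}\ \text{s} \approx \frac{3.4 \times 10^{20}}{3.15 \times 10^{7}}\ \text{years} \approx 1.1 \times 10^{13}\ \text{years}
$$

This is the worst case of searching the whole keyspace; on average half of it is searched, which still leaves roughly 5 × 10^12 years.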

Malicious Code

We have now almost come to the last and most favourite resort of a hacker. Most hackers disassemble the system instructions and try to inject or alter the commands at a memory location. However, the app model under which Windows Phone functions is always a sandbox, which means the app has its own area where it can execute, store data and perform actions. Windows Phone, with the advantage of Code Signing, signs apps based on the feature set they are allowed to access. E.g. if a program does not have a valid signature to access the Camera, it won't be able to. This is true for any feature or hardware access on the device. So even if we assume for a moment that you are able to write something into a system memory location of the phone, “Code Signing” will invalidate the program and unload it immediately.

Starting from the phone to your protected mail message, everything is safe in Windows Phone 8. As a matter of fact there are zero hacks to date. If you think you can, then write to me; yeah, it's an open challenge.
More information on the security of Windows Phone can be found at http://www.windowsphone.com/en-US/business/security-us
This how-to is written based on Windows Phone 8. Actual functionality might differ from device to device. Some features may not be available on pre-Windows Phone 8 devices.

Sunday, September 01, 2013

Delete any Photo from Facebook by Exploiting Support Dashboard

I would like to share one of the critical bugs in Facebook which leads to deleting any photo from Facebook without user interaction. At first, the Facebook team could not recognize this bug. So I sent them a video proof of concept and I clearly explained this bug with the help of demo accounts. So the Facebook team recognized my bug after I sent the video POC. The interesting part is, in that video I exploited Mark Zuckerberg's photo from his photo album, but I did not remove his photo. Now it has been fixed fully and Facebook has rewarded me 12,500$ (US Dollars) for finding this critical bug. In 2013, this is the second time I am going to receive a bounty from Facebook. Facebook has already approved my 3 open redirectors, which are eligible for a bounty of 1500$.

Dismissal Response:

Bug Approval:

Bounty Details:


Before going into the bug explanation, just think for a second about this:
How would you feel if anybody removed the photos from your Facebook profile which have the most likes & comments?

How would you feel if anybody removed important photos which you have tagged & shared?

How would you feel if anybody removed your Suggested Posts?

Bug Details:
[#] Title: Delete any Photo from Facebook by Exploiting Support Dashboard.
[#] Worth: 12,500$ (US Dollars)
[#] Status: Fixed
[#] Severity: Very High
[#] Works on: Any Browser with any Version
[#] Author: Arul Kumar.V
[#] Email: vulnerable2arul@gmail.com

The Support Dashboard is a portal designed to help you track the progress of the reports you make to Facebook. From your Support Dashboard, you can see if your report has been reviewed by Facebook employees who assess reports 24 hours a day, seven days a week.

Mainly this flaw exists on the mobile domain. In the Support Dashboard, if a reported photo was not removed by the Facebook team, the user has another option: to send a photo removal request to the owner via messages. If the user sends a claim message, the Facebook server will automatically generate a photo removal link and send it to the owner. If the owner clicks that link, the photo will be removed.

This flaw exists while sending the message. I could manually modify the Photo_id & the owner's Profile_id so that I could receive the photo removal link for any photo in my inbox. It would be done without any user interaction. Also, Facebook would not notify the owner if his photo was removed.

Impact of this Bug:
1) We can remove any photo from verified real users & Pages such as Mark Zuckerberg, Eminem, Rihanna and so on.

2) We can remove any Shared & Tagged photos.

3) We can remove any user's photo from his status & photo album.

4) We can remove any photo from a Page, Group and so on.

5) We can remove photos from Suggested Posts & also from Comments.

These are the things that we need to exploit this bug:

1) We need two Facebook accounts to delete anyone's photo permanently. One account acts as the "Sender" to send the claim message. The other acts as the "Receiver" who receives the photo removal link from the sender.

2) Before deleting a photo, we should gather the photo_id (fbid) of the photo we want to remove and also the profile_id of the receiver who will receive the photo removal message.

How this Exploit Works:

Steps to Reproduce:

1) As I said before, you should use two real accounts to exploit this. Consider one as "Sender" & another as "Receiver". Make sure both are logged in at the same time.

2) Every photo has an "fbid" value. Click a photo anywhere in Facebook, such as status updates, pages, groups, etc. Then look at the URL; you can find the Photo_id value and copy it, i.e. just copy down the numerical "fbid=" value.

3) After that we should gather the "Profile_id" value of the receiver profile. You are using two Facebook accounts; choose one profile as the receiver to receive the photo removal link. By using http://graph.facebook.com/ you can find the "profile_id" of the receiver. Just copy down the numerical profile id of the receiver profile.

4) So we have gathered two values:
         a) Photo_id (target photo to remove without the user's interaction)
         b) Profile_id (to receive the photo removal request from the sender)
Vulnerable URL & Parameters: 

https://m.facebook.com/report/social/?phase=0&next_phase=8&pp={"first_dialog_phase": 8,"support_dashboard_item_id":396746693760717,"next":"\/settings\/support\/details\/?fbid=396746693760717","actions_to_take":"{\"send_message\":\"send_message\"}"}&content_type=2&cid=PHOTO_ID&rid=PROFILE_ID

Look at the URL: you can find the "cid" & "rid" parameters at the end. These are the vulnerable parameters through which we could send the photo removal link of any photo to my receiver's inbox by modifying the values of "photo_id" & "profile_id".

    cid=  Photo_id (just include your target photo’s id value as the "cid" input)
    rid=  Profile_id (you need to include the receiver’s profile id as the "rid" input)

After including those values, press Enter. Then if you click the "Continue" button, Facebook will automatically send the photo removal link to your receiver profile. From your receiver profile, you can remove the photo which you added in that vulnerable parameter. Now this bug has been fixed fully.
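The root cause is that the report flow trusted the cid and rid values from the URL instead of binding them to the report that was actually filed. Below is an added example (my code, not Facebook's; the data model, function names and sample ids are assumptions) showing that missing server-side check: the handler as the post describes it beside a hardened one, run over constructed data.

```python
# Added example, not Facebook's code: models the missing server-side authorization
# in the Support Dashboard "send_message" action. Names and data are assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Photo:
    photo_id: int
    owner_id: int


@dataclass(frozen=True)
class SupportItem:
    item_id: int
    reporter_id: int  # user who filed the report
    photo_id: int     # photo the report is about


class AuthorizationError(Exception):
    pass


# Constructed sample data: user 100 reported photo 555, which belongs to user 200.
# Photo 777 belongs to user 300 and was never reported. The item id is the one
# visible in the post's URL.
PHOTOS = {555: Photo(555, 200), 777: Photo(777, 300)}
ITEMS = {396746693760717: SupportItem(396746693760717, reporter_id=100, photo_id=555)}


def send_removal_vulnerable(session_user, item_id, cid, rid):
    """The behaviour described in the post: cid/rid from the URL are used as-is,
    so a removal link for any photo can be sent to any inbox."""
    if item_id not in ITEMS:
        raise AuthorizationError("unknown report")
    return (cid, rid)


def send_removal_hardened(session_user, item_id, cid, rid):
    """Bind the action to the requester's own report and to that photo's real owner.
    The caller-supplied cid/rid are only accepted if they match the server's view."""
    item = ITEMS.get(item_id)
    if item is None or item.reporter_id != session_user:
        raise AuthorizationError("report does not belong to the requester")
    photo = PHOTOS.get(item.photo_id)
    if photo is None:
        raise AuthorizationError("reported photo no longer exists")
    if cid != item.photo_id:
        raise AuthorizationError("cid is not the photo that was reported")
    if rid != photo.owner_id:
        raise AuthorizationError("rid is not the owner of that photo")
    return (photo.photo_id, photo.owner_id)
```

A simpler fix with the same effect is to drop cid and rid from the request entirely and derive both from the stored support item, as the hardened function's return value does.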

Video POC:
Kindly watch this video in HD for best quality.

Now this bug has been fixed fully :) Here is the screenshot :)