GMX Brute-Force Passwords

“E-Mail made in Germany” – this is quality and security. They claim.

It reminds me a bit of last year’s iCloud hack. You could do the same with GMX. Their response is at the bottom of this post.

The German mail provider GMX accepts plain-text connections on POP3, IMAP and SMTP. It lets users authenticate over them; only once the authentication has succeeded does it refuse to proceed because the connection is not encrypted. Below is an example for IMAP:

root@kali:~/mail# telnet imap.gmx.net 143
Trying 212.227.17.170...
Connected to imap.gmx.net.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 CHILDREN ENABLE ID IDLE LIST-EXTENDED LIST-STATUS LITERAL+ MOVE NAMESPACE SASL-IR SORT SPECIAL-USE THREAD=ORDEREDSUBJECT UIDPLUS UNSELECT WITHIN STARTTLS AUTH=LOGIN AUTH=PLAIN] IMAP server ready H migmx123 107874 IMAP-0MUPSY-1aMB442ITa-00R1KS
tag login XXXX@gmx.at "wrong"
tag NO authentication failed
tag login XXXX@gmx.at "wrong1"
tag NO authentication failed
tag login XXXX@gmx.at "XXXXXXXXXXXXXXXXXX"
tag NO [PRIVACYREQUIRED] Fehler beim Abruf Ihrer GMX E-Mails. Ihre Verbindung ist nicht verschluesselt. Aktivieren Sie SSL in Ihrem Mailprogramm. Anleitungen: https://ssl.gmx.net

The final answer (in German) says that the connection is not encrypted and that SSL must be enabled in the mail client. By then, however, the credentials have already crossed the wire in plain text, so anyone on the path can sniff them and use them to access the mailbox. Moreover, the server only sends this message after it has verified the password; a wrong password gets the plain "authentication failed", so the unencrypted login is a reliable oracle for password validity.

The same applies to plain text connections using POP3 and SMTP.

Furthermore, the provider informs users about unsuccessful login attempts in order to warn them about potential attackers. A warning appears when logging into the account via the web interface, as seen in the screenshot below, saying "3 unsuccessful login attempts".

[Screenshot: after_3_logins_ssl]

These failed login attempts seem to be counted for logins via:

  • web interface
  • encrypted IMAP (port 993)
  • encrypted POP3 (port 995)

The following authentication vectors are not counted (so no warning is shown), even though they still reveal whether a password is valid and can therefore be used for brute-force attacks:

  • unencrypted IMAP (port 143)
  • unencrypted POP3 (port 110)
  • unencrypted SMTP (port 25)
  • encrypted SMTP (ports 587 via STARTTLS and 465)

There also seems to be no limit on the number of guesses and no login throttling on these vectors. So have fun.
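The exchange above, reduced to its essentials, as an added example that is not part of the original post and not GMX's code. A small simulated IMAP server on localhost is run in two modes: the weak mode reproduces the behaviour shown above (the password is checked first, then encryption is demanded), the hardened mode does what RFC 2595 prescribes, advertising LOGINDISABLED and rejecting every plain-text LOGIN with the same answer without looking at the password. The client-side probe is the oracle an attacker would script. The account name, password and server strings are constructed for the example.

```python
import socket
import socketserver
import threading

# Constructed test account; not a real GMX account.
USER = "user@example.org"
PASSWORD = "correct horse"

# Weak greeting, modelled on the capability line in the post.
GREETING_WEAK = b"* OK [CAPABILITY IMAP4rev1 STARTTLS AUTH=LOGIN AUTH=PLAIN] IMAP server ready\r\n"
# Hardened greeting: LOGINDISABLED (RFC 2595) until STARTTLS has completed.
GREETING_HARDENED = b"* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] IMAP server ready\r\n"


class ImapHandler(socketserver.StreamRequestHandler):
    """Minimal simulated IMAP server: only LOGIN and LOGOUT on a plain-text socket."""

    def handle(self):
        hardened = self.server.hardened
        self.wfile.write(GREETING_HARDENED if hardened else GREETING_WEAK)
        while True:
            line = self.rfile.readline()
            if not line:
                return
            parts = line.decode("ascii", "replace").strip().split(" ", 3)
            tag = parts[0].encode()
            cmd = parts[1].upper() if len(parts) > 1 else ""
            if cmd == "LOGOUT":
                self.wfile.write(b"* BYE\r\n" + tag + b" OK LOGOUT completed\r\n")
                return
            if cmd != "LOGIN" or len(parts) < 4:
                self.wfile.write(tag + b" BAD unsupported in this simulation\r\n")
                continue
            user, pw = parts[2], parts[3].strip('"')
            if hardened:
                # Identical answer for every password: nothing to learn before STARTTLS.
                self.wfile.write(tag + b" NO [PRIVACYREQUIRED] LOGIN disabled until STARTTLS\r\n")
            elif user == USER and pw == PASSWORD:
                # What the post shows: password verified first, encryption demanded afterwards.
                self.wfile.write(tag + b" NO [PRIVACYREQUIRED] Ihre Verbindung ist nicht verschluesselt.\r\n")
            else:
                self.wfile.write(tag + b" NO authentication failed\r\n")


class ImapServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, hardened):
        super().__init__(("127.0.0.1", 0), ImapHandler)  # port 0: pick a free port
        self.hardened = hardened


def start_server(hardened):
    srv = ImapServer(hardened)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(port, user, password):
    """Client side of the oracle: classify the plain-text LOGIN response."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        f = s.makefile("rwb")
        f.readline()  # greeting
        f.write(b'a1 LOGIN %s "%s"\r\n' % (user.encode(), password.encode()))
        f.flush()
        reply = f.readline().decode("ascii", "replace")
        f.write(b"a2 LOGOUT\r\n")
        f.flush()
    if reply.startswith("a1 NO [PRIVACYREQUIRED]"):
        return "privacyrequired"
    if reply.startswith("a1 NO"):
        return "rejected"
    return "other"


def oracle_leaks(port, user, wrong_password, right_password):
    """True when a wrong and the right password produce different plain-text responses."""
    return probe(port, user, wrong_password) != probe(port, user, right_password)


if __name__ == "__main__":
    for mode in (False, True):
        srv = start_server(hardened=mode)
        port = srv.server_address[1]
        print("hardened" if mode else "weak", "leaks:", oracle_leaks(port, USER, "wrong", PASSWORD))
        srv.shutdown()
        srv.server_close()
```

The hardened server is the fix the post implies: refuse LOGIN before STARTTLS rather than after a successful password check, and count failed attempts on every listener the same way the web interface does.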

GMX was first notified on 16 February 2016. They answered that the product they offer is free and that GMX therefore cannot provide written support – unfortunately. And… they are happy if they could have helped me.

Dear GMX member,

thank you for your e-mail.

GMX FreeMail is a free product. We ask for your understanding that we therefore cannot offer you written support. Extensive free help on all functions of GMX FreeMail can be found at https://hilfe.gmx.net/.

We are also happy to assist you personally. Simply call us on the telephone number given below. If you cannot reach us via our 0900 service number, this may be due to a block on premium-rate numbers.
[...]

We are glad if we were able to help you.
Kind regards

Your GMX technical customer service

The second notification was sent on 17 February. They responded on 1 March that this is not a security issue.

Dear Mr Molnar,

thank you for your enquiry, which was passed on to our specialist department for processing. We have of course reviewed your concern.

With reference to your e-mail, we are pleased to inform you that the points you raised are not security-critical aspects within our infrastructure.

The risk that the credentials can be intercepted when transmitted in plain text does indeed exist. However, it should be noted that this risk originates from the e-mail client used and in no way from our systems. To counter it, the e-mail program must establish an encrypted connection before the credentials are transmitted. For this we recommend using TLS for POP3 and IMAP.

That in the case of unencrypted communication a different message is returned for a wrong password than for correct credentials can also not be classified as security-critical, especially since no information about the existence of an account is disclosed by this.

Furthermore, your e-mail states that no information regarding failed logins via SMTP, POP3 and IMAP is communicated. This does not entail a security risk.

Kind regards

[Name removed]
Your GMX customer service

E-Mail made in Germany. I feel secure now. Do you?

EDAS Conference Manager Information Disclosure

Recently, I ran into quite an interesting information disclosure issue on a large platform. I contacted the maintainers three times but unfortunately they will not fix it.

The EDAS conference manager, available at www.edas.info, is a platform for organizing conferences, including paper submission and review, registration with payment and program management.

At the time of writing, 310 conferences for the year 2016 were being handled on EDAS.

The site's registration form tries to avoid duplicate accounts. It therefore shows a list of already registered accounts, with full name, organization and a "partial" e-mail address, so that a new user can check whether they are already registered.

[Screenshot: edas1]

E-mail addresses are shown in masked form, but the page source contains the full address so that the person can be contacted.

[Screenshot: edas2]

Results are returned whenever the entered surname matches the given name or the surname of a registered member. Depending on the name, the system displays up to several hundred entries.

This can be abused to harvest e-mail addresses together with the corresponding names and organizations. It also makes it possible to look up the contact data of specific people.

As an example, we found out that Mr Frank Sabath from the German Bundeswehr Research Institute will hold a keynote at the 2016 International Conference on Consumer Electronics in Berlin. So we tried to register the person "Peter Sabath" and his dataset was presented.

[Screenshot: edas3]

The platform also provides a lookup by e-mail address. When Frank Sabath's e-mail address is entered during registration, the platform informs the user that this address is already used by Frank Sabath.

[Screenshot: edas4]
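The two weaknesses described above, the full address hidden in the page source and the e-mail lookup that names the owner, side by side with a hardened variant. This is an added example and not EDAS code; the registered users, the masking scheme (first letter of the local part plus the domain) and the server-side secret are constructed for it. The hardened rendering keeps the address on the server and hands the client only an opaque HMAC token for the "contact this person" function, and the lookup answers the same way whether or not the address is registered.

```python
import hashlib
import hmac
import html
import re

# Constructed sample of registered users; not data taken from EDAS.
REGISTERED = [
    {"id": 1001, "name": "Anna Example", "org": "Example University", "email": "anna.example@example.org"},
    {"id": 1002, "name": "Peter Example", "org": "Example Institute", "email": "p.example@example.net"},
]

SERVER_SECRET = b"rotate-me"  # hypothetical server-side key for contact tokens


def search_by_surname(query):
    """Matches on given name or surname, as the post describes."""
    q = query.lower()
    return [m for m in REGISTERED if q in m["name"].lower().split()]


def mask_email(addr):
    """Assumed masking scheme: first letter of the local part and the domain survive."""
    local, _, domain = addr.partition("@")
    return local[:1] + "***@" + domain


def render_vulnerable(matches):
    """Masked text on screen, full address in the HTML for a client-side contact link."""
    rows = ['<tr data-email="%s"><td>%s</td><td>%s</td><td>%s</td></tr>'
            % (html.escape(m["email"]), html.escape(m["name"]), html.escape(m["org"]), mask_email(m["email"]))
            for m in matches]
    return "<table>" + "".join(rows) + "</table>"


def contact_token(user_id):
    """Opaque, unforgeable handle; only the server can map it back to an address."""
    return hmac.new(SERVER_SECRET, str(user_id).encode(), hashlib.sha256).hexdigest()[:32]


def render_hardened(matches):
    """Same table, but the address never leaves the server."""
    rows = ['<tr data-contact="%s"><td>%s</td><td>%s</td><td>%s</td></tr>'
            % (contact_token(m["id"]), html.escape(m["name"]), html.escape(m["org"]), mask_email(m["email"]))
            for m in matches]
    return "<table>" + "".join(rows) + "</table>"


EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def harvest(page):
    """What a scraper does: pull every full address out of the HTML source."""
    return sorted(set(EMAIL_RE.findall(page)))


def email_in_use_message(addr, hardened):
    """The duplicate check for a given address. The weak form names the owner."""
    owner = next((m for m in REGISTERED if m["email"].lower() == addr.lower()), None)
    if hardened:
        return "If this address is registered, a reminder has been sent to it."
    return ("This address is already used by %s." % owner["name"]) if owner else "This address is free."


if __name__ == "__main__":
    hits = search_by_surname("Example")
    print("harvested from weak page:", harvest(render_vulnerable(hits)))
    print("harvested from hardened page:", harvest(render_hardened(hits)))
```

The masked address alone does not fix the leak; what matters is that the full address is absent from everything the client receives, and that the lookup by address gives a uniform reply.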

Anti-forensic techniques: Filename “.”

The aim of this technique is to rename a file to the filename ".". Due to a bug (http://sourceforge.net/p/sleuthkit/bugs/203/) in an old version of the forensic suite The Sleuth Kit, such entries were not shown in the directory listing of the fls command. The bug was fixed in version 4.0.2.
It is not possible to name a file "." through the operating system, because that name is reserved for the current directory. The rename therefore has to be done below the file system driver, directly in the on-disk directory entry.

Preparation
Creating a 100 MB file to use as the image:

root@kali:~/antiforensik# dd if=/dev/zero of=img bs=1M count=100
100+0 records in
100+0 records out
104857600 bytes (105 MB) copied, 0.801951 s, 131 MB/s

Creating a FAT32 file system:

root@kali:~/antiforensik# mkfs.vfat -F 32 img
mkfs.fat 3.0.26 (2014-03-07)

Mounting the image:

root@kali:~/antiforensik# mount img mnt

Hiding files on the image
Creating directory structure:

root@kali:~/antiforensik# mkdir -p mnt/nothing_here/secret

Creating the secret file containing username and password:

root@kali:~/antiforensik# echo "root:root" > mnt/nothing_here/secret/password

Unmounting the file system:

root@kali:~/antiforensik# umount mnt

Open the image in a hex editor:

root@kali:~/antiforensik# hexedit img

Rename the "secret" directory. Directory entries are 32 bytes each: the first entry below (attribute byte 0x0F at offset 11) is the VFAT long-name entry holding "secret" as UTF-16, the second holds the 8.3 short name "SECRET". Change …
0018E240   41 73 00 65  00 63 00 72  As.e.c.r
0018E248   00 65 00 0F  00 51 74 00  .e...Qt.
0018E250   00 00 FF FF  FF FF FF FF  ........
0018E258   FF FF 00 00  FF FF FF FF  ........
0018E260   53 45 43 52  45 54 20 20  SECRET

… to …

0018E240   41 2E 00 00  00 00 00 00  A.......
0018E248   00 00 00 0F  00 51 00 00  .....Q..
0018E250   00 00 FF FF  FF FF FF FF  ........
0018E258   FF FF 00 00  FF FF FF FF  ........
0018E260   2E 20 20 20  20 20 20 20  .

The "secret" folder is now named ".". (The checksum byte at offset 13 of the long-name entry, 0x51, is computed over the 8.3 name and no longer matches after the change; a VFAT driver treats such a long-name entry as an orphan and ignores it, falling back to the short name, which is exactly what we want here.) This can be demonstrated by remounting the image and running ls, which now shows two "." entries:

root@kali:~/antiforensik# ls -lah mnt/nothing_here/
total 1.5K
drwxr-xr-x 3 root root 512 May 16 16:18 .
drwxr-xr-x 3 root root 512 May 16 16:18 .
drwxr-xr-x 3 root root 512 Jan  1  1970 ..

With an affected version of The Sleuth Kit, the renamed directory is not shown by fls.
The following command lists the files in the root of the file system:

root@kali:~/antiforensik# fls -a img
d/d 4:    nothing_here
v/v 3225859:    $MBR
v/v 3225860:    $FAT1
v/v 3225861:    $FAT2
d/d 3225862:    $OrphanFiles

Listing the directory "nothing_here" (inode 4), the renamed directory does not appear. The "." entry that fls does list is the current directory itself, with the same inode 4, so the contents behind the renamed directory remain undisclosed.

root@kali:~/antiforensik# fls -a img 4
d/d 4:    .
d/d 2:    ..

Anti-forensic techniques: Slack Space

by Aron Molnar and Alexander Kolmann

Slack space can be divided into partition slack and file slack. Partition slack consists of the parts of the drive that no partition in the partition table claims. File slack consists of bytes allocated within a file system that the file does not actually need; its size depends on the file system's cluster size and the file's size.
File carvers can recover files hidden in slack space, and text passages can be exposed with the strings command.

Partition Slack

root@bt:~/part# mmls dos
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

Slot    Start        End          Length       Description
-----   0000000000   0000000031   0000000032   Unallocated
Meta    0000078126   0000078126   0000000001   Extended Table (#1)
-----   0000078126   0000078157   0000000032   Unallocated
-----   0000117188   0000117188   0000000001   Unallocated
-----   0000156251   0000156251   0000000001   Unallocated

In this listing, the sector in the Meta slot (78126) holds the extended partition table; the other listed sectors are unallocated.
We have an 11 KB PDF file that we hide in the partition slack, starting at sector 78127, just past the extended partition table:

root@bt:~/part# dd conv=notrunc if=testfiles/FileToHide.pdf of=dos bs=512 seek=78127

File carving tools such as foremost recover this hidden object easily.
Knowing where it was written, it can also be read back directly:

root@bt:~/part# dd of=recovered.pdf if=dos bs=512 count=32 skip=78127

This command writes the hidden file to recovered.pdf. The count of 32 covers the whole gap, so the remaining sectors of the gap are copied along behind the PDF.
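The partition-slack procedure as a script, added here as an example (not part of the original post): it parses the mmls listing above, works out which unallocated sectors are really free (mmls reports the extended-table sector both as Meta and inside an Unallocated range, and sector 0 holds the primary table even though this listing does not show a Meta row for it), finds gaps large enough for a payload, and writes and reads it back the way the two dd commands do. The image is an in-memory blank disk and the payload is constructed.

```python
import io
import re

SECTOR = 512

# mmls output from the post, embedded here as test input.
MMLS_OUTPUT = """\
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

Slot    Start        End          Length       Description
-----   0000000000   0000000031   0000000032   Unallocated
Meta    0000078126   0000078126   0000000001   Extended Table (#1)
-----   0000078126   0000078157   0000000032   Unallocated
-----   0000117188   0000117188   0000000001   Unallocated
-----   0000156251   0000156251   0000000001   Unallocated
"""

ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.*)$")


def parse_mmls(text):
    """(slot, start, end, length, description) for each table row of an mmls listing."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            slot, start, end, length, desc = m.groups()
            rows.append((slot, int(start), int(end), int(length), desc.strip()))
    return rows


def unallocated_ranges(rows):
    """Sector ranges no partition claims, minus sectors holding partition tables."""
    meta = {0}  # sector 0: primary partition table (MBR), even if not listed as Meta
    for slot, start, end, _, _ in rows:
        if slot.lower().startswith("meta"):
            meta.update(range(start, end + 1))
    ranges = []
    for _, start, end, _, desc in rows:
        if desc != "Unallocated":
            continue
        s = start
        while s in meta:       # skip leading table sectors
            s += 1
        if s <= end:
            ranges.append((s, end))
    return ranges


def candidates(ranges, payload_len):
    """(start_sector, sectors_available) for every gap that can hold the payload."""
    need = -(-payload_len // SECTOR)  # ceiling division
    return [(s, e - s + 1) for s, e in ranges if e - s + 1 >= need]


def blank_image(n_sectors):
    return io.BytesIO(bytes(n_sectors * SECTOR))


def hide(img, start_sector, payload):
    """dd conv=notrunc ... seek=<start_sector>"""
    img.seek(start_sector * SECTOR)
    img.write(payload)


def recover(img, start_sector, n_sectors):
    """dd ... skip=<start_sector> count=<n_sectors>"""
    img.seek(start_sector * SECTOR)
    return img.read(n_sectors * SECTOR)


if __name__ == "__main__":
    rows = parse_mmls(MMLS_OUTPUT)
    print("free gaps:", unallocated_ranges(rows))
    print("fits 11 KB:", candidates(unallocated_ranges(rows), 11009))
```

Note that the first gap (sectors 1 to 31, between the MBR and the first partition) is just as usable as the one the post picks, and is the first place a carver or an examiner will look.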

File slack
We used an NTFS file system to hide data in the slack space of a file.

root@bt:~/part# fsstat /dev/loop0
CONTENT INFORMATION
--------------------------------------------
Cluster Size: 4096

root@bt:~/part# fls /dev/loop0
r/r 71-128-2:    file5_overwriteme.docx

root@bt:~/part# istat /dev/loop0 71
Type: $DATA (128-2)   Name: N/A   Non-Resident   size: 350990  init_size: 350990
834 835 836 837 838 839 840 841
842 843 844 845 846 847 848 849
850 851 852 853 854 855 856 857
858 859 860 861 862 863 864 865
866 867 868 869 870 871 872 873
874 875 876 877 878 879 880 881
882 883 884 885 886 887 888 889
890 891 892 893 894 895 896 897
898 899 900 901 902 903 904 905
906 907 908 909 910 911 912 913
914 915 916 917 918 919

The cluster size is 4096 bytes. The file system allocated 86 clusters (834 to 919) for the file, so the total allocated size is 86*4096 = 352256 bytes. The real file size is 350990 bytes. Consequently (352256-350990 =) 1266 bytes are allocated but not needed for storing the file. This is the file slack that can be used to hide contents.
The last allocated cluster is number 919.
Start of the slack space = 919*4096+(4096-1266) = 3767054
Byte offset of the following cluster = 920*4096 = 3768320 = 0x398000

root@bt:~/part# dd conv=notrunc if=testfiles/FileToHide.pdf of=/dev/loop0 bs=1 seek=3767054

Caution: if "FileToHide.pdf" is larger than 1266 bytes, the following cluster is overwritten. This may corrupt other files or lose part of the hidden data. Also note that the hidden data survives only as long as the carrier file is not rewritten or extended, since a new write can reuse or zero the slack.
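The file-slack arithmetic above as a script, added as an example that is not part of the original post. It parses the istat output (embedded as test input), computes where the slack of the file begins and how much there is, and refuses to write a payload that would spill into the next cluster, the failure the caution above warns about. The image is an in-memory blank the size of the first 920 clusters and the payload is constructed; on a real device the offsets are relative to the start of the file system, as with /dev/loop0 in the post.

```python
import io
import re

# istat output from the post, embedded here as test input.
ISTAT_OUTPUT = """\
Type: $DATA (128-2)   Name: N/A   Non-Resident   size: 350990  init_size: 350990
834 835 836 837 838 839 840 841
842 843 844 845 846 847 848 849
850 851 852 853 854 855 856 857
858 859 860 861 862 863 864 865
866 867 868 869 870 871 872 873
874 875 876 877 878 879 880 881
882 883 884 885 886 887 888 889
890 891 892 893 894 895 896 897
898 899 900 901 902 903 904 905
906 907 908 909 910 911 912 913
914 915 916 917 918 919
"""


def parse_istat(text):
    """(clusters in file order, file size) from an istat listing of a $DATA attribute."""
    size, clusters = None, []
    for line in text.splitlines():
        m = re.search(r"\bsize:\s*(\d+)", line)   # \b excludes init_size:
        if m and size is None:
            size = int(m.group(1))
        elif line.strip() and all(tok.isdigit() for tok in line.split()):
            clusters.extend(int(tok) for tok in line.split())
    return clusters, size


def slack_layout(clusters, cluster_size, file_size):
    """(byte offset where the slack starts, number of slack bytes).

    The slack sits at the tail of the last cluster in file order, so for a
    fragmented file clusters[-1] is what matters, not the highest cluster number."""
    slack = len(clusters) * cluster_size - file_size
    start = clusters[-1] * cluster_size + (cluster_size - slack)
    return start, slack


def hide_in_slack(img, clusters, cluster_size, file_size, payload):
    """Write payload into the file's slack; refuse rather than overwrite the next cluster."""
    start, slack = slack_layout(clusters, cluster_size, file_size)
    if len(payload) > slack:
        raise ValueError("payload is %d bytes, only %d bytes of slack" % (len(payload), slack))
    img.seek(start)
    img.write(payload)
    return start


def recover_from_slack(img, clusters, cluster_size, file_size):
    """Read back the whole slack region; trailing bytes beyond the payload are whatever was there."""
    start, slack = slack_layout(clusters, cluster_size, file_size)
    img.seek(start)
    return img.read(slack)


def blank_image(n_bytes):
    return io.BytesIO(bytes(n_bytes))


if __name__ == "__main__":
    clusters, size = parse_istat(ISTAT_OUTPUT)
    print("slack starts at %d, %d bytes" % slack_layout(clusters, 4096, size))
```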

upribox – Usable Privacy Box

The sources of the upribox project (usable privacy box), which I participated in, were recently published on GitHub.
The upribox is a Raspberry Pi running Raspbian with a USB WiFi dongle. It opens the SSID "upribox", which filters trackers and advertisements out of the network traffic, either at the HTTP level or by blocking DNS responses. This makes it possible to surf the web on any device without an ad-blocker; it also works for ads embedded in apps.
A second SSID, "upribox-ninja", not only filters advertisements and trackers but also routes the traffic through Tor for anonymous surfing.
There is also an OpenVPN service (ports are opened via UPnP) for a secure, tracker-free connection on the move. Check out the upribox web interface at upri.box.

[Picture: upribox]
Picture: Raphaela Raggam, St. Pölten UAS

HPARemove


The Host Protected Area (HPA) is a region at the end of a hard drive that is invisible to the operating system and can be created or removed via ATA commands (see Wikipedia). Because it is invisible, a forensic image taken without checking for it misses the hidden sectors; on Linux, hdparm -N /dev/sdX reports the visible versus the native sector count.

This tool can set or remove the Host Protected Area of your hard drive (volatile or permanent) on Windows operating systems.
Hard drives connected via USB or SCSI are not supported.

Device Configuration Overlay (DCO) is not supported by this tool.

The usage of this tool can cause severe damage and data loss.
Use it at your own risk! No Warranty. Use it only if you know what you’re doing!

Usage "HPARemove [-h] [-i] [-c] [-s <#> [-p]] "

Options:
        -h                      Show this help.
        -i                      Get basic information about the drive.
        -c                      Check if HPA exists.
        -s <#>                  DANGEROUS!
                                Set maximum visible number of sectors.
                                '0' sets it to the maximum size.
                                DANGEROUS!
        -p                      Makes changes permanent.
                                Only valid with '-s' option.

For enhanced usability, HPARemoveGUI is provided.
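How a tool like this detects an HPA, as an added example that is not HPARemove's code: the drive's IDENTIFY DEVICE data (256 little-endian 16-bit words) states how many sectors the host may address, in words 60-61 for 28-bit LBA or words 100-103 when word 83 bit 10 says 48-bit addressing is supported; word 82 bit 10 says whether the HPA feature set exists at all. The native capacity comes from a separate command (READ NATIVE MAX ADDRESS, or the EXT variant), which is not simulated here and is passed in as a number. The difference between the two is the size of the HPA, and SET MAX ADDRESS is what moves the visible limit (the tool's -s), with a non-volatile bit that corresponds to -p. The IDENTIFY blocks are constructed; no real drive is touched.

```python
import struct

IDENTIFY_BYTES = 512


def identify_words(buf):
    """IDENTIFY DEVICE returns 256 little-endian 16-bit words."""
    if len(buf) != IDENTIFY_BYTES:
        raise ValueError("IDENTIFY DEVICE data must be %d bytes" % IDENTIFY_BYTES)
    return struct.unpack("<256H", buf)


def hpa_supported(words):
    """Word 82 bit 10: Host Protected Area feature set supported."""
    return bool(words[82] & (1 << 10))


def lba48_supported(words):
    """Word 83 bit 10: 48-bit Address feature set supported."""
    return bool(words[83] & (1 << 10))


def user_addressable_sectors(words):
    """Sectors the host is allowed to see; an HPA lowers this below the native size."""
    if lba48_supported(words):
        return words[100] | words[101] << 16 | words[102] << 32 | words[103] << 48
    return words[60] | words[61] << 16


def hpa_size(words, native_max_lba):
    """Sectors hidden by the HPA, given the highest native LBA from READ NATIVE MAX ADDRESS (EXT)."""
    hidden = (native_max_lba + 1) - user_addressable_sectors(words)
    if hidden < 0:
        raise ValueError("drive reports more user sectors than native sectors")
    return hidden


def build_identify(total_sectors, lba48=True, hpa=True):
    """Constructed IDENTIFY DEVICE block for testing; not data from a real drive."""
    w = [0] * 256
    if hpa:
        w[82] |= 1 << 10
    if lba48:
        w[83] |= 1 << 10
        for i in range(4):
            w[100 + i] = (total_sectors >> (16 * i)) & 0xFFFF
        capped = min(total_sectors, 0x0FFFFFFF)   # 28-bit field saturates
        w[60], w[61] = capped & 0xFFFF, (capped >> 16) & 0xFFFF
    else:
        w[60], w[61] = total_sectors & 0xFFFF, (total_sectors >> 16) & 0xFFFF
    return struct.pack("<256H", *w)


if __name__ == "__main__":
    native_max = 1953525167                      # a 1 TB drive: last native LBA
    words = identify_words(build_identify(1953525168 - 2048))
    print("HPA feature:", hpa_supported(words), "hidden sectors:", hpa_size(words, native_max))
```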