Disclaimer: I would never jailbreak a device that was going to carry my personal information. You should not either. It is absolutely at your own risk.
This blog post is about getting started with assessing iOS apps. I had not done this in a few years and so this is notes to bridge the past with modern which may be of use to you.
There is currently a stable root exploit called “checkra1n“. This works at the bootloader level and so long as you prevent your rooted handset from rebooting you will have a rooted handset. There is stable exploitation tools for Linux and now for Windows.
I use Windows as a host OS. I do this for many reasons but the simplest one is because Linux works better in a VM than windows does in my experience. I tried checkRa1n in a kali VM with the phone passed over USB directly to the VM. This was a dead end. The exploit process looked like it was working but it never completed, do not enter this cul-de-sac.
To get around that I could have tried the Windows exploit tools. But I selected to use “bootra1n“. This was a bootable USB Linux distro which included checkRa1n and it worked exactly as advertised.
Install the device via app store
Setup a test account without any of your real personal info.
Sign in to the app store, and then install your target app on the device.
There are other ways to install apps including “3uTools” (see section later). For me this did not work as my target app was not available in the app store they maintain. If your target is available for install then you will find an easier process where you don’t need to dump the IPA file as described in the next section.
Dump IPA file from handset
On Jailbroken Handset
Open Cydia and install “frida-server” as per this guide.
Inside a Kali VM (I used a VM, you can go barebones. Process did not work on Windows).
Install frida
pip install frida-tools
Inside Kali install “frida-ios-dump”
apt-get install libusbmuxd-tools
ssh -p 2222 root@localhost # leave yourself connected to this session
git clone https://github.com/AloneMonkey/frida-ios-dump.git
cd frida-ios-dump
pip install -r requirements.txt
Now all you need to do is run “dump.py” against your target as shown:
python3 dump.py <target_app_name>
To obtain the correct target app name use “frida-ps” as shown:
frida-ps -Uai
Getting MobSF The Quick Way
MobSF is an excellent tool for gathering some low hanging fruit. As a minimum I would advise throwing every IPA (and Android APK) through this for static analysis. It does a good job of finding strings which may be of use, as well as analysing permissions and other basics. This post is about getting you started and MobSF will be an excellent place to end this post.
Install docker as per this guide. Then after you have that up and running you can get access to MobSF using this:
docker pull opensecurity/mobile-security-framework-mobsf
docker run opensecurity/mobile-security-framework-mobsf
This will start an HTTP listener bound to 0.0.0.0 which is great. But you need to know what IP address Docker just gave you. First list your running containers:
docker ps
Then use docker inspect with a grep to get that for you:
docker inspect <container_id> | grep IPAddress
Fire up your web browser at http://YOUR_IP:8000/ you can now upload the IPA file and it will give you that static analysis juice.
3uTools
This is a beast which gets around having to install iTunes. A bit of software I have a ~15 year old past with which I frequently refer to as a “virus”. It is simply not possible for iTunes to be as shit as it is/was. Therefore, it must have been maliciously generated.
3uTools allowing you to dodge the virus that is iTunes
A lot (but not ALL) of apps from the app store are available for install using this. You will still need to supply legit app store creds to use that feature. If you can install using 3uTools then you get a super easy way to export the IPA file. But it only works on apps installed via 3uTools. In my case the app I needed to examine was in the app store, but not in the 3uTools equivalent.
Thats it from me, I am not going to rehash how to test an iOS app here as there are excellent resources explaining how to do that.
Your next steps would be to Google the heck out of these things:
In this post I am going to cover some pitfalls of Penetration Testing. It is kind of three rants stitched together. Loosely around the theme of how we generally interact with customers, as well as the reporting processes that I have seen over the last 15 years.
A person whose job it is to respond to penetration testing findings was asked this question:
What are the pain points you have experienced when responding to Penetration test findings?
This is what they said:
“…For my part, as an engineer that gets the fallout from these things I can tell you that I really hate that these scans report stuff that’s been fixed by back-porting by the suppliers. I’ve lost count of the number of times I’ve had to explain to SecOps, Managers and developers that the hundreds of “alerts” they have can be ignored because RedHat have already backported fixes not reflected in the reported version numbers. Time to get off one of my soap boxes!..”
— Anonymous fighter in the trenches
It is also worth noting that this was not a customer of ours.
I yelled “preach!”. Whoever this was I really love that they hit the nail on the head. I opened my most recent report where I had tackled that concern , I hope, adequately:
An except from a report
I hope that if the anonymous responder were to have seen my report. That they would at least see that I considered their plight, and that I have given them an easy out when responding to their manager. “Look, this guy even said it is possibly a false-positive”.
The target had a server banner which, if true, was vulnerable to several things. Unfortunately the OS was not listed in the banner (and was not otherwise 100% confirmed) so I could not prove or disprove the versions without either exploiting the issue, or being given more access. Had the banner said “RedHat” then I would most definitely have changed what I said. It would say there is a high potential that backporting was being used.
This set me off thinking again about how our industry often fails the customers we are paid to help.
If our industry has heroes they may or may not wear capes. But they almost definitely work on the blue side in my opinion. The brave souls tasked with the gargantuan task of interpreting penetration testing reports. From multiple consultants, from different vendors. The variability of output is enormous. These warriors have to find someway to make it work regardless of what thing has arrived as the deliverable.
I have seen Pentest companies who try to solve it in two ways:
Dictatorship – Based on one person’s vision you set a reporting standard.
You develop a rigid knowledge base of vulnerability write ups which tells everyone exactly how to report something. This includes fixed recommendations which must be provided.
You retrain every consultant in your team to meet that standard.
You yell at people during QA to remove any sense of individuality in reporting.
You fall out over CVSS risk ratings because “we need to risk this exactly the same way as the customer got an XSS which was 6.5 last week”.
Some Customers LOVE This. They don’t want any variability because the master spreadsheet they have with all vulns exists. They want the exact risk score for every instance of a vulnerability ever. They just like it neat.
The goal is to make every report as identical as possible across any customer and from any member of the team.Robotic Reporting.
Cheerful Anarchy – You set a baseline standard for reporting by providing a structure for the reporting and a style guide. Then you let folks have at it!
You accept that Pentesting is consultancy profession. Which is influenced by the experience of the consultant doing the work along with their understanding of the risk appetite for the customer.
You provide a basic knowledge base of vulnerability write ups which covers a consistent title, background, and baseline risk score. Then encourage the consultant to produce the remaining content just for that project.
You train your consultants to understand risk calculation and expect them to alter the baseline risk considering every instance they see.
The goal of this is to make every report tailored. Therefore inconsistencies will exist such as two consultants finding the same vulnerability with the same impact but providing different risk ratings.
Of the two I have always preferred cheerful anarchy. I know that some customers absolutely want a penetration test to deliver consistent results over time. It helps them sleep at night. I argue that a little anarchy might be good since the consultant should be free to express their opinions SO LONG AS THEY EXPLAIN THEM WELL ENOUGH.
In truth you need to essentially support both in 2020. Big accounts who want the consistency need to get it. Other customers who are perhaps in earlier stages of their security maturity processes should be given tailored findings in my opinion. They haven’t necessarily encountered an SQLi before, so you need to contextualise it a lot more. So I recommend being so flexible that you can be rigid… I suppose?
Places where a penetration tester needs to be super clear is when dealing with potential false-positives. If the only evidence you have is from a vulnerability scanner then you have not done a good job. I implore you to always find some other means of confirmation.
In situations where the vulnerability is raised only based on banners.. Then your flow is to:
Find a working exploit. If you can, then try to exploit a docker container or VM with the same software first to verify the payload works well. Ask the customer if you can use the exploit. If you have done it in your lab first you can explain that it works well without a risk to stability. Otherwise you can warn them that it may trigger an outage. They can then make the decision themselves as it is their risk.
If no exploit is available. If you can, then execute OS commands to verify the installed patch. In most cases you do not have this access. You can either document the finding with caveats (as my report did), or.. and I appreciate this is a revolutionary idea. You can ASK the customer to confirm the installed version themselves and provide a screenshot. In my case the time was not available to do so and I was forced into the caveat approach.
I know, I know. I suggested you speak to the customer! Worse still I say you should ask them to support you improving the quality of how you serve them. You should not forget that a Penetration Test is a consultation, and that you are on the customer’s team for the duration of the engagement.
They say you should never meet your heroes. But it has been going really well for me when I speak to them so far.
I needed to send an encrypted file to a user with a Mac. They were unable to install additional software on their machine, and I have no Mac to verify things on.
By default Mac’s roll with openssl installed (thanks Google), so the solution seemed to be to use that.
You can debate the encryption algorithm choice and substitute as appropriate. But the basic syntax for encryption and decryption using AES-256 is shown below:
Note: again this command will prompt for the password to be entered before extracting.
Warning; running with scissors
This is securing with a password. Go big or risk exposure here. Someone could always try brute force and you want to make sure that takes way way longer than the validity of the information you are protecting. I recommend 72,000 characters long as a minimum to be sure.
Now you have a key distribution problem though. How to get the password to the other person securely? You cannot email them the password since this is the same delivery mechanism for my scenario.
Generally WhatsApp (or other end to end encrypted chat client to a mobile phone) is good.
Phoning and saying a long password can be awkward but works (so long as they promise to eat the paper they write the password on immediately).
SMS is less secure but still verifies that the user is in possession of that person’s phone.
Little bit of charity – The #BoycottYourBed charity was raising money for Action for Kids. The idea was simple; go sleep someplace other than beds in your home. I could not get the kids to focus on the live stream. Because they were too excited about a massive den that was being built to sleep in. It came to a sticky conclusion when a kid prodigiously vomited over much of the den… So.. I scrubbed, cleaned, and then relocated to the kids room on the floor in a snuggly pile. Until that point it was probably the most fun the kids have had in months.
Back to School – The return to school has been amazing. They were so bored at home for such a long time that no amount of amusement seemed to do. Now we are having a much happier kid and much better weekends together since everyone isn’t knackered.
Adventures Outside – We made it to the park together at weekends because, as I said, everyone wasn’t totally knackered by my days off. It has been a long lock down and a struggle to get everyone outside at the same time. This was very good. More of this.. oh. whoops its winter. The leaves are falling 😀
10k steps rolling on every single day – All the way back to Christmas Eve 2019. Some seriously… Seriously tough days in August. Early in the month Kid A succumbed to food poisoning and I basically didn’t sleep for 7 days while sitting up with them. But here I am another month more into this stupid goal!
TV – Ashes to Ashes – What a show. It has taken quite a while to re watch but it is such an excellent programme. That ending is absolutely sublime and you should not read the rest of this blog post if you have not watched Life on Mars and Ashes to Ashes. Drop whatever you are doing and start watching them. They really pay out.
Audiobook #1 – Rama II by Arthur C Clarke – Listening to the first one has really lit up my brain for thinking about the cosmos again. Getting the second one the moment the first one ended to continue the story was *obvious*. This time we are given characters and tension based on them interacting which is interesting. The first one now seems like some idyllic jaunt now by comparison. Very entertaining.
Audiobook #2 – The Garden of Rama – In for a penny eh? Straight into the 3rd part. Anything at this point is probably spoilers.
Gaming – Rise of the Tomb Raider was this months PS Plus title. I devoured that. I like single player titles with a story. It basically was like “tomb raider does Arkham Asylum”. The mechanics are all giving off super batman vibes. That is a good thing because it is possible to play stealthily. The game says I have approximately 97% completed it. Given that is based on collectables that are not on the map I am considering is it really worth walking every area to go further? After completing games they should just mark things on maps in vague areas with circles to search in.
The bad
Had a bit of a panic attack over the last weekend of August. As before the triggers seem clear. Not sleeping well again and having rather a lot of things going on at the moment. Even when the things are awesome and well worth it. It is still a reminder to get more sleep.
Highlight of the month
Work highlight: I delivered a job and got some amazing feedback from the customer. Never underestimate the value of feedback (positive, and negative). Be kind, stay constructive. Other than that tell everyone all of the things all of the time!
Life highlight: I said I couldn’t sleep right? I made a stupid short film because I was asked to make a single monstrous slice of toast. I mostly wanted to document the horrible slice of toast existed.
Ever wanted to use 3rd party python libraries when making a Burp Extender? I had somehow avoided it until recently.
Warning: Be aware before pasting in the commands below that I think they configure your new pip environment and store all dependencies inside a new folder within the current directory.
There I was finding a lovely Cross Site Scripting (XSS) vulnerability in a customer site today. Complete beauty in the HTTP 404 response via the folder/script name. So I started to write that up.
I peered at the passive results from Burp Suite and noticed a distinct lack of a vulnerability I was expecting to see:
I looked at the HTTP headers and saw this peering back at me:
X-XSS-Protection: 1; mode=block
Burp was correct not to raise that issue because it detects where that very header is insecurely set or non existent.
For the uninitiated the “X-XSS-Protection” header is supposed to tell web browsers to inspect content from the HTTP request which is then present in the immediate response. It had a laudable goal to make reflected XSS a thing of the past, or at least harder to exploit.
Chrome liked it so much it defaulted to having it enabled. Even if the server didn’t bother setting it. This caused much consternation.
Stawp making the world safer Google… Jeez!
I thought ah this is my testing browser (Firefox) I must have overridden the XSS filter.
So I try in Chrome.. *pop pop*.
So I try in Edge.. *pop pop*.
I think I google “Is X-XSS-Protection still a thing?” and stumble across this nugget:
No. It is not a thing. Has not been a thing for a little while.
The modern approach is to ensure that you use robust Content-Security-Policy settings. The radical approach is to prevent XSS by secure coding practices which will just never ever catch on.
Security tools and scanners including: nikto, burp suite, and nessus all still pull this header out as something to be reported on. Does it have any real relevance if user-agents simply ignore it now?
It may impact older browsers. But generally when you are talking about any web browser that is old. There will be some way to completely control the victim’s computer. Logically you should only concern yourself with where the herd is running at today.
My approach is to take this out the back to put it out of its misery with a few rounds through the head(er). Then I will stuff it and mount it onto my wall next to “Password Field with autocomplete enabled”. Which is itself deprecated based on browsers also choosing to ignore it.
Time rolls on and standards change. Lets have a round of applause for good old “X-XSS-Protection”. It has been a good sport. A brilliant contender but sadly it never truly saw its potential realised because Arsenal kept buying replacement wingers. It never got any game time.
10k steps rolling on every single day – I have worked in a few jogs a week this month to get the heart rate elevated more regularly. It comes with the obvious benefits for doing so. My resting heart rate has gone down around 6 BPM which isn’t to be sniffed at.
Calorie Calculator – I know what helps me to lose weight. My level of activity has been fine but really the key is to stop ingress of breaded or cakey items. In lockdown my cupboards suddenly got flooded with tonnes of food because the uncertainty of delivery slots made us guess what was needed for a week+ at a time. In the general meh mod alcohol went up, food went in, and the natural impact was weight gain. For the last week of July I went back to tracking calories. A process I find so dull it unilaterally stops me snacking.
Bid on houses – I have always wanted a house with a garden. I was not fortunate enough to grow up with that and it is something I clearly aspire to. Lockdown certainly made me not want to wait anymore so co-incidentally when the market opened in Scotland again I went to view a property. I bid on it but it went for silly money beyond the valuation (50k or so more). The positives are that we got familiar with the process, someone came and valued our place, and I spent a long weekend cleaning and now love my flat more.
DIY in the flat – With a house move unlikely it means I get to focus on the flat some more. I hung some blinds in the kitchen which stops the massive stream of sunlight in the morning taking the sting of the sun out. We have also sought some quotes to finally tackle the horrible part of our flat – the central heating plumbing. Since we will be here for a few more years most likely I don’t want to go into another winter with the kids bedroom being cold. Also finally being able to decorate after this would be amazing.
Reading/Audiobooks #1 – I completed White Fragility by Robin DiAngelo over many morning walks in June and early July. The biggest revelation to me was how we allow “racist” to be so narrowly defined. It is conflated to mean “is a bad person” and to mean discrete individual acts of hatred which are both intentional and overt. Really we can deal with those incidents as being perpetrated by assholes. We pat ourselves our backs for not being those guys. While remaining oblivious to the underlying societal problems. Thought provoking read. Well worth an audible credit.
Reading/Audiobooks #2 – Several people have recommended the subtle art of not giving a fuck by Mark Manson. It is entertainingly written. It however feels like “bro” science and thus far seems pretty obvious to me. Don’t care about the things you cannot change. Pick your battles. Rather than saying anything new it appears to be a love note to tell you to not bother with any self improvement techniques at all. But look at me. Accusing something of merely being snide by being snide. It has helped more people than I could ever hope to. There has been some bits encouraging me to think about some of my choices. Not an absolute train wreck, but I was not bowled over.
Reading/Audiobooks #3 – Randevous with Rama by Arthur C Clarke. A legend of a friend of mine recommended it. I have been entirely captivated by this and it represents a triumphant first fiction book of 2020.
Gaming – I completed the Last of Us Part II. It is hard to say you “enjoyed” it unequivocally. Because I think if you are doing it right this game is toying with you the player. The narrative arc has a few fixed set points where you MUST behave in a certain way. In an otherwise open world you simply MUST do some questionable things to proceed. They are not glorified though they are horrific. To survive the post apocalypse you have to develop emotional calluses which first means taking a few bruises. THIS IS AMAZING. Any thrill for vengeance was totally and absolutely wrung out of me before the final act.
Gaming #2 – I fired up the original XCOM game from way back in 1994. This game has captivated me most summers since 1994 and I give it a play through in a couple of evenings. It is an absolute classic.
Work – A customer project saw me do an architecture review. I really enjoyed it. It has been a while but I was just in love with the full adoption of Devops/Secops/Psyclopses/Containers etc. So many of the tools and technologies required to make something which starts secure are free and relatively easy to use. What a time to be alive?
Music – I ordered a new practice amp from Positive Grid before lockdown. It took 4 months to arrive. The product has been fun and I have not had more than an hour to play with it. I can easily see how this would help me improve my playing by giving me automatic backing tracks to learn to solo over. I have put the day back but now it may be the time to learn scales instead of the “by feel” approach I have. Humans implicitly hear the bum notes. So you can cobble together what sounds right without formality. Just eventually I guess I should grow up and learn the instrument!
Music #2 – as a satire on the need to run Doom on any device or it hasn’t been “hacked” I did this moments after getting it out the box :D. The tone is a default one on the amp I don’t think I used the app to get that. It makes some gorgeous tones.
— ℙ𝕒𝕦𝕝 ℝ𝕚𝕥𝕔𝕙𝕚𝕖 🏴 (@cornerpirate) July 25, 2020
The Bad
End of July blues. While the month was running along very positively it hit Thursday 30th and suddenly I was just completely “meh” about life. I didn’t get to sleep on time on Wednesday finally getting about 4h30m sleep according to my tracker. Add into the mix that I was calorie counting and it is probably just a huge energy dip.
I am not overly concerned since a day of being depressed when you are better at recognising why is probably a sign of progress.
Did you know that Dr Who has no officially been back in production longer than it was taken off air? The tipping point was July 2020. The Glasgow Dr Who meetup group were looking to celebrate that fact socially distanced so I knocked that monster out in a wonderful 30 minutes or so. Fun but it was way pasta my bedtime to do it.
Moving about – 10k steps achieved again! Every day since Christmas eve 2019. Some days it has been exceptionally difficult. Still.. Clinging on to this one achievement belligerently. I did do a few mornings of light jogging to improve the heart rate zoning so probably better than last month. Otherwise the quality of the movement is pretty low.
Content – A blog post! – Like an actual one about technical stuff that is hopefully useful. Mainly about development but shows some of the impact of a pentest report landing and making wild claims about how simple it is to just patch things. I like to try and replicate responding to a report. It helps me make better recommendations which have a dash of empathy when I know it is going to be an absolute pain to implement.
Decorating – bought a new TV stand, threw out a tonne of things and made the living room look infinity nicer. Much better for the psyche looking at nice clean walls. Lockdown seems to have prevented me buying accessories for trunking I am looking at. So I will have to wait to finish the basic human level of decoration I want. But as I said infinitely better. Following a philosophy of doing one thing a weekend at the moment.
Gaming – Completed Uncharted 4 – Obviously an excellent title. Discovered that there was Uncharted: The Lost Legacy for extra stories which I am working on now. Also a great game. Last of us Part II came in and I am absolutely loving it so far. 5 hours in I realised the last 5 games I have played have all been NaughtyDog. They seem to be cornering the single player story genre.
Security Research – I worked for several days on my tools RDPUpload and RDPDownload with the blessing of my employer. Both came out of projects I have worked on but I took the time to formalise them and put them in a blog post. If you see the highlight of the month you can also see I pushed myself to publish it perhaps a bit earlier than they were ready. The official work blog and tool release hasn’t happened yet though.
The Bad
Panic attack. First one since early February. Despite everything that has been going on in the world I have remained amazingly unfazed. It goes on to prove that my particular problem is a lack of sleep. After the kids stopped going to bed before 10pm for a solid couple of weeks I had a sudden panic attack at 2am and couldn’t get to sleep. It had less of an impact than previous bouts, but I was still knackered for a day or two after.
Result: Going to bed for a few nights in a row when the kids did instead of sitting up to get some adult media content time. Not the wholesale changes to lifestyle I was managing at the start of the year. But I have definitely let all the things I was doing go during lockdown.
Highlight of the month
Talking to the beautiful people at Abertay Hacksoc. I had been doing research and making tools to release a blog post for work. When asked to speak to the students on the Monday I said “lets do it!”. It led to a panicked two days trying to make some content and a practical demo. Here is part of the talk via a tweet:
In this blog post I discuss how I migrated an old Netbeans project (Specifically ReportCompiler) to retrofit Maven and to integrate OWASP’s dependency check into the build process.
I made ReportCompiler a long time ago (long enough that Java was a sane choice). It is in no way complete and has adorable missing or half implemented thoughts throughout it.
It will import “.nessus” XML files and various other vulnerability scanners too. I use it mostly as a Nessus viewer since my gripes with the UI experience in browser are legion. I have a love affair with it in particular though because it has saved me an unbelievable amount of time over the years even accounting for the initial intense development time.
I do not use it every day like I used to and so the project is only lightly supported by me.
Getting up and running
Open up netbeans (I originally designed the GUI in this so it kind of needs to be netbeans unless another GUI editor works just as well?).
Create a new “maven” project.
Copy the source code from your previous project into the source folder.
Deal with any package renaming because of this movement. They will be highlighted in red at the top of every class file.
Check import statements for warnings. Each underline here points to a dependency we will need to include using maven now.
For each import error copy the package name for example “org.python.util.PythonInterpreter” and google it with the word “maven”. This will find the package that you need to import. For example:
Google Hacks Confirmed!
Clicking on the top result will show you the information about the relevant maven package:
Found Jython Package
Notice that in this example the latest version was newer as highlighted. Click on the newer version. Then copy and paste the “<dependency>” tag into your projects “pom.xml”.
After adding each dependency build the app again and watch that import statement fix itself. Repeat until all the red underlines have vacated your project.
Given the age of ReportCompiler there were a few deprecation warnings around the use of Vectors etc. I did not massively feel the need to redo the code for that since it has Vectors in pretty much every single area of the application. Now I feel the developer pain. Some day the rug will be pulled but for now we are golden. Vectors survive for now.
By the end of this my application compiled and executed. The only thing that did not seem to work was the resources folder including the risk icons. I wrapped the code loading these icons in a “try catch” statement to see a more verbose error message and to ensure the app loaded despite the wonky icons.
Bundling the app and dependencies into a single Jar
To fix the wonky icons I needed to ensure the resources were included inside the Jar file or otherwise copied during the build. The simplest route I found was to use the “maven-assembly-plugin”. Adding this to the “pom.xml” file resulted in a self-contained single jar file with all resources:
In my new project the image icons were located under the “src/main/resources” folder. Maven tutorials all say this is where to put them:
resources folder
To access these resources I modified my code to use “getClass().getResource()” as shown:
try {
this.critical_risk_icon = new ImageIcon(getClass().getResource("/critical-icon.png"));
this.high_risk_icon = new ImageIcon(getClass().getResource("/high-icon.png"));
this.medium_risk_icon = new ImageIcon(getClass().getResource("/medium-icon.png"));
this.low_risk_icon = new ImageIcon(getClass().getResource("/low-icon.png"));
this.info_risk_icon = new ImageIcon(getClass().getResource("/info-icon.png"));
this.no_risk_icon = new ImageIcon(getClass().getResource("/none-icon.png"));
this.computer_icon = new ImageIcon(getClass().getResource("/computer-icon.png"));
this.show_highlights = showHighlights;
} catch (Exception ex) {
ex.printStackTrace();
}
Terrific. Now the risk icons were loading beautifully.
Integrating OWASP’s Dependency Check
The reason I was moving to maven was to add sanity into the dependency management. The version of ReportCompiler to date was stuck with whatever jar files I downloaded back when I wrote the project. I consoled myself with the fact that none of the code is remotely accessible which reduced the threat profile.
But here was a Pentester clearly not practising what they preach. Yelling “patch all the things” by day while my barn was on fire. This gave me an opportunity to experience life from the other side of the fence for a bit. Which we should all practice regularly.
OWASP’s Dependency Check does an excellent job of listing known vulnerabilities in dependencies. I have tried it out in a few different contexts over the years and wholeheartedly recommend it to customers. It will not solve security problems on its own. But it will highlight easily fixable weaknesses from third party libraries.
I added this to my “pom.xml” to add it into my build process:
The goal was set to “check”. In this configuration dependency-check runs when the application is built and an HTML report will be created in the target folder next to my jar file. You can set the build to halt if risks over a certain CVSS score appear which I would recommend for an actively maintained project which is mission critical.
Below is an example report kicked out during a build with some CVE’s to show:
Dependency-Check Report Containing 55 known vulnerabilities
I went through all my maven dependencies and ensured the most recent releases were included (or so I thought). By running “clean and build” again the vulnerabilities related to Apache POI disappeared. Partial success!
My “pom.xml” did not point specifically to any of the remaining vulnerable libraries meaning that they were most likely “dependencies of my dependencies”. I shook my fist at the sky and cried out about how the supply chain will always get you.
I found that netbeans will draw a handy dependency graph. In “Project” view expand the “Project Files” folder and click on “pom.xml” and then on the tab labelled “Graph” along the top to see this:
Netbeans POM.xml dependencies graph
I could now throw shade at “docx4j” 6.1.2 which was build with Apache Commons Compress version 1.12 when version 1.20 is available. On looking into this 6.1.2 was nowhere near the latest version of “docx4j”! There were newer ones with slightly different names available. Hot swapping that out solved the “apache-commons-compress” related CVEs.
The most recent maven release of “docx4j” (version notes for 11.1.8) was compiled with several outdated dependencies. Unfortunately “jackson-databind-2.9.9” was included and vulnerable to 26 known CVEs. There was no danger of fixing this soon and it would most likely require opening a ticket on the docx4j project.
Drilling into the others I found that “jexcelapi” had a vulnerable version of “log4j” as shown in the graph below:
Log4j 1.2.14 baked into jexcelapi
Looking into it the project for “jexcelapi” was no longer supported since it was last released in 2009. A prime candidate for being entirely replaced. A quick google found that Apache POI is the new hotness. I cutout the old library and went for something that was supported.
At the end of this process I had tried my best but ended up with vulnerabilities via docx4j’s jackson-databind dependency. C’est la vie.
Fixing vulnerable Dependencies is Hard
After thinking about it I can see four ways to proceed with fixing all known CVEs in my dependency chain:
Do I really have the most recent release of my dependency? Look up the actual project’s page and see if there is a later release.
Can I contact the maintainer and get them to update their public build with the newer dependency baked in? This would fix the issue and eventually filter back into the maven ecosystem. Probably need to do that for docx4j.
Do I need that dependency? If it is a minor feature and you are all up to date maybe you can remove the feature or implement it another way. As per jexcelapi.
Can I build my own version which is secure (recompiling with the latest libraries)? However, this instantly breaks the mavenness of the dependencies
Now I imagine what it is like when a Pentest report lands heartlessly saying “update your dependencies”. It is clear that this is still a tricky problem in 2020.
This is the end
That was the end of the process. The application compiled and had the same bugs it had before but now had more up-to-date dependency management. Folks may now be more inclined to contribute to the project, and I am more inclined to support it.
Hopefully you found something of value in the tale.
Activity – 10k steps… every day.. Going all the way back to Christmas Eve 2019. I have brought an old treadmill back into service during lockdown. I go outside for a decent walk a couple of times a week.
Uncharted Games – the remastered 1-3 and 4 have all been given out for “free” with PS Plus over the last few months. I have waded my way through 1-3 and am onto 4. They tell really fun stories even if I find the shooting a bit repetitive at times. The puzzles are often worth it.
Life on Mars/Ashes to Ashes – if you have not seen LOM/A2A before then I envy you because you have a hell of a ride to go on. I encourage you to do so.
Security Research#1 – Work gave my team an opportunity to take on security research against some open source projects. We had a lot of fun and found a tonne of vulns that we are in the process of disclosing.
Security Research #2 – I had time to implement a process for data exfiltration using QR codes (RDPDownload). This is the opposite of my RDPUpload tool that I made a few years ago. While not a brand new technique I enjoy building exfiltration tools to see the trade offs involved and yes this worked on a genuine project. I am working on releasing that tool this month.
Decoration – Given lockdown makes me stare at my walls I realised I am not in-love with my flat anymore. I have gone on a programme of doing a minor bit of decorating every night for two weeks. Filling holes here. Sanding and painting there. While I am no expert at this the results are sufficient to mean my eye isn’t drawn to various defects that were driving me mental. The benefits of this for mental health has been huge.
Audiobooks – I was unable to get through any in May 😦
The Bad
In 2019 I was immobilised for months and was unable to get out of the house. I gained a lot of weight as a result and felt like crap. Indeed the whole point behind this “Captain’s Log” series was to show the positive steps I was taking to avoid a repeat of that period of my life and to get physically and mentally fitter.
Under lockdown my mental health has remained robust. By the end of May I decided to weigh in to discover indeed I had put on all the weight I had lost pre-lockdown. Not shocked but it is also a little annoying.
Kids out of their routine == Cranky days, late nights, and early waking.
When you are not sleeping right then weight gain is basically inevitable. Fortunately, the kids have started to sleep more regularly in the last week. So light at the end of the tunnel.
Highlight of the month
I think the decorating has really been the highlight. While there is still absolutely tonnes to do. It feels positive like I have stopped treading water and gone on to exert control over my domain. Plus I guess it provides a bunch of exercise to get it done which helps generally with everything.
