
Disk Encryption

Intro

I will go over what disk encryption is, why you should care about it, some of its implementations and the attacks against it, as well as what options you can choose from aside from BitLocker/FileVault.

What is disk encryption

You know this already, but I will mention it nonetheless, as a sanity check of sorts.

Disk encryption is the protection, by means of cryptography, of a logical part of a disk (such as a folder or a partition) or of a whole disk.

That disk can be internal or external: a USB flash drive, an SD card, a DVD/CD, an ISO image, and most storage media, filesystems, blobs, etc.

Software Disk Encryption

Disk encryption can be implemented in software. Some of those solutions include:

And many more.

Hardware Disk Encryption

Disk encryption can also be implemented in hardware. This is common in modern SSDs, which are then called self-encrypting drives, a.k.a. SEDs.

Whole disk encryption

An important thing to note here is that this type of encryption encompasses the whole OS and all files/data. Even though the name implies that every bit found on that disk is encrypted, this is not necessarily true in all cases.

It mostly won’t be true for software-based disk encryption, because the boot or swap partitions and the MBR (Master Boot Record) can remain unencrypted. When it comes to hardware-based disk encryption, some self-encrypting drives actually can do full disk encryption.

On the other hand, just a partition or a container can be encrypted, in which case only the data within that partition/container ends up encrypted, instead of the entire system.

What does disk encryption protect from and how?

It is quite important to understand what types of threats disk encryption can mitigate, and not to misunderstand its purpose.

First and foremost, disk encryption protects your data in case someone obtains physical access to your device: if you lose your device, or it is stolen, seized, or left unguarded (it prevents tampering with or accessing the device). Other cases where disk encryption can protect you are when the hardware is sent for repair or is being shipped, and when you want to dispose of your hardware securely.

It’s important to note that disk encryption also protects the integrity of your files/OS, due to built-in integrity controls. This prevents a slew of nastiness, such as keyloggers, rootkits, and other malware.

Simply put, disk encryption protects you by rendering the files on the disk unreadable without the correct key/password (in most cases the password is actually used to derive that key). To read the files on your encrypted disk your OS needs to be running, and you have to enter your key.

Remember, even a (complex) password on your OS (lock screen) without disk encryption doesn’t protect you in a case where someone has physical access to your device. They can simply bypass your password by booting into another system to explore it, or they can remove the hard drive and plug it into another device. This is where disk encryption comes into play – they cannot go through your filesystem if it has full disk encryption.

What is not protected with disk encryption?

This is important to understand: disk encryption won’t protect you from a wide array of threats; what it protects against is physical-access attacks on your device. Your traffic can still be observed, malware can still get onto your device, etc.

This is because of the way it works: after you’ve entered your key (password) and your OS is running, you won’t have any further protection. Thus, any malware that slips inside can in theory access your data and do whatever it was designed for (it can even steal your key from memory, or by installing keyloggers, etc.).

This is due to the fact that when you punch your password in to decrypt your drive, the key resides in memory. If someone can access your memory, they can also find your key, and thus decrypt your drive.

You’ve probably heard of the cold boot attack; it is possible because the key can remain in memory for a short period of time after you’ve switched your device off.

There are also key disclosure laws; you can check out this site to read a summary of how a specific country handles encryption.

Attacks

I want to go over some potential attacks against (whole) disk encryption. There is the breaking of crypto algorithms and there are brute-force attacks, as you might imagine; let’s try to figure out how effective those can be.

Those will usually involve ciphers (like AES, Blowfish, etc.), and a cipher is considered strong as long as no method for breaking it exists. However, this doesn’t guarantee that we won’t develop methods in the future that could break them. Bear that in mind: AES might be strong today, but there’s a realistic chance it will stop being useful for us in the future. From what we know through our study of these ciphers, though, AES, Blowfish, and similar ciphers should be good for the next decade or two.

If we’re talking about (potentially) mitigating these, some encryption systems allow us to combine encryption algorithms – for example, you can have AES(Twofish(Serpent)). This implies that the attacker would have to devise a method per algorithm in order to break that encryption.

Basically, the only practical attacks (currently) against crypto algorithms are brute-force attacks – dictionary/hybrid.

What does the future hold? Quantum computers

As we all know, quantum computers will become a thing at some point in the future, and there’s been much fuss about how that will bring the end of the world because of their ability to crack all currently used crypto algorithms, such as AES, with ease.

The truth is that they will effectively halve the strength of symmetric keys, which implies we would have to double our key size to get approximately the level of protection we have today. This implies that 128-bit keys could be broken with a quantum computer.

However, 256-bit keys would still provide protection from quantum computers. Asymmetric algorithms would need to be replaced, though. Asymmetric encryption isn’t used in disk encryption, by the way.

The reason why 256-bit keys could still hold up against a quantum computer is that if you were to attack the 256-bit key space, you’d have to go against the laws of nature themselves… and in this particular case it means checking for  keys, and even if your computer could check billions of keys per second, it would still take an unimaginable amount of time. It’s just the way it is. This is another interesting article on the topic. Quantum anything, really, is always somewhat of a mystery; even though today’s smartphone batteries and the whole advance in that field owe a tremendous debt to Fermi levels/Fermi energy (part of solid-state physics), we still don’t fundamentally understand the topic, as Feynman so succinctly pointed out.

Quantum weirdness is not out of the question, and we might uncover something that will indeed be game changing, but 256-bit keys will still be decently strong, if not totally unbreakable, for a decent period of time to come…

Thus, if you’d like to future-proof a bit, go for more than 128 bits: 156 or more, ideally 256 – why not, if you can? Of course, since passwords are used to generate encryption keys, you would also want to use strong passwords here.

Hardware and software encryption systems – implementation vulnerabilities

Implementation and configuration vulnerabilities are generally your weakest link. These crypto systems can be either open source or closed source; depending on their origin, they rely more on scrutiny from the community (for the former) or on trust in their creator (for the latter).

Generally, these systems should be well audited if one is to place actual trust in a specific product. But since this is what we have, I just wanted to mention it so you can take it into consideration, adjust your threat/risk model, and go on about your day!

They could also have implementation weaknesses/backdoors that have been introduced by an adversary (usually of 3-letter-agency level of skill, regardless of whether it’s a government or a criminal group…).

Lastly, there are also unknown risks that stem from features we haven’t accounted for, whatever they may be. These aren’t something you can fully prepare against, but you can try to adjust your model so that you have some sort of compensating controls, in case something like that ever happens.

Conclusion

I hope you enjoyed my short encryption-themed article and the considerations I’ve laid out in it for you. It’s an exciting topic, as we all know how much our digital world relies on cryptography, while it can also be used by some (maybe not intentionally) to scare people, which is why I included the What does the future hold? section, in hopes of providing a sort of disambiguation on that topic.

Stay tuned!

Cover image by Maximal Focus

#encryption #aes #full-disk-encryption #attacks #quantum-computers


Written by

acephale 4w

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About VRX
VRX is a consolidated vulnerability management platform that protects assets in real time. Its rich, integrated features efficiently pinpoint and remediate the largest risks to your cyber infrastructure. Resolve the most pressing threats with efficient automation features and precise contextual analysis.

Are Hackers Above the Law?

A woman writhes on a gurney in the back of an ambulance racing to get treatment for her aortic aneurysm. The paramedics radio to the closest hospital to announce their impending arrival. But they’re told the hospital is in the grips of a ransomware attack, critical systems are offline, and they can’t accept new patients. The heart patient would have to go elsewhere. That meant an hour-long drive to the next comparable facility. And by the time she was able to receive treatment, the woman died.


This isn’t hypothetical. This exact scenario happened in Germany in September 2020. And when it did, numerous voices in the cybersecurity community (mine included) called it the first death to be directly caused by a cyber attack. Ransomware disabled the hospital. And if the woman had been able to receive treatment sooner, she likely would have survived her cardiac episode. Responsibility for her death seemed to fall squarely on the shoulders of the hackers behind the ransomware attack.


German prosecutors agreed. They saw in the attack an open and shut case of negligent homicide. But, under German law, in order for someone to be convicted of that crime, prosecutors needed to establish legal causation between the actions of the defendant and the resulting death. And that’s where things got tricky.


Cyber Attacks as Criminal Acts


The Computer Fraud and Abuse Act was enacted in the US in 1986 and represented the first major effort to prevent hacks through criminal law. Many other countries adopted similar laws – some later than others – but all realized early on that cybercrime needed (but lacked) an appropriate legal apparatus.


Cybercrime laws around the world have evolved and matured significantly since then. GDPR in Europe drastically raised the bar for data protection and privacy while leveling severe penalties for any infraction. California adopted a similar law, as have other US states, and the recent Strengthening American Cybersecurity Act of 2022 established sweeping cybersecurity requirements for all federal offices and many of the vendors they work with. Never has “cyber” legislation been as expansive as now, and all signs suggest this regulatory framework will only expand further.


One area where it remains immature, however, is in regard to prosecuting offenders for the damage caused by cyber attacks. Most laws measure damage (and thus assign penalties) based on the number of records stolen or the amount of downtime caused. But the law stops there. Most downstream effects of the attack are considered irrelevant.


Which makes sense. For most of history, cyber attacks have been seen as IT issues first and foremost. And while they could certainly cause plenty of damage and disruption, it was seen as confined to the digital realm. Rarely did attacks spill over into the physical world, so there was no reason to contextualize those attacks within existing criminal law.


But that’s changing fast. One example is the attack on the Colonial Pipeline in May 2021. A ransomware attack disabled one of the largest oil pipelines on the Eastern Seaboard, resulting in fuel shortages, panic buying at the pump, and changes to flight schedules due to lack of fuel. President Biden declared a State of Emergency as a result. And while the attack thankfully left no one dead or injured, it nonetheless highlights how cyber attacks can directly affect people’s health and safety. Ransomware directed at hospitals, schools, and police departments has a similar effect. And as we see hackers become increasingly emboldened and unscrupulous, future attacks won’t just disrupt data or apps – they will ruin lives.


Learning From the German Example

It’s telling what ultimately happened in Germany. After a two-month investigation, prosecutors concluded that they couldn’t meet the standard of proof necessary to link the woman’s death with the ransomware attack definitively. Prosecutors needed to show that had the ransomware attack never occurred, the woman would have lived. But after consulting with medical professionals, it was believed the woman would have died no matter where or when she received treatment. So while the ransomware attack made a bad situation worse, the heart condition, not the attack, caused the death.


I lack any expertise in German criminal law, but it seems to me that prosecutors got it right in this case. Nonetheless, it’s impossible to hear this anecdote and not think about a slightly different variation: where medical devices get disabled by ransomware, and patients dependent on those devices die. Unfortunately, it’s only a matter of time before this scenario (or countless similar alternatives) happens. And when it does, will the law be able to prosecute those behind the attack for those deaths? Or will hackers skate by on a lesser charge, signaling to others that devastating attacks don’t come with devastating consequences for the perpetrators?


Time will tell. Until then, however, I hope we draw a lesson from what happened in Germany and start thinking more about cyber attacks as attacks on people, not just IT.

#cybersecurity #ransomware #law #cybercrime #Germany #hospital

Is Iran the World’s First Cyber Supervillain?

It was only a few weeks ago that I was writing about a CISA alert warning about the dangers of Iranian-government-sponsored hackers exploiting Log4J vulnerabilities to strike at varied targets across the globe. I argued that Iran’s actions illustrate what the future of cyber warfare will look like as countries increasingly strike at digital rather than physical targets to exert their influence. Hammering home that point, CISA has already issued another alert cautioning against an entirely different kind of attack perpetrated by Iranian hackers.

With this latest action, Iran has shown both a willingness to use cyber attacks to achieve their geopolitical ambitions, along with ingenuity in their methods. Of course, most countries are jockeying with each other in cyberspace, and labeling any of their motivations as “good” or “bad” probably misunderstands the pugilistic nature of international relations. Other countries are doing what Iran does – and putting even more resources behind the effort. But even with those caveats, it’s hard not to see Iran as a country both willing and able to play the role of cyber supervillain – someone who makes digital space more dangerous for everyone.

To help put that claim in a greater context, let’s take a look at the latest attack.

Attack Autopsy

Starting around May 2021, Iranian state cyber actors calling themselves “Homeland Justice” (with nationalistic flair) infiltrated the network of the Albanian government. They hid inside for the next year, maintaining continuous network access while quietly accessing and exfiltrating email content. The attackers conducted lateral movement, ran network reconnaissance, and began credential harvesting in May 2022. And by the middle of that summer, they had everything they needed to launch a devastating ransomware attack. The Albanian government never stood a chance.

Ransomware was launched on their networks in July 2022, accompanied by a threatening message directed at a group critical of Iran’s Revolutionary Guard with several thousand members living in Albania. While simultaneously stealing and encrypting the data with one attack, the offenders were also wiping raw disk drives using a separate attack in a strategy orchestrated to inflict maximum damage almost immediately. Numerous government digital services and websites were temporarily knocked offline. Unfortunately, that was just the start.

Homeland Justice then created a website and social media profiles taking credit for the attacks and publishing proof. Their goal was not just to gloat. They also released the data, first posting a poll to ask what data people wanted, then releasing videos and zip files with the leading responses. So not only was the Iranian government stealing another country’s data – they were offering it up for anyone else to exploit for whatever purposes they wanted. Twisting the knife even more, Homeland Justice struck the Albanian government again in September 2022 with a similar barrage of ransomware attacks.

Understandably enraged, the Albanian government formally cut diplomatic ties with Iran – the first such response to a cyber attack. The Albanian Foreign Minister Olta Xhacka commented, “The aggressiveness of the attack, the level of attack, and moreover the fact that it was a fully unprovoked attack left no space for any other decision.”

Implications of the Attack

The technical details of the attack – plus the prevention CISA suggests – are worth a closer look, especially since Iran has been willing to attack almost any target anywhere. But in this instance, the mechanics of the attack are less interesting than the motivations behind it and the implications for future attacks.

Iran sponsored this attack ostensibly in response to the anti-government sentiment gaining traction in parts of the population. Cracking down on dissent is nothing new for governments. But doing so by launching a multi-month cyber attack on a small, distant country, bragging about it online, then offering to share the spoils has no historical precedent that I can think of. What effect this will have on the ongoing protest movement in Iran remains to be seen. No matter the outcome, though, Iran has pioneered a new way for states to undermine activist movements, and many will not hesitate to deploy similar tactics to maintain their hold on power.

I’m also struck by how this attack weaves together different tactics and techniques, combining a lengthy infiltration effort with a shock-and-awe ransomware attack followed by online data leaks and a surprise second punch. It’s devious. It’s also a little bizarre in its determination. I’m sure an Iran expert could give some important context into why Iran hit Albania so hard. But when they felt compelled to do so, they had both the means and the certainty of success – how many attacks between nation-states can say the same thing?

What will Iran do next? Even if you don’t agree with my “cyber supervillain” characterization, it’s a question everyone’s wondering. And given recent events, they should probably be worrying about it too.

#iran #cyberattack

Privacy and Anonymity – Public Hotspots

Intro

With my newly started series about the Dark web (which will still continue) I had an idea about how I could ‘branch out’ for a bit, as there are some convergent things here that are of interest to us. The shared aspect of someone’s activity on the Dark web and your daily usage of your favorite internet browser does indeed boil down to two things – privacy and anonymity.

I want to expand a bit on that, and I will try to look at it from a few different angles, but for this article I want to talk about the usage of Public Wi-Fi for privacy, and anonymity.

Public Hotspots

When you’re on a public hotspot, keep in mind that the owner of that hotspot is in fact a man in the middle. This means they can see your traffic and inject into it; other users on the network can likewise look at your traffic and attack you, even directly through your open ports. Also, this hotspot doesn’t need to be the hotspot you think you’re connecting to.

That’s a lot of different risks coming at you all at once. But how would you go about dealing with this? And I don’t mean not using the hotspot; let’s say that for some reason we must use that risky public hotspot.

One good thing to do (as a best practice of sorts) is to disable whatever wireless technology you’re not using, for example Bluetooth, 3G, etc. It will also save some battery. If you must, use a hotspot that has WPA2 with AES, and avoid any hotspot that’s using WEP, for example. Just run from those.

Also, use SSL/TLS for encryption, because without end-to-end encryption a threat actor might inject packets and attack you or your browser. Generally, encrypt anything that’s sent from your device. This is where your VPN might jump in.

The idea here is that the whole OS you’re on is sending encrypted data, because you don’t want some background traffic that doesn’t go through the encrypted tunnel messing your whole operation up.

One other good thing to do is set up a firewall profile for public hotspots/networks.

Lastly, you can bring hardware into the mix by using a portable router/firewall and connecting it to the hotspot. The idea is the same as above, to add a layer of security to your connection, and hardware achieves that through physical separation. Of course, this might not be the best option for you, but in that case at least stick with the bare-minimum setup: use a VPN and close the ports and services you won’t be needing, so you don’t make it easier for your friendly neighbourhood hacker to compromise you.

On the flip side, public networks/hotspots such as internet cafés, airports, hotels, etc. are a good way to protect your anonymity, provided you set up correctly and those networks offer an anonymous connection.

Since this internet connection isn’t registered to you, nor should it have any connection to you, it is a good way to keep your anonymity.

The things you should do when visiting one of these public places to access the Internet anonymously

This whole scenario (somewhat) implies that your adversary has significant resources and that the consequences would be dire for you. Even if that’s not the case, in my opinion you can’t really overdo this stuff, as you can never be truly 100% risk-free and/or secure, which is why, in my opinion, this has a place on the discussion panel.

I am very interested in this topic, and for me this is all for educational purposes. Please be careful, know the risks, as well as your limitations, and please don’t do any illegal activity! I don’t want to bore you, nor to digress any more, but I feel the need to say this out loud, just in case.

You will also want to follow your OpSec rules (this is something I covered previously, but as a refresher I will add the list below too – slightly varied):

  • Don’t talk openly about stuff that’s important, i.e., mission critical

  • Don’t trust anyone

  • Don’t contaminate your identities

  • Be paranoid (better now, than later)

  • Stay under the radar – if you’re a dissident, don’t tweet your political opinions, etc. – make yourself as ordinary as you can

  • Avoid logging whatever you can; if you can – destroy it. It’s better to not have it than to keep it encrypted, no matter the algorithm keeping your stuff secure…

  • Everything should be encrypted, even non-sensitive data

  • Treat your OpSec as a very serious thing, as it is.

To get back to our topic: ideally, you will have no pattern when visiting the public places where you access the Internet. Vary your distance, choose those places at random, look for the busier ones where more users pass through, and, if possible, also vary the times you visit them. Also, don’t bring a phone tied to an identity that you don’t want associated with your internet connection, because it will be.

Try to fit in, avoid talking too much, and avoid standing out. Try to sit where you can see everything, ideally keep your back to a wall. You want to see everything/everyone coming at you so you can theoretically react in time.

For an extra-paranoid option, wipe your prints from the table, glasses, whatnot; basically, don’t leave your DNA.

Also, remember: if you don’t own the machine you’re on, you’re fully vulnerable if you use your own accounts or anything like that (in the case of internet cafés where you use their computers, everything can be logged). There are mitigations for this (like pre-encrypting your data before using the public PC), but I would advise you not to go this route at all. Just avoid this option like the plague, if at all possible.

Summary/conclusions/musings

Another thing to note is that you can access hotspots from a distance, and I intend to expand on that a bit more, but don’t mistake public hotspots for anonymizing services. You should still send your traffic through an encrypted tunnel and follow all the OpSec rules that are relevant for your own threat model.

Conclusion

This has been a short intro to public hotspots and how to behave when you’re out there in the wild and care about your privacy, security, and anonymity. I will expand on this quite a bit, as I intend to cover the above-mentioned accessing of hotspots from a distance, as well as many other tips and tricks you might find useful on your privacy, security, and anonymity journey.

Stay tuned.

Cover image by Parker Coffman

#privacy #anonymity #public-hotspots

Research: Exploiting Jsonpickle to Get RCE

Introduction

Jsonpickle is a Python library which is widely used to serialize and deserialize Python objects. Serialization is very useful for saving the state of an object and reconstructing the object from that state.

In this post, we will exploit the latest jsonpickle library to get remote command execution.

Installation

Jsonpickle is available on the Python Package Index (PyPI), a repository hosting over 10TB of packages that programmers use to build their applications. We install the library with the command pip3 install jsonpickle.

Setting Up Jsonpickle

For the scope of this article, we will focus on only two functions from the jsonpickle library: encode and decode.

First, we define a class named “zoo” and create an object for it.

Figure 1: Creating a class and an object for it

Now if we want to save the state of the object, we can encode the object with jsonpickle and print the byte stream, which can be used later to reconstruct the object with its state included.

Figure 2: Encoding the object with jsonpickle

Conversely, we can reconstruct the object with a decode function.

Figure 3: Decoding the object with jsonpickle

Attack Scenario

Now that we’ve demonstrated the two functions and how they work, we are ready to move forward with the attack.

Since we are attacking the jsonpickle library, we create a sample web application with jsonpickle to attack.

Our simple web application takes the base64-encoded serialized data, decodes the base64 into a jsonpickle document, and finally converts that jsonpickle document into an actual object.

Figure 4: Demonstrating encoding and decoding jsonpickle object

So, when we run the application with flask run, we can pass our data to http://127.0.0.1:5000/data?serialized= to interact with the jsonpickle library.

Creating the Exploit

So, we create a class RCE with a member function __reduce__ which will execute our payload.

After creating the object, we need to serialize the object and encode it with base64 so it can be passed to our web application.

Figure 5: Creating RCE and a serialized object

Now we copy the base64 payload and pass it to our web application, and we see that the command execution is successful and we have compromised the application.

Figure 6: Compromised application from base64 payload

Key Takeaway

The vulnerability is in the latest version of the jsonpickle library. As there are no fixes available, use of this library should be avoided. If you still need to use jsonpickle, ensure that it never handles unprocessed user data.
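As an added example (not code from the original post or from the jsonpickle project), here is the kind of pre-processing gate the endpoint above could run on the ?serialized= value before anything reaches jsonpickle.decode(): it parses the base64 and JSON with the standard library only, refuses any document carrying jsonpickle's object-reconstruction tags, and only lets py/object name a class from an allowlist. The tag names are assumed from jsonpickle's tag vocabulary, and app.Zoo and the sample documents are constructed stand-ins for the article's zoo class.

```python
import base64
import binascii
import json

# Reserved jsonpickle tags that drive object reconstruction rather than carry
# plain data. The list is assumed from jsonpickle's tag vocabulary; any of
# these can turn a "data" document into code or class execution inside
# decode(), so they are refused outright, wherever they appear in the tree.
DANGEROUS_TAGS = frozenset({
    "py/reduce", "py/repr", "py/function", "py/type", "py/newobj",
    "py/newargs", "py/newargsex", "py/initargs", "py/iterator", "py/property",
})

# The only classes a user-supplied document may rebuild. "app.Zoo" is a
# constructed stand-in for the article's zoo class.
ALLOWED_CLASSES = frozenset({"app.Zoo"})

MAX_DECODED_BYTES = 64 * 1024  # cap the work we do on attacker-sized input


class UnsafePayload(ValueError):
    """Raised when a serialized document must not reach jsonpickle.decode()."""


def _walk(node, path="$"):
    """Recursively refuse reserved tags and non-allowlisted py/object classes."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key in DANGEROUS_TAGS:
                raise UnsafePayload(f"{path}: reserved tag {key!r}")
            if key == "py/object" and (
                not isinstance(value, str) or value not in ALLOWED_CLASSES
            ):
                raise UnsafePayload(f"{path}: class {value!r} not allowlisted")
            _walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, item in enumerate(node):
            _walk(item, f"{path}[{index}]")


def vet_serialized(b64_text):
    """Validate the ?serialized= value; return the parsed JSON document or raise."""
    try:
        raw = base64.b64decode(b64_text, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise UnsafePayload(f"invalid base64: {exc}") from None
    if len(raw) > MAX_DECODED_BYTES:
        raise UnsafePayload("decoded document too large")
    try:
        document = json.loads(raw)
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise UnsafePayload(f"not a JSON document: {exc}") from None
    _walk(document)
    return document


def is_safe(b64_text):
    """Boolean form of vet_serialized(), usable as a request gate."""
    try:
        vet_serialized(b64_text)
    except UnsafePayload:
        return False
    return True


def _b64(document):
    """Encode a document the way the article's client does (JSON, then base64)."""
    return base64.b64encode(json.dumps(document).encode()).decode()


# Constructed sample inputs, shaped like what the endpoint receives.
GOOD_B64 = _b64({"py/object": "app.Zoo", "name": "city zoo", "animals": ["lion"]})
# Placeholder value: the gate rejects on the tag alone, no gadget is needed.
REDUCE_B64 = _b64({"py/object": "app.Zoo", "py/reduce": "<rejected on sight>"})
NESTED_B64 = _b64({"py/object": "app.Zoo", "animals": [{"py/function": "x.y"}]})
CLASS_B64 = _b64({"py/object": "some.other.Class", "name": "nope"})
GARBAGE = "not base64!!"

if __name__ == "__main__":
    for label, sample in [("good", GOOD_B64), ("reduce", REDUCE_B64),
                          ("nested", NESTED_B64), ("class", CLASS_B64),
                          ("garbage", GARBAGE)]:
        print(f"{label}: {'accepted' if is_safe(sample) else 'rejected'}")
```

Only a document that passes vet_serialized() would then be handed to the deserializer; everything else is logged and dropped before any object is rebuilt.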

#jsonpickle #python #exploit