Welcome

Technology Blog

5 Dec 2018

Access locked files in Secure Gallery android application without password

Hacking Android Secure Gallery App password from Application Backup data

26 Sep 2014

Understanding Bash Bug or Shellshock vulnerability with examples.


As you all know that Remote Code Execution vulnerability has been identified in Bourne Again Shell as known as BASH which is command line shell in Linux and Unix. This vulnerability affects version 1.14.0 to 4.3, also known as Bash Bug or Shellshock.

CVE is available here for this vulnerability CVE-2014-6271

So far many websites have released the news about this vulnerability, however I though to post on our blog for all our readers. According to CVE this vulnerability allows remote attackers to execute arbitrary code via a crafted environment.

Below I have tried to explain that how Bash Bug vulnerability works. Bash allows user to type commands and then execute them in the terminal in Linux and Unix based systems.

In Bash the user can set "environment variables" and then can retrieve them later when needed. Below is the example of environment variables.


In above example I have set one environment variable which is NAME, later I have used that variable to echo its value in one of sentence. Environment variables are very useful as shown above. This is how environment variables works.

Below is the little bit variation as compared to our first example.


The "env" command in above example sets environment variable NAME=Girishkumar and it executes the command based on the environment.

Like other programming languages Bash has functions but limited implementation, hence it is possible to put Bash functions into environment variables. Let us use the function with env command.

Below is the example.


In above example we have used function with "env" command and then we have executed it and got the output. Here  -c option executes the commands from a string ie. everything inside the quotes.

So how Bash bug or Shellshock works ?


When we add the extra code to the end of the function definitions the flaw is triggered.  Below image gives good understanding of Bash Bug.


 
Above image credit: Symantec.com

Below is the vulnerable code example.



In above example the command "echo test" doesn't use the $XY variable. So if the bash correctly works then the command "echo vulnerable" should be ignored and should not be executed. The output "vulnerable" should not be displayed. But "echo vulnerable" executed and gave the output.

Here malicious input in XY='() { :;}; echo vulnerable' is the reason of this vulnerability. Here the environment variables treats it as a command and executes it rather than treating it as a string of letters and and ignoring it.

How to test whether your system is vulnerable to Bash Bug / Shellshock or not ???

Run below command in Bash terminal

env XY='() { :;}; echo vulnerable' bash -c 'echo test' 

If you are vulnerable the it will give the world "vulnerable" in the output as shown below.


If you are not vulnerable the it will give the output as below. It will echo only "test" but not "vulnerable".


So better to update your bash version as soon as possible as the different vendors have released the patch for this vulnerability..

7 Sep 2014

Account Safety: Make all your passwords strong which you can remember easily.



Friends as you all know that Hacking activities are increasing rapidly day by day. You might have heard that recently hackers hacked into iCloud accounts of celebrities and leaked their personal and nude photos. So it's time to make all your account passwords strong. Most of people set their password as Boy friend name or girl friend name, Mobile number, Vehicle number, Birth Date etc. Your Enemies who is trying to steal your password can guess your password and they can get access to your accounts. Still you are thinking that your password is strong and safe, maybe it’s time to wake up and make your banking, facebook, gmail and other account passwords strong.

What is strong password?

I will not explain this in brief since many sites have already provided lots of information about this topic. The strong password must be as below:

  •  It must contain special characters such as $%#@&^!
  • It must be at least 8 characters long.
  • It MUST NOT be having any common words like 123456, password, your birth date, your name, mobile number and any words that can be found in the dictionary easily.
  • It must contain combination of small and capitalization letters with special characters and numbers.

I would say, even if your password fulfills all the requirements mentioned above, it is still not enough. Your password needs to be totally unique and different for each and every one of your accounts. To make sure that if one of your account is hacked, your other accounts will not be affected.

You must be confusing how you will remember so many passwords when you have a problem remembering your existing password. Below are some steps which are very powerful.

1. I have used the following rules to replace the regular characters with special characters. Even you can make your own rule.

  • Replace the 'a' with @ or digit 4
  • Replace the 's' with $ or digit 5
  • Replace the 'i' with ! or digit 1
  • Replace the 'o' with * or digit 0
  • Replace the 'h' with #
  • Replace space with _

For example Girish@123 will be like G!r!$h@123, and Girishkumar will be like G!r!$#kum4r

2. To check your password strength go to http://www.passwordmeter.com/ and test the strength of your password. Below is the results of above passwords which I have provided in example.


Result for Girishkumar



Result for G!r!$#kum4r


Once you are done, you will be surprised that you have created lots of strong passwords which you can remember easily and with less possibility of guessing your password by someone. If you find this tutorial helpful then don’t forget to share with your friends.

Thank you :)

23 Nov 2013

Microsoft Clickjacking Vulnerability - 22 October 2013

19 Oct 2013

Google Maps Clickjacking vulnerability - 6 October 2013

Hi all, as I told you in my previous video that I will post another Google Clickjacking video and I am here. Using clickjacking vulnerability in Google Maps I was able to update status of Google Plus user. Now this is patched :D

15 Oct 2013

How Email spoofing works ? Detailed tutorial with live demo.