$natch

$NATCH

Sergey Scherbel& Yuriy DyachenkoPositive Technologies

Positive Hack Days 2013

Some history

The competition took place for the first time at PHDays 2012.$natch aims at demonstrating typical vulnerabilities of the online bank systems.

Positive Technologies performs security tests of the online bank systems on the regular basis. We are really into this.

The most interesting, dangerous and simply typical vulnerabilities are integrated into PHDays iBank right away.

Last year results― 9 participants― 4 winners― biggest prize of 3.500 roubles

― Some winners got into positive community

after an extremely scary interview of course

PHDays iBank 2

PHDays iBank 2 is NOT a real online banking system that is used by actual banks.

System had been developed exclusively for the PHDays 2013 competition.

PHDays iBank 2 employs typical vulnerabilities of the online banking systems.

Competition rules

― 100 bank clients― 10 participants― 20.000 roubles of prize money― 1 day for source code analysis― 30 – 40 minutes of the actual competition― a participant will get as much money as he will

manage to transfer to his or her account― Participants can steal money from each other

At the workshop

― You will be able to examine each vulnerability in detail

― Exploit vulnerabilities by yourself

― Exploit vulnerabilities with tools

― All is done on a special copy of the competition system

Accounts

100001:PKAC1y

100002:RNrlO9

100003:Ndl1Ix

100004:hQPuJw

100005:kpgtCI

Authentication

Code on the image needs to be entered

Mobile bank authentication

The code is not needed, thus account bruteforce is possible

Accounts with simple passwords

100011:password

100012:phdays

100013:qwerty

100014:password

100015:123456

100016:12345

100017:11111

100018:ninja

100019:123123

100020:sex

100021:asdzxc

100022:654321

100023:iloveyou

100024:root

100025:master

100026:superman

...

Transaction confirmation

Confirmation bypass in mobile bank

Payment templates modification

Payment templates modification

A template is not checked if it is owned by the current user

Payment templates modification

$$

Payment templates modification

$$

Contacts import

Most online banks have a feature that allows to import/export data

XML External Entity

External entities loading is not disabledhttp://php.net/libxml_disable_entity_loader

XML External Entity<?xml version="1.0" encoding="utf-8"?><!DOCTYPE contact [<!ENTITY x SYSTEM "php://filter/read=convert.base64-encode/resource=logs/changePassword.log">]><contacts> <contact> <name>name</name> <account>90107430600712500003</account> <description>&x;</description> </contact></contacts>

http://www.php.net/manual/en/wrappers.php.php

XML External Entity

File contents in base64

Debug mode

Thanks for your attention

Sergey Scherbel

[email protected]

Yuriy [email protected]