I decided I wanted to play around with QR codes and thought I would write a blog post while doing so. A QR code (quick response code) is a matrix bar-code that computers and other devices can read to extract the information stored within it. The data that one of these bar-codes can encode is broken up into four standard input modes, shown in the capacity table below.
Thanks to Reed-Solomon error correction (a process I am not going to describe here), a camera or other imaging device can scan a QR code, which consists of black squares on a white background, and still interpret it correctly even when part of the image is damaged or obscured.
There are currently 40 versions of the QR code; version 40's storage capacity is broken down below:
| Input mode | Max. characters | Bits/char | Possible characters / default encoding |
|---|---|---|---|
| Numeric | 7,089 | 3 1/3 | 0, 1, 2, 3, 4, 5, 6, 7, 8, 9 |
| Alphanumeric | 4,296 | 5 1/2 | 0-9, A-Z (upper case only), space, $, %, *, +, -, ., /, : |
| Byte | 2,953 | 8 | ISO 8859-1 |
| Kanji | 1,817 | 13 | Shift JIS X 0208 |
Because these bar-codes have become so widespread, people have started creating them with malicious intent. In this blog post I will embed a link to a webserver that I own and operate into a QR code and have a machine under my control navigate to that webserver by scanning the code, to show how an attacker could redirect you to a malicious webserver without your knowledge. I will also attempt to demonstrate embedding shellcode into a QR code to send a reverse TCP bindshell from my victim machine back to my attacking machine.
Using QR Code for Website Direction
Using QR codes, an attacker can direct unsuspecting individuals to any webserver the attacker wants. An attacker could set up a webserver that serves exploits to a target's browser whenever an individual scans a QR code image. This could be done with the auxiliary/server/browser_autopwn module from the Metasploit Framework, which loads all the browser exploits currently in the framework onto a webserver; the attacker then creates a QR code containing a link to that malicious webserver and releases it into the "wild" for unsuspecting victims to scan and trigger the exploits.
Using an old iPhone 3GS of mine to scan a QR code, and netcat as a webserver, I will demonstrate how an unsuspecting individual can scan a QR code that has been generated with malicious intent. I am not demonstrating malicious intent myself, just how it could be done.
The first part of this demonstration is to generate the QR code. I found a free QR code generator online, selected the data type I wanted to place within the bar-code (a URL link) and then entered the actual URL, which pointed to my demonstration webserver. After the bar-code was generated I used my iPhone to scan it, and the webserver I had created with netcat captured the request the iPhone made as it connected.
I then repeated the process with an Android device: using the Android emulator from the SDK I created an Android 2.1 device, restarted the netcat listener, and had the emulated device scan the same code, which sent it to my listening webserver.
In this demonstration I showed how an attacker could generate a QR code containing a URL to any webserver they like. The attacker could direct whoever scans the QR code to a webserver that attempts to launch any exploit they want against the victim.
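The scanner app, not the user, sees the text inside the code, so the decoded payload is the only thing a cautious user can check before the device follows it. As an added example (not code from the original post or from any tool it mentions), the following Python picks the smallest QR input mode for a decoded payload using the character sets from the capacity table above, and, when the payload is a web link like the one used in this section, lists the properties a user should see before a reader opens it. The URL heuristics and the 2,953-byte limit for byte mode are this example's own assumptions.

```python
from urllib.parse import urlsplit
import ipaddress

# Character sets and limits taken from the version-40 table in this post
# (the limits assume error-correction level L); Kanji mode is left out
# because recognising Shift JIS text takes more than a character-set check.
NUMERIC_CHARS = set("0123456789")
ALNUM_CHARS = set("0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ $%*+-./:")
VERSION40_MAX = {"numeric": 7089, "alphanumeric": 4296, "byte": 2953}


def qr_mode(payload: str) -> str:
    """Smallest QR input mode able to carry the payload."""
    if payload and all(c in NUMERIC_CHARS for c in payload):
        return "numeric"
    if payload and all(c in ALNUM_CHARS for c in payload):
        return "alphanumeric"
    return "byte"


def triage_payload(payload: str) -> dict:
    """Classify a decoded payload and list reasons not to open it blindly.
    The URL heuristics below are this example's own assumptions."""
    mode = qr_mode(payload)
    length = len(payload.encode("utf-8")) if mode == "byte" else len(payload)
    result = {"mode": mode, "fits_version_40": length <= VERSION40_MAX[mode],
              "is_url": False, "warnings": []}
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    if not scheme:
        return result                      # plain text: nothing to follow
    warn = result["warnings"].append
    if scheme not in ("http", "https"):
        warn("non-web scheme %r: reader may hand it to another app" % scheme)
        return result
    result["is_url"] = True
    if scheme == "http":
        warn("plain http: the page can be altered in transit")
    if parts.username is not None or parts.password is not None:
        warn("userinfo before '@': the real host is %r" % parts.hostname)
    host = parts.hostname or ""
    try:
        ipaddress.ip_address(host)
        warn("raw IP address %s instead of a domain name" % host)
    except ValueError:
        pass                               # a normal host name
    if parts.port not in (None, 80, 443):
        warn("non-standard port %d" % parts.port)
    return result
```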
Using QR code to gain a shell
Using what I learnt in the section above, I did a Google search to see whether any known vulnerabilities had been identified in the browsers of either of these two devices. I quickly found a potentially useful one, CVE-2010-1807, and downloaded the exploit code to learn its use and purpose. The exploit, cve-2010-1807-exploit (linked as a PDF file), contains a specially crafted HTTP message that exploits a vulnerability in the WebKit engine 1.2.6, which can potentially lead to arbitrary code being executed by a remote attacker. Even though the Offensive Security database lists it as an Android exploit, http://www.exploit-db.com/exploits/15548/, it apparently also works on iPhone devices that use a WebKit engine prior to version 1.2.6. More information on the CVE-2010-1807 vulnerability is available by following this link.
In this part of the blog post I will attempt to gain a shell on an Android mobile device using the cve-2010-1807-exploit found by following this link. My setup for this scenario is the following:
- Android SDK: its built-in emulator tool replicates the Android mobile device.
- A webserver hosting the malicious HTTP message at its root.
- A QR code pointing to the malicious HTTP message on the webserver.
In this attack demonstration I have the Android device scan the QR code, which sends the device to the webserver and makes it attempt to view the HTTP message in its default browser; I will emulate an Android 2.0 device. This version has the WebKit vulnerability, so loading the page containing the malicious HTTP message should exploit it and send a reverse shell back to my webserver, where the Netcat tool listens on the specific port for the incoming shell from the device.
When I had the Android device go to the webserver and access the malicious HTTP message, I could see the device processing the message, and eventually the browser on the device crashed, but no shell reached the listener, so the result was only a denial of service. Doing further research I learnt that this exploit reportedly works successfully 80% of the time.
I have provided links above to the reference materials I found useful while writing this blog post and researching the vulnerability.