QR Code Barcode Fun

I decided I wanted to play around with QR codes, and I thought I would make a blog post while I was playing around with them. A QR code (quick response code) bar-code is a matrix bar-code which is readable by computers and other devices to extract the information stored within the bar-code. The information that can be encoded by one of these bar-codes is broken up into four standard types:

  • numeric
  • alphanumeric
  • binary/byte
  • Kanji

A QR code bar-code consists of black squares on a white background. A camera or other imaging device scans the bar-code and, using the Reed-Solomon error correction process (I am not going to go into describing the process), generally keeps processing the image until it can be interpreted by the device.

There are currently 40 versions of the QR code bar-code; version 40's storage capacity is broken down below:

| Input Mode | Max. Characters | Bits/Char | Possible Characters / Default Encoding |
|---|---|---|---|
| Numeric | 7,089 | 3 1/3 | 0, 1, 2, 3, 4, 5, 6, 7, 8, 9 |
| Alphanumeric | 4,296 | 5 1/2 | 0-9, A-Z (upper case only), space, $, %, *, +, -, ., /, : |
| Binary/Bytes | 2,953 | 8 | ISO 8859-1 |
| Kanji | 1,817 | 13 | Shift JIS X 0208 |
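
Where the fractional bits/char figures come from, as an added example that is not part of the original post: numeric mode packs three digits into 10 bits and alphanumeric mode packs two characters into 11. The 2,956 data codewords for version 40 at error-correction level L and the count-field widths are taken from the QR code specification, not from this page.

```python
# Added example: bit cost of one QR data segment, per input mode.
# Assumption from the QR spec: version 40, EC level L = 2,956 data codewords.
V40_L_DATA_BITS = 2956 * 8

ALNUM = set("0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ $%*+-./:")
# Width of the character-count field for versions 27-40 (QR spec).
COUNT_BITS = {"numeric": 14, "alphanumeric": 13, "byte": 16, "kanji": 12}


def pick_mode(text):
    """Choose the most compact of the three text modes for a payload."""
    if text and all(c in "0123456789" for c in text):
        return "numeric"
    if text and all(c in ALNUM for c in text):
        return "alphanumeric"
    return "byte"


def payload_bits(mode, n):
    """Bits needed to store n characters in the given mode (data only)."""
    if mode == "numeric":        # 3 digits -> 10 bits, 2 -> 7, 1 -> 4
        return 10 * (n // 3) + (0, 4, 7)[n % 3]
    if mode == "alphanumeric":   # 2 chars -> 11 bits, 1 left over -> 6
        return 11 * (n // 2) + 6 * (n % 2)
    if mode == "byte":
        return 8 * n
    if mode == "kanji":
        return 13 * n
    raise ValueError("unknown mode: " + mode)


def segment_bits(mode, n):
    """4-bit mode indicator + count field + data, for versions 27-40."""
    return 4 + COUNT_BITS[mode] + payload_bits(mode, n)


def fits_v40(mode, n):
    """True if a single segment of n characters fits in a version 40-L symbol."""
    return segment_bits(mode, n) <= V40_L_DATA_BITS


if __name__ == "__main__":
    # Each table maximum fits; one more character does not.
    for mode, limit in [("numeric", 7089), ("alphanumeric", 4296),
                        ("byte", 2953), ("kanji", 1817)]:
        print(mode, limit, fits_v40(mode, limit), fits_v40(mode, limit + 1))
    url = "http://nsimattstiles.wordpress.com"
    print(pick_mode(url), pick_mode(url.upper()))
```

A lower-case URL has to use byte mode, while the same URL in upper case qualifies for the denser alphanumeric mode.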

QR code version 2 bar-code containing a hyperlink to nsimattstiles.wordpress.com

Because of the spread of these bar-codes, users have started creating bar-codes with malicious intent. In this blog post I will attempt to embed a link to a webserver that I own and operate into a QR code bar-code and have a machine under my control navigate to the webserver by scanning the bar-code, to show how an attacker could potentially have you redirected to a malicious webserver without you knowing. I will also attempt to demonstrate embedding shellcode into a QR code bar-code to send a reverse TCP bindshell from my victim machine back to my attacking machine.

Using QR Code for Website Direction

Using QR code bar-codes, an attacker is able to have unsuspecting individuals directed to any webserver that the attacker wants. An attacker could set up a webserver which serves exploits to a target's browser when an individual scans a QR code image. This could be done by using exploits such as the auxiliary/browser_autopwn module from Metasploit Framework, which loads all the browser exploits currently in the framework onto a webserver. The attacker then creates a QR code bar-code containing a link to the malicious webserver and releases the QR code bar-code into the "wild" for unsuspecting victims to scan and trigger the exploits.

Using an old iPhone 3Gs of mine to scan a QR code, and netcat as a webserver, I will demonstrate how an unsuspecting individual can scan a QR code bar-code that has been generated with malicious intent, though I am not demonstrating malicious intent, just how it could be done.

The first part of this demonstration is to generate the QR code bar-code. I found a free QR code generator online, selected the data type I wanted to place within the bar-code, which was a URL link, and then entered the actual URL link I wanted; the link entered was the link to my demonstration webserver. After the bar-code was generated I used my iPhone to scan the barcode, and the webserver I had created with netcat captured the request made by the iPhone as the iPhone connected to it.

The screenshot is the result from the iPhone scanning the QR code bar-code and then being directed to the webserver I set up using netcat.

I will repeat the process I did before with an Android device. Using the Android emulator software, I created an Android 2.1 device in the emulation software and sent it to my listening webserver after restarting the netcat listening service.

The screenshot is the result from the Android 2.1 device scanning the QR code bar-code and then being directed to the webserver I set up using netcat.


In this demonstration I showed how an attacker could generate a QR code bar-code containing a URL to any webserver they would like. An attacker could direct the individual scanning the QR code to a webserver which would attempt to launch any exploit they wanted against the victim.
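
One way a scanner app or mail gateway could inspect a decoded QR payload before anything opens it, as an added example that is not part of the original post. The function name, the finding labels and the short shortener list are assumptions made for illustration, and the sample payloads are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: a short illustrative list of redirector hosts, not exhaustive.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl"}

# Constructed sample payloads (documentation address range, made-up values).
SAMPLES = [
    "http://192.0.2.10:8080/index.html",
    "https://nsimattstiles.wordpress.com",
    "WIFI:S:guest;T:WPA;P:example;;",
]


def triage_qr_payload(payload):
    """Return (kind, host, findings) for a decoded QR string without fetching it."""
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return ("malformed", None, ["unparseable"])
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        # Readers also act on tel:, sms:, WIFI: etc.; report the type, do not open it.
        return ("non-web:" + scheme if scheme else "text", None, [])
    findings = []
    host = (parts.hostname or "").lower()
    if scheme == "http":
        findings.append("cleartext-http")
    if parts.username or parts.password:
        findings.append("userinfo-in-url")      # e.g. https://trusted@other.host/
    try:
        ipaddress.ip_address(host)
        findings.append("ip-literal-host")      # no domain name to judge by
    except ValueError:
        if any(label.startswith("xn--") for label in host.split(".")):
            findings.append("punycode-host")    # possible look-alike domain
    try:
        port = parts.port
    except ValueError:
        port = None
        findings.append("invalid-port")
    if port not in (None, 80, 443):
        findings.append("non-default-port")
    if host in SHORTENERS:
        findings.append("shortener")            # final destination is hidden
    return ("url", host, findings)


if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", triage_qr_payload(sample))
```

Showing the host and the findings to the user before navigation removes the "without you knowing" part of the scenario above; it does not judge whether the destination itself is safe.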

Using QR code to gain a shell

Using the information I learnt in the section above, I did a Google search to see if any known vulnerabilities have been identified in the browsers of either of these two devices. I quickly learnt about a potentially useful vulnerability, CVE-2010-1807. I downloaded the exploit code to learn its use and purpose: cve-2010-1807-exploit. This is a link to a PDF file that contains a specially created HTTP message which is used to exploit a vulnerability in the WebKit engine 1.2.6. This can potentially lead to arbitrary code being executed by a remote attacker. Even though it is listed in the Offensive Security database as an Android exploit, http://www.exploit-db.com/exploits/15548/, apparently this exploit also works on iPhone devices that use the WebKit engine prior to version 1.2.6. Following this link will provide more information on the CVE-2010-1807 vulnerability: link.

In this part of the blogpost I will attempt to gain a shell on an Android mobile device using the cve-2010-1807-exploit found by following this link. My setup for this scenario is the following:

  • Android SDK – built-in Emulator tool to replicate the Android mobile device.
  • Webserver hosts the malicious HTTP message at root.
  • QR code barcode which points to the malicious HTTP message on the webserver.

In this attack demonstration I have the Android device scan the QR code barcode, which will then send the Android device to the webserver and attempt to view the HTTP message in the default browser of the Android device. I will emulate an Android 2.0 device. This version of the device has the WebKit vulnerability, and attempting to load the page containing the malicious HTTP message should exploit the vulnerability, sending a reverse shell back to my webserver, which listens for the incoming shell from the device on the specific port using the Netcat tool.

When I had the Android device go to the webserver and access the malicious HTTP message, I could see the device processing the message, and then eventually the browser on the device would crash, but no shell was sent to the listener, resulting in a DoS attack. Doing further research, I learnt that this exploit reportedly works successfully 80% of the time.

———————————————————————————————————————————————————

I’ve provided links before for reference materials that I found useful during this blogpost and vulnerability research task.
