Workspace ONE UEM (formerly AirWatch) is a mobile device management product used to deploy, secure and manage mobile devices. It also provides compliance-checking tools to ensure that devices connecting remotely meet the organisation's security standards.
The application ships as a bundle of .NET applications, which is easy to decompile with a tool like dnSpy. The researchers looked at the web.config file to find the routes and handlers the application exposes.
One of these groups of routes lived in the BlobHandler, and one of its functions proxied HTTP requests. The parsing logic went as follows:
- An encrypted URL parameter is passed in.
- RenderProxyResponse is called.
- The input is decrypted and the proxy service is called.
The researchers were interested in this functionality because its security rested entirely on the encryption key remaining secret. Is that a good secret?
The function DataEncryption.DecryptString was completely custom code, which makes it all the more interesting. The data had an unusual format: {cryptoVersion}:{keyVersion}:{text}:{cipherText}. Which key the function used depended on the parameters passed in.
If no key is specified, it has to be fetched from the database or cache. However, if the key version is kv0 or NULL, something else happens: a hardcoded default key is used.
With a hardcoded key, the security boundary is broken: anyone who knows the hardcoded key can create arbitrary valid ciphertexts, which allows an unauthenticated user to perform SSRF against the site.
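The key-selection flaw described above, written out as an added illustration (not code from the post or from the product): a parser for the {cryptoVersion}:{keyVersion}:{text}:{cipherText} envelope, the weak key lookup that silently falls back to a fixed key beside a hardened lookup that refuses reserved or unknown versions, and an audit helper that flags envelopes a server would process under the default key. The key store, key bytes and tokens are constructed placeholders.

```python
from typing import List, Optional, Tuple

# Constructed stand-in key store (keyVersion -> key bytes); hypothetical values.
KEY_STORE = {"kv1": b"\x11" * 32, "kv2": b"\x22" * 32}
# Hypothetical build-time constant, the kind of default key the post describes.
HARDCODED_DEFAULT_KEY = b"\x00" * 32
RESERVED_VERSIONS = {None, "", "kv0"}  # versions that trigger the fallback


def parse_envelope(token: str) -> Tuple[str, Optional[str], str, str]:
    """Split '{cryptoVersion}:{keyVersion}:{text}:{cipherText}' into its fields.
    An empty keyVersion is normalised to None, mirroring a NULL from the caller."""
    parts = token.split(":", 3)
    if len(parts) != 4:
        raise ValueError("malformed envelope")
    crypto_version, key_version, text, cipher_text = parts
    return crypto_version, (key_version or None), text, cipher_text


def select_key_vulnerable(key_version: Optional[str]) -> bytes:
    """Mirrors the flaw: kv0 or a missing version maps to the fixed key."""
    if key_version in RESERVED_VERSIONS:
        return HARDCODED_DEFAULT_KEY
    return KEY_STORE[key_version]  # otherwise looked up from the store


def select_key_hardened(key_version: Optional[str]) -> bytes:
    """Only versions present in the key store are usable; there is no built-in
    fallback, so an envelope cannot choose a key the operator never provisioned."""
    if key_version in RESERVED_VERSIONS or key_version not in KEY_STORE:
        raise PermissionError(f"unknown or reserved key version: {key_version!r}")
    return KEY_STORE[key_version]


def uses_default_key(token: str) -> bool:
    """Would the vulnerable path process this envelope under the hardcoded key?"""
    _, key_version, _, _ = parse_envelope(token)
    return select_key_vulnerable(key_version) is HARDCODED_DEFAULT_KEY


def audit_envelopes(tokens: List[str]) -> List[str]:
    """Detection helper: return the envelopes (e.g. from request logs) that rely
    on the default key, so they can be investigated or rejected."""
    return [t for t in tokens if uses_default_key(t)]


if __name__ == "__main__":
    sample = ["v1:kv1:url:QUJD", "v1:kv0:url:QUJD", "v1::url:QUJD"]  # constructed
    print(audit_envelopes(sample))
```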
Overall, a good bug and a clear illustration that cryptography has to be used properly in order to provide any security. The researchers also found several other instances of the same pattern.