QR codes are now completely commonplace: they are found everywhere, large services such as WhatsApp, Yandex and AliExpress use them as one of their login methods, and there are QR codes for joining a Wi-Fi network. But how reliable is this technology? Is it possible to craft a QR code that compromises the victim's device the moment it is scanned? That is the question we look at today.
A QR code (Quick Response Code) is a matrix, or two-dimensional, barcode that can hold up to 4,296 alphanumeric characters (or 2,953 bytes of arbitrary data). In other words, it is a picture in which text is encoded.
Attack vector history
In May 2013, the mobile security company Lookout built special QR codes that could compromise Google Glass. At the time the glasses automatically processed every QR code that appeared in a photograph, on the assumption that it "might be useful to the owner", and a crafted code gave an attacker full remote access to the device. The researchers reported the vulnerability to Google, and it was closed within a few weeks. Fortunately it was fixed before anyone used it outside the laboratory, because hijacking a real user's glasses could have caused serious harm.
The scanner tried to filter out dangerous content using regular expressions: to be treated as a URI, the payload had to contain a period followed by an extension of at least two characters, a transport scheme of at least two characters followed by a colon, and no spaces.
If the content fails even one of these requirements, it is treated as plain text rather than a URI. This mechanism blocks attacks like …
This is how it looked.
As we can see, the alert appeared in the browser, which means the URI carrying the potentially malicious code was executed. However, this JS code runs only after the user taps Open Browser (that is, "Open in Browser").
Another interesting example, from 2012: security researcher Ravishankar Borgaonkar demonstrated how scanning a simple QR code could factory-reset Samsung devices. What was inside? The MMI code for a factory reset, *2767*3855#, prefixed with tel: so that the phone's dialer treats it as a USSD request.
The most dangerous thing here is that a person cannot find out what a code contains without scanning it, and people are curious: in several studies, most subjects (who did not even know an experiment was under way) scanned an unknown QR code out of curiosity, forgetting their own safety. So always be careful!
If you do not have a scanner but do have a lot of free time, you can try to decode a QR code by hand. There are instructions on Habr…
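The URI filter described above and the tel: trick are easy to reason about in code. The following is an added example written for this edit, not code from the article or from any real scanner: it reconstructs the three-rule heuristic as an assumption (the scanner's actual regular expressions are not quoted on the page), shows which constructed payloads it lets through (a javascript: URI that happens to contain a dotted name satisfies all three rules), and contrasts it with an allow-list of schemes that a handler may open automatically. The names classify_heuristic, classify_allowlist and AUTO_OPEN_SCHEMES are my own.

```python
import re
from urllib.parse import urlsplit

# Heuristic described in the article, reconstructed as an assumption: a payload
# is a URI only if it has a scheme of at least two characters followed by ':',
# a '.' followed by an extension of at least two characters, and no whitespace.
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]+:")
EXTENSION_RE = re.compile(r"\.[A-Za-z0-9]{2,}")
WHITESPACE_RE = re.compile(r"\s")


def classify_heuristic(payload: str) -> str:
    """Return 'uri' or 'text' according to the three-rule heuristic."""
    if WHITESPACE_RE.search(payload):
        return "text"
    if not SCHEME_RE.match(payload):
        return "text"
    if not EXTENSION_RE.search(payload):
        return "text"
    return "uri"


# Hardened variant (my suggestion, not from the article): an allow-list of
# schemes the handler is willing to open automatically. Everything else,
# including javascript: and tel:, is shown to the user as plain text.
AUTO_OPEN_SCHEMES = {"http", "https"}


def classify_allowlist(payload: str) -> str:
    """Return 'uri' only for http(s) URLs with a host; everything else is text."""
    if WHITESPACE_RE.search(payload):
        return "text"
    parts = urlsplit(payload)
    if parts.scheme.lower() not in AUTO_OPEN_SCHEMES or not parts.netloc:
        return "text"
    return "uri"


# Constructed sample payloads for the comparison
SAMPLES = [
    "https://example.com/page.html",        # ordinary link
    "javascript:alert(1)",                  # no '.ext', the heuristic rejects it
    "javascript:alert(document.domain)",    # '.domain' counts as an extension
    "javascript:alert 1",                   # whitespace, rejected
    "tel:*2767*3855#",                      # the Samsung reset code from the article
]


def compare(payloads=SAMPLES):
    """Map each payload to (heuristic verdict, allow-list verdict)."""
    return {p: (classify_heuristic(p), classify_allowlist(p)) for p in payloads}


if __name__ == "__main__":
    for payload, (heur, strict) in compare().items():
        print(f"{payload!r:40} heuristic={heur:4} allowlist={strict}")
```

The heuristic answers the wrong question (does this look like a link?) rather than the right one (is this something the handler should act on?), which is why a dotted property name inside a javascript: URI is enough to slip past it. The allow-list treats every scheme it does not understand as text to display, never as an action to take.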
QRGen: a code for everyone
To demonstrate tools for working with QR codes I will use Kali Linux 2019.2 with Python 3.7 installed; the utilities need it to work correctly.
Don't forget about criminal liability for the creation and distribution of malicious programs, which in a broad sense also include our “charged” QR codes.
Let's start with QRGen, a utility that generates QR codes with payloads encoded in them. The utility (and the attack vector as a whole) is aimed at poorly protected, little-known or highly specialized software, such as warehouse QR scanners that turn scanned codes into SQL queries against the company's database. Most modern scanners, for security reasons, do not execute a script found in a QR code.
So there are two possible outcomes after scanning: the scanner simply displays the contents of our image (which gives us nothing), or it passes the payload hidden in the image on to the DBMS or web API, where the attacker's injected query or command is executed.
QRGen allows you to use ready-made options or set them yourself.
Install QRGen by cloning the repository, then go into its folder:
git clone https://github.com/h0nus/QRGen
cd QRGen && ls
QRGen requires Python 3.6 or higher. If an error occurs, try updating the interpreter.
Install all the dependencies and run the script itself:
pip3 install -r requirements.txt
## or: python3 -m pip install -r requirements.txt
python3 qrgen.py
Running the script with no arguments prints the help (the -h key prints the same). Launching it with the -l key and a category generates QR codes from that category. There are eight categories in all:
- SQL injection.
- XSS.
- Command injection.
- Format string.
- XXE injection.
- String fuzzing.
- SSI injection.
- LFI (access to files and directories that should stay hidden).
Now let's look at an example from each category and work out what damage they can do and to which devices. One of the generated payloads, for instance, is "A" x 33 (the letter A repeated 33 times).
The text files with all the payload options are in the words folder, organised by the categories above.
Now a few words about the consequences of attacks with such payloads.
The first class, SQL injection, is used to break into databases and disrupt websites: a crafted query can, for example, make the site hang.
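To make the warehouse-scanner scenario concrete, here is an added example (mine, not from the article or from QRGen) of a lookup backend that turns the scanned text straight into a SQL query, next to the parameterised version. It uses an in-memory SQLite table with constructed rows; the payloads are in the spirit of QRGen's SQL injection category but written here, and the function and table names are assumptions.

```python
import sqlite3


def build_db():
    """Constructed stand-in for the warehouse inventory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE inventory (sku TEXT, item TEXT, qty INTEGER)")
    conn.executemany(
        "INSERT INTO inventory VALUES (?, ?, ?)",
        [("SKU-1001", "pallet jack", 4),
         ("SKU-1002", "forklift battery", 2),
         ("SKU-1003", "shrink wrap", 120)],
    )
    return conn


def lookup_vulnerable(conn, scanned):
    # Bug: the scanned text is pasted into the statement, so quotes and SQL
    # keywords in the QR payload change the query itself.
    sql = "SELECT sku, item, qty FROM inventory WHERE sku = '%s'" % scanned
    return conn.execute(sql).fetchall()


def lookup_safe(conn, scanned):
    # Fix: parameter binding; the scanned text can only ever be a value.
    return conn.execute(
        "SELECT sku, item, qty FROM inventory WHERE sku = ?", (scanned,)
    ).fetchall()


# Constructed QR payloads of the kind the SQL injection category produces
PAYLOAD_DUMP_ALL = "' OR '1'='1"                                   # every row
PAYLOAD_SCHEMA = "' UNION SELECT name, sql, 0 FROM sqlite_master --"  # table DDL
PAYLOAD_STACKED = "'; DROP TABLE inventory; --"                    # second statement


def stacked_statement_rejected(conn, scanned=PAYLOAD_STACKED):
    # Caveat: Python's sqlite3 runs one statement per execute() call, so the
    # stacked DROP is refused here. Drivers and DBMSs that allow multi-statement
    # execution would run it; do not rely on this as a defence.
    try:
        lookup_vulnerable(conn, scanned)
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    print("legit      :", lookup_vulnerable(db, "SKU-1002"))
    print("dump all   :", lookup_vulnerable(db, PAYLOAD_DUMP_ALL))
    print("schema     :", lookup_vulnerable(db, PAYLOAD_SCHEMA))
    print("stacked    :", stacked_statement_rejected(db))
    print("safe lookup:", lookup_safe(db, PAYLOAD_DUMP_ALL))
```

The UNION payload is the one worth remembering for this scenario: a scanner that only ever shows "found / not found" still leaks the schema through an error-free query, and the attacker never needs a shell, only a printed sticker.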
The second example demonstrates exploitation of an XSS vulnerability in a web application via an SVG (Scalable Vector Graphics) image. You know perfectly well what XSS can lead to, so I will not dwell on it.
The third example displays /etc/passwd on the victim's screen: the list of accounts on a Linux system with additional information about them (historically it also held their password hashes). In such cases one usually goes on to fetch /etc/shadow and the server configuration, but it all depends on the goal, so which files to read is up to you.
The fourth example is an expression that causes a buffer overflow. This happens when more data is written to or read from a buffer than it can hold; the program may crash or hang, which amounts to a denial of service (DoS). Some kinds of overflow let an attacker inject and run arbitrary machine code inside the program, with the privileges of the account it runs under, which makes this bug class quite dangerous.
The fifth class, XXE injection, extracts hidden information from a web server by abusing the way it parses external entities in XML. In our example the server answers the request with the contents of the already-mentioned /etc/passwd, Base64-encoded. Decoding it is no trouble: use the base64 utility built into most Linux distributions, or an online converter.
Format string attacks (example 6) are a class of vulnerabilities in which language-specific format markers are supplied to crash a program or execute arbitrary code. Put more plainly: the application fails to strip control sequences from user input, and those sequences are then interpreted. If you have programmed in C, you will remember the quirks of printing variables with printf: the first argument (a string) has to specify the type of each value to print (%d for a decimal integer, and so on).
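The same bug class exists outside C. Since the other examples here are in Python, this added example (mine, not from the article or QRGen) shows it in a Python backend: str.format applied to a string that already contains the scanned text, so format markers in the QR payload are interpreted. The class ScannerConfig, the constructed secrets and the function names are my own.

```python
SECRET_API_KEY = "sk-constructed-example"   # constructed secret living in module globals


class ScannerConfig:
    """Constructed configuration object handed to the rendering code."""

    def __init__(self):
        self.db_password = "hunter2"        # constructed secret on the object


def render_vulnerable(scanned, cfg):
    # Bug: the scanned text becomes part of the *format string*, so any
    # {...} markers in the QR payload are evaluated by str.format against
    # the keyword arguments, here the live config object.
    template = "Scanned label: " + scanned
    return template.format(cfg=cfg)


def render_safe(scanned, cfg):
    # Fix: the template is a constant; the scanned text is only ever a value.
    return "Scanned label: {label}".format(label=scanned)


def crashes(scanned, cfg):
    # Malformed markers abort the handler: the crash / DoS case from the text.
    try:
        render_vulnerable(scanned, cfg)
    except (ValueError, KeyError, IndexError, AttributeError):
        return True
    return False


# Constructed payloads of the format-string kind
PAYLOADS = [
    "{cfg.db_password}",                             # read an attribute of the argument
    "{cfg.__init__.__globals__[SECRET_API_KEY]}",   # walk from a method to module globals
    "{",                                             # malformed marker -> exception
]


if __name__ == "__main__":
    cfg = ScannerConfig()
    for p in PAYLOADS:
        if crashes(p, cfg):
            print(f"{p!r:48} -> exception")
        else:
            print(f"{p!r:48} -> {render_vulnerable(p, cfg)!r}")
    print("safe:", render_safe(PAYLOADS[0], cfg))
```

The second payload is the Python counterpart of reading the stack with %x in C: attribute and item access inside a replacement field walk from the object you were given to every global in the module, so a format string over untrusted text is a read primitive, not merely a crash.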
The seventh item is a command injection variant that executes a given command on the server side. In my example the command is ls, which lists the current directory, but of course something far more dangerous could be there.
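An added example (not from the article or QRGen) of the server-side sink that makes the seventh category work: the scanned text is spliced into a shell command line. echo stands in for whatever tool a real label or lookup service would call, and the payload appends echo INJECTED rather than ls so the output is deterministic; the function names are assumptions.

```python
import subprocess


def print_label_vulnerable(scanned):
    # Bug: the scanned text is concatenated into a command line that a shell
    # parses, so ';', '|', '$(...)' and friends in the QR payload become
    # additional commands. echo stands in for the real tool.
    cmd = "echo Printing label for " + scanned
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def print_label_safe(scanned):
    # Fix: no shell at all. The command is an argv list, so the scanned text
    # is delivered to the program as a single argument, metacharacters included.
    # (If a shell is unavoidable, shlex.quote() the value instead.)
    return subprocess.run(["echo", "Printing label for", scanned],
                          capture_output=True, text=True).stdout


# Constructed QR payload: a valid-looking SKU followed by a second command
PAYLOAD = "SKU-1001; echo INJECTED"


if __name__ == "__main__":
    print("vulnerable:", repr(print_label_vulnerable(PAYLOAD)))
    print("safe      :", repr(print_label_safe(PAYLOAD)))
```

With shell=True the payload yields two lines of output, the second produced by the injected command; with the argv form the whole payload is printed back as one literal argument.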
Finally, the last category is LFI (Local File Inclusion): vulnerabilities that let you read files and folders on vulnerable (or misconfigured) servers that should not be visible to everyone. One option is to read /etc/passwd, which we have mentioned more than once. It might look like this.
Note that the test web application is DVWA (Damn Vulnerable Web Application), which was built specifically for practising penetration testing; many web attacks can be rehearsed on it.
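The third and eighth examples both end in reading a file the server should not expose. The following added example (mine, not the article's, and unrelated to DVWA) shows that sink in a Python service that opens a label file named by the scanned text, alongside the path check that stops traversal. The directory layout and file contents are constructed in a temporary directory; the function names are assumptions.

```python
import os
import tempfile


def setup_demo_tree(base):
    """Constructed layout: label files under labels/, a secret one level up."""
    labels = os.path.join(base, "labels")
    os.makedirs(labels, exist_ok=True)
    with open(os.path.join(labels, "SKU-1001.txt"), "w") as f:
        f.write("pallet jack, bay 12\n")
    with open(os.path.join(base, "secret.conf"), "w") as f:
        f.write("db_password=hunter2\n")       # constructed secret
    return labels


def read_label_vulnerable(base, scanned):
    # Bug: the scanned text is joined onto the directory unchecked. '..'
    # climbs out of labels/, and an absolute name such as /etc/passwd makes
    # os.path.join discard the base directory entirely.
    with open(os.path.join(base, "labels", scanned)) as f:
        return f.read()


def read_label_safe(base, scanned):
    # Fix: resolve the final path (symlinks and '..' included) and confirm it
    # is still inside labels/ before opening it. commonpath compares whole
    # path components, so "labels-evil" does not pass as a prefix of "labels".
    root = os.path.realpath(os.path.join(base, "labels"))
    target = os.path.realpath(os.path.join(root, scanned))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError("path escapes label directory: %r" % scanned)
    with open(target) as f:
        return f.read()


def run_demo():
    """Exercise both readers against constructed payloads; returns the outcomes."""
    base = tempfile.mkdtemp(prefix="qr-lfi-")
    setup_demo_tree(base)
    results = {
        "legit": read_label_vulnerable(base, "SKU-1001.txt"),
        "leak": read_label_vulnerable(base, "../secret.conf"),
        "safe_legit": read_label_safe(base, "SKU-1001.txt"),
    }
    for key, payload in (("blocked_traversal", "../secret.conf"),
                         ("blocked_absolute", "/etc/passwd")):
        try:
            read_label_safe(base, payload)
            results[key] = False
        except PermissionError:
            results[key] = True
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:18}: {value!r}")
```

The check must happen on the resolved path, not on the raw string: stripping "../" from input is easily bypassed ("....//"), whereas comparing realpath() results against the intended root is a property of the final file system path itself.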
Now let's move on to practice – let's test this utility ourselves.
Continuation is available only to participants