From 5edecaa800541238da799d12df0cc0ba6172c800 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Sun, 21 Dec 2025 01:53:07 +0000 Subject: [PATCH] Add content from: Research Update: Enhanced src/network-services-pentesting/48... --- src/SUMMARY.md | 1 + .../inputmethodservice-ime-abuse.md | 1 + src/network-services-pentesting/4840-pentesting-opc-ua.md | 8 ++++++++ 3 files changed, 10 insertions(+) diff --git a/src/SUMMARY.md b/src/SUMMARY.md index fdf253b1bef..9ac5c0d0b19 100644 --- a/src/SUMMARY.md +++ b/src/SUMMARY.md @@ -375,6 +375,7 @@ - [Objection Tutorial](mobile-pentesting/android-app-pentesting/frida-tutorial/objection-tutorial.md) - [Google CTF 2018 - Shall We Play a Game?](mobile-pentesting/android-app-pentesting/google-ctf-2018-shall-we-play-a-game.md) - [In Memory Jni Shellcode Execution](mobile-pentesting/android-app-pentesting/in-memory-jni-shellcode-execution.md) + - [Inputmethodservice Ime Abuse](mobile-pentesting/android-app-pentesting/inputmethodservice-ime-abuse.md) - [Insecure In App Update Rce](mobile-pentesting/android-app-pentesting/insecure-in-app-update-rce.md) - [Install Burp Certificate](mobile-pentesting/android-app-pentesting/install-burp-certificate.md) - [Intent Injection](mobile-pentesting/android-app-pentesting/intent-injection.md) diff --git a/src/mobile-pentesting/android-app-pentesting/inputmethodservice-ime-abuse.md b/src/mobile-pentesting/android-app-pentesting/inputmethodservice-ime-abuse.md index 878d498c40e..8251e907770 100644 --- a/src/mobile-pentesting/android-app-pentesting/inputmethodservice-ime-abuse.md +++ b/src/mobile-pentesting/android-app-pentesting/inputmethodservice-ime-abuse.md 
@@ -81,3 +81,4 @@ adb shell ime help - **User/MDM**: allowlist trusted keyboards; block unknown IMEs in managed profiles/devices. - **App-side (high risk apps)**: prefer phishing-resistant auth (passkeys/biometrics) and avoid relying on “secret text entry” as a security boundary (a malicious IME sits below the app UI). +{{#include ../../banners/hacktricks-training.md}} diff --git a/src/network-services-pentesting/4840-pentesting-opc-ua.md b/src/network-services-pentesting/4840-pentesting-opc-ua.md index c85d3090fad..c2f99cae6e8 100644 --- a/src/network-services-pentesting/4840-pentesting-opc-ua.md +++ b/src/network-services-pentesting/4840-pentesting-opc-ua.md 
@@ -65,8 +65,14 @@ opalopc -vv opc.tcp://$target_ip_or_hostname:$target_port 1. Enumerate policies with `GetEndpoints` and note any `Basic128Rsa15` entries. 2. Negotiate that policy explicitly (`SecurityPolicyUri` in `CreateSession`), then run your oracle loop until the recovered key validates. 3. Abuse the key to forge a high-privilege session, switch roles, or silently downgrade other clients by acting as a rogue reverse proxy. +- **CODESYS Runtime Toolkit (<3.5.21.0)** re-enabled Basic128Rsa15 whenever integrators compile with `CMPOPCUASTACK_ALLOW_SHA1_BASED_SECURITY`. Flip that flag, re-run the oracle workflow above, and you can leak the runtime's private key to impersonate trusted engineering workstations until patch level 3.5.21.0 or later is deployed. - OPC Foundation simultaneously published CVE-2024-42513 for HTTPS bindings. Even if your target claims TLS, make sure it is not silently falling back to Basic128Rsa15 for the binary transport behind the proxy. +### 2024-2025 exploit watchlist + +- **open62541 fuzz_binary_decode (CVE-2024-53429):** SecureChannel chunks that declare oversized `ExtensionObject` bodies make the decoder dereference freed memory, so a pre-auth attacker can repeatedly crash UA servers that embed open62541 ≤1.4.6. Reuse the Claroty corpus (`opcua_message_boofuzz_db`) or craft your own Boofuzz harness to spam mutated `OpenSecureChannel` requests until the watchdog kills the process, then re-enumerate because many integrators fall back to anonymous mode after the reboot. +- **Softing OPC UA C++ SDK / edgeConnector / edgeAggregator (CVE-2025-7390):** The TLS client-auth pipeline accepts any certificate that replays a trusted Common Name, so you can mint a throwaway cert, copy the CN from a plant engineer, and log in with arbitrary `UserNameIdentityToken` or `IssuedIdentityToken` data. Pair this with a downgrade to Basic128Rsa15 to strip integrity checks and persistently impersonate operators until trustlists are rebuilt. 
+ ### Crafting OPC UA clients for exploitation - **Custom clients:** Drop-in libraries (python-opcua/asyncua, node-opcua, open62541) let you drive exploit logic yourself. Always enforce your target namespace index to avoid accidental cross-namespace writes when vendors reorder namespaces after firmware updates. @@ -114,6 +120,8 @@ Combine the search with vendor strings (`"Ignition OPC UA"`, `"KepServerEX"`) or - [https://opalopc.com/how-to-hack-opc-ua/](https://opalopc.com/how-to-hack-opc-ua/) - [https://github.com/claroty/opcua-exploit-framework](https://github.com/claroty/opcua-exploit-framework) - [https://certvde.com/en/advisories/VDE-2025-022/](https://certvde.com/en/advisories/VDE-2025-022/) +- [https://nvd.nist.gov/vuln/detail/CVE-2024-53429](https://nvd.nist.gov/vuln/detail/CVE-2024-53429) +- [https://industrial.softing.com/fileadmin/psirt/downloads/2025/CVE-2025-7390.html](https://industrial.softing.com/fileadmin/psirt/downloads/2025/CVE-2025-7390.html) {{#include ../banners/hacktricks-training.md}}
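Review bot: The inputmethodservice-ime-abuse.md hunk (together with its SUMMARY.md entry) is unrelated to the commit subject, which only names the 4840 OPC UA page; split it into its own commit or extend the subject/body so the history explains why the IME page gains its banner include here. The include path `../../banners/hacktricks-training.md` resolves to the same `src/banners/` file as the `../banners/` include used by the OPC UA page, so the path itself is consistent.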
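Review bot: In the 4840-pentesting-opc-ua.md hunk at `@@ -65,8 +65,14 @@`, the new CODESYS bullet is inserted as a `-` item between step `3.` of the numbered oracle workflow and the existing `- OPC Foundation ...` bullet, so it reads as part of the step list; move it after the OPC Foundation bullet or into the new `### 2024-2025 exploit watchlist` section. The two watchlist bullets should also name the fixed releases rather than only an affected range (`open62541 ≤1.4.6` is given, the Softing SDK/edgeConnector/edgeAggregator entry gives no version at all), since a reader checking a site needs the patch level to tell vulnerable from remediated deployments. The closing claim that `many integrators fall back to anonymous mode after the reboot` has no source in the hunk or in the added references; cite it or reword it as a post-restart check of the endpoint's `UserTokenPolicy` list.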
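Review bot: In the references hunk at `@@ -114,6 +120,8 @@`, links are added for CVE-2024-53429 and CVE-2025-7390, but nothing is added for the new CODESYS Runtime Toolkit statement (`CMPOPCUASTACK_ALLOW_SHA1_BASED_SECURITY`, fixed in 3.5.21.0); if the existing `VDE-2025-022` entry is its source, say so in that bullet, otherwise add the CODESYS advisory so the build-flag and version claims are verifiable.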