lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Mon, 15 Jan 2018 04:29:54 -0200
From: Rodrigo Menezes <rodrigo@...idlight.io>
To: "fulldisclosure" <fulldisclosure@...lists.org>
Subject: [FD] [CVE-2018-5258] Neon 1.6.14 for iOS Missing SSL Certificate
 Validation

Title 

========

Neon 1.6.14 for iOS Missing SSL Certificate Validation



Date

========

2018-01-15



Author

========

Rodrigo Laneth

Twitter: @rlaneth



CVE-ID

========

CVE-2018-5258



Vendor

========

Banco Neon S.A.



Software

========

Neon

https://itunes.apple.com/app/neon/id1127996388



Version

========

1.6.14

Previous versions have not been tested, but may also be affected.



Platform

========

iOS



Summary

========

The Neon app 1.6.14 for iOS does not verify X.509 certificates from SSL servers,

which allows man-in-the-middle attackers to spoof servers and obtain sensitive

information via a crafted certificate.



Details

========

The app does not validate SSL certificates from the

webapimethods.banconeon.com.br and servicos.banconeon.com.br hosts, allowing a

man-in-the-middle attacker to silently intercept requests.



In addition to SSL, the app implements a custom layer of encryption. It does

not, however, serve as an effective protection against attacks. One of its

weaknesses is that it encrypts sensitive data with AES using a key received from

the server when the user logs in; although this key is RSA encrypted when

transmitted, the private keys necessary for its decryption are hardcoded within

the app, and therefore could be easily obtained by an attacker.



Sensitive user information such as name, virtual card number, expiration date 

and verification code (CVV) have been confirmed to be recoverable through the

exploitation of this vulnerability and the weaknesses present in the app's

custom encryption layer.



Response

========

Up to date, Banco Neon S.A. has not yet addressed this vulnerability.



Timeline

========

- [2017-12-30] First attempt to contact the vendor (no response).



- [2017-01-06] Second attempt to contact the vendor. The vendor affirms the

  report will be forwarded to the app's development team, but does not provide a

  deadline for the release of an update addressing the issue.



- [2017-01-13] Vendor is informed of the assignment of a CVE ID and the planned

  date for disclosure. The vendor affirms the issue is being investigated by the

  app's development team, not providing any new information.



- [2017-01-15] Full disclosure.



_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux - Powered by OpenVZ