quick editing pass

This commit is contained in:
maia arson crimew 2023-07-24 16:57:37 +02:00
parent 2abd455256
commit b65d35a79d


@ -18,13 +18,13 @@ content_warnings:
> the intro to this series and the concept of stalkerware can be found [here](/posts/fuckstalkerware-0/)
this is a rather technical deep dive into how i hacked SpyHide and a bit of [my own analysis](#analysis), for a less technical and more journalistic approach to the breach you can read [this exclusive piece in techcrunch](link).
this is a rather technical deep dive into how i hacked [SpyHide](https://cellphone-remote-tracker.com) (sometimes referred to by the shortening CRT, their .com domain) and a bit of [my own analysis](#analysis), for a less technical and more journalistic approach to the breach you can read [this exclusive piece in techcrunch](link).
when i started work on the #FuckStalkerware series i did what i always do first, scanning for super low hanging fruit vulns without expecting much. so as i was running as scan over the target list for .git exposure (which happens when a website is deployed via git but the webserver isn't configured not to serve contents of .git) in midst of various false positives there was an actual hit. using [goop](https://github.com/nyancrimew/goop) (an offensive git dumping tool i originally developed in 2020) i managed to download the full source code and git history for the account panel of SpyHide/cellphone-remote-tracker.com (CRT).
when i started work on the #FuckStalkerware series i did what i always do first, scanning for super low hanging fruit vulns without expecting much. so as i was running as scan over the target list for .git exposure (which happens when a website is deployed via git but the webserver isn't configured not to serve contents of the .git directory) among various false positives there was an actual hit. using [goop](https://github.com/nyancrimew/goop) (an offensive git dumping tool i originally developed in 2020) i managed to download the full source code and git history for the account panel of SpyHide.
![the goop command line tool being used to download the source code to account.cellphone-remote-tracker.com](/img/posts/fuckstalkerware-2/goop.jpg)
and so i began digging into the repository, first with a focus mostly on figuring out some background info on spyhide/CRT. let's start with some git metadata, a look at the `.git/config` file reveals that the code is hosted in a private repository on the [`virsysplaytech`](https://github.com/virsysplaytech) ([archived](https://web.archive.org/web/20230713150318/https://github.com/virsysplaytech/)) github account.
and so i began digging into the repository, first with a focus mostly on figuring out some background info on spyhide. let's start with some git metadata: a look at the `.git/config` file reveals that the code is hosted in a private repository on the [`virsysplaytech`](https://github.com/virsysplaytech) ([archived](https://web.archive.org/web/20230713150318/https://github.com/virsysplaytech/)) github account.
```ini
[remote "origin"]
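Review bot: the rewritten intro line still points the techcrunch reference at a placeholder, `[this exclusive piece in techcrunch](link)`; that needs the real URL before the post goes out. In the same hunk, `running as scan over the target list` is carried over unchanged from the old line and should read `running a scan over the target list`. The wording change from "isn't configured not to serve contents of .git" to "the .git directory" is an improvement; consider also saying that it is the whole directory (objects and refs, not just config) that has to be blocked, since that is what lets goop reconstruct the history.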
@ -32,7 +32,7 @@ and so i began digging into the repository, first with a focus mostly on figurin
fetch = +refs/heads/*:refs/remotes/origin/*
```
the account name says "Arasteh" and the bio reads "CEO of Decima Tech", which we should keep in mind, because both already appear again immediately, though virsys with slightly different spelling, in the list of git commit authors:
the account name says "Arasteh" and the bio reads "CEO of Decima Tech", , which (along with the "virsysplaytech" name above) we should keep in mind, because they also appear in the list of git commit authors (with a slightly different spelling of virsys):
```bash
nyancrimew@meowcbook CRTPanel % git shortlog --summary --numbered --all -e
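Review bot: the new line has a doubled comma in `"CEO of Decima Tech", , which (along with`; drop one. Otherwise the rewording reads correctly, and moving the reminder about the `virsysplaytech` name into the parenthetical makes the commit-author list that follows easier to connect to the github account.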
@ -40,13 +40,13 @@ nyancrimew@meowcbook CRTPanel % git shortlog --summary --numbered --all -e
34 root <root@server.virsis.net>
1 Arasteh <83481775+virsysplaytech@users.noreply.github.com>
```
so the CRT site appears to be hosted on a server called server.virsis.net, and we have the only real dev behind their php infrastructure. mojmadah (Mohammad Aresteh, oh here is that name again) is fairly easily googleable, and it turns out his email address has been used to [register various domain names](https://website.informer.com/email/mojmadah@gmail.com) (which given these companies are all called decima* also confirms that virsysplaytech is Mohammad's account). Based on further clues in the source code, OSINT, as well as having owned the decima [ERP system](https://en.wikipedia.org/wiki/Enterprise_resource_planning) they used for a bit in 2021 (story for another day), it can also be concluded that Mohammad also goes by Mahdi/Mehdi (مهدى) and the username mahdi110 in various places. i reached out to mohammad for comment via email as well as telegram (where he blocked me), at the time of publishing i have not received any real response.
so the spyhide site appears to be hosted on a server called server.virsis.net, and we have the only real dev behind their php infrastructure. mojmadah (Mohammad Aresteh, oh here is that name again) is fairly easily googleable, and it turns out his email address has been used to [register various domain names](https://website.informer.com/email/mojmadah@gmail.com) (which given these companies are all called decima* also confirms that virsysplaytech is Mohammad's account). based on further clues in the source code, OSINT, as well as having owned the decima [ERP system](https://en.wikipedia.org/wiki/Enterprise_resource_planning) they used for a bit in 2021 (story for another day), it can also be concluded that Mohammad also goes by Mahdi/Mehdi (مهدى) and the username mahdi110 in various places. i reached out to mohammad for comment via email as well as telegram (where he blocked me) - at the time of publishing i have not received any real response.
so the people involved, as well as the source code and references to a formerly existing iranian front for SpyHide (spyhide.ir) is how it at least became clear that spyhide is software by an iranian company called virsys or virsis. and that's about all i managed to gather about the backgrounds of this company from surface research based on the repository, so it's time to move on to the real fun stuff! diving into the source code and...
so the people involved, as well as the source code and references to a former iranian front for SpyHide (spyhide.ir) is how it at least became clear that spyhide is software by an iranian company called virsys or virsis. and that's about all i managed to gather about the backgrounds of this company from surface research based on the repository, so it's time to move on to the real fun stuff! diving into the source code and...
## finding something to exploit
i got going by just scouring through the source code, pretty much at random, slowly trying to build an image of how their (oh so incredibly shoddy) backend works. lots of the php files seemed unused, were back up copies of now changed scripts (which seems rather unneccessary given the use of git, but i digress) or had `_new` versions. so here is a mostly unfiltered look into my research notes of this stage:
i got going by just scouring through the source code, pretty much at random, slowly trying to build an image of how their (oh so incredibly shoddy) backend works. lots of the php seemed unused, were back up copies of now changed scripts (which seems rather unneccessary given the use of git, but i digress) or had `_new` versions. here is a mostly unfiltered look into my research notes of this stage:
auth cookies are in the format of `userid.passwordmd5.lang.timezone.db_type`
* user ids are sequential
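Review bot: `Mohammad Aresteh` in the rewritten paragraph is spelled differently from the `Arasteh` used for the github account name and for the commit author two lines above; since the paragraph's point is that the names match, either use one spelling or say the variants are deliberate. Smaller things in the same hunk: `unneccessary` should be `unnecessary`, `back up copies` should be `backup copies`, and the second sentence of that paragraph is a long run-on that would read better split after `backend works`. The research-notes list that opens with `userid.passwordmd5.lang.timezone.db_type` would also benefit from one sentence on why that format matters: an auth cookie that embeds an md5 of the password hands the hash to anyone who can read the cookie, and with sequential user ids (the next bullet) the other fields are guessable.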
@ -80,7 +80,7 @@ if(!in_array($ext,$allowed) ) {
there is a check to only allow `.mp3` and `.3gp` files respectively which clearly references potential hacks, however the check isn't actually used for anything besides a now commented out log message. so even there it would still be possible to upload whatever i want.
the only problem i still had with all off these endpoints is that i needed a victim device registered to my account (or just know any active device id) to make use of them. since i had only just moved flats and not yet unpacked everything i didn't have a throwaway test device at hand to throw stalkerware at, so i guess i had to also figure out how to do the api calls to register a device myself. once i managed to understand the confusing logic of different account types this turned out to actually be pretty simple, so i now had a device with the definitely very numeric id `maia`.
the only problem i still had with all off these endpoints is that i needed a victim device registered to my account (or just know any active device id) to make use of them. since i had only just moved flats and not yet unpacked everything i didn't have a throwaway test device at hand to throw stalkerware at, i guess i had to also figure out how to do the api calls to register a device myself. once i managed to understand the confusing logic of different account types this turned out to actually be pretty simple, so i now had a device with the definitely very numeric id `maia`.
all that remained to do now to take over their server is to upload a base64 encoded [php webshell](https://github.com/b374k/b374k) using the `uploadPhoto` endpoint, and as a little extra flex and to make it slightly more convenient to access i also did a directory traversal placing the webshell at `/funky.php`. and baaaaaam
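Review bot: `all off these endpoints` survives in the new line; it should be `all of these endpoints`. The context line above it says the `.mp3`/`.3gp` extension check is not used for anything besides a commented-out log message, so when the next paragraph gets to uploading a php webshell through `uploadPhoto` it would help to state plainly that the allowlist is dead code and the upload path is effectively unfiltered, rather than leaving the reader to connect the two paragraphs. Likewise, the directory traversal that places the file at `/funky.php` is mentioned only in passing; one clause on which parameter carried the path would make the chain reproducible for readers.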
@ -96,7 +96,7 @@ as always i did my quick surface analysis to have a better idea of how to pitch
some of the users (operators) have multiple devices connected to their account, with some having as much as 30 devices theyve been watching over a course of multiple years, spying on everyone in their lives (sidenote: there is some sad irony to naming the device of someone you're stalking for literal years accross multiple phones with "\<name\> the crazy", like idk whos the fucked up one here).
i once again obviously also searched the email address and [email domain list](/files/posts/fuckstalkerware-2/email-domains.txt) (once again public, but since there is no email verification there is lots and lots of typoed and fucked up domains this time, also the script i used to make this list fucking sucks) for interesting email addresses. which in my book as always mostly means government email addresses, there are at least 190 users who have signed up with various government email addresses, at least 16 of which are US goverment addresses (there is even some .mil ones in there this time), many of which were correctional officers (use of commercial spyware in parole/house arrest ??), a massive amount of users from the brazilian and philippine departments of education, as well as 5 users from the colombian national police, indicating they at the very least seem to have evaluated commercial spyware at one point.
i once again obviously also searched the email address and [email domain list](/files/posts/fuckstalkerware-2/email-domains.txt) (once again public, but since there is no email verification there is lots and lots of typoed and fucked up domains this time, also the script i used to make this list fucking sucks) for interesting email addresses, which in my book as always mostly means government email addresses. there are at least 190 users who have signed up with various government email addresses, at least 16 of which are US goverment addresses (there is even some .mil ones in there this time), many of which were correctional officers (use of commercial spyware in parole/house arrest ??), a massive amount of users from the brazilian and philippine departments of education, as well as 5 users from the colombian national police, indicating they at the very least seem to have evaluated commercial spyware at one point.
spyhide also appears to keep data around for way longer than they even tell the operators, for photos and audio recordings they claim that all data will be deleted after 3 months, however i have found photos as well as recordings from all the way back in mid 2022. this data appears to only actually be deleted from storage when devices "expire", as in the operators stops paying for the subscription or they have been disconnected for a specific amount of time.
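Review bot: `goverment` in the new line should be `government`, and the unchanged context line above it still has `theyve` (`they've`), `accross` (`across`) and `as much as 30 devices` (`as many as 30 devices`). Splitting the sentence at `which in my book as always mostly means government email addresses.` is an improvement, but `many of which were correctional officers` is now ambiguous between the 16 US addresses and the 190 government users overall; say which group it refers to. The retention paragraph below makes a claim (photos and recordings from mid 2022 still present despite a stated 3-month deletion policy) that is the strongest finding in the hunk and is worth its own sentence on how "expire" was determined from the code.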
@ -104,4 +104,4 @@ spyhide also appears to keep data around for way longer than they even tell the
on the evening of sunday the 23rd i noticed that i could no longer sign into my testing account at spyhide, it appears that virsis has "responded to my request for comment" by closing up at least some of the holes. sign ups were disabled (except i think through the app ?), some database password were changed, my webshell removed and my account deleted. a quick check with goop shows that .git is still exposed and nothing else (including the arbitrary file upload) has been fixed.
the data from this leak will be available soon in limited distribution to other journalists and researchers via [DDoSecrets](https://ddosecrets.com) (please [support them financially](https://ddosecrets.charity)), this article will be updated to reflect that once that is the case. as always feel free to [contact](/contact) me with any tips, vulnerabilities (for this series and just in general), industry insider info or for journalistic inquiries.
the data from this leak will be available soon in limited distribution to other journalists and researchers via [DDoSecrets](https://ddosecrets.com) (please [support them financially](https://ddosecrets.charity)), this article will be updated to reflect that once that is the case. as always feel free to [contact](/contact) me with any tips, data, vulnerabilities, industry insider info (for this series and just in general) or for journalistic inquiries.
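Review bot: `some database password were changed` in the first line of this hunk should be `passwords`, and `except i think through the app ?` reads better as `(except, i think, through the app?)`. The same line says `.git is still exposed and nothing else (including the arbitrary file upload) has been fixed`; since the post documents a live arbitrary upload, consider stating the date of that re-check next to it so readers can tell how current the claim is. In the rewritten contact line, `(for this series and just in general)` now attaches to industry insider info rather than to tips and vulnerabilities; if it is meant to cover all of them, move it to the end of the list.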