mvt-project / mvt

MVT (Mobile Verification Toolkit) helps with conducting forensics of mobile devices in order to find signs of a potential compromise.
https://mvt.re

SQL Injection - Leads to false positive results - #318

Closed jonathandata1 closed 1 year ago

jonathandata1 commented 1 year ago

MVT-Tool is not hashing DataUsage.sqlite when it is using it as a method to check for IOCs.

It is possible to inject data into the ZPROCESS table and fake an infection based on the fact that MVT-Tool is looking only for keywords.

Prep:

You can download the CSV I used to inject here https://github.com/jonathandata1/Pegasus-CatalanGate-False-Positives/blob/main/IOC_CSV/ZPROCESS_2.csv

0d609c54856a9bb2d56729df1d68f2958a88426b = DataUsage.sqlite

  1. Make an encrypted backup
  2. decrypt with mvt tool
  3. cd into the decrypted backup folder
  4. sqlite3 0d609c54856a9bb2d56729df1d68f2958a88426b ".import --csv ZPROCESS_2.csv ZPROCESS"

I was able to create false positive results for all processes listed in the Amnesty Investigations. To prove that this method works to forge false positive results for the processes, I added a record that was not part of the processes.

The CSV file injected into the sqlite db contains this record at the end

236 7 3 482697172.9 482697172.9 com.apple.CrashReporter.plist com.apple.CrashReporter.plist

The MVT-Tool does not recognize this as an indicator of compromise for processes but successfully recognizes all 80 processes as malicious.

Result

Without having the physical device, and without hashing the databases suspected to hold the IOCs, reliance on a backup provided by a client or a backup taken by a 3rd party forensics team cannot guarantee the integrity of the backup.

[Attachment: Picture1.png]

MementoMortes commented 1 year ago

This issue is wrongly categorized as SQL Injection. The .csv is manually imported via the sqlite database. No injection is involved.

The "attack scenario" described here assumes that the person using MVT deliberately wants their device to appear infected, therefore manually imports IOC sample strings into a database of an extracted device backup.

Jonathan seems to assume that data collected by arbitrary people via MVT is provided to courts as evidence and forwarded to forensic experts for further investigation and therefore cannot be trusted.

Maybe it would make sense to further expand the tool's disclaimer on who is expected to use the tool for what purpose and what the output of the tool is meant to be used for. Apparently that is still not clear.

jonathandata1 commented 1 year ago

This issue is wrongly categorized as SQL Injection. The .csv is manually imported via the sqlite database. No injection is involved.

The "attack scenario" described here assumes that the person using MVT deliberately wants their device to appear infected, therefore manually imports IOC sample strings into a database of an extracted device backup.

Jonathan seems to assume that data collected by arbitrary people via MVT is provided to courts as evidence and forwarded to forensic experts for further investigation and therefore cannot be trusted.

Maybe it would make sense to further expand the tool's disclaimer on who is expected to use the tool for what purpose and what the output of the tool is meant to be used for. Apparently that is still not clear.

"Jonathan seems to assume that data collected by arbitrary people via MVT is provided to courts as evidence and forwarded to forensic experts for further investigation and therefore cannot be trusted."

Cool opinions - How about let's push to get this tool fixed so that things like this don't happen. How about adding logic that stops something like this from happening. Also... You don't understand what an SQL injection is, let me help you.

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands.

No, a disclaimer is not what is needed, LOGIC is needed.

MementoMortes commented 1 year ago

You cannot fix what is not broken. Your attack scenario is flawed, as is your solution. The tool is doing what it's supposed to do: find potential indicators of a compromise. If you manipulate the evidence, it's not the job of this tool to detect that. That is the job of the forensic process.

With your way of thinking, a malicious actor could just as well manipulate the tool itself to tamper with the data while processing it.

And no, it is not an SQL Injection, not even per your provided definition. You are literally providing the terminal command to import CSV data into an SQLite database.

abashinfection commented 1 year ago

in order to affect the execution of predefined SQL commands

Where is the predefined command you are injecting into?

Seems like you don't understand SQL injection, same as you don't understand RCE vulns.

jonathandata1 commented 1 year ago

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands.

go argue

in order to affect the execution of predefined SQL commands

Where is the predefined command you are injecting into?

Seems like you don't understand SQL injection, same as you don't understand RCE vulns.

Seems like you want to make up your own definition of SQL injection just like you want to make up your own definition of RCE

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands.

MementoMortes commented 1 year ago

Every time you repeat this definition and still fail to realize you are wrong, you just confirm that you have no technical understanding of what this definition means. The OWASP definition even lists examples. Please read them and try to understand them.

abashinfection commented 1 year ago

Seems like you want to make up your own definition of SQL injection just like you want to make up your own definition of RCE

I'm making up my own definition by... literally quoting your definition? Makes sense.

jonathandata1 commented 1 year ago

Every time you repeat this definition and still fail to realize you are wrong, you just confirm that you have no technical understanding of what this definition means. The OWASP definition even lists examples. Please read them and try to understand them.

Typical troll response: no proof, no resource, nothing, just defaulting to "you're wrong."

The more you comment to me on this issue, the worse you make this repo look, by the way.

jonathandata1 commented 1 year ago

Seems like you want to make up your own definition of SQL injection just like you want to make up your own definition of RCE

I'm making up my own definition by... literally quoting your definition? Makes sense.

I gave you the definition you gave me nothing.

jonathandata1 commented 1 year ago

Every time you repeat this definition and still fail to realize you are wrong, you just confirm that you have no technical understanding of what this definition means. The OWASP definition even lists examples. Please read them and try to understand them.

Why are you not trolling on my Domain History issue I posted lol...

ruppde commented 1 year ago

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands.

so this is a SQL injection for you? :)

$ mysql -e "SELECT * FROM db.table;"

xndr commented 1 year ago
4. sqlite3 0d609c54856a9bb2d56729df1d68f2958a88426b ".import --csv ZPROCESS_2.csv ZPROCESS"

That is not an SQL Injection. Manually importing data into a database, using a database management tool for its intended purpose, is not an SQL injection. The original logs aren't signed as they could be on a system such as Linux using journald with signed log records (FSS), so there's no guarantee either way to know that the logs are intact or tampered. MVT only looks for indicators typically left by malware, and there is no difference between the traces left by malware and someone intentionally importing those same traces.

jonathandata1 commented 1 year ago
4. sqlite3 0d609c54856a9bb2d56729df1d68f2958a88426b ".import --csv ZPROCESS_2.csv ZPROCESS"

That is not an SQL Injection. Manually importing data into a database, using a database management tool for its intended purpose, is not an SQL injection. The original logs aren't signed as they could be on a system such as Linux using journald with signed log records (FSS), so there's no guarantee either way to know that the logs are intact or tampered. MVT only looks for indicators typically left by malware, and there is no difference between the traces left by malware and someone intentionally importing those same traces.

The SQL injection definition is irrelevant at this point; it's literally just people trying to deny exactly what you said, so thank you for stepping up and saying it.

"MVT only looks for indicators typically left by malware, and there is no difference between the traces left by malware, and someone intentionally importing those same traces."

You're right there is no difference, thus logic needs to be added to make sure there is a distinction.

Thanks again.

ruppde commented 1 year ago

you essentially describe a self hack and your proposed solution could also be self hacked by altering the integrity hash wherever it would be stored in mvt.
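The integrity check proposed in the original report (hash the backup databases before MVT reads them), taken together with two objections raised above (xndr: the records are not signed, so post-acquisition tampering cannot be told apart from genuine traces; ruppde: a plain hash stored next to the backup can simply be rewritten by the same person), as an added example that is not MVT's own code: a keyed manifest (HMAC-SHA256) over every file in a decrypted backup directory, where the key is held by whoever acquired the backup and never stored with it. Everything below is constructed for the demonstration: the directory and file contents are placeholders, and the file named after the DataUsage.sqlite hash quoted in the report is used only as an illustrative path.

```python
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # read files in 1 MiB pieces so large databases need not fit in memory


def hash_tree(root: Path) -> dict:
    """SHA-256 of every regular file under root, keyed by its relative POSIX path."""
    digests = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        h = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(CHUNK), b""):
                h.update(chunk)
        digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def _canonical(digests: dict) -> bytes:
    # Stable serialisation so the same file set always yields the same bytes to authenticate.
    return json.dumps(digests, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(digests: dict, key: bytes) -> dict:
    """Manifest = per-file digests plus an HMAC over them; the key never lives in the backup."""
    tag = hmac.new(key, _canonical(digests), hashlib.sha256).hexdigest()
    return {"files": digests, "hmac": tag}


def verify_manifest(root: Path, manifest: dict, key: bytes) -> dict:
    """Check that the manifest was made with our key and that the tree still matches it."""
    expected = hmac.new(key, _canonical(manifest["files"]), hashlib.sha256).hexdigest()
    authentic = hmac.compare_digest(expected, manifest["hmac"])
    recorded, current = manifest["files"], hash_tree(root)
    return {
        "authentic": authentic,
        "modified": sorted(p for p in recorded if p in current and current[p] != recorded[p]),
        "removed": sorted(p for p in recorded if p not in current),
        "added": sorted(p for p in current if p not in recorded),
    }


def demo() -> tuple:
    """Run the check against a constructed backup directory; returns (clean, tampered, forged) reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed stand-ins: the file name is the DataUsage.sqlite hash quoted in the report,
        # the contents are placeholder bytes, not a real SQLite database.
        db = root / "0d609c54856a9bb2d56729df1d68f2958a88426b"
        db.write_bytes(b"SQLite format 3\x00" + b"\x00" * 64)
        (root / "Manifest.db").write_bytes(b"constructed placeholder")

        key = os.urandom(32)  # held by the acquiring team, stored apart from the backup
        manifest = sign_manifest(hash_tree(root), key)
        clean = verify_manifest(root, manifest, key)

        # Any change to the database after acquisition (rows added, file rewritten) alters its digest.
        db.write_bytes(db.read_bytes() + b"\x00" * 8)
        tampered = verify_manifest(root, manifest, key)

        # Regenerating the manifest to match the changed tree does not help without the key:
        # the digests agree with the files, but the HMAC check fails.
        forged = sign_manifest(hash_tree(root), b"not the acquisition key")
        forged_check = verify_manifest(root, forged, key)
        return clean, tampered, forged_check


if __name__ == "__main__":
    for label, report in zip(("clean", "tampered", "forged"), demo()):
        print(label, json.dumps(report))
```

The report separates two questions: whether the manifest itself is authentic (made with the held key) and which files changed since it was written. A manifest rewritten to match an altered tree fails the first test even though every digest matches the second, which is what answers the "just alter the hash wherever it is stored" objection. What it cannot answer is xndr's point: the manifest only proves nothing changed after it was made, and says nothing about what was on the device before acquisition.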

ornaeric commented 1 year ago

This issue is wrongly categorized as SQL Injection. The .csv is manually imported via the sqlite database. No injection is involved. The "attack scenario" described here assumes that the person using MVT deliberately wants their device to appear infected, therefore manually imports IOC sample strings into a database of an extracted device backup. Jonathan seems to assume that data collected by arbitrary people via MVT is provided to courts as evidence and forwarded to forensic experts for further investigation and therefore cannot be trusted. Maybe it would make sense to further expand the tool's disclaimer on who is expected to use the tool for what purpose and what the output of the tool is meant to be used for. Apparently that is still not clear.

"Jonathan seems to assume that data collected by arbitrary people via MVT is provided to courts as evidence and forwarded to forensic experts for further investigation and therefore cannot be trusted."

Cool opinions - How about let's push to get this tool fixed so that things like this don't happen. How about adding logic that stops something like this from happening. Also... You don't understand what an SQL injection is, let me help you.

A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to affect the execution of predefined SQL commands.

No, a disclaimer is not what is needed, LOGIC is needed.

The tool doesn't need to be fixed. It works perfectly for the people with the knowledge and skills to understand it. You are not one of those people. The only colleges that would accept you were for-profit schools. You tried to get a PhD from an "accredited" school but even they couldn't handle your nonsense and kicked you out. They are literally only in business to take money and hand out worthless degrees, and your BS was too much.

Why don't you focus on paying your cousin the $160,000 you owe him for filing frivolous lawsuits against him? Blancco would like you to start making payments on that $1.5 million you scammed them out of.

spv420 commented 1 year ago

the more this goes on the more i think jonathan is intentionally being a bullshit artist for some reason instead of just being an absolute retard