Browser Exploits - Attacks and Defense - Saumil Shah, Net Square
PhlashDance, discovering permanent denial of service attacks against embedded systems - Rich Smith, HP Labs
Satellite Systems - Adam Laurie, RFIDIOt.org
Phoenix, and automated vulnerability finding - Tim Burrell, Microsoft
Building the bridge between the Web Application and the OS: GUI access through SQL Injection - Alberto Revelli, Portcullis
WebSphere MQ Security - Martyn Ruks, MWR InfoSecurity
Cisco IOS Rootkits - Sebastian Muñiz, Core
Attacking Near Field Communications (NFC) Mobile Phones - Collin Mulliner, trifinite
Abusing X.509 certificate features - Alexander Klink, Cynops GmbH
One Token to Rule Them All: Post-Exploitation Fun in Windows Environments - Luke Jennings, MWR InfoSecurity
Advances in attacking interpreted languages - Justin Ferguson
Synthesizing PDF Attacks - Aditya K Sood, SecNiche Security
Saumil Shah [Interview]
Saumil continues to lead the efforts in security research at Net-Square. Saumil has more than ten years of experience with system administration, network architecture, integrating heterogeneous platforms, and information security, and has performed numerous ethical hacking exercises for many significant companies in the IT area.
Previously, Saumil held the position of Director of Indian operations at Foundstone Inc. and a senior consultant with Ernst & Young. Saumil has also worked at the Indian Institute of Management, Ahmedabad, as a research assistant.
Saumil graduated from Purdue University with a master's degree in computer science and a strong research background in operating systems, networking, information security, and cryptography. He got his undergraduate degree in computer engineering from Gujarat University, India. Saumil is a co-author of "Web Hacking: Attacks and Defense" (Addison Wesley, 2002) and is the author of "The Anti-Virus Book" (Tata McGraw-Hill, 1996).
Browser Exploits - Attacks and Defense
The vast majority of open attack vectors in today's exploit scene are browser-based exploits. New browser-based vulnerabilities are being reported every week, if not more frequently. Exploit delivery tools such as MPack largely focus on browser-based exploits to expand botnets. It is high time that we think about different approaches to defending against browser-based attacks.
Rich Smith leads the Research into Offensive Technologies & Threats (RiOTT) for Hewlett-Packard's Systems Security Lab. Rich's research interests lie in the areas of novel exploitation vectors and threat futures; much of his current work is focussed on non-PC attack vectors, with particular attention being paid to firmware and attempting to increasingly automate social engineering through data-mining. When not geeking Rich can often be found listening to Japanese noise artists.
PhlashDance, discovering permanent denial of service attacks against embedded systems
This presentation will discuss a new class of attack termed Permanent Denial Of Service (PDOS) targeted against embedded devices. Specifically, a particular manifestation of PDOS will be discussed which targets the firmware update mechanisms of embedded devices; such abuses of flash update mechanisms to cause PDOS conditions have been named Phlash attacks (cuz every attack needs a 'ph' right!). Phlash attacks targeting both the flash update mechanisms of devices and the structuring of the binary firmwares themselves will be discussed in a generic way. The presentation will also discuss the development of a generic fuzzing framework called PhlashDance, which aims to assist in the identification of PDOS vulnerabilities across an extensible range of embedded devices. Beyond the pure technicalities of how Phlash attacks may be mounted, the presentation will also discuss why such novel attack vectors will be of particular concern to technology vendors, and the difficulties being faced in responding to and mitigating such vulnerabilities.
Current and past popular attack vectors have tended to target the higher-level software components of computing systems. Such attacks are often aimed at the OS itself or at pervasively deployed applications such as Microsoft's Exchange Server or Internet Explorer. Consequently, hardening the security of servers as well as end user systems has been an increasingly high priority for IT vendors. Current industry efforts to deliver much greater OS security are important steps forward, alongside industry-wide initiatives to provide more reliable hardware-based security to commercial systems (such as the work of the Trusted Computing Group, or other hardware protections such as the NX bit). However, such industry efforts to harden software systems against popular attack vectors are expected to displace the focus of attackers away from the traditional targets of OS and application software. This raises the question: if current attack targets are becoming increasingly secure, where will the attacks of tomorrow focus? While there is not one simple answer, it is believed that attacks against system firmware components are prime candidates for increased attention. Client system firmware (BIOS, UEFI-based, etc.) is already subject to increasingly visible attention from attackers, with publications starting to appear from security researchers. This trend is so established that the industry has already launched into efforts to harden server and client system firmware. Still, with expertise in firmware attack techniques becoming more widespread, it is our belief that other groups of devices will be under increasing threat. Notably, firmware in what we call Network Enabled Embedded Devices (NEEDs) is seen as particularly at risk for the following reasons:
- Large numbers of NEEDs are already deployed across corporate/government networks
- Attention given to managing NEEDs is lacking; default configs and unpatched devices are commonplace
- NEEDs are often not treated as "computers" and are likely to be ignored during audits
- Application level bugs & flaws are common, with remote management interface bugs aplenty
- Ability to remotely update firmware tends to be enabled by default and not securely controlled
- COTS solutions are not available to secure or attest the current security posture of NEEDs
- Given the typical NEED role in IT infrastructures, affecting a single device will likely affect many users
Specifically, we have identified that the insecurely remotely updateable nature of firmware in many such devices opens the door to a new class of attack that does not affect software targets on client and server systems. Such attacks have been termed Permanent Denial Of Service (PDOS) attacks, which are defined as "attacks requiring the introduction of replacement hardware to a system in order to restore pre-attack service levels." This differentiates PDOS from Denial Of Service (DOS) and distributed DOS (DDOS) attacks, where service restoration is achieved by restarting a service or system, or upon the cessation of overwhelming input. PDOS is an attack class rather than a method, and so is achievable in various ways, localised physical attack being the most obvious. Worryingly, our research shows PDOS conditions can be caused remotely in software through the abuse of remote firmware update mechanisms.
Adam Laurie is a freelance security consultant working in the field of electronic communications. He started in the computer industry in the late Seventies, working as a computer programmer on PDP-8 and other mini computers, and then on various Unix, DOS and CP/M based micro computers as they emerged in the Eighties. He quickly became interested in the underlying network and data protocols, and moved his attention to those areas and away from programming, starting a data conversion company which rapidly grew to become Europe's largest specialist in that field (A.L. Downloading Services). During this period, he successfully disproved the industry lie that music CDs could not be read by computers, and, with help from his brother Ben, wrote the world's first CD ripper, 'CDGRAB'. At this point, he and Ben became interested in the newly emerging concept of 'The Internet', and were involved in various early open source projects, the most well known of which is probably their own 'Apache-SSL', which went on to become the de facto standard secure web server. Since the late Nineties they have focused their attention on security, and have been the authors of various papers exposing flaws in Internet services and/or software, as well as pioneering the concept of re-using military data centres (housed in underground nuclear bunkers) as secure hosting facilities. Adam has been a senior member of staff at DEFCON since 1997, also acted as a member of staff during the early years of the Black Hat Briefings, is a member of the Bluetooth SIG Security Experts Group and speaks regularly on the international conference circuit on matters concerning Bluetooth security. He has also given presentations on forensics, magnetic stripe technology, InfraRed and RFID. He is the author and maintainer of the open source Python RFID exploration library 'RFIDIOt', which can be found at http://rfidiot.org.
Your satellite receiver is capable of receiving far more channels than your service provider programmed into it, but how do you find them without spending the rest of your life watching "snow" on your TV set whilst tuning from one end of the spectrum to the other... Let's face it, there are only so many hours of pr0n and Italian game shows a man can take, so how can we cut to the chase and quickly find the really interesting stuff?
This talk will look at how I used to do it "back in the day", and how I do it now... Using off the shelf consumer equipment, modified only in software, I harness the power of the human brain's visual interpretation capabilities to quickly show me, out of the thousands of channels up there, what's new, what's old, what's commercial and what's probably not.
How about tuning in to live news crews while they set up for an "exclusive", or bookmaker's data streams with all their betting odds? Fancy watching the fight as it gets fed from Vegas to the UK? What? Internet feeds over Satellite? Here, on my telly??? Do they really do that?
Oh, yes. They do. And more...
This talk will show the tools and techniques outlined above, including discussion of interesting feeds found in the past, and will also have a live demo of feed hunting using a receiver based in the UK, controlled from the podium.
Tim Burrell joined Microsoft's Secure Windows Initiative (SWI) team in 2006 with a background in reverse engineering and security evaluation of infosec products. As part of the newly formed security science team within SWI he uses root cause analysis of past MSRC cases to drive the development of security analysis techniques to apply to future Microsoft products.
Phoenix, and automated vulnerability finding
Phoenix is Microsoft's next generation compiler; its plugin model allows any developer (internal or external to Microsoft, as the Phoenix SDK is freely available for non-commercial purposes) to insert so-called "phases" into the compilation/build process. Such a custom phase can undertake analysis and reuse information available internally to the compiler at that point. By way of example we will take an MSRC case (CreateTextRange, MS06-), explain the underlying vulnerability and go on to demonstrate how we can spot this issue generically in source code via a Phoenix plugin. We will demo an implementation of this plugin and discuss some other features of interest.
The close integration of compiler and security tests is a new possibility opened up by Phoenix. The direct application of such techniques to historical MSRC cases is representative of Microsoft's strategy in terms of root cause and post-mortem analysis, and as such is of generic interest to others in the security industry who deal in incident prevention and response.
Alberto Revelli [Interview]
Alberto Revelli (aka icesurfer) lives and works in London, where he enjoys the bad weather and the astronomically expensive cost of living. He is a senior penetration tester for Portcullis Computer Security, where he mostly deals with web applications and anything else that happens to tickle his passion for breaking things. He is the Technical Director of the Italian Chapter of OWASP, has co-authored the OWASP Testing Guide 2.0, and he has developed sqlninja (http://sqlninja.sf.net).
Building the bridge between the Web Application and the OS: GUI access through SQL Injection
SQL Injection techniques are well known in the community, especially the ones used to extract data from the remote DB. In this speech, however, we will focus on some tricks that are targeted at obtaining interactive access to the underlying operating system. The examples will be mostly based on MS SQL Server, but the concepts are valid for all DB technologies. The talk is targeted at penetration testers and in general at anybody who wants to be protected against such tricks.
The first part of the presentation will illustrate:
- How to bruteforce the 'sa' password using the remote DB's own CPU resources
- How to obfuscate our queries (and even run quote-free ones)
- How to set up a DNS tunnel to get the results of our commands
The second part will feature a live demo (featuring a brand new version of sqlninja) in which we'll show how to take a few new SQL Injection tricks, add a couple of remote shots in the registry to disable Data Execution Prevention, mix with a little Perl that automatically generates a debug script, put all this in a shaker with a Metasploit wrapper, shake well and obtain a full graphical access on the remote DB!
This talk will provide an overview of some advanced SQL Injection techniques, which can be very useful for penetration testers (of course!) but also to network administrators that need to protect their infrastructures from this kind of attack.
Moreover, the talk should be interesting for a vast audience, since it includes material ranging from Web security to TCP/IP tunneling and Operating System internals.
The talk will show how the division between the web application and the underlying OS is becoming more and more blurred, and how this must be taken into consideration when assessing the risk of a whole infrastructure.
Martyn Ruks is an information security professional working for MWR InfoSecurity in the UK. His primary interest is in weird networking protocols and the software that uses them. His interest in WebSphere MQ arose over a year ago after being asked to test an installation for a client, and the results encouraged him to investigate further. Martyn has spoken about WebSphere MQ security at other conferences and, after receiving lots of interest and support in the subject, decided to continue his research. His presentations always include up to the minute results from his research projects. He is also a big believer in the use of collaboration tools such as the Dradis framework for security testing.
WebSphere MQ Security
Every day billions of dollars pass through middleware, the unglamorous component of most enterprise applications. Middleware may be unglamorous, but even if billions of dollars doesn't interest you, it's bound to attract someone's interest sooner or later. Security is often addressed in the front-end web server and back-end database, but the other components are often ignored. The reason for this can be a lack of understanding of the risks or a lack of knowledge of the middleware products and how they can be attacked. One important property of a multi-tier environment is the ability to reliably pass data between authorised system components, and therefore messaging software is often required. A popular and widely deployed example of such a component is IBM's WebSphere MQ (formerly MQSeries).
This software can be run across a number of platforms including Microsoft Windows, commercial and Open Source UNIX platforms and IBM's z/OS and i5 operating systems. Companies use the technology to pass messages between application components, and it is widely deployed across a wide range of industry sectors including Finance, Retail, Healthcare and many others. During penetration tests conducted by MWR InfoSecurity against its clients it has been discovered that the security features provided by the product are either not utilised correctly or are not suitable for their intended use.
This presentation will uncover the truth behind WebSphere MQ security as it is deployed in the real world and will look at how the software can be abused by an attacker, resulting in remote code execution. The talk will focus on methods for analysing the security controls that can be used to protect an installation of MQ and the limitations of each of them. Following on from this section of the talk, a number of methods will be presented for compromising both the message data and the operating system through the MQ service. This will culminate in a demonstration of some of the attacks presented in the talk, followed by a discussion about the methods that exist for protecting an installation and ensuring that security breaches do not occur.
Sebastian Muñiz [Interview]
Sebastian Muñiz worked for several years as a senior developer in the telecommunications industry and for the last 2 1/2 years as Exploit Writer at CORE Security Technologies writing exploits for multiple platforms. In his free time he enjoys disassembling (and sometimes even desoldering) embedded systems like his (ex)DVD Player.
Killing the myth of Cisco IOS rootkits: DIK (Da Ios rootKit)
Public rootkit implementations for Cisco IOS have not been seen, and system administrators tend to think that this is not possible, or that even if it were possible, a generic method could not be created and a skilled attacker would be needed to target them. We will present DIK (Da Ios rootKit), a real multi-architecture rootkit, to show that real threats exist and that advanced IOS forensics are probably not enough to detect it.
No public IOS rootkit implementation has been publicly presented before, and the techniques employed here are generic and could easily be used to implement rootkits for other closed-source operating systems.
Collin Mulliner [Interview]
Collin Mulliner is a programmer, researcher, and hacker and holds a Master of Science degree in Computer Science. Collin's main interest is mobile devices, their security and pretty much everything that is somehow related. Collin started working on PalmOS-based projects in 1997, and by now has done projects for pretty much every portable device he can get hold of. In recent years Collin was mainly working on Bluetooth-based projects, where he created the first Bluetooth port-scanner. Collin is also a member of trifinite, a group of hackers that focus on the security of mobile devices and wireless technologies. Lately Collin's focus has shifted towards mobile Linux devices and PocketPC-based smart phones. In the past Collin wrote software for Linux-based portable media players. Collin's current overall focus is the security of mobile devices and mobile phones.
Attacking NFC Mobile Phones
Near Field Communication (NFC) based services and mobile phones are starting to appear in the field, therefore it is time to take a look at the security of the services and especially of the NFC mobile phones themselves. The presentation will provide this first look at the security of NFC mobile phones. We will show some known theoretical attacks and how they may work in the field. Further, we will present results from analyzing a specific NFC mobile phone; here we will reveal some security issues and methods to exploit them. We will also provide a small survey of NFC applications in the field. Finally, we will release a small set of tools to do further analysis on NFC mobile phones and applications.
We recognize that NFC is not widely used yet, but we anticipate that it will be in the near future due to the massive effort carried out by the member companies (http://www.nfc-forum.org/member_companies/). Also, since NFC is based on RFID technology (ISO 14443), the whole topic should be highly interesting for a wide range of security professionals and researchers. The innovative part of this presentation is that it is the first presentation on this topic, and it shows mainly real world attacks and provides some hands-on experience for security people and application developers.
Alexander Klink [Interview]
Alexander Klink is a security consultant and researcher at Cynops GmbH, a network security company near Frankfurt, Germany. Having studied mathematics and computer science with an emphasis on cryptography, starting to work in the area of Public Key Infrastructure (PKI) was a natural move. As a core developer of the open source PKI project OpenXPKI and an external consultant in the PKI group of a large financial institution, he has learned much about the intricacies and (more or less) subtle problems of X.509 PKIs within the last two years. Alex has published vulnerabilities in Firefox, Opera, Outlook and Office 2007, and Adobe Reader, as well as in some servers and services, oftentimes related to certificate handling.
Abusing X.509 certificate features
Public key infrastructures and X.509 are designed to improve the security of applications and protocols. Unluckily, they also offer a lot of features that (when implemented naively) compromise security. The talk will show how browsers and mail clients have implemented certificates in such a way that they could be used for cross-domain user tracking, to unknowingly present a MITM threat to a user, or to trigger unwanted HTTP requests on a client or server.
Many people believe PKI and X.509 "just works". The talk will show that the subtleties in the specification and implementations are something that should not be forgotten. It also shows some examples of interesting vulnerabilities where the vulnerability is actually in the "logic" part of the application or specification.
Luke Jennings is a security consultant for MWR InfoSecurity in the UK and is a computer science graduate of the University of Southampton. He is both a CESG-certified CHECK Team Leader and a CREST Consultant.
Luke's previous work has primarily been focused on penetration testing and application testing, which has also led to his discovery of some critical, remotely exploitable vulnerabilities in widely deployed software. As a result of this, Luke has become increasingly interested in dedicating a portion of his time to active security research and has been a speaker at both Defcon and CCC. Luke is also interested in promoting security awareness among computer scientists, and has guest lectured at his old university to further this.
Post-Exploitation Fun in Windows Environments
This talk is about the abuse of Windows access tokens for post-exploitation and just how vulnerable large Windows networks can be to these attacks. The defense techniques employed by large software manufacturers are getting better. This is particularly true of Microsoft, who have improved the security of the software they make tremendously since their Trustworthy Computing initiative. Gone are the days of being able to penetrate any Microsoft system by firing off the RPC-DCOM exploit. The consequence of this is that post-exploitation has become increasingly important in order to "squeeze all the juice" out of every compromised system.
Windows access tokens are integral to Microsoft's concept of single sign-on in an Active Directory environment. Compromising a system that has privileged tokens can allow for both local and domain privilege escalation.
This talk aims to demonstrate just how devastating attacks of this form can be and introduces a new, open-source tool for penetration testers that provides powerful post-exploitation options for abusing tokens found residing on compromised systems. The functionality of this tool is also provided as a Meterpreter module for the Metasploit Framework to allow its use to be combined with the existing power of Metasploit. In addition, a complete methodology will be given for its use in penetration testing. This will include identifying tokens that can be used to access an otherwise secure target and then locating other systems that may house those tokens. A new vulnerability will also be revealed that appears to have been silently patched by Microsoft. The impact of this vulnerability is that privileged tokens can be found on systems long after the corresponding users have logged off.
Finally, defense strategies will be discussed that can help provide defense in depth to reduce the impact of token abuse as a post-exploitation option.
The security implications of Windows access tokens have been discussed before, both in general terms and to different degrees of technical detail. This talk is not intended to present such discussions as being fundamentally new; instead it is intended to collate some of the existing knowledge, introduce some new findings and demonstrate why, many years after the general principles discussed were highlighted, many corporate environments are still vulnerable to these issues.
Most significantly, it is important because even in 2008, on internal penetration tests these techniques have allowed me to get domain or even forest administrative access from otherwise seemingly small compromises. It seems a lot of organisations are highly vulnerable to these types of attack.
Justin Ferguson [Interview]
Justin Ferguson is a security consultant at IOActive. At IOActive his work largely revolves around Application Security Review, and he has helped numerous Fortune 500 companies understand and mitigate risk introduced in complex software. Justin has over 7 years of experience working as a reverse engineer, source code auditor, malware analyst, and enterprise security analyst for industries ranging from security providers and financial institutions to the US government.
Horizon 3: smashing the stack for profit
The semantics of attacking C/C++ metadata have been well documented, with the majority of attacks being known for over a decade. In this time the loyal opposition have developed semi-effective methodologies for addressing language-based issues, such as ASLR, NX, et cetera. Furthermore, the popularity of interpreted and managed languages continues to increase, which ultimately decreases the volume of deployed unmanaged code.
This of course begs the question: what is the future of insecurity? This talk implies that at least a partial answer lies in a paradigm shift in thinking, where the actual application becomes an interface to the interpreter or virtual machine, almost all of which are written in unmanaged code. This talk is intended as the first in a series and will focus on memory corruption bugs in Perl and Python and their respective call stacks.
Aditya K Sood
Aditya K Sood is an independent security researcher and founder of SecNiche Security. He goes by the handle 0kn0ck. He holds a BE and an MS in Cyber Law and Information Security. He is an active speaker at conferences like XCON, OWASP, and CERT-IN. His research interests include penetration testing, reverse engineering and web application security. Aditya's research has been featured in USENIX login. He is also a lead author for the Hakin9 Group, writing hacking and security related papers. Aditya's research projects include CERA (Cutting Edge Research Analysis on Web Application Security), Mlabs and the TrioSec project. He has also released a number of security related papers on packetstormsecurity, infosecwriters and Xssed, and has given a number of advisories to forefront companies.
Vulnerability Vectors in PDF