/var/log/messages

This section contains the latest news, announcements and thoughts from the MWR InfoSecurity team.



CanSecWest 2010


Mar 30, 2010

Authors: Adam Bateman and Alex Plaskett

Vancouver, Canada: home to this year's Winter Olympics but, more importantly, to CanSecWest 2010! Whether participating to present their latest research to the community or simply to observe, the three-day security conference attracts highly respected security professionals from around the globe. The conference consists of a single track of presentations, ranging from issues that have been discussed for many years to the cutting edge of security research.

This year's Pwn2Own contest challenged entrants to compromise a number of mobile devices and desktop web browsers for a chance to keep the target device as well as a cash prize. Nils from MWR InfoSecurity entered the contest armed with a zero-day for the latest version of Firefox and, using his exploit, won a Sony Vaio laptop running a fully patched version of Windows 7. Safari was claimed by Charlie Miller and Internet Explorer 8 by Peter Vreugdenhil, with Google Chrome the only browser left undefeated for the second year running. Of the four mobile devices up for grabs, Vincenzo Iozzo and Ralf-Philipp Weinmann were the only contestants to submit and successfully exploit a vulnerability. It was in Mobile Safari on the iPhone and allowed them to retrieve the phone's SMS database. The full details of the contest can be seen at: http://dvlabs.tippingpoint.com/blog/2010/02/15/pwn2own-2010.

In no particular order, below is a summary of some of the talks which stood out to us this year:

:: ShareREing is Caring - Halvar Flake and Sebastian Porst, zynamics GmbH
ShareREing introduced the BinCrowd software, used for collaborative sharing of reverse engineering information between team members. The software also provides a way to find and match functions that have previously been analysed by the BinCrowd community in other software, reducing the amount of analysis a reverse engineer has to repeat. It looked especially useful because it can match functions across code generated by different compilers, and it seems very likely to help in future reverse engineering projects. More technical information can be found on the zynamics blog:

http://blog.zynamics.com/2010/03/25/shareing-is-caring-announcing-the-free-bincrowd-community-server/

:: Babysitting an army of monkeys: an analysis of fuzzing 4 products with 5 lines of Python - Charlie Miller, Independent Security Evaluators
This talk discussed the techniques used to find a number of vulnerabilities in several vendors' software: Charlie's method for locating vulnerabilities (fuzzing) and his analysis of the results. I found this talk interesting because fuzzing results, the methodology used to find the vulnerabilities and the metrics used to determine their exploitability are rarely seen in the public domain. The trends discussed throughout the presentation showed significant differences between particular products and revealed where security had been incorporated into a product's development life cycle.

:: There's a party at ring0, and you're invited. - Julien Tinnes & Tavis Ormandy, Google
The talk covered a number of kernel-level vulnerabilities used for privilege escalation on both Windows and Linux. My personal passion for low-level technical details was satisfied, and the talk was quite thought-provoking on the challenges faced in defensive kernel security. Although the vulnerabilities presented were very impressive, it would have been interesting to expand on some of them and explain the architecture of the affected kernel subsystems in greater detail; given the large number of vulnerabilities and variations covered, time constraints probably prevented this.

:: Practical Exploitation of Modern Wireless Devices - Thorsten Schroeder and Max Moser, Dreamlab Technologies
Despite the unfortunate technical difficulties which caused the projector to cut out repeatedly throughout the talk, Thorsten delivered a thought-provoking presentation that was well received by the audience. He presented his research into the security issues of wireless peripheral devices, with a primary focus on wireless keyboards. He revealed the results of his analysis of the wireless protocols implemented by Microsoft and Logitech, and their Keykeriki V2 software, which is capable of sniffing keystrokes in real time as well as performing command injection. The presentation concluded with a demonstration of an attack which successfully executed commands and launched calc.exe on the target system, followed by Thorsten stating that "range testing" had shown the attack could be launched from an impressive 70 metres.

In summary, the high quality of a number of talks, the opportunities to discuss security issues with like-minded people and the motivation produced by the conference all provide a good reason to attend CanSecWest. The research demonstrated at CanSecWest should provide a great benefit to the security community and help drive further work both within MWR InfoSecurity and the industry at large.


Aurora and Web Browser Security


Jan 25, 2010

Germany's BSI (Federal Office for Information Security) recently warned web users not to use Microsoft Internet Explorer, advising them to switch to an alternative browser in the meantime until a patch was made available. Shortly after this release France's CERTA agency issued a similar warning to users.

What is the implication of these statements? It would seem that a 0day for an "alternative browser" has just substantially increased in value.

But even though these alternative browsers might be safer to use given the current threat, are they actually more secure? To reach a conclusion it is necessary to look at the actual risk of successful exploitation, assuming such a 0day exists somewhere. This also assumes that entities or groups with sophisticated skills, capable of writing exploits while sleeping and bypassing DEP at breakfast, exist (which is a fair assumption).

On a current Windows 7 system with fully updated browsers the following situation currently exists:

DEP/ASLR in browsers on Win 7

| Mitigation | IE 8.0.7600.16385 | Firefox 3.6 | Opera 10.10 | Safari 4.0.4 | Chrome 3.0.195.38 |
|---|---|---|---|---|---|
| DEP | Enabled | Enabled | Enabled | Enabled | Enabled |
| ASLR | No DLL without ASLR in default process | Not properly used, e.g. nspr4.dll | Not properly used, e.g. opera.exe | Not properly used, e.g. dnssd.dll | Not properly used, e.g. icudt38.dll |

We tested the default up-to-date installation of each browser in the table above on the Windows 7 operating system. It should be noted that these results will vary substantially on different operating system versions. The actual ease of exploitation for these targets depends on a number of factors, for example sandboxing techniques such as the Google Chrome sandbox or IE 8's Protected Mode. Other weaknesses may also allow DEP/ASLR to be bypassed, such as the now patched Dowd/Sotirov technique. For the purposes of this assessment, the effectiveness of ASLR was measured by observing the addresses of the executable modules loaded in the default process.
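A module can only be randomised if its PE header sets the DYNAMIC_BASE flag (with NX_COMPAT playing the same role for DEP), so a static header check complements the runtime address observation described above. The following is an added example, not the tooling used for the table: it reads those two DllCharacteristics bits from any PE32/PE32+ image and names the modules in a set that do not opt in; the build_minimal_pe helper only fabricates header bytes for the sample input.

```python
import struct

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # module opts in to ASLR
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # module is DEP-compatible


def pe_mitigation_flags(data):
    """Return ASLR/DEP opt-in status read from a PE image's optional header.

    Raises ValueError if the buffer does not start like a PE image.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # The 20-byte COFF header follows the 4-byte signature; the optional
    # header after it keeps DllCharacteristics at offset 70 in both the
    # PE32 (magic 0x10B) and PE32+ (magic 0x20B) layouts.
    opt = e_lfanew + 4 + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]
    return {
        "aslr": bool(dllchars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dllchars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "pe32plus": magic == 0x20B,
    }


def modules_without_aslr(modules):
    """Given {module name: image bytes}, name the modules that do not opt in.

    A single such module in a browser process hands an exploit writer a
    fixed address, which is exactly what the table above records.
    """
    return sorted(name for name, blob in modules.items()
                  if not pe_mitigation_flags(blob)["aslr"])


def build_minimal_pe(dllchars, pe32plus=False):
    """Constructed sample: a bare, non-loadable PE header with the given flags."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 0xF0 if pe32plus else 0xE0
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dllchars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)
```

To check a real installation, read each loaded module's file from disk into pe_mitigation_flags; a module that reports aslr False is one ASLR cannot relocate, whatever the rest of the process does.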

Aside from the effort needed to produce a reliable exploit, another important factor in the risk exposed by the use of a particular browser is its market share. Internet Explorer is still in the (un)fortunate situation of being the market leader, which makes it a juicy target for the bad guys.

In order to make web browsing safer, effective OS exploit mitigation techniques and a fully updated browser are essential. Make sure you apply the Internet Explorer patch which was released on Thursday.

Update:

As of the 31st March 2010 the following updated browser versions still do not opt in to ASLR properly:

Firefox 3.6.2, Chrome 4.1.249.1045 (42898) (now icudt42.dll), Opera 10.51 and Apple Safari 4.0.5 (AppleVersions.dll).

The recent changes to Safari are notable, as AppleVersions.dll is the only binary left not opting in to ASLR; hopefully this will be fixed in the next release. We will continue monitoring the status of the browsers on a regular basis.


Google Forensics (...beta)


Jan 18, 2010

Author: Ben Downton

File carving is a technique that can be used by forensic investigators to recover files from a disk. Forensic software can search through the raw data against a set of known file header signatures and extract items based on content rather than metadata.

This is particularly useful when examining the free space on a disk, as files that no longer exist within the file system can be recovered. It is especially valuable if the file system has changed, such as when a Windows system has been rebuilt as a Linux box.

It will not always be possible to recover the full path or original creation dates by file carving, as only the data contained within the file might remain. But the data itself can sometimes contain more information than timestamps could provide...

On the surface, the extraction of a Google logo from temporary internet files might not appear to be of any real relevance to a forensic examination. But what if the Google logo was of the Cookie Monster? This logo was created to commemorate the 40th anniversary of Sesame Street, and replaced the standard Google logo on the site in selected countries on the 5th of November 2009. Similarly, forensic examiners viewing a pumpkin instead of the 'e' of Google can be fairly confident that the site was visited on the 31st of October 2009. A plasma covered logo from Nikola Tesla's birthday indicates activity on the 10th of July.

Whilst this technique cannot, of course, provide indisputable evidence, it demonstrates how the content of web-based files can be used to build a more complete picture of how and when a machine has been used. It could even allow other evidence to be collected that may aid a case, particularly when recovering data from file or volume slack.
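Both halves of the post, signature-based carving of unallocated space and dating a carved logo by its content, can be put together in a few dozen lines. This is an added example, not MWR's tooling: carve() scans raw bytes for PNG and JPEG header/trailer pairs without consulting any file system metadata, and date_hint() matches a carved file's SHA-256 against a reference table of known logos. The disk image and the reference table below are constructed for the demonstration; a real table would hold the hashes of the actual doodle files.

```python
import hashlib

# Header and trailer signatures for two image formats common in browser
# caches; tail_len is how many bytes after the trailer match still belong
# to the file (a PNG IEND chunk is followed by its 4-byte CRC).
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND", 8),
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9", 2),
}


def carve(raw, max_size=1 << 20):
    """Scan raw bytes for header signatures and return (offset, kind, data)
    for every header with a matching trailer within max_size bytes.
    Content-based recovery: nothing here depends on the file system."""
    found = []
    for kind, (header, trailer, tail_len) in SIGNATURES.items():
        pos = raw.find(header)
        while pos != -1:
            end = raw.find(trailer, pos + len(header), pos + max_size)
            if end == -1:                      # header but no trailer: skip it
                pos = raw.find(header, pos + 1)
                continue
            end += tail_len
            found.append((pos, kind, raw[pos:end]))
            pos = raw.find(header, end)
    return sorted(found)


def register_logo(known, data, date_live):
    """Record the hash of a reference logo and the date it was on the site."""
    known[hashlib.sha256(data).hexdigest()] = date_live
    return known


def date_hint(data, known):
    """The carved copy carries no timestamp, but an exact content match
    against a dated reference logo does; None if the content is unknown."""
    return known.get(hashlib.sha256(data).hexdigest())


# Constructed sample input: "unallocated space" holding a truncated PNG
# (signature + IEND chunk) and a truncated JPEG (SOI .. EOI) amid padding.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x00IEND\xaeB`\x82"
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\xff\xd9"
DISK_IMAGE = b"\x00" * 16 + PNG_SAMPLE + b"free space" + JPEG_SAMPLE + b"\x00" * 8

# Constructed reference table; the real one would hash the doodle files
# themselves, e.g. the Cookie Monster logo served on 5 November 2009.
KNOWN_LOGOS = register_logo({}, PNG_SAMPLE, "2009-11-05")
```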

http://www.google.com/logos/


Solaris Debugging and Bug Hunting at ShmooCon 2010


Jan 18, 2010

Matt Hillman will be presenting the fruits of his Solaris research thus far at ShmooCon in Washington DC on the 6th of February. The abstract for his talk is shown below:

"Lately there has been a lot of excitement over the use of DTrace for bug hunting and reverse engineering purposes on platforms that support it, such as Solaris. But there are a plethora of advanced tools and techniques out there for other more common x86 based platforms, so does DTrace really add that much? In this talk that question is examined by introducing RSol, a Ruby based debugging component for Solaris in a similar vein to PyDebug for Windows. RSol allows powerful bug hunting tools to be coded quickly, and using this the pros and cons are investigated of using DTrace vs more traditional debugging techniques to achieve different goals in different circumstances. The ultimate plan is for RSol to become a suite allowing debugging and DTrace based techniques to be used together in a complementary way."

If you can't make it to DC to see the talk, it will also be streamed live (along with the rest of ShmooCon) via uStream. This is the first year ShmooCon have done this, so let's hope it goes without a hitch!


Demo: Adobe Reader Exploit on Vista and 7


Jan 14, 2010

In response to the recent vulnerability in Adobe Reader, MWR InfoSecurity conducted some additional research in this area. We were able to confirm that the issue, otherwise referred to as the Adobe Reader "media.newPlayer" vulnerability, is also exploitable on Vista and Windows 7 with ASLR and DEP enabled. This was recorded in a Flash demo accompanying the original post.


The research enabled an exploit to be crafted that works very reliably across multiple versions of Adobe Reader. Given these facts, MWR InfoSecurity highly recommend that everyone running the software installs the appropriate patch for the issue using the Adobe update software. In addition, it is recommended that JavaScript support within Adobe Reader is disabled.


