/var/log/messages

This section contains the latest news, announcements and thoughts from the MWR InfoSecurity team.



Defcon 17


Aug 07, 2009

Author: John Fitzpatrick

Vegas, The Riviera, Hardware Hacking Village, Lock-picking Village, a whole host of talks, iPhone users filling the wall of sheep, fake ATM in the foyer: yep, it's DefCon 17. Here is a quick overview of some of the talks I attended, in no particular order:


Locally Exploiting Wireless Sensors & An Open JTAG Debugger - Travis Goodspeed

Travis had two talks lined up this year, "Locally Exploiting Wireless Sensors" and "An Open JTAG Debugger". It would be an understatement to say that Travis knows a lot about microcontrollers, and in his wireless sensors talk he showed how you could extract an encryption key from a device in order to give yourself a foothold on the wireless network. In the breakout session there was some discussion about how this could enable someone to break into "smart" land mines. As Travis said, it's pretty inconvenient if the enemy blows up your land mines whilst you are crossing them!

The talk on JTAG covered Travis' open JTAG project, for which he has built an open source USB JTAG adapter named the GoodFET, which can work with multiple different chips through re-flashing. There were clearly a lot of difficulties to overcome during this project; it sounded like this was primarily down to a lack of publicly available information on the hardware. This talk also looked at methods for getting around a blown JTAG fuse. In the breakout session afterwards we saw how it's possible to use a disposable camera to blow the innards of a chip such that you could no longer use JTAG to debug at all - very cool.

Win at Reversing: Tracing & Sandboxing Through Inline Hooking - Nick Harbour

I saw Nick's talk last year on pescrambler, which was pretty cool, so this talk was on my list of 'must attend talks'. This year Nick talked about using inline hooks to monitor function calls and demoed a tool he has written called API Thief, which uses DLL injection into a process whilst it is in a suspended state in order to hook functions. The quality of the data output was significantly better than that of comparable tools; however, I haven't had a chance to play with it yet.

USB Exploits - Rafael Dominguez Vega

The first thing we learned from this talk is how it feels to be a sardine: it was packed and a lot of people couldn't get in to see it. Despite working with Raf I hadn't had an opportunity to see this presentation before the day. You know a good presentation when the powers that be request that it is censored! Nevertheless, Raf presented some excellent stuff which really should get people thinking about whether they should disable USB by default on their new system builds. The slides are on the Labs website so take a peek for yourselves (http://labs.mwrinfosecurity.com/projectdetail.php?project=12&view=publications) - I believe these differ slightly from those on the DefCon CD.

0-day, gh0stnet and the Inside Story of the Adobe JBIG2 Vulnerability - Matt Richard, Steven Adair

Remember the Adobe JBIG2 vulnerability? These guys know a lot more about it than most and set out to answer some key questions, such as who was behind it, but also whether the disclosure was handled appropriately.

Adobe users were exposed to a vulnerability being exploited in the wild for quite some time, and no patch seemed to be particularly forthcoming. So, ShadowServer went down the partial disclosure route, making people aware of the issue and a workaround. This inevitably led to full disclosure and PoC code being posted to Milw0rm. This raised questions about the most appropriate methods for disclosing vulnerabilities responsibly. Is it responsible to not disclose fully? Partially? These questions don't get any easier when something is known to be readily exploited in the wild.

Router Exploitation - FX

The authority on hacking Cisco was talking... Now, in the past we have seen plenty of Cisco vulnerabilities but a distinct lack of decent exploits; successful compromise of Cisco equipment has traditionally relied on misconfiguration or insecure configuration of the device. FX went through some reasons why this may be the case and covered some of the architectural reasons for the lack of decent exploits and how we can go about writing Cisco shellcode. Perhaps we will start to see more Cisco exploits in the future...


EuSecWest 2009 Run Down


Jun 04, 2009

Author: Luke Jennings

I recently had the good fortune to attend EuSecWest 2009. EuSecWest is one of those great conferences where it's full of very knowledgeable, like-minded individuals but is small enough that by the end everybody kind of knows everybody, if they didn't already! The talks were all very technical and of good quality, and I had the pleasure of engaging in many interesting discussions. Here are a few highlights from talks that interested me in particular.

Evolving Microsoft Exploit Mitigations
This covered the main exploit mitigations that have been introduced into Windows over the years, such as DEP, SafeSEH, GS Cookies and ASLR. Information on how effective they have been and where they have conflicted with other quality areas outside of security, such as performance, was included. It was interesting to see exactly which historical exploits would have been made completely unexploitable by these mitigations (and it was the majority).

PCI bus based operating system attack and protections
This covered how to compromise a system if you have physical access to the PCI bus through certain card readers etc. Obviously this is possible (in a similar manner to firewire) but it was interesting how they exploited it because they had to use FPGAs and it gets difficult writing high level code exploits in VHDL. Instead, they wrote a CPU emulator for the FPGA so they could then write conventional high level code that would run on the FPGA. Very cool.

Thoughts about Trusted Computing
An overview followed by criticisms. Conclusions are that at the moment it isn't very effective because the process often only covers loading, and once something has been loaded you can run-time patch it. It isn't very effective practically against full drive crypto either, because you can just write a trojaned bootloader that appears the same as the normal login but stores the passphrase on the MBR and then reboots. Then next time you enter the victim's hotel room you have the key.

Pwning your grandmother's iPhone
An overview of iPhone history and how it used to be much less secure (everything ran as root etc) and how now there is privilege separation, DEP, signed code and security policy files governing what processes can access. Eventually, with a little ninja action he came up with a clever way to get remote code execution using a staged three call return-to-libc style attack followed by shellcode execution. Sadly nobody has found a remote vuln in the iPhone 2 yet to try it out on in practice.

Exploiting Firefox Extensions
Unsigned code, dubious security code reviews, insecure distribution and no security model separating them from the core code. I'm sure we probably all knew we should be wary of Firefox extensions, but this gave further reason to be very careful about which extensions to use, if any!


Have you got bad timing?


Mar 13, 2009

Timing attacks have a long and successful history when used against a wide variety of systems and technologies. This is because these attacks can take so many forms, from vulnerabilities related to race conditions, through blind SQL injection vectors which use delays in execution, to the timing of a UNIX login.

One of the classic timing attacks is based on measuring the difference in the time an application takes to complete two different but related tasks. If the code path followed by different inputs varies in its length or in its complexity the execution time for the two different inputs can vary slightly – but measurably. The most common example of this is the time taken by a login mechanism to process authentication attempts. When the username which is supplied is valid, the code path can often be longer than that taken for an invalid user and therefore could allow a timing attack to occur. This type of attack has been widely publicised and there are many examples which are known to work.

These types of attack are indirect and it can be difficult to identify every instance when they are viable. As a result they can occur even in established and widely deployed technologies. The following example was identified on a number of occasions during penetration testing, although the cause could never be isolated.

The issue relates to installations of Citrix Access Gateway where users can authenticate with Microsoft Active Directory (AD) credentials. In these scenarios it has been observed that authentication attempts that use valid AD users take a marginally longer time to return a failed login message to the user's browser. This enables an attacker to identify whether a username is valid which, in turn, provides help with password guessing attacks.

It is worth noting here that a number of attempts were made to replicate this issue in controlled conditions and the vendor was actively involved in this process. However, it was not possible to reproduce the behaviour observed in production environments and with customers being naturally reluctant to disclose details of their internal environments the cause could not be positively identified.

We are raising the issue now for two reasons: to provide security professionals with information about these observations and to encourage further investigation which could lead to the underlying cause or its dependencies being identified. It is hoped that with more open discussion and further testing more information can be uncovered about this issue and a resolution identified.
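The login case described in this post (a valid username takes a longer code path than an invalid one, which is the same shape as the Citrix Access Gateway observation above) can be shown side by side with its fix. The following is an added example written for this page, not code from MWR or from any of the products mentioned: a toy login with a constructed single-user store, a "vulnerable" check that returns early for unknown users, and a "hardened" check that performs the same password-hash work against a dummy record regardless of whether the username exists. The counter of hash computations is a deterministic stand-in for wall-clock time; the `median_ms` helper measures the real thing and is there so a fix can be checked in a lab before it ships. All names (`USERS`, `login_vulnerable`, `login_hardened`, the dummy credential) are hypothetical.

```python
import hashlib
import hmac
import os
import statistics
import time

# 20,000 PBKDF2 iterations keeps the demo quick while still making the hash
# step dominate the cost of a login attempt.
ITERATIONS = 20_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow password hash: the expensive step that a short code path skips."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed sample user store (not from the post): username -> (salt, hash).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, hash_password("correct horse", _SALT))}

# Hypothetical dummy credential so that unknown usernames cost the same as
# known ones. It must never be able to authenticate (see login_hardened).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("unused-dummy-password", _DUMMY_SALT)

# Counter of hash computations: a deterministic proxy for elapsed time.
HASH_CALLS = {"count": 0}


def _verify(password: str, salt: bytes, stored: bytes) -> bool:
    HASH_CALLS["count"] += 1
    # compare_digest avoids a second, smaller timing leak in the comparison.
    return hmac.compare_digest(hash_password(password, salt), stored)


def login_vulnerable(username: str, password: str) -> bool:
    """Returns early for unknown users, so valid usernames take a longer path."""
    record = USERS.get(username)
    if record is None:
        return False  # short path: no hashing at all
    salt, stored = record
    return _verify(password, salt, stored)


def login_hardened(username: str, password: str) -> bool:
    """Does the same hash work and constant-time compare for any username."""
    record = USERS.get(username)
    known = record is not None
    salt, stored = record if known else (_DUMMY_SALT, _DUMMY_HASH)
    ok = _verify(password, salt, stored)
    return ok and known  # the dummy record can never log in


def hash_work(login, username: str, password: str) -> int:
    """Number of PBKDF2 computations one login attempt performs."""
    before = HASH_CALLS["count"]
    login(username, password)
    return HASH_CALLS["count"] - before


def median_ms(login, username: str, password: str, samples: int = 15) -> float:
    """Median wall-clock cost of an attempt, for checking a fix in a lab setup."""
    times = []
    for _ in range(samples):
        start = time.perf_counter()
        login(username, password)
        times.append((time.perf_counter() - start) * 1000)
    return statistics.median(times)


if __name__ == "__main__":
    for name, login in (("vulnerable", login_vulnerable), ("hardened", login_hardened)):
        valid = median_ms(login, "alice", "wrong password")
        unknown = median_ms(login, "nobody", "wrong password")
        print(f"{name:10s} valid user {valid:7.2f} ms  unknown user {unknown:7.2f} ms")
```

Run stand-alone, the vulnerable variant shows a failed attempt for `alice` costing roughly one PBKDF2 computation more than one for `nobody`, while the hardened variant shows the two within noise of each other. The same principle applies when the expensive step is a backend lookup rather than a hash, as with the AD-backed gateway above: whatever work the valid-user path does, the invalid-user path should do too, and the final decision should be made after that work rather than before it.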


Presentation: DeepSec 2008 - Behind Enemy Lines: Administrative Web Application Attacks


Nov 15, 2008

Rafael Dominguez Vega presented at DeepSec 2008 about his research into attacking administrative web interfaces. His talk included demonstrations of these kinds of attacks through SSID and DHCP script injection vulnerabilities discovered in the course of his research. The slides for this presentation are available from:

http://labs.mwrinfosecurity.com/files/Publications/mwri_behind-enemy-lines-presentation-deepsec2008.pdf


Stockholm Sec-T Conference Roundup


Sep 15, 2008

Author: Martyn Ruks

When you talk about attending a major security conference it is tempting to dream of a trip to the lights and glamour of Las Vegas. However, what often gets lost is that it is the speakers and the content that make a conference not just the surroundings. So when considering this important fact the inaugural Sec-T conference in Stockholm was a very exciting prospect for anybody interested in cutting edge security research.

No matter what your role is in the Information Security industry, there was a talk that would be of interest. Here is a flavour of what you would have heard if you were an attendee:

Virtualisation is secure, isn't it? As we have learnt ourselves through John Fitzpatrick's research project, the answer, as we might have predicted, is that new technologies bring new threats. Oded Horowitz works for VMware and talked about how, rather than having to accept new threats, you can use hypervisor technology to catch malicious behaviour within your virtual machines in real time.

Hacking is all done by misguided teenagers in their bedrooms! That semi-romantic picture is still held to be true by many but in reality is far from the truth. Today's enemy is highly organised, well funded and interested in making lots of money. Mikko Hyponen from F-Secure gave lots of practical examples of this and why we should all be wary.

After hearing about the prevalence of IT related crime around the world, it is comforting to hear that there are people trying to bring them to justice. People working in criminal justice still need educating, and Bosse Norgren talked about the efforts being made to achieve this in Sweden.

The guys from Outpost 24 demoed their new SockStress framework and at the same time gave a warning about a new class of DoS attacks that are just around the corner. They didn't reveal any details, but using techniques such as client side “SYN cookies” appears to be a fundamental cornerstone of lots of new methods for causing havoc inside IP stacks.

Christer Oberg, Claes Nyberg and James Tusini talked about how even the most venerable Operating Systems are at risk if the assumption is made that they are secure. They presented their talk on OpenVMS hacking that was given at Defcon 16 this year but included further details about some of the previously disclosed vulnerabilities and some new ones.

If you run SAP on your network you should be very concerned, that is the conclusion you will reach if you watch any of Mariano Nunez di Croce's presentations on the subject. He outlined the new improvements to his SAP testing framework (sapyto) and also demonstrated the plugin that can be used to tunnel connections through a SAP router.

The special guest speaker was the worst kept secret at the conference, especially when you are talking to him at breakfast! As usual Felix 'FX' Lindner spoke eloquently and passionately about the crucial role of Cisco security in the majority of network environments including the Internet. It is good to know that the work being done on Cisco forensics includes an understanding of how developments in exploitation techniques and rootkits are progressing and how they can be countered as they evolve.

The other talks that aren't described in detail were also very interesting and covered topics such as how to practically develop a Mac OS X rootkit, how global politics and Information Warfare are now intrinsically linked and, of course, the best talk was obviously about IBM WebSphere MQ security. Or maybe that's just because I haven't got an unbiased opinion! In reality this was a very well organised and run conference and I am just one of many looking forward to a return trip next year.


