Miniature Dotted Hot Pink Cake a CC NC ND image from - Stephanie Kilgast's Flicker account

on in security tools. There are some tools that have some visualization, but it is limited and lacks features.

He then takes us through the hall of fail of visualizations and gives us some tips on visualization.

Thinks as a designer, be aware of who you are visualizing for. Each group has different demands for visualization and want to take different things out of it.

He then proceeds to give us some tips and tricks. He recommends to follow the work of Edward Tufte and Stephen Few who have both done excellent work on data visualization.

If you do data visualization you may want to get data from external reports like osvdb.org datalossdb.org and other industry vendors.

Common problems of data visualization are redundant elements like 3D and color. This is expressed in the ink-to-info ratio. You may want to reduce the bell and whistles you use.

Dashboards are often messy, they should really be aware of their screen real estate. Most important places on the screen are top left and the center of the screen. In order to squeze as much info as possible into a dashboard dashboard often get messy.

Wim presents a number of idea’s on how to make these dashboards better.

Visualization can really aid as well. Wim is showing use visualization tools that can really help.

First, Wim shows us a video that represents an attack on a VOIP server. The movie was created using gltail and can be downloaded from http://www.fudgie.org/.

Afterglow is another tool used b Wim a lot, it creates visualization that can really aid understand log files.

Perl perl | chart director which can also help to create understandable graphics form complex data charts.

The Google charts API and Google Visualization API may be a good alternatives as well. Wim demo’s the visualization capabilities of the Google Visualization API by using publicly available data and visualizing it. Naturally you have to be careful of what data you send to a could provider such as Google.

Sparkline and JQPlot are interesting JQuery libraries you can use for data visualization in a good way without sending it to a cloud..

Conclusions:

• We need data standardization to get more out of visualization
• You need to understand data before you can successfully visualize it
• We need to think outside the gox
• There is more to visualization then pie charts
• There are tools out there: use them wisely.

Cycle Garage a CC NC ND image from Ezu's Flickr stream

This talk focuses on ABAP, Advance Business Application Programming language from SAP.

ABAP:

• A proprietary language of which the exact specification is not freely available.
• It has platform independent code
• It has client separation built-in
• It has integrated auditing capabilities
• System-to-system calls via SAP RFC standard
• Built-in transportation system and version control
• Integrated platform-independent SQL Standard: Open SQL
• Built-in authentication, roles and (explicit) authorization model
• Thousands of well-known standard programs and database tables
• 150+ Million Line of Code in an ECC6.0 System

So what are the ABAP security risks?

• Back doors can be introduced, e.g. by a malicious developer.
• The program can have undesired side effect (e.g. SQL injection)
• Sub standard authentication used

Some ABAP code in the SAP system is dynamically generated at run time this can affect names of variables, SQL statements, but also ABAP variables can contain ABAP code that can be executed at runtime.

While SQL injection is possible in ABAP, it is not possible to terminal an SQL statement an start a new one in Open SQL, hence the possibilities are somewhat limited.

There is even dynamically generated ABAP code, that is generated and executed in memory and then disappears without leaving any trace in the system.

The shortest ABAP program to become super user on a SAP system is 34 characters, but will set of all alarms, a longer version of 56 characters is completely stealthy.

But ABAP has a low level ABAP kernel. It should only be used by SAP, and mostly undocumented, but can be explicitly invoked from ABAP.

There are three kinds of ABAP kernel functions:

• Kernel calls
• System calls
• Kernel methods

Kernel methods are the newest method to interact with the SAP kernel, they are called like normal functions and have typed parameters.

Some routines in the ABAP runtimes have hooks back into ABAP code. These functions are called from the C/C++ of the ABAP runtime. Data is exchanged between the ABAP code and the ABAP runtime via more ABAP kernel calls AB_GET_C_PARAMS and AB_SET_C_PARAMS.

These ABAP kernel hooks can be used to hijack calls in the ABAP runtime.

There are 8 high risk kernel calls:

• SYSTEM – OS command execution
• XXPASS and XXPASSNET – Compute password hasj
• INTERNET_USER_LOGOON
• C_GET_TABLE
• C_MOD_TABLE
• C_DB_EXECUTE
• C_DB_FUNCTION

SYSTEM can execute any OS command. It completely bypasses the list of allowed OS commands specified by the system administrator. Luckily it uses implicit authority check and the call can be disabled by setting the profile parameter rdisp/call_system to 0. But it is not the only way to execute OS commands!

XXPASS and XXPASSNET computes password hashes that is internally used by SAP to put into the user table. If you use this call outside the correct scope (e.g. Y* or Z* namespace) your session will be terminated and your user account will be locked.

INTERNET_USER_LOGON this can be used to perform user switches and create logon tickers. If can only be used to check credentials and it does keep track of failed login attempts.

C_GET_TABLE allows the programmer to read arbitrary database tables. They do allow cross client data access. So it allows one client of a host SAP installation to read tables from another client.

C_MOD_TABLE this call allow the programmer to write or modify any arbitrary tables on the system, without any restrictions.

C_DB_EXECUTE allows for the execution of arbitrary SQL statement. It allows each and any SQL statement apart from select. It does not respect client boundaries.

C_DB_FUNCITON allow for the execution of arbitrary stored procedures or any arbitrary SQL statement.

Andreas then goes on to demonstrate how to take over an SAP system using these kernel calls.

He showed this by truncating a table and accessing data from another client something you are not supposed to do in custom code. There are even more 0day kernel calls that at this time cannot be disclosed due to responsible disclosure. The ABAP runtime should guard the SAP kernel, but if a large enough parameter can be transported through ABAP an SAP kernel can be performed. Kernel call C_SAPCPARAM can be used to trigger a SAP kernel buffer overflow via ABAT. This is also available remotely via RFC.

The days that Scada systems could hide behind obscurity are over. These systems are on internet, use common protocols of which information is widely available. On 15 July this year, the first Trojan was found that specifically queries databases that are also used by Scada systems.

This presentation starts by explaining how the power grid works. A typical network architecture has three zones. A corporate network, a DCS (), EMS (Energy Management System) or DMS (Distribution Management System) network and a network with the industrial systems on it. These networks are typically separated by firewalls. When you add smart meters to the mix they are typically connected in a similar fashion.

The formal models around SCADA security all evolve around this zoning model.

Red Tiger Security has developed a special process to do assessment of these networks, because industrial equipment starts behaving funny when scanned with standard vulnerability scanners. Automated scanning of Scada systems form the network is okay, but scanning the industrial equipment will cause outages.

Scada environments are often poorly patched because patches are known to break Scada systems. Most of the vulnerabilities discovered in these infrastructures are found in the Scada DMZ, because these systems are often not maintained by corporate IT, because they don;t know how to maintain it, but it is also not owned by the Scada engineers.

A further breakdown of the vulnerabilities found in this DMZ are found on Web Servers, Application Servers and Databases. The top four common vulnerabilities found are: configuration issues, cross site scripting, Denial of Service and information disclosure.

Most (over 62%) of the Scada systems are running on Microsoft Windows operating systems. Not a good match to the needed stability (monthly patches) and lifetime needed by Scada systems.

Interesting finds are hard to categorized. Adult content, game servers, Online dating databases and Bittorrent clients have all been found on these systems.

After exploring classical Scada system security mistakes the talk moved on to Smart Meter and Smart Grid technology.Smart Meter technology is making the same mistakes again.

First systems where designed to last for 20 years. That is a long time to not find any vulnerabilities in them. And the ability to remotely patch these systems is scary on its own.

Old vulnerabilities have a new impact when considering smart meters. E.g. data enumeration can tell criminals when somebody is vacation and when it is thus a good time to rob somebody’s home.

The software in smart meters is really vulnerable to very old classes of bugs like, e.g. ping of death.

About the speaker

Jonathan Pollet – Red Tiger Security, LLC

Jonathan Pollet, Founder and Principal Consultant for Red Tiger Security, has over 10 years of experience researching vulnerabilities and conducting field security assessments of Industrial Process Control Systems, SCADA Systems, Automated Meter Reading systems, and Smart Grid technology. After graduating from the University of New Orleans with honors and receiving a B.S. degree in Electrical Engineering, he was hired by Chevron and worked in the SCADA and Automation Team for the Upstream Exploration & Production division. Pollet designed and implemented PLC and SCADA systems for several offshore and onshore facilities.

Realizing the potential security implications of the industry moving towards TCP/IP communications in the late 1990s, and seeing a trend to connect SCADA systems to Enterprise IT networks, Pollet started investigating SCADA, Process Control Systems, and embedded devices for cyber security vulnerabilities.

Throughout his career, he has been actively involved with the IEEE, ISA, ISSA, UTC, CSIA, and other professional societies. Pollet has been involved in over 110 vulnerability assessments of plant and process control systems. He has also delivered over 75 presentations and training sessions on SCADA Systems, Critical Infrastructure Protection, and SCADA Security to the FBI, Department of Homeland Security, and several private sector security conferences. He has spoken at many conferences and workshops for government and professional organizations around the world. Pollet has also authored over 25 white papers, all specifically on the security of SCADA and embedded control systems.

The Spyderlabs guys had a busy year. They investigated over 200 incidents in 24 different countries and ended up collecting enough malware samples. Based upon last year’s DEFCON talk they are going to dive deeper and bring you the most interesting samples from around the world

This talk will bring you 4 new freaks and 4 new victims including: a Sports Bar in Miami, Online Adult Toy Store, US Defense Contractor, and an International VoiP Provider.

The malware being demoed are very advanced pieces of software written by very skilled developers. The complexity in their propagation, control channels, anti-forensic techniques and data exporting properties will be very interesting to anyone interested in this topic, even tough the major categories have stayed the same.

Malware comes in various categories: Keyboard logger, screen loggers and memory scrapers. Disk scrapers are not very popular because it is slow and is noticed to easily due to heavy disk activity. There are three basic ways to own a system: Physical, Easy and Uber . Physical means inserting something like a USB stick or key logger. Easy is e.g. through publicly exposed RDP and default passwords.

Malware is getting much harder to detect because they are better tested and using more stealthy techniques like root kits.

Sample SL2009-127 – Memory Rootkit Malware – Captain Brain Drain

The malware consisted of three files. Loader.exe, ramsys32.sys and searcher.dll. The loader was able to install the sys file, which was the root kit. The main oabjective was to steal credit card data from a Miami Sports Bar. All the data is stored in a system file in the windows system directory. The data is automatically uploaded to the criminals at 10pm every night.

Sample SL2010-018 – Windows Credential Stealer – Don’t Call Me Gina

This malware consists of three files, fsgina.ddl and fsgina.dll and timestop.exe which allows the attacker to change the access times and creation timestamps of the files it creates. Upon installation the malware actually sets the timestamp of fsgina.ddl to the timestamp of msgina.dll so that it looks like the file is created when the system was installed, this applies to all dates, including the datas in the master file table (mft). Next the registry is modified to load the fsgina.dll in front of the msgina.dll. The fsgina.dll looks just like the msgina.dll and even funcitons the same, not letting in users that enter the wrong credentials, but it captures and stores all account names and passwords entered.

Msgina is the dll the handles the graphical logon screen.

Sample SL2009-143 – Network Sniffer Rootkir – Clandestine Transit Authority

This malware was found on the systems of an international voip provider with about 80.000 clients. It was a typical root kit that captured credit card data, but in stead of taking the track data from memory it logged all network packets that contained track data. The captured packets did upload all data to an ftp server at 01:00 when everybody sleeps. The malware actually compresses the data in RAR format and password protects the RAR file to avoid detection by IDS systems.

Sample SL2010-007 0 Client-Side PDF Attack – Dwight’s Duper

This attack was performed against a US defense contractor. The malware was spread by a specially crafted email with PDF attached that exploited the system. The email was actually very impressive, it was coming from the right sender, used his email signture lines and was written in the kind of language used in the organisation.

The malicious PDF file actually first extracts all the files it needs, and then shows another PDF with content you would expect. The malware gets everything that it is in the my documents folder, steals firefox passwords and FTPs them off.

Conclusions

The key to malware success is customisations. Generic malware does not work. The key to successful exploitation is to be slow, steady and stealthy.

Malware is getting more and more advanced.

About the speakers

Nicholas J. Percoco – Trustwave

Nicholas J. Percoco is the head of SpiderLabs at Trustwave -the advanced security team that has performed more than 750 cyber forensic investigations globally, thousands of penetration and application security tests for Trustwave clients. In addition, his team is responsible for the security research that feeds directly into Trustwave’s products and services through real-time intelligence gathering. He has more than 15 years of information security experience. Nicholas acts as the lead security advisor to many of Trustwave’s premier clients by assisting them in making strategic decisions around various security and compliance regimes. As a speaker, he has provided unique insight around security breaches and trends to public and private audiences throughout North America, South America, Europe, and Asia including security conferences such as Black Hat, DEFCON, SecTor and You Sh0t the Sheriff. Prior to Trustwave, Nicholas ran security consulting practices at both VeriSign and Internet Security Systems. Nicholas holds a Bachelor of Science in Computer Science from Illinois State University.

Jibran Ilyas – Trustwave

Jibran Ilyas, is a Senior Forensic Investigator at Trustwave’s SpiderLabs. He is a member of Trustwave’s SpiderLabs -the advanced security team focused on penetration testing, incident response, and application security. He has investigated some of nations largest data breaches and is a regular contributor for published security alerts through his research. He has 7 years experience and has done security research in the area of computer memory artifacts. Jibran has presented talks at security conferences (DEFCON, SecTor) in the area of Computer Forensics and Cyber Crime. Jibran is also a regular guest lecturer at DePaul and Northwestern University. Prior to joining SpiderLabs, Jibran was part of Trustwave’s SOC where he helped Fortune 500 clients with their Security Architectures and deployments. Jibran holds a Bachelors of Science degree from Depaul University and Masters degree in Information Technology Management from Northwestern University.

Moxie developed a tool and technique called SSLSNIFF which is able to do undetectable Man in the Middle attacks on SSL connections exploiting the possibilities null terminated certificates offer. He defined three possible counter measures against his attack. Certificate validation, software updates and extended validation certificates. Unfortunately he was able to defeat two of these three measures.
Certificate validation these days is handled mostly by the OCSP, the Online Certificate Status Protocol. Marlinspike found a flaw in the protocol. On of the statuses the OCSP can send back is “Try later…”, represented by the number 3. Such a reply does not need to be signed by the CA an causes the browser to fail open, or as Moxie put it: “OCSP is defeated by the number 3”.
Software updates can be another issue. At the time of the presentation, these bugs where only fixed in Firefox 3.5, so how do you prevent people from updating to this version? Most browsers these days have a so called auto update function, this function searches online for a more recent version of the browser, addons or plugins. In order to ensure that no malicious content is installed, the browsers rely on SSL, the same SSL that was broken by Marlinspike’s SSLSNIFF.

But there is more trouble in paradise. Marlinspike also demonstrated a technique het called ssl stripping. Ssl stripping does not attack SSL itself, instead it actually attacks, what Moxie described as the bridge between http and https. “Https is today’s world is not often encountered directly. Users don’t often type https:// in the address bar themselves. In stead they get redirected to an https site or click on a link to it”. By performing an man in the middle attack on the http connection and carefully rewriting all https requests to http requests, Marlinspike was able to create near exact copies of the login pages for services such as gmail and paypal. The user would only know something is wrong, if they notice that the https prefix is not there or that the padlock symbol is missing.

Dan Kaminski was also able to exploit the common name field to get certificates he should not be getting. Different implementations of certificate validation routines have flaws when it comes to handling certificates with multiple common names in them. By requesting a certificate with three common names: CN=www.ioactive.com, CN=www.bankofameric.com and CN=* Kaminski was able to get a certificate that would perceived as follows; the CA would sees the certificate as an www.ioactive.com certificate, which Kaminski is allowed to request. Internet Explorer will interpret the certificate as a www.bankofamerica.com certificate and Firefox will allow the certificate to be used for any url.

Besides the common name abuse, Kaminski also showed us that there is still an MD2RSA signed root certificate present in all browsers. While practical exploitation is not possible at the moment, it is very likely that this possible in the near future. Most browser vendors are working to fix the issue right now, but Kaminski kindly requested his public to “please, do not hack MD2 in the next six months.”

The last talk I attended was Mike Zusman’s “Criminal Charges not Pursued, Hacking PKI”. Mike used another technique to get “interesting” certificates. By exploiting a flaw in the web application of a CA, he was able to request certificates for pretty much any domain he wanted.

One of the solutions seems to be popping up is Extended Validation, which in a sense takes us back a couple of years. A few years back, the only way to buy a certificate was to provide legal evidence that you had control over a domain via an out of band mechanism to a human, but then these persons at the CA’s where replaced by an online application with an automated validation process and the fun started.

Extended Validation changes this by enforcing standards for validation and requiring validation by a human before the certificate gets issued. Extended Validation (EV) CA’s are hard coded in the browser to prevent the addition of malicious CA’s. But EV certificates get trusted just as much as classic certificates.

Mike Zusman was able to perform a man in the middle attack PayPal, which uses an EV certificate to protect its site. What his program does is only redirect a small portion of the traffic, the actual login, to his own malicious website which has a non-EV www.paypal.com certificate obtained via on of the methods described earlier. The only side effect visible to the user is a brief flickering of the green address bar. But will a user notice or care?

Obviously dual factor authentication, like PayPal’s security key, will reduce the risk, but what can we really do?

I was able to share a beer with Mike after he presentation and it looks like there are fundamental underlying problems with the current certificate structure. Here we have architecture of trust, yet its foundations are built on the known insecure DNS database. Browser vendors claim they have this set of rules that should be obeyed in order for a CA to be included in the browser, yet practice shows that certain CAs that have not followed these rules are still in the browser, while on commercial CAs, like CAcert are having a hard time getting included in browsers for what seems to be political reasons.
It is time to ask ourselves fundamental questions like: Is it a good thing that a browser vendor determines who’s assertion of identity to trust. There is a trend that browsers make it harder to accept invalid certificates. Mike said: “It currently takes more clicks to accept an invalid certificate, then to import a new CA”. Is this a good thing?

Both Zusman and Kaminski agree that is would be a good thing if we had a trustworthy DNS structure that we could just to, e.g. store the fingerprints of certificates that are valid for our domain. Unfortunately DNSSEC is currently in a status quo. The current implementation still got issues, but until the root servers are going to be signed nobody will be motivated to fix these issues.

Then he started to explain how he was able to build up his cloudburst exploit.he focused on the guest os devices, because the device are omnipresent in all VMWare pruducts, they run on the host, can be accessed from the guest, are written in C/C++ and parse some complex data.

Cloudburst is a reliable guest to host escape on recent VMWare products: Workstation, Fusion?, ESX Server (4.0 RC Hardfreeze). All the bugs in his presentation have already been patched patched.

Couldburst is a combination of 3 / 4 bugs in VMWare emulated video.

• Host memory leak into the guest
• Host arbitrary memory write from the guest into the host, both absolute and relative.

Also some functions in VMWare where very helpful to bypass DEP.

The VMWare VGA device is a virtual PCI device. And it does support 3D on VMWare on windows. There are bugs in 2D video that allow arbitrary read from the host process, but not bugs that allow an arbitrary memory write in the right area’s of memory in functions that are enabled by default. 3D however offers better possibilities in that it actually ahs a default enabled arbitrary memory write function. It was also in ESX 4.0 RC Hardfreeze, but got fixed before ESX4 reached production.

In order to fully exploit the bug, Kostya had to use the MOSDEF shell code and communicate via de video buffer. This means that the compromised guest OS communicates with the shell code in the compromised host using BMP images.

Kostya’s conclusions are: VMWare is not a security layer, it is just another layer to find bugs in. Given the right bug primitives, you can exploit anything.

He is also wondering why is the 3D video function code is even included in ESX?

He finished by successfully demonstrating the attack to us

In their presentation they first looked at SMS.  SMS is a building block of the phone system and essential to the working of the modern network because it is used for all kinds of stuff. Why is it good to attack? No firewall, processed by all phones, no user interaction and you only need a phone number to send an SMS.

So how is an SMS processed? Phones have two processors: CPU and Modem which talk via an (often simulated) serial line. The modem is controlled by a specific set of AT commands. If an SMS is received by the modem, the modem sends an unsolicited AT result to the CPU. This is what can be fuzzed.

For practical reasons they did not want to send all these SMS’s that where coming out of their fuzzer over the network. First of all I would cost too much money. During the tests they sent over 500,000 messages. Secondly if the messages where sent over the air, it would mean that the would be able to watch the fuzzing going on. Last but not least they might get into trouble because the tests might actually crash the equipment of the telco’s. So for various different phones (iPhone, Android and Windows Mobile) they developed a MitM SMS injection application which sits in the middle of the virtual serial line. This gave them a fast way to send messages and gives free SMS sniffing capabilities

The testing results had to be tested in real life because not all messages could be sent through all mobile networks.

It turns out that it is very easy to perform a DoS attack on various phones. While DoS may be a lame attack, it is still a very useful attack.

On the iPhone the bugs are in the section of code that handles concatenated test messages. If a single message gets too big, it is split up in multiple messages. It turn out that these routines act funny when they are presented with the number -1.

If you tell the iPhone to expect -1 messafes parts of it crash and prevent the phone from working normally. They demoed this attack agains a guy from Vodafone who volunteered.

It turns out that if you tell the iPhone to expect a reasonable amount of messages and you then send it message number -1 you get, under the right conditions, the ability to overwrite memory. But, is it possible to exploit the heap via SMS?

Via subtle SMS manipulation the heap can be controlled via “mini heap feng shui”. And actuall exploitation is possible even though it takes about 519 SMS’s (@ 1/sec)

The is also a DoS against Android powered phones. Google was notified June 19 and fixed the vulnerability last week.

Windows Mobile Phone: Any text messages with %n crashes an HTC Windows mobile phone.

Cloud computing is actually defined as three types of services: Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastrcture as a Service (IaaS). A large VMWare farm for one company is not cloud computing.

Each of the models has their pro’s and cons.

Model 1: Software as a Service (SaaS) – Alex Stamos

With SaaS in stead of running and building your own applications, you are using web applications provided to you by the SaaS provider. This might actually be a good idea because SaaS companies generally know about application security.

Unfortunately using SaaS means that your data will actually reside on the vendor’s location. Also some SaaS vendors use a password recovery mechanism that will make your datacenter admin password as secure as his email account.

Most SaaS vendors do not provide the audit logs needed for an enterprise. That is why it is probably a bad idea to put regulated data into SaaS.

Some allow you to address password and auditing issues by allowing you to use SAML authentication. It takes away some the benefits from SaaS, but you can do things like dual factor authentication, have control over password policies, provide an internal password reset, do auditing and anomaly detection or even restrict the login page behind a VPN.

SaaS does bring large legal concerns because the contracts exclude all the important stuff, e.g. liability and support in case of compromise. Most vendors prevent you from executing penetration test on their services in their EULAs. Exceptions: Amazon, Google, Salesforce.com

SaaS provides far less protection again search en seizure. In the US a hard drive in you house is protected by the US constitution, a hard drive in a service providers datacenter isn’t.

Model 2: Platform as a service (Paas) – Nathan Wilcox

With PaaS you get provided with a development framework that you can use to develop you own service. Examples are:

• Google AppEngine
• SalesForce.com Platform as a Server, Force.com
• Windows Azure

In order to see if applications developed in this way are more or less secure, Nathan did a simple investigation to see how easy/hard is was to get/avoid common issues like CSRF, XSS and SQL Injection as a developer.

CSRF can be mitigated transparently by all the three platforms. But is requires some action on the developer it is easy to forget.  Force.com is an exception, all controls are enabled by default.

Cross Site Scripting prevention requires more developer awareness then CSRF prevention. In cloud computing this is not different from tradition methodologies.

SQL Injection is easier to prevent in PaaS then it is in classic frameworks

Model 3: Infrastructure as a Service (IaaS) – Andres Brecherer

With IaaS you get control over everything above the hypervisor. Because hundreds of machines gets cloned, there are issues here with the Psuedo Random Number Generator (PRNG). This can lead to SSH key compromises.

Large SMS messages are cut up in smaller SMS messages, this means that the SMS messages need to be parsed by the phone to put it back together and thus can be used as an attack vector to breach the phone. By using a technique known as fuzzing, Miller and Mulliner where able to find exploitable conditions that could be turned into an attack and an iPhone virus. The attack takes a total of 519 SMS messages, but will work without any user interaction.

Charlie Miller urges anybody with an iPhone to turn it off if they get a text message with a single square character. “That small cipher will likely be the only warning that someone has taken advantage of the bug”.

Apple was notified on the 18th of June and to date has not released a fix.

They also showed that smart phones like the iPhone and Adraoid and Windows mobile phone based devices can be forced to stop working with a single crafted SMS. The simplest attack was against HTC Windows Mobile phones which crash on any SMS containing the character sequence: “%n”.

There is a lot of code involved converting types between various languages.

Interoperability is effected by standard bugs like buffer overflows and memory corruption but also three new vulnerability classes:

• Object retention vulnerabilities
• Type confusion vulnerabilities
• Transitive trust vulnerabilities

Object retention

Since an object does not know which other objects are using it, it does not know when to destroy itself. Most often this is done via a reference counter but this is not perfect, leading to using heap data as pointers, double frees, objects not being freed at all.

Issues arise from reference counters rolling over, objects being freed to often or not at all. Also a shallow copy instead of a deep copy can lead to problems. These are all programmatical errors.

Type confusion

In IE variant data types require careful programming, therefore they present an opportunity to attackers. Often this is not picked up by the compiler. It can lead to memory corruption and can be exploitable. This is what happened in the ATL bug . This can lead to e.g. double frees. These issues are also present in ATL and addressed by Microsoft’s patches.

Demonstration #1: An active X control was loaded and passed a persistent data stream which caused a free call to uninitialized data. This is exploitable so shell code was executed.

Demonstration #2: in windows 7 IE8 an array of object was passed in stead of the actual objects. The browser interpreted the array as an object which leads to exploitable error.

Even tough Firefox’ NPAPI is a lot simpler, it requires the programmer to check the data types himself, which is often forgotten leading to the same types of issues.

Trust

Browsers need to deal with a lot more the just HTML these days.

If a browser uses a trusted object A and object A trusts object B which is not trusted by the browser, it is still executed.

Demonstration #3: An object is first loaded but its killbit set and not executed. Then a trusted object is loaded, but it is passed a killbitted persistent object which it will execute. In its turn this object will actually start up calc.exe

Remediation of the ATL issues

Any ActiveX control compiled in the last 15 may have these vulnerabilities in there. ATL2.0 was released in 1997 and ATL 9.0 in 2008. Any ActiveX control based on a vulnerable ATL need to be checked if it is vulnerable, if may need some reprogramming and will need recompilation.

All in all there might be quite a big check of vulnerable controls out there besides the other interoperability scenarios that this talk did not address.

A paper is available at http://taossa.com or http://hustlelabs.com

Quick word on the Microsoft patches

When I asked the guys if Microsoft patches provide a sufficient solution I got an evasive answer. However, one of the demonstration machines auto updated itself yesterday and the demonstration stopped working.

Moxie wrote the tool SSLSNIF is that is able to do a man in the middle attack on  an SSL connection based on this vulnerability to proof to Microsoft that it could be exploited, contrary to what Microsoft said.

Even tough Microsoft and others fixed the vulnerability, the tool is still useful, mainly because people don’t pay attention to certificate warning. Also when the guys that made the fake CA certificate by means of the the MD5 collision use SSLSNIFF to actually exploit is.

But there are more ways to attack SSL then doing a man-in-the-middle attack; SSL Stripping

SSLSTRIP actually attacks SSL before we get there by doing a MitM attack on http. Most https links are not typed, but clicked on or redirected to. SSLStrip watches the http traffic go by and modifies links to https sites to links to http, but it still does the https connection in the backend.

The server thinks is everything is normal because it is receiving valid https requests, the client does not display any warnings, but they are missing lock, but because the user is trained to pay attention to negative feedback and not look for positive feedback, this is not a big issue.

Where do we need to go next?

SSL needs to provide Secrecy, Authenticity and Integrity in order to be effective.

One of the issues is that today there are no people involved anymore with SSL certificates. Just domain validation which is based on a Whois lookup of root of the subject. This provides an email address or phone number to send a token to.

The standard for the DN has totally broken down. Most implementations just look at the CN= part. The CN is stored as a ASN1 string in memory, so they are basically Pascal strings, which means that the actual string is prepended by a byte representing the length. The null character is a valid part of CN string. However if you use the C routine Strcmp() it will actually regard www.paypall.com\0evil.org the same as www.paypall.com.

This bug exists in most web browsers, mail clients, chat clients and SSL vpn solutions like Citrix.

SSLSNIF 6.0 supports this.

Drawback of this attack: It needs to be targeted

Most of these products use NSSto do their certificate validation. If you look at the size and structure of the CN comparison code, there must be a bug in there somewhere.

There is: a certificate for *\0thoughtcrime.org will actually work. This is better then a CA certificate. *~thoughtcrime.org will work as well for some strange issue. As will grouping. CN=(www.paypal.com|www.google.com|www.bankofameric.com)\0.thoughtcrime.org actually works as well.

Also there is a flaw in the code thas actually remotely exploitable: (AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\0OVERWRITE).foo.com. And the good thing is, the certificate does not even need to be signed.

Wildcard support is in SSLSNIF as well.

It does fingerprint the clients as well to see if they are SSN clients.

Two measures work against these attacks: Revocations and software updates.

These days most revocations are checked via OCSP. The OSCP response “try later”, the number 3, does not need to be signed. Most SSL implementations will assume a cert is valid if a “try later” rsponse is sent.

This is now also in SSLSniff.

Updates

Most software has an auto update function, e.g. take Firefox or Thunderbird. Unfortunately, these update mechanisms themselves could be a problem. Actually, Firefox/Thunderbird update files are not signed and they totally rely on TLS for their security.

This is also included in SSL Sniff

Stripping the NULL character is not the solution. Some CA’s are vulnerable sitekey.ba\0nkofamerica.com becomes sitekey.bankofamerica.com.

http://www.thoughtcrime.org

When asked, Moxie confirmed that Firefox 3.5 is NOT vulnerable.

moxie@toughtcrime.org

Four phases for RETRI

1. Preparation
2. Assessment
3. Segmentation and restoration
4. Investigate and recovery

Phase 1: Make sure you are ready for everything. This includes having propper backups, know how your network works and having a terminal server.

Phase 2: Do damage assessment. Disconnect the infected network from the internet

Phase 3: Segmentation and restoration

• Create two isolated networks (QNet – dirty and CleanNet – clean) with the same IP address schema and separate the two networks with something like MPLS.
• Turn all computers on the QNet into dump terminal and only allow access to CleanNet terminal server over port 443 with dual factor authentication and encryption.
• Provide basic servers on the terminal servers
• Then start moving functionality over.

Phase 4:

Use tools to figure out what happened.

CodeWord is a tool they developed that can assist it has not been release yet, but is planned to be released as open source later. It has quite a bit of nice features.

Interesting fact: User downtime costs 3 times as much as the actual cleanup.

www.hexsec.com

www.code-word.org

FX had a cool feature in his presentation; every slide was accompanied by a BlackHat-O-Meter. Works like the base and acid scale. Corporate suite-and-tie types should stay with slides that have the meter all the way on the top, CISSP should be able to grasp the details of slides that are ranked somewhere in the middle, real Hackers could also grasp bottom of the scale slides.

FX’s first words are comforting, there is not so much real world router ownage going on. Mis-configuration, insider attacks, etc. are much more common.

However, infrastructures are what you want to own, so why don’t we see this more often? Because practical exploits are hard.

There are not much vulnerabilities in routers. In 2008 only 14 vulnerabilities where published for Cisco IOS. Juniper only reported a memory leak and a OpenSSL issue. Nothing was disclosed by Nortel Networks.

Because of the mindset of the people that report these issues, vulnerabilities are often classified as functional issues; e.g. “malformed packet crashes router”

Why are routers often not vulnerable?

• Most routers don’t run network services. If they do, find a new network administrator.
• Those functionalities exposed are pretty secure or too simple to be vulnerable. FX: “RIP is so simple Cisco can’t even fuck it up”
• However if you are in the same multicast domain, the router is in trouble.
• “You should not accept any routing information from unknown hosts.”
• Routers are rarely used as clients.

However, the landscape changes:

• IP v6
• VoIP
• Lawfull interception
• SSL VPN
• Web service routing
• XML-PI
• Web Service Management

All these servers either make the router inspect and manipulate packets (ipv6 has per router headers) or let services run on routers.

Luckily adoption is still slow. Network admins don’t want application level functionality on their devices.

Router Transit vulnerabilities

This is the hackers dream: A vulnerability that gets triggered as and when a packet gets forwarded. However this is hard because routers try to avoid inspecting traffic because it takes CPU cycles. Some traffic must however be inspected like IPv6 and Source Routed packets.

Exploiting a Juniper router is easier then exploiting a Cisco IOS device, because Junos is basically FreeBSD. Exploiting a Cisco Service card is also easier because they also run Linux.

Easy ones: Unix based routers (e.g. ADSL routers, Junipers)

The Hard One: Cisco IOS because it is a single large binary program (ELF) running directly on the main CPU.

Accoording to the Cisco COC website, there are current 272722 different IOS images all with a different memory layout. This makes reliable exploitation very hard. Cisco’s chaotic build process causes more memory entropy then ASLR.

FX showed that using various techniques you can actually execute code on a router using the Rommon router bios code that is still loaded on the router from when it booted up. Rommon is aways loaded in the same location and there are far less versions of Rommon. Plus, nobody ever updates it. Unfortunatly you can only guess the rommon version and not remotely fingerprint it.

So back to the drawing board. Analysis of newer IOS binaries shows that there are similarities between IOS versions so the same exploit might be possible with IOS. Currently the pro’s and con’s of using IOS vs. Rommon are:

Rommon: 30% change of success, cannot be fingerprinted

IOS: approx 15% change of success, can be fingerprinted

But you also need to get away with exploiting a router and inserting shell code without stopping the router. This is hard because the single binary image does not have a pre-emptive scheduler an the memory layout is unknown.

FX showed techniques for this as well, which will involve a second stage loader. This is however still work in progress.

Protection: So what can we do against it?

• Prevent the router from receiving traffic
• Protect protocol update.
• Don’t run stuff on routers.
• Monitor service modules independently.
• Use RANCID to monitor configuration changes
• Configure Core Dumping (http://cir.recurity-labs.com wiki)
• Complain to Cisco and other vendors about stable upgrade paths.

It is scary to think that the best protection we have against Cisco attacks is the security through obscurity created by Cisco’s hampered build process.

Then the keynote by Douglass Merill started.

Now being a CEO and having been a security guy before he talks about the way we work changed over time.

First of all he talks about what has caused the IT security budgets to rise where technology budgets in general have decrease. Security guys have learned how to speak executive. CEO’s listen to the Security guys and are scared of them. Unfortunately the executive speak from security guys comes with falsisms. False ROI calculations based on missed loss in stead of gain and technology push based on compliance requirement are just a few.

But the world is not the place we learned to know and love. Work and private life are getting more and more intertwined. And people are using consumer technology in stead of enterprise software, because consumer technology is currently better then enterprise technology.

This has cause classic paradigms like “hard shell soft center” (a.k.a. perimeter security) to fail. Security needs to transform from being a preventative technology and listen to users. If you make it easy for users/developers to use security they will start to use it, “humans are like rats, if you show then the easy way through the maze they will take it”.

Since the ATL is widely used it means that a lot of vulnerable software may be out there. Software vendors who used the vulnerable ATL should install the update and release updated versions of their ActiveX controls immediately.

The rest of us should at least install the ActiveX Killbit bypass update ASAP and set killbits as more and more vulnerable controls are discovered.

Wednesday 29 July 2009 (BlackHat)

• Introduction to BlackHat 2009 by Jeff Moss
• Keynote by Douglas C. Merrill
• Router Eploitation by Felix “FX” Linder
• Rapid Enterprise Triaging by Aaron LeMasters & Michael Murphy
• More tricks for defeating SSL by Moxie Marlinspike
• Economics and the Underground Economy by Gormac Herley or
• The Language of Trust: Exploiting Trust Relationships in Active Content by Mark Dowd, Ryan Smith and David Dewey (preview)
• Internet Special Ops by Andrew Fried, Paul Vixie and Christopher Lee
• Gala reception with the talk “Me to We” by Johnny Long and the Pwnie Awards

Thursday 30 July 2009 (BlackHat)

• Keynote by Robert Lentz
• Cloud Computing Models and Vulnerabilities – Raining on the Trendy New Parade by Alex Stamos, Andrew Becherer & Nathen Willcox
• SADE: Injecting agents into VM Guest OS by Matt Conover
• Clobbering the Cloud! by Haroon Meer, Nick Arvanitis and Marco Slaviero
• Breaking the Security Myths of Extended Validation SSL Certificates by Alexander Sotirov and Mike Zusman
• Cloudburst – Hacking 3D and Breaking out of VMWare by Kostya Krichinsky
• Reconceptualizing Security by Bruce Schneier
• Toxic BBQ together with Chris John Riley

Friday 31 July 2009 (Defcon)

• Beckstrom’s Law – A Model for Valuing Networks and Security by Rod Beckstrom
• Asymettric Defense: How to Fight Off the NSA Red Team with Five People or Less by Efstratios L. Gavas
• Q&A with Bruce Schneier
• More tricks for Defeating SSL by Moxie Marlinspike
• Cloud Security in Map Reduce by Jason Schlesinger
• Socially 0wnded in the Cloud by Digividual
• Defcon Security Jam 2: The Fails Keep on Coming by David Mortman et al
• Stealing Profits from Stock Market Spammers or: How I learned to Stop Worrying and Love the Spam by Grant Jordan
• Malware Freakshowby Nicolas J. Percoco and Jibran Ilyas
• Criminal Charges are not Pursued: Hacking PKI by Mike Zusman
• Something about Network Security by Dan Kaminsky
• 10,000 cent Hacker Pyramid
• Hacker Karaoke or Hacker Jeopardy

Saturday 1 August 2009 (Defcon)

• Breaking the “Unbraekable” Oracle with Metasploit by Chris Gates and Mario Ceballos
• CSRF: Yeah, It Still Works by Mike “mckt” Bailey and Russ McRee
• RFID MysthBusting by Chris Paget
• Failure by Adam Savage
• The Projects of “Prototype This!” by Joe “Kingpin” Grand, Zoz
• Hijacking Web 2.0 Sites with SSLstrip – Hands-on Training by Sam Bowne
• Metasploit Track

Sunday 2 August 2009 (Defcon)

• Down the Rabbit Hole: Uncovering a Criminal Serverby Iftach Ian Amit
• Invisible Access: Electronic Access Control, Audit Trails and “High Security” by Marc Weber Tobias, Matt Fiddler and Tobias Bluzmanis
• Unmasking You by Jushua “Jabra” Abraham and Robert “RSnake” Hansen
• Cracking the Poor and the Richt: Discovering the Relationship Between Pysical and Network Security by Damian Finol
• AAPL – Automated Analog Telphone Logging by Da Beave
• Slight of Mind: Magic and Social Engineering by Mike Murray and Tyler Reguly
• USB Attacks: Plug & 0wn by Rafael Dominguez Vega
• Cracking 400,000 Passwords or: How to Explain to Your Roommate why the Power Bill is a Little High by Matt Weir and Sudhir Aggarwall
• Award Ceremonies hosted by Dark Tangent