Interoperability is everywhere in browsers: Java <-> VBScript, VBScript <-> .NET, .NET <-> JavaScript, JavaScript <-> DOM, etc. This interoperability presents a large attack surface that has so far not been well explored.
There is a lot of code involved in converting types between the various languages.
Read more…
The background: in the past, basic constraints were not properly checked, so any client certificate could be used to create another client certificate that would actually validate.
Moxie wrote the tool SSLSNIFF, which is able to perform a man-in-the-middle attack on an SSL connection based on this vulnerability, to prove to Microsoft that it could be exploited, contrary to what Microsoft said.
Even though Microsoft and others fixed the vulnerability, the tool is still useful, mainly because people don’t pay attention to certificate warnings. Also, the guys that made the fake CA certificate by means of the MD5 collision used SSLSNIFF to actually exploit it.
But there are more ways to attack SSL than doing a man-in-the-middle attack: SSL stripping.
Read more…
The talk focused on a methodology for restoration after a massive compromise while keeping the users on the network and somewhat productive.
Four phases for RETRI:
- Preparation
- Assessment
- Segmentation and restoration
- Investigation and recovery
Read more…
I arrived late, but the talk hadn’t started; unfortunately it did mean standing room only.
FX had a cool feature in his presentation: every slide was accompanied by a BlackHat-O-Meter. It works like the base and acid scale. Corporate suit-and-tie types should stay with slides that have the meter all the way at the top, CISSPs should be able to grasp the details of slides that are ranked somewhere in the middle, and real hackers can also grasp the slides at the bottom of the scale.
FX’s first words are comforting: there is not so much real-world router ownage going on. Misconfiguration, insider attacks, etc. are much more common.
However, infrastructure is what you want to own, so why don’t we see this more often? Because practical exploits are hard.
Read more…
BlackHat Las Vegas has officially started. Jeff Moss kicked the conference off with the usual boring stuff. One of the surprises is that BlackHat Amsterdam will not happen. Instead they decided to move the event to Barcelona because they could not find a facility in Amsterdam big enough anymore. As a result BlackHat Barcelona will be bigger; it will feature three parallel tracks instead of the two tracks that were possible in Amsterdam. Still, I am sad that they abandoned my home country.
Then the keynote by Douglas Merrill started.
Read more…
Today Microsoft released two out-of-band patches. Remarkably, one of the patches is rated moderate in itself; however, it turns out that this patch is for a flaw in the Microsoft Active Template Library (ATL). Software built using this ATL contains a vulnerability which can be exploited easily and can lead to arbitrary code execution on a client, e.g. when surfing to a malicious website. Interestingly, the active content (ActiveX control) is executed even when a kill bit for the ActiveX control has been set. A preview demonstration is available online and details will be disclosed at the BlackHat conference tomorrow, 29-7-2009 3:25 PM (GMT-8).
Read more…
Yesterday, I spent some of the hours that I was stuck in a metal tube above the Atlantic Ocean pulling together my schedule for BlackHat and Defcon this coming Wednesday to Sunday. The schedule I pulled together, combined with my plans to do (semi-)live blogging from the conference for Cupfighter.net, is actually quite mad, so I fully expect to have to skip some of the activities listed below.
Wednesday 29 July 2009 (BlackHat)
Thursday 30 July 2009 (BlackHat)
Friday 31 July 2009 (Defcon)
Saturday 1 August 2009 (Defcon)
Sunday 2 August 2009 (Defcon)