Cupfighter.net

Fog | Power Plant - A CC NC SA image from fxp's Flickr stream

Marco’s (embyte@iseclab.org) research focuses on the first automated approach to detect PHP parameter pollution.

(Slide deck)

What is parameter pollution?

In http it is allow to provide a parameter via GET and via POST. You can also provide a parameter twice. Some application do not handle this very well and interpret both, the first or the second.

E.g. will the url http://somesite.com/vote.jpt?pool_id=4568&candidate=green&candidate=white vote for Mr. Green or Mr. White? Since PHP always opts for the first parameter the vote will go to Mr. Green.

Since parameters in a get request overwrite the parameters in the post request, An attacker can pollute http parameters without manipulating the page itself.

Marco has built a system that can automatically test HTTP parameter pollution for both problems:

P-Scan scans for Parameter precedence.

It performs three tests:

• Error Test – Test if the application crashes if a parameter is repeated twice
• Identity test – Is a second parameter considered by the application
• Base test – Assume that pre-filtering works

V-Scan tests for actual http parameter pollution vulnerabilities. When it is determined that pages reactive differently when parameter pollution is applied. V-Scan eliminates those cases where these differences are not a vulnerability.

These tests are implemented in a tool called PAPAS.

Marco proceeds to present the results of deploying PAPAS against about 5,000 popular websites. The sites that appeared to vulnerable in more vulnerable where inspected in more detail.

Read more…

WhiteRabbits - A CC NC SA Image from Halans Photo Stream

Subtitle: Theory, Design and Implementation of Complex Systems for Testing Application Logic

Rafal works at HP (blog).

The talk is step up as a three act play.

Act 1 – Definition

What is “application logic”?. Rafal is trying to discover the definition to “application logic”, via and interactive process with the audience.

He starts of by showing a business flow for ordering items online as well as adding loyalty points. If the business flow is not implemented correctly, loyalty points get added without the transaction being completed. This means you can get hacked without your infrastructure being compromised.

The difference between flaw in the business logic instead of a flaw in the application logic, is that the latter can be patched, while the first requires a redesign of the program.

How is this different then e.g. the OWASP top 10? The closest match we have is the MITRE CWE Top 25.

Act 2 – Types of defects

There are basically two types of these attacks:

• Privilege manipulation
• Transaction control manipulation

Read more…

Tomorrow around noon I will board a plane that will bring me to a, hopefully sunny, Barcelona to attend Black Hat Europe. Besides meeting with friends like Didier Stevens, Xavier Mertens, Wim Remes and Rafal Los and hoping to make some new, I will be up to my usual live blogging trick and try to cover the presentations I attend via my Twitter account and CupFighter.net.

Here is a list of presentations I intend to follow on day one:

• Rafal Los: Defying Logic – Theory, Design, and Implementation of Complex Systems for Testing Application Logic
• Marco Balduzzi: HTTP Parameter Pollution Vulnerabilities in Web Applications
• Andrés Riancho: Web Application Payloads
• Raul Siles: SAP: Session (Fixation) Attacks and Protections (in Web Applications)
• Chris Valasek & Ryan Smith: Exploitation in the Modern Era
• Bruce Schneier: The Keynote

And on day two:

• Matt Neely & Spencer McIntyre: EAPEAK – Wireless 802.1X EAP Identification and Foot Printing Tool
• Tom Parker: Stuxnet Redux: Malware Attribution & Lessons Learned
• Wim Remes: Among the blind, the squinter rules : Security visualization in the field
• Yuri Gushin & Alex Behar: Building Floodgates: Cutting-Edge Denial of Service Mitigation
• Claudio Criscione: You are Doing it Wrong: Failures in Virtualization Systems
• Damir Rajnovic: Monoculture – the other side

Now, as usual this plan is exactly that, a plan. Anything that can come up that may disrupt this from a lots laptop (thanks Xavier, I will try not to loose it this time) to a last minute interview or me changing my fancy.

By Christiaan Beek

From isfullofcrap Flickr photo stream. Creative Commons License

BlackhatEU : Virtual Forensics
By Christiaan Beek

What are the challenges when you have to do forensics on a virtual environment?
•    What are the tools available?
•    Are the tools forensically sound?
•    Where is the data?
•    Who owns the data?
•    What forensic techniques do we use?
•    How to acquire data from the cloud?

Citrix is a nightmare for forensics investigators. There is no personal hard disk to investigate, only a personal profile which does not have very much data in it.
Read more…

By David Lindsay & Eduardo Vela Nava

The talk is about abusing the anti-XSS filters built into IE8 to always be able to perform XSS.

Microsoft decided to implement anti-XSS measures in IE because XSS is so common. On the other hand the wanted to be careful not to break the web and to keep things performant and the solution itself had to be secure.

So how do these filters work?
•    Examine all outbound requests for XSS patterns using heuristics filters.
•    If something matches the filter a dynamic signature is generated
•    If the signature matches then the response is neutered.
Read more…

By Steve Ocepek & Wendel G. Henrique

Steven and Wendel will be showing live demos of tools for exploitation of Oracle that will be released after the conference. These tools are all about performing man in the middle attacks. And while a lot of people think this is a hard scenario, the truswave guys find that it is surprisingly efficient in practice.

First tool demoed is vamp. Vamp is a tool for basic arp spoofing.
Arp poisoning is old. The specification of ARP was written in the 80s. However it still very effective and open up an entire category of attacks.
Read more…

By Christian Papathanasiou

Christian demoed two tools called JBoss-autopwn and Tomcat-autopwn.

For both tools he demonstrated that exploitation is possible both on Windows and Linux systems. It is also very likely that his tool also works on Solaris.
Read more…

By Andre Adelsbach

Image from christianmeichtry's Flickr photostream. Creative Commons license

The talk starts with explaining the properties of Satellite ISPs. Due to the nature of satellite communication, high latency, high downstream bandwidth, the ISPs often use performance enhancing proxies. Often the satellite ISPs use asymmetric links, using a local uplink in combination with the satellite downlink, but symmetric communication, where the uplink also is sent via the satellite is possible too.

The performance enhancing proxy on the local machine has to breaks some of the basic TCP/IP properties to enhance performance, in this also breaking some of the basic security measures.

Read more…

By Enno Rey & Daniel Mende
erey@ernw.de
dmende@ernw.de

When implementing Cisco Wireless network infrastructure Enno and Daniel got the impression that, security wise, these systems smell.

First part of the presentation focuses on what a typical implementation looks like.

There are three generations:
1.    Structured Wireless-Aware Networks (SWAN)
2.    Based on managed APs and LWAPP (After acquiring Airport)
3.    Cisco Unified Wireless Network

The talk focuses on generation one and three.
Read more…

By James Arlen (@myrcurial, james.arlen@pushthestack.com)

James talk is not about SCADA, it about talking about SCADA.

The security industry has discovered that SCADA systems are in fact information system and all of a sudden security professionals are talking about how they can fix the SCADA security issues.

One of the biggest pieces of FUD that is out there is: if you own the computer you own the system? This is not the case, most of the time when SCADA systems fail, the processes they control stop.

Yes, SCADA systems use control processes by using standard protocols, like modbus tcp, but that doesn’t mean that you understand what energizing coil 13 does to the actual process. If you can break the computer system, it doesn’t men you can break the process.

There are more controls in place in a manufacturing process, e.g. the safety systems that are their to prevent catastrophic from happening or the quality control systems that prevent that dodgy products get out. The most important control in place is that manufacturing is still mostly run by humans who will notice that stuff is about to go wrong.

One of the facts about big infrastructures (electrical nets and manufacturing processes) is that the people who run them count on stuff breaking down. Most of the time you don’t even notice that a major failure in these systems has occurred.

It’s not all negative…
We can understand SCADA systems and we can indeed help. In industrial systems Availability is the key element of the triad, not Integrity or Availability.

If you are going to get involved, be a student, before you become the teacher. Buy some people a cup of coffee and be prepared to put you ego behind you. Understand that these people have being doing this work for a long time and are indeed you parents age, that makes you the kid.

James shared, not for disclosure, a number of examples of IT Security bad practices that where found in the real world and make most IT Security wince and giggle at the same time. Words like rsh, solitaire and non-upgradable NT 4.0 where mentioned.

What will save us, Super Ninja’s, l337 super heros or just “Not Sucking”.

As IT Security people we need to open up, understand this stuff and make small progress that will have a big effect.