Saturday, April 9, 2011

Hackito Ergo Sum 2011 - Day 3 (and last)

Day 3 was another great day: we had a couple of cybercrime talks, Ruby on Rails, DNIe, USB autorun for Linux and the solution to the conference crackme. I want to take this chance to thank the organizers: I really enjoyed this conference, the people were great and the talks interesting, and I hope to be back next year, maybe even to present a talk.
As usual I welcome comments, either here or directly to me - feel free to let me know anything constructive.

Raoul Chiesa / Keynote
Raoul's keynote focused on cybercrime, UNICRI and their Hacker Profiling Project (HPP). Cool quote: "you got information, you got power". The talk was cool and included parts on who is behind cybercrime that I won't recount here, out of respect for his request not to record anything during those parts of the talk. He shared his views on why cybercrime works:
  • New users every day = new fools every day
  • Making money (fits the economic crisis)
  • Technical know-how is easy to get
    • Back in the day we worked hard to get something
  • Easy to recruit idiots ("mules")
  • Psychological - "they will never find me/bust me"
  • Psychological - lack of violent actions
And how HPP classifies hackers:
  • Amateur
    • Wanna be lamer (9-16)
    • Script kiddie (10-18)
  • Hobbyist
    • Cracker (17-30)
    • Ethical hacker (15-50)
    • Quiet, paranoid, skilled hacker (16-40)
  • Pros
    • Cyber warrior (18-50)
    • Industrial spy (22-45)
    • Gov agent (25-45)
    • Military hacker (25-45)
He had a lot of interesting stuff to say and the talk actually went overtime. I can't possibly begin to recount even the public parts of the talk in a short summary, but I highly advise you to listen to him if you get a chance.


Joernchen of Phenoelit / Ruby on Rails from a code auditor's perspective
This talk focused on how to audit Ruby on Rails (RoR) code. Key points:
  • 3 layers called MVC - Models, Views, Controllers - review them
    • Start from the controllers
  • Look at the database
  • Look at the filters
  • RoR has some fancy magic that can go wrong - for example: mass assignments (CCC.de had a vuln because of using this)
Nice talk, and definitely someone you should talk to if you audit RoR; personally this isn't one of my focus areas.
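The mass-assignment "magic" joernchen warned about, as an added example (not his code and not Rails itself): a plain-Ruby stand-in for an ActiveRecord model, first written the way a naive Rails 2/3 controller did `User.new(params[:user])`, then with the whitelist a reviewer would ask for. The `User`/`SafeUser` classes and the tampered request hash are constructed for this illustration.

```ruby
# Minimal stand-in for an ActiveRecord model (constructed for this example, not Rails code).
class User
  attr_accessor :name, :email, :admin

  def initialize
    @admin = false   # a fresh signup must never be an administrator
  end

  # Vulnerable pattern: every key in the request hash is written to the model,
  # so a client can add a field (here "admin") that the signup form never offered.
  # This is what unrestricted mass assignment in a Rails model amounts to.
  def mass_assign_unchecked(params)
    params.each { |k, v| public_send("#{k}=", v) }   # no whitelist at all
    self
  end
end

# Hardened pattern: only the attributes the form is meant to set are accepted;
# anything else in the request is dropped. This mirrors a Rails attr_accessible
# whitelist (Rails 2/3) or strong_parameters (Rails 4+).
class SafeUser < User
  PERMITTED = %w[name email].freeze

  def mass_assign(params)
    params.each do |k, v|
      next unless PERMITTED.include?(k.to_s)   # "admin" (and unknown keys) never reach the setter
      public_send("#{k}=", v)
    end
    self
  end
end

# Constructed request: the client appended user[admin]=true to an ordinary signup form.
TAMPERED_PARAMS = { "name" => "mallory", "email" => "mallory@example.org", "admin" => true }.freeze

if __FILE__ == $0
  puts "unchecked: admin=#{User.new.mass_assign_unchecked(TAMPERED_PARAMS).admin}"  # true
  puts "whitelisted: admin=#{SafeUser.new.mass_assign(TAMPERED_PARAMS).admin}"      # false
end
```

When auditing a Rails code base, the check is the same as in the example: for each model reached from a controller via `new`/`update_attributes` with a raw params hash, look for an `attr_accessible` declaration (or, on newer Rails, a `params.require(:user).permit(...)` call) and confirm that privilege-bearing columns such as `admin` are not in the permitted set.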


Gabriel Gonzalez Garcia / Man in the Remote: PKCS 11 for fun and profit
This talk focused on ways to defeat the DNIe, the Spanish government's digital ID system, used for authentication and non-repudiation certificates. Basically he implemented an attack on the untrusted-terminal problem: the PC sits between the DNIe device and whatever it authenticates to. There are two ways to use the DNIe for web authentication: a Java applet, or SSL with a client certificate. The device itself has an EAL 4+ certification and defends against most hardware tampering attacks. What he found were two practical attacks on the terminal:
  1. Write a fake interface library that acts as an RPC server connecting his machine to a remote DNIe
  2. Write a fake Java applet that acts as the proxy and runs on the client machine (easier)
He proposed a solution that I personally disagree with: "distance bounding", i.e. measure the response time and reject slow responses.


Jon Larimer / USB autorun attacks against Linux
This talk focused on how to implement autorun attacks against Linux and showed one successful attack; to be exact, it is successful against GNOME. First of all, the freedesktop.org specs forbid systems from running code without asking the user. That being said, a lot of processing is done when a new storage device is connected: file system drivers execute, file browsers read the contents and thumbnailers create thumbnails. These attacks basically require physical access, which usually means "game over" because you can use DMA attacks via 1394 vulns and other attacks like cold boot attacks. However, assuming the latter is too complicated for you and you are on a system where protections against 1394 DMA attacks were implemented, you need another way. From here on Jon described his research process, which I will skip to go directly to the end: he decided to focus on the thumbnailers used by Nautilus (the GNOME file manager). He found a vulnerability in the Evince thumbnailer for DVI files (among others). Luckily (or unfortunately, depending on your view) Evince uses AppArmor and is compiled as PIE; in addition the kernel has ASLR enabled (but it is a 32-bit system). He worked on overcoming this:
  • ASLR and PIE can be defeated by brute forcing:
    • On a 32-bit system there are only about 3000 addresses that the Linux kernel can load libc to.
    • Using this we can just generate 3000 files, one for each address
    • Loading will be slow (about 10 min), but success is almost certain
    • An interesting result he found was that in his statistics around 10% of the addresses were used significantly more than others
      • So you can create only about 300 files and have a high chance of success
      • He says he didn't research why this is. This is something that someone should really pay attention to.
  • AppArmor can be worked around
    • It doesn't protect against X11 library calls
He showed a demo of killing the lock screen using a USB stick. Jon Oberheide added an interesting comment that there is a rather new layer for partition parsing in Linux that has had a lot of bugs recently.
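Why the skew Jon noticed deserves attention, as an added example (mine, not Jon's): the defender's check is to measure the library base-address distribution on the system and compute how much randomness an adversary actually faces. The "3000 slots" figure comes from the talk; the 10%/80% skew below is a constructed distribution standing in for real measurements, which would have to be sampled on the system under test (e.g. by recording the libc base from /proc/<pid>/maps across many process starts).

```ruby
# Added example: quantifying how a skewed base-address distribution weakens 32-bit ASLR.
SLOTS = 3000   # from the talk: ~3000 possible libc load addresses on a 32-bit Linux kernel

# Ideal randomisation: every slot equally likely.
def uniform_dist
  Array.new(SLOTS, 1.0 / SLOTS)
end

# Constructed skew (assumption, not a measurement): 10% of the slots carry 80% of the
# probability mass and the remaining 90% of slots share the other 20%.
def skewed_dist(hot_fraction: 0.10, hot_mass: 0.80)
  hot = (SLOTS * hot_fraction).round
  Array.new(hot, hot_mass / hot) +
    Array.new(SLOTS - hot, (1.0 - hot_mass) / (SLOTS - hot))
end

# Probability that the real address is among the k most likely slots: the best that
# a k-guess attempt (k crafted files, in the talk's setting) can achieve.
def coverage(dist, k)
  dist.sort.reverse.first(k).sum
end

# Shannon entropy in bits: average unpredictability of the base address.
def shannon_bits(dist)
  -dist.sum { |p| p > 0 ? p * Math.log2(p) : 0.0 }
end

# Min-entropy in bits: the unpredictability against an adversary who always guesses the
# most likely slot first; this is the figure that matters for brute-force resistance.
def min_entropy_bits(dist)
  -Math.log2(dist.max)
end

if __FILE__ == $0
  [["uniform", uniform_dist], ["skewed", skewed_dist]].each do |name, d|
    printf("%-8s H=%5.2f bits  Hmin=%5.2f bits  top-300 coverage=%3.0f%%\n",
           name, shannon_bits(d), min_entropy_bits(d), 100 * coverage(d, 300))
  end
end
```

With a uniform distribution 300 guesses cover 10% of the cases and the base carries log2(3000), about 11.6 bits; under the constructed skew the same 300 guesses cover 80% and the min-entropy drops to log2(375), about 8.6 bits. Plugging measured frequencies into `skewed_dist`'s place is how to tell which of the two a given kernel build is closer to.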


Yuval Vadim Polevoy / Money is in the eye of the beholder: new and exciting ways to steal your money
This talk again focused on cybercrime. Yuval is from the RSA research lab and really interesting to talk to. He focused on how cyber-criminals make money and on the underground economy. I will recount some of the most interesting points; I'm not sure I can do justice to the details, but that is the cost of summarizing...
  • A cybercrime operation requires:
    • Bots
    • Campaign
    • Drop point
    • Bot plugins
    • Hiring & managing mules
    • Establishing covert channels
    • Maintaining fast-flux (optional)
  • The skill set required for that is:
    • Low level programmer
    • 0day researcher
    • Spammer
    • Hosting owner
    • JS programmer
    • HR recruiter
    • E-commerce expert
    • IT specialist
These are too many skills for most people, so the common solution nowadays is outsourcing parts of this effort to others.
To finish, he focused a bit on the future techniques malware authors will use, in particular screen grabbing. Yuval showed a demo of two techniques that can be used for screen grabbing in Windows, thus defeating on-screen keyboards and allowing other stuff like cheating in online poker...


Eloi Vanderbéken / Hackito Ergo Sum crackme
To close the day, Eloi talked about the crackme. I won't go into all the details, but here are the highlights:
  • Verification algorithm - based on a modified RC4
  • Obfuscation
    • Instruction mutation
    • Control flow graph obfuscation
  • Encryption layers
  • Direct native API calls
  • Using sysenter (it also issues a lot of random invalid syscalls), which is why the crackme only worked on 32-bit systems
  • Anti-X
    • Anti-debugger
    • Anti-instrumentation
      • This was especially interesting to me, in particular because Eloi used Pin as the example instrumentation engine
      • Detect hooks on KiUserExceptionDispatcher and KiUserCallbackDispatcher
      • Detect stack reuse by instrumentation code: place a constant at esp-4, execute a syscall, check the constant
    • Anti data-tainting
This is definitely a respectable set of protections. Only 3 solutions were submitted. I might try to write a PinTool that will be able to handle all these protections and post it here if I can.



Well, that's it for Hackito this year - I hope you will read my future posts.

Friday, April 8, 2011

Hackito Ergo Sum 2011 - Day 2

Day two of HES 2011 brought even more awesomeness. I will summarize the talks here:

Keynote - Rodrigo Branco (BSDaemon) / Behind the scenes: security research
First up was Rodrigo giving a keynote (which shows he is old :P). He focused on the state of the industry and mentioned several key points that might be debatable:
  • there are a lot of snake-oil security experts; it's really hard to find real experts
  • 0days are nowadays spreading in minutes to all vulnerable hosts
  • lots of "vulnerabilities" released are not exploitable, or at best have an exploit that works only on the VM of the guy that developed it and nowhere else
  • The new generation of hackers is not coming - most of us grew up in a time when using a computer was a challenge, now it's just plug & play, GUI, etc...
  • he went into security myths common in the industry
I'll settle for repeating two interesting points he made, since this is a short summary:
  1. What is the difference between a rogue AV and a real AV?
    1. both do not guarantee anything
    2. both have "premium options" you can buy
    3. both have a nice GUI (although rogue AVs usually have a nicer one)
    4. both will slow down your system
    5. both will have false alarms
  2. All companies benefit from having a security research team, but you need to know how to build and work with one:
    1. Researchers bring real understanding of threats and security awareness
    2. when choosing a researcher, select carefully
    3. researchers are lazy, so define expectations, not a specific target
      1. if you know what you want, hire a developer, not a researcher
    4. your team has to travel
    5. expect to buy tools

James Oakley and Sergey Bratus / Exploiting the Hard-Working DWARF
Due to circumstances I couldn't avoid I had to miss this talk which is really worthwhile. I have done some work on DWARF for instrumentation but was interested to see it from an exploitation point of view, especially since they say it is Turing complete.
Slides (from ShmooCon actually): http://www.cs.dartmouth.edu/~electron/dwarf/



Jon Oberheide & Dan Rosenberg / Stackjacking Your Way to grsecurity or PaX Bypass
In this talk the authors showed how to exploit the Linux kernel in spite of hardening mechanisms like grsecurity or PaX. They took an interesting approach: not focusing on a specific vulnerability but making a minimal set of assumptions about the situation and showing that any vulnerability and situation satisfying these assumptions can be exploited.

  • Kernel protection assumptions:
    • Zero knowledge of the kernel address space
    • Fully randomized kernel text & data
    • Cannot introduce new code into the kernel address space
    • Cannot modify kernel control flow (i.e. data only - no ROP)
  • Attacker assumptions:
    • #1: can do an arbitrary kmem write
      • Requires some knowledge of the kernel layout (an information leak) to exploit
    • #2: kernel stack memory leak
      • AKA "the Dan Rosenberg" :P
Taking this into account they developed a 3-stage exploitation technique: kstack leak --> stack groping --> overwrite a specific part of the thread_info struct. Going into details would require a whole post at least, so I will mention the highlights only; for more details try Oberheide's homepage (nothing up yet) or Dan's blog (seems abandoned). For now I will focus on two points:
  • In order to get all the information needed from a kernel stack leak they developed a library called "libkstack" - it works with a leak of 3 bytes and up.
  • Stack groping is the name for the techniques they invented in order to actually exploit:
    • kernel_ds - invented by Dan R., focuses on using set_fs() to change addr_limit in the kernel
    • Obergrope - invented by Oberheide, uses a child process to clobber a process stack frame while it is inside a syscall (race condition)
Exploitation is pretty safe and takes about 1-2 minutes according to their demo.




Richard Johnson – A Castle Made of Sand: Adobe Reader X Sandbox
This talk went into detail regarding Adobe Reader sandboxing and security; here are my takeaways:
  • Adobe started using ASLR and DEP, which is great, but only on new Windows systems. Also the implementation seems partially lacking, since some DLLs (e.g. encryption) are loaded at a pre-defined address.
  • Adobe works on sandboxing using Windows process privileges and IPC limitations; a lot more work is required
  • they need to implement security features for non-Windows platforms as well
  • they need to compile to 64-bit - it will reduce the chances of spraying


Aaron Portnoy & Logan Brown / Concentrated Fire: Black Box Auditing Adobe Shockwave
The guys from TippingPoint gave a talk similar to the one from CanSecWest, so no need to go deep here. Some cool stuff:
  • They use a lot of dynamic binary instrumentation to analyze SW
  • Shockwave uses a private memory manager called SmartHeap
  • they crowd-sourced the exploitation of the crashes they discovered during Recon
  • If Shockwave lacks a vulnerable component on your target, don't worry - it will DL it for you :)
  • ZDI will not buy any more Shockwave bugs or touch Shockwave from now on!


Kevin Redon & Ravishankar Borgaonkar / femtocells: inexpensive devices to test UMTS security
For those of you who don't know, a femtocell is a small cellular base station that works within a really limited range. Basically your phone connects to the femtocell, which connects to your provider's network over the internet. The first part of the talk focused on taking control of the femtocell firmware; I will skip this except to note that they used the recovery mode, which shows how careful you need to be with such features. You can buy a femtocell in 12 countries, see the Femto Forum for details. Once you are in control you can do some cool stuff:
  • MITM on UMTS
  • Calls are only encrypted between the phone and the femtocell, then sent in clear text
    • they showed a demo (that failed the first time) of recording a call and capturing SMS messages
  • Provider networks assume full trust in the players, so no firewalls, protections, etc...
    • seems like easy targets from their description; no actual details provided
  • 3G / 4G phones can be attacked by the femtocell acting as the network provider
    • again, no details were provided
This is still research in progress and seems very promising; I recommend following it.




Lightning Talks
There were 3 lightning talks today:
  • The first one was mine; I got manipulated into doing it while drinking beer over lunch, but it was really fun.
  • I talked about "Binary Instrumentation for Hackers"
    • I presented a few select slides from the talk I'm working on (see earlier posts), explaining what you can do with binary instrumentation, and an example Pin-based binary instrumentation tool.
  • After me Alex talked about his Passive DNS work
    • See the website
    • He showed a cool demo of how it worked on the recent LizaMoon attack
  • The last talk of the day was joernchen on Distributed Ruby (dRuby) vulns
    • to sum it up, dRuby uses $SAFE, which prevents you from calling arbitrary code (eval etc.) by activating taint protection
    • unfortunately this doesn't work so well because you can still use syscall()
    • nice method to identify whether you are on a 64-bit or 32-bit system by using syscall(20)

Well that's it for today, I hope I can keep the pace and publish a summary tomorrow as well.
 

Thursday, April 7, 2011

Hackito Ergo Sum 2011 - Second half of the first day

Short summaries of the talks in the second half of the first day:


Itzik Kotler / Let Me stuxnet you
Although the name of the talk has Stuxnet in it, it is not another one of those boring Stuxnet talks; it focuses on permanent DoS (PDOS) of your hardware using all sorts of methods. This research is still a work in progress.
Several key concepts:
  • SW can harm HW by making it perform harmful operations
  • SW can harm FW and cause it to do harmful operations
  • SW can take advantage of one piece of HW to harm another HW
PDOS can be achieved in many manners:
  • Phlashing - overwriting the firmware in flash to brick parts
  • over-clocking
  • over-volting
  • over-using - esp. mechanical parts
  • power cycling - uses temperature flection
Can attack CPUs, GPUs, RAM, HDDs, SSDs, flash, NICs, CRTs, floppies and more...
Interesting focus on examples of how to implement these attacks so that the user doesn't realize what is happening until his system dies.

Marc Heuse / Recent advances in IPv6 insecurities
This is van Hauser from THC. The first part of the talk focused on IPv6 basics. He then covered some attacks against IPv6 he has released since 2005 and went on to talk about new attacks; I'll try to cover everything real quick. In particular I liked the quote: "if you start fuzzing, things will blow up".
First, it is important to mention the THC IPv6 attack tool he is developing, many parts of which are not yet released, BUT if you join the dev team he is willing to share (and he is looking for help)... He also released a new version of THC Hydra during his talk.
So, a real quick overview of the IPv6 attacks he mentioned (only the headlines or I won't finish this post):
  • ARP spoofing => ND spoofing
  • Duplicate address detection DOS
  • Many ways to MITM using redirects
  • Using autoconfig (like DHCP but built into IPv6) to pretend to be a router
  • Replacing the default router using lifetime=0
  • Most Linux distros (and systems in general) don't filter most IPv6, especially weird headers
  • Can announce a remote network as local to spoof it
  • RA flooding - can DOS Cisco, NetScreen, all Windows, FreeBSD, some Linux
  • you can detect systems sniffing on your local network
  • taking over as MLD
  • side channels in IPv6
  • techniques to identify remote systems (you can't scan 16 octets!)


Tarjei Mandt / Kernel pool exploitation on Win7
This talk was too technical to go into details in a brief summary - see the slides for details.
The short version is as follows: Win7 has protections in the kernel pool, but these are not good enough. Several techniques were invented by Tarjei to bypass them, and two exploits for CVEs were shown:
CVE-2010-3939 (MS10-098) - used the quota process pointer to exploit
CVE-2010-1893 (MS10-058) - used a pool index overwrite to exploit
If you like kernel exploits on Windows you really should check out Tarjei's slides and blog.


Sebastien Tricaud / Capture me if you can!
Sebastien discussed handling incidents in large networks (country level). He talked about capture methods like PCAP, netfilter queue, DAQ and others, and about data processing techniques - how to find meaningful information in logs. He made a very convincing point on log "0day": by not collecting information, or collecting it incorrectly, you can lose important information.
In my view, the most interesting news in the talk were:

Well, I hope you enjoyed; Please leave a comment. I will try to keep up in the next two days...

Hackito Ergo Sum 2011 - The first half day

The first half day of HES 2011 is done. The first two talks were pretty cool; I'm gonna post some quick summaries:

Keynote - Eric Freyssinet / hacking investigations
Eric manages a team in the Gendarmerie (one of the two French police forces) that focuses on internet investigations. He formerly worked in the forensic analysis team of the same organization. His team opens over 600 cases per year, focusing on child porn, with most of the rest being fraud.
He mentioned a trend of serious cyber-criminals using kids as "mules" to perform crimes, e.g. a 14-year-old from an online hacker community was used as a mule to transfer money from hacked PayPal accounts to the criminal's accounts.
He mentioned a bit about Anonymous and said they coordinated some of their attacks against Bank of America from French servers that his team had to take down. He also mentioned the recent espionage case against the French government, that the leads point to China, and that they're trying to work with the Chinese authorities to find the sources.

Mate Soos / Breaking Industrial Ciphers at a Whim
I really enjoyed this talk. Anybody that is security-minded knows that you shouldn't invent your own crypto, especially not closed-source crypto, because:
A. it will be reverse engineered
B. it will probably be broken
Mate focused on HiTag2, which is a Philips cipher used for access control for cars, military bases, etc...
He basically converts the problem to a SAT problem in CNF format and then feeds it to a SAT solver - really cool. He estimates it shouldn't take more than 48 hours to break a HiTag2 key from transaction data.
Mate is one of the lead devs of the open source CryptoMiniSat project, which won SAT Race 2010. He also had some cool visualizations I hope he will share on his homepage.
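The "convert the cipher to CNF and hand it to a SAT solver" idea, as an added example that is neither Mate's code nor HiTag2: a constructed 8-bit toy filter generator (LFSR plus a nonlinear AND term) is run symbolically, every gate becomes a Tseitin-encoded clause set, the observed keystream bits become unit clauses, and a small DPLL solver written here stands in for CryptoMiniSat so the file runs on its own. The cipher, its taps and the secret state are all assumptions made for this illustration; a brute-force enumeration, feasible only because the toy state is 8 bits, cross-checks that the SAT encoding is correct.

```ruby
# Added example: recovering the secret state of a constructed toy stream cipher via SAT.
STATE_BITS = 8

# One clock of the toy "filter generator": 8-bit LFSR, output masked by a nonlinear
# AND term. Returns [output_bit, new_state]. Constructed for this example, not HiTag2.
def clock(s)
  out = s[0] ^ (s[3] & s[5])
  fb  = s[0] ^ s[2] ^ s[3] ^ s[7]
  [out, s[1..-1] + [fb]]
end

def keystream(state, n)
  s = state.dup
  n.times.map { out, s = clock(s); out }
end

# Collects CNF clauses (arrays of signed variable ids) built from Tseitin gates.
class Cnf
  attr_reader :clauses
  def initialize(nvars)
    @nvars, @clauses = nvars, []
  end
  def fresh
    @nvars += 1
  end
  def xor(a, b)          # z <-> (a XOR b)
    z = fresh
    @clauses.push([-a, -b, -z], [a, b, -z], [-a, b, z], [a, -b, z])
    z
  end
  def and_(a, b)         # z <-> (a AND b)
    z = fresh
    @clauses.push([-a, -b, z], [a, -z], [b, -z])
    z
  end
end

# Runs the cipher symbolically: variables 1..8 are the unknown initial state, every
# gate output is a fresh variable, and each observed keystream bit pins its output
# variable with a unit clause. Result: CNF satisfiable iff a state produces the stream.
def encode(observed)
  cnf = Cnf.new(STATE_BITS)
  s = (1..STATE_BITS).to_a
  observed.each do |bit|
    out = cnf.xor(s[0], cnf.and_(s[3], s[5]))
    fb  = cnf.xor(cnf.xor(cnf.xor(s[0], s[2]), s[3]), s[7])
    cnf.clauses << [bit == 1 ? out : -out]
    s = s[1..-1] + [fb]
  end
  cnf.clauses
end

# Assigns var := value; drops satisfied clauses, shortens the others; nil on conflict.
def simplify(clauses, var, value)
  out = []
  clauses.each do |c|
    next if c.include?(value ? var : -var)
    rest = c.reject { |l| l.abs == var }
    return nil if rest.empty?
    out << rest
  end
  out
end

# Minimal DPLL: unit propagation, then branch on the lowest-numbered open variable
# (the state bits come first, so every gate variable follows by propagation).
def dpll(clauses, assign = {})
  while (unit = clauses.find { |c| c.size == 1 })
    lit = unit[0]
    assign = assign.merge(lit.abs => lit > 0)
    clauses = simplify(clauses, lit.abs, lit > 0)
    return nil unless clauses
  end
  return assign if clauses.empty?
  var = clauses.flatten.map(&:abs).min
  [true, false].each do |v|
    reduced = simplify(clauses, var, v)
    next unless reduced
    found = dpll(reduced, assign.merge(var => v))
    return found if found
  end
  nil
end

# Every initial state consistent with the keystream: re-solve with a blocking clause
# after each solution until the formula becomes unsatisfiable.
def sat_candidates(observed)
  clauses = encode(observed)
  found = []
  while (sol = dpll(clauses))
    found << (1..STATE_BITS).map { |v| sol[v] ? 1 : 0 }
    clauses += [(1..STATE_BITS).map { |v| sol[v] ? -v : v }]
  end
  found.sort
end

# Exhaustive answer to the same question, used to cross-check the encoding.
def brute_candidates(observed)
  all = (0...(1 << STATE_BITS)).map { |n| STATE_BITS.times.map { |i| (n >> i) & 1 } }
  all.select { |st| keystream(st, observed.size) == observed }.sort
end

if __FILE__ == $0
  secret = [1, 0, 1, 1, 0, 0, 1, 0]      # constructed secret state
  ks = keystream(secret, 16)
  puts "observed keystream: #{ks.join}"
  puts "states consistent with it (SAT): #{sat_candidates(ks).inspect}"
end
```

The scaling is the point: the encoding grows linearly with the number of gates and observed bits, and the solver, not the analyst, does the algebra. A real target such as HiTag2 has a 48-bit state and a far more complex filter, which is exactly where a solver like CryptoMiniSat with native XOR handling replaces the toy DPLL used here.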



I have high hopes for Itzik's talk about permanent denial of service in the afternoon.

Saturday, April 2, 2011

Instrumentation, Hackito Ergo Sum and this week in the news

Well, it's been a week so I guess it's time to post something.

I haven't had a lot of time this week to do stuff I can write about in this blog because I was really busy @ work. In and of itself that is cool because being busy at work usually means I'm doing some cool hacking, but unfortunately I can't talk about my work here.

Binary Instrumentation for Hackers
In the limited free time I had I have been working on a presentation called "Binary instrumentation for hackers", I hope to present it at DC9723 April meeting, anybody coming? This presentation will probably become the base to a workshop proposal I plan on submitting to BlackHat USA 2011.
I also plan to post some material on binary instrumentation here so stay tuned. If you use instrumentation for hacking / security purposes please leave a comment - I'm really interested to know what others do.

Hackito Ergo Sum 2011
I'm going to attend HES 2011 (Apr 7-9). If you are going there let me know and I'll buy you a beer. This is a limited time offer to celebrate the start of this blog and I can afford about 10 beers so FCFS.
If you are not there, stay tuned: the schedule (PDF) looks awesome and I will try to post write-ups about the talks right here.

News stuff:
Well, I can talk about the RSA APT and whether or not it is an APT or about LizaMoon or the new SCADA attacks from GLEG (and also Tenable and VUPEN) and even about the funny false alarm about Samsung installing keyloggers on their laptops but I don't have the patience so follow the links if you didn't already hear about all this stuff.
I also saw an interesting post about CRAP in Assaf Nativ's Blog (home automation and fw/hw hacking). 

-- Gal

p.s - feel free to comment with your opinions, requests, ideas how to improve this blog or just whatever