Black Hat Europe 2010 //briefings
Barcelona, Spain • Apr 12 - 15
//speakers & topics
Misusing Wireless ISPs for Anonymous Communication
Most wireless communication techniques are broadcast media by nature on the physical layer, i.e., the actual signal can be received by any party in a certain coverage area. A common means to perform secure unicast point-to-point communication over such wireless infrastructures is by applying cryptographic protocols on higher layers: both communication end-points (commonly user and carrier) set up a session key, which is then used to build private and authentic unicast communication by means of encryption and message authentication. As of today, a common assumption in the design and analysis of such communication protocols is that both end-points (user and carrier) behave correctly according to the cryptographic protocol, because they want to preserve security against outsiders.
However, if carriers have more power/resources in terms of bandwidth or coverage, users may not be interested in protecting their unicast communication against outsiders at all. Instead, users may try to extend their communication power/resources by means of insider attacks against the communication protocol. Therefore, such insider attacks pose new threats to these protocols and have, to the best of our knowledge, been neglected so far.
In this presentation we will present several insider attacks, which break the unicast communication imposed by the carrier of the infrastructure. The most striking example of highly asymmetric resources are satellite ISPs: here the user normally has a terrestrial link to the carrier and no means to broadcast data at all. On the other side, the carrier can broadcast its signals over huge footprints, covering thousands of kilometers. Therefore, we will illustrate our attacks mainly in terms of satellite ISPs, but also discuss other examples such as WIMAX. Our strongest insider attack allows any end-user to make the satellite ISP broadcast data as clear text, even if the downlink (data sent from the satellite to the user) is properly encrypted by the satellite ISP, thereby breaking the unicast communication structure imposed by the satellite ISP. Finally, we discuss how the presented findings can be used to set up communication channels, achieving perfect receiver anonymity.
Iftach Ian Amit
Cyber[Crime|War] charting dangerous waters
CyberWar has been a controversial topic in the past few years. Some say the mere term is an error. CyberCrime on the other hand has been a major source of concern, as lack of jurisdiction and law enforcement have made it one of organized crime's best sources of income. In this talk we will explore the uncharted waters between CyberCrime and CyberWarfare, while mapping out the key players (mostly on the state side) and how past events can be linked to the use of syndicated CyberCrime organizations when carrying out attacks on the opposition. We will discuss the connections between standard warfare (kinetic) and how modern campaigns use cybersecurity to their advantage and as an integral part of them.
Binding the Daemon: FreeBSD Kernel Stack and Heap Exploitation
FreeBSD (http://www.freebsd.org/) is widely accepted as one of the most reliable and performance-driven operating systems currently available in both the open source and proprietary worlds. While the exploitation of kernel vulnerabilities has been researched in the context of the Windows and Linux operating systems, FreeBSD, and BSD systems in general, have not received the same attention. This presentation will initially examine the exploitation of kernel stack overflow vulnerabilities on FreeBSD. The development process of a privilege escalation kernel stack smashing exploit will be documented for vulnerability CVE-2008-3531. The second part of the presentation will present a detailed security analysis of the Universal Memory Allocator (UMA), the FreeBSD kernel's memory allocator. We will examine how UMA overflows can lead to arbitrary code execution in the context of the latest stable FreeBSD kernel (8.0-RELEASE), and we will develop an exploitation methodology for privilege escalation and kernel continuation.
SCADA and ICS for Security Experts: How to avoid being a Cyber Idiot
The traditional security industry has somehow decided that they are the white knights who are going to save everyone from the horror of insecure powergrids, pipelines, chemical plants, and cookie factories.
Suddenly, every consultant is an expert and every product is loudly advertising how it solves SCADA SECURITY AND COMPLIANCY ISSUES!!!
And because they don't know what the hell they're talking about - 'fake it till ya make it' doesn't work - they're making all of us look stupid.
Let's sit down for a little fireside chat and discuss all things SCADA and ICS with an eye towards increasing our knowledge to the point where we can confidently say: "I'm not an expert at everything, I can help some, may we work together on a solution?"
It's time to stop being a Cyber Idiot and start being a positive contributor. Learn some truth, look behind the curtain, bust some FUD, Oh - and make government agents have kittens. That's fun for everyone.
This presentation will be about the problems we are facing when forensic research has to be done on environments which are virtualized. What are the differences between 'traditional' system forensics, what techniques & tools can be used? Which files are important when performing forensic research on Citrix and VMWare environments? What about the VMDK file system and what do we need for future research?
Surviving your phone: protecting mobile communications with Tor
Tor is a software project that helps you defend against traffic analysis, a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security. Tor protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location.
Unfortunately, with the new features of HTML5 and browser built-in geolocation being pushed into the Web2.0 world and on mobile phones and browsers, it's becoming harder and harder to keep the users' privacy safe. This presentation will describe the problems which are arising around the use of these new technologies and how they can be (ab)used to attack Tor users. It will also describe where the development is going to protect mobile phone users' privacy and let them survive their own devices.
Fireshark - A tool to Link the Malicious Web
Thousands of legitimate web sites serve malicious content to millions of visitors each and every day.
Trying to piece all the research together to confirm any similarities between possible common group patterns within these websites, such as redirectors that belong to the same IP, IP range, or ASN, and reconstructing the final deobfuscated code can be time-consuming and sometimes impossible given many of the freely available tools.
I will present a web security research project called FireShark that is capable of visiting large collections of websites at a time, executing, storing and analyzing the content, and from it identifying hundreds of malicious ecosystems of which the data, such as the normalized, deobfuscated content within them can easily be analyzed.
Mariano Nuñez Di Croce
SAP Backdoors: A ghost at the heart of your business
In any company, the ERP (Enterprise Resource Planning) is the heart of the business technological platform. These systems handle the key business processes of the organization, such as procurement, invoicing, human resources management, billing, stock management and financial planning. Among all the ERPs, SAP is by far the most widely deployed one, having more than 90.000 customers in more than 120 countries and running in Fortune 100 companies, governmental and defense organizations.
The information stored in these systems is of absolute importance to the company, and its unauthorized manipulation would result in big economic losses and loss of reputation.
This talk will present an old concept applied to a new paradigm: SAP Backdoors. We will discuss different novel techniques that can be deployed by malicious intruders in order to create and install backdoors in SAP systems, allowing them to retain access or install malicious components that would result in imperceptible-and-ongoing financial frauds.
After the description of these techniques, we will present the countermeasures that should be applied in order to avoid these attacks and protect the business information, effectively reducing financial fraud risks and enforcing compliance.
Furthermore, we will release a new Onapsis free tool that will help security managers to automatically detect unauthorized modifications to SAP systems.
Is your SAP backdoored? If your answer is "I don’t know," then you may consider attending this talk.
Verifying eMRTD Security Controls
With the transition to RFID enabled travel documents (including the ePassport and the eID) in Europe, a correct implementation of the authentication and verification of passport technologies is necessary.
The complexity of the technology can cause a myriad of security issues in the identification.
Our presentation examines the eMRTD security controls and suggests correct implementations to enable identification as a mechanism. We also examine the dangers of incorrect implementations and the resulting consequences.
Targeted attacks: from being a victim to counter attacking
This presentation is an analysis of a common sort of targeted attack performed nowadays against many organizations. As it turns out, publicly available remote access tools - RATs (which we usually call trojans) - are frequently used to maintain control over the victim after a successful penetration. The presentation and the white paper do not focus on the particular exploitation techniques used in these attacks. Instead, they aim to get a closer look at one of the most popular remote access trojans.
The presentation describes a way to figure out which particular trojan has been used. It shows the architecture, capabilities and techniques employed by developers of the identified trojan, including mechanisms to hide its presence in the system, and to cover its network trace. It speaks about tools and techniques used to perform this analysis. Finally, it presents a vulnerability analysis and a proof of concept exploit to show that the intruders could also be an object of an attack.
Thai Duong & Juliano Rizzo
Practical Crypto Attacks Against Web Applications
In 2009, we released a paper on the MD5 extension attack, and described how attackers can use the attack to exploit popular web sites such as Flickr, Vimeo, Scribd, etc. The attack has been well-received by the community, and made the Top Ten Web Hacking Techniques of 2009. In the conclusion of that paper, we stated that we have been carrying out research in which we test-run a number of identified practical crypto attacks on random widely-used software systems. To our surprise, most, if not all, can be attacked by one or more well-known crypto bugs. In this talk, we present the latest result of that research, where we choose another powerful crypto attack, and turn it into a new set of practical web hacking techniques.
We show that widely used web development frameworks and web sites are using encryption wrongly, in ways that allow attackers to read and modify data that should be protected. It has been known for years in the cryptography community that encryption is not authentication. If encrypted messages are not authenticated, data integrity cannot be guaranteed, which makes systems vulnerable to practical and dangerous chosen-ciphertext attacks. Finally, we list several popular web development frameworks and web sites that are vulnerable to Padding Oracle attacks, including, but not limited to, eBay Latin America, Apache MyFaces, SUN Mojarra, Ruby On Rails, etc. These are all 0-day vulnerabilities. We show that even OWASP folks can't get it right; how can an average Joe survive this new class of vulnerabilities? We strongly believe that this is just the tip of the iceberg, and the techniques we describe in this research would uncover many more vulnerabilities for years to come.
How to operationally detect and break misuse of weak stream ciphers (and even block ciphers sometimes) - Application to the Office Encryption Cryptanalysis
Despite the ever-growing use of block ciphers, stream ciphers are still widely used: satellite communications (military, diplomatic...), civilian telecommunications, software... If their intrinsic security can be considered as strong, the main drawback lies in the high risk of key misuse, which introduces severe weaknesses, even for unconditionally secure ciphers like the Vernam system. Such misuses are still very frequent, more than we could expect.
In this talk we explain how to detect such misuses, to identify ciphertexts that are relevant to this misuse (among a huge amount of ciphertexts) and finally how to recover the underlying plaintext within minutes. This may also apply to (intentionally or not) badly implemented block ciphers.
To illustrate this technique, this talk will also deal with the technical cryptanalysis of encryption used in Office up to the 2003 version (RC4 based). We will focus on Word and Excel applications. The cryptanalysis has been successful and we managed to recover more than 90% of the encrypted texts in a few seconds.
The attack is based both on a pure mathematical effort AND a few basic forensic approaches. In more general cases (e.g. satellite communications), we just need to intercept ciphertexts.
In the Office case, we will explain that, in our view, the attack does not rely on a particular weakness but on a setting that can be seriously considered and described as a possible intended trap. We will develop this concept to explain how, in a more general way, such a trap can be built.
Defending the Poor
The talk presents a simple but effective approach for securing Rich Internet Application (RIA) content before using it. Focusing on Adobe Flash content, the security threats presented by Flash movies are discussed, as well as their inner workings that allow such attacks to happen. Some of those details will make you laugh, some will make you wince. Based on the properties discussed, the idea behind the defense approach will be presented, as well as the code implementing it and the results of using it in the real world.
Weaponizing Wireless Networks: An Attack Tool for Launching Attacks against Sensor Networks
The pervasive interconnection of autonomous sensor devices has given birth to a broad class of exciting new applications. At the same time, however, the unattended nature and the limited resources of sensor nodes have created an equal number of vulnerabilities that attackers can exploit in order to gain access to the network and the information transferred within. While much work has been done on trying to defend these networks, little has been done on suggesting sophisticated tools for proving how vulnerable sensor networks are. This work demonstrates a tool that allows both passive monitoring of transactional data in sensor networks, such as message rate, mote frequency, message routing, etc., and the discharge of various attacks against them. To the best of our knowledge, this is the first instance of an attack tool that can be used by an adversary to penetrate the confidentiality and functionality of a sensor network. Results show that our tool can be flexibly applied to different sensor network operating systems and protocol stacks, giving an adversary privileges to which she is not entitled. We hope that our tool will be used proactively, to study the weaknesses of new security protocols, and, hopefully, to enhance the level of security provided by these solutions even further.
Hardware is the New Software
Society thrives on an ever increasing use of technology. Electronics are embedded into nearly everything we touch. Hardware products are being relied on for security-related applications and are inherently trusted, though many are completely susceptible to compromise with simple classes of attacks that have been known for decades.
Bolstered by the flourishing hobbyist electronics/do-it-yourself movement, easy access to equipment, and realtime information sharing courtesy of the internet, hardware is an area of computer security that can no longer be overlooked. In this session, Joe will explore the hardware hacking process and share some recent high-profile attacks against electronic devices.
Nowadays fuzzing is a pretty common technique used both by attackers and software developers. Currently known techniques usually involve knowing the protocol/format that needs to be fuzzed and having a basic understanding of how the user input is processed inside the binary.
In the past, since fuzzing was little-used, obtaining good results with a small amount of effort was possible. Today, finding bugs requires digging a lot inside the code and the user-input, as common vulnerabilities are already identified and fixed by developers.
This talk will present an idea on how to effectively fuzz with no knowledge of the user-input and the binary. Specifically, the talk will demonstrate how techniques like code coverage, data tainting and in-memory fuzzing make it possible to build a smart fuzzer with no need to instrument it in any way.
Haifei Li & Guillaume Lovet
Adobe Reader's Custom Memory Management: a Heap of Trouble
PDF vulnerabilities are hot. Several AV and security companies, in their 2010 predictions, cited an increase in PDF vulnerabilities volume, possibly driven by demand from Cybercriminals, eager to leverage them in focused and large-scale attacks alike.
But how serious could it really be, and what's the share of casual marketing FUD spreading here? After all, many PDF vulnerabilities out there are structure (i.e. file format) based ones, and essentially result in heap corruption situations. And everybody knows that leveraging a heap corruption bug into actual exploitation, with execution of attacker-supplied code, is no piece of cake. Indeed, MS Windows' heap is hardly predictable, and is armoured with protection mechanisms such as safe-unlinking.
Yet, the main PDF reader software out there, called Adobe Reader, has a specificity that may lead us to revise our beliefs: for performance purposes, it implements its own heap management system, on top of the Operating System's one. And it turns out that, performance sometimes (often? nah...) being the enemy of security, this custom heap management system makes it significantly easier to exploit heap corruption flaws in a solid and reliable way. Coupled with the very recent developments in DEP protection bypass in Flash (e.g. JIT spraying), which we will briefly show to be also valid in PDF context, this makes heap corruption exploitation potentially consistent across a very large amount of setups (a very interesting characteristic for the Cybercriminal, either for "blind-shooting" at a targeted system, or for compromising a large amount of systems at once).
This paper introduces Adobe Reader's custom heap management system, dissects its mechanisms, and points out its weaknesses in order to shed light and awareness on the PDF vulnerabilities issue. In addition, limitations will be discussed and possible mitigation leads evoked.
 Interpreter Exploitation: Pointer Inference and JIT Spraying, Dion Blazakis
David Lindsay & Eduardo Vela Nava
Universal XSS via IE8s XSS Filters
Internet Explorer 8 has built-in cross-site scripting (XSS) detection and prevention filters. We will explore the details of how the filters detect attacks, the neutering method, and discuss the filters' general strengths and weaknesses. We will demonstrate several ways in which the filters can be abused (not just bypassed) in order to enable XSS on sites that would not otherwise be vulnerable. We will then show how this vulnerability makes most every major website vulnerable to XSS in affected versions of Internet Explorer 8.
Changing Threats To Privacy: From TIA to Google
We won the war for strong cryptography, anonymous darknets exist in the wild today, and decentralized communication networks have emerged to become reality. These strategies for communicating online were conceived of in anticipation of a dystopian future, but somehow these original efforts have fallen short of delivering us from the most pernicious threats to privacy that we're now facing.
Rather than a centralized state-based database of all our communication and movements, modern threats to privacy have become something much more subtle, and perhaps all the more sinister. This talk will explore these evolving trends and discuss some interesting solutions in the works.
Steve Ocepek & Wendel G. Henrique
Oracle, Interrupted: Stealing Sessions and Credentials
In a world of free, ever-present encryption libraries, many penetration testers still find a lot of great stuff on the wire. Database traffic is a common favorite, and with good reason: when the data includes PAN, Track, and CVV, it makes you stop and wonder why this stuff isn’t encrypted by default. However, despite this weakness, we still need someone to issue queries before we see the data. Or maybe not… after all, it’s just plaintext.
Wendel G. Henrique and Steve Ocepek of Trustwave’s SpiderLabs division offer a closer look at the world’s most popular relational database: Oracle. Through a combination of downgrade attacks and session take-over exploits, this talk introduces a unique approach to database account hijacking. Using a new tool, thicknet, released at Black Hat Europe, the team will demonstrate how deadly injection attacks can be to database security.
JBoss Application Server is the open source implementation of the Java EE suite of services. Its easy-to-use server architecture and high flexibility make JBoss the ideal choice for users just starting out with J2EE, as well as senior architects looking for a customizable middleware platform.
The pervasiveness of JBoss in enterprise JSP deployments is second to none, meaning there is an abundance of targets for the blackhat and the pentester alike. JBoss is usually invoked as root/SYSTEM, meaning that any potential exploitation usually results in immediate super user privileges.
A tool has been developed that is able to compromise an unprotected JBoss instance. The current state of the art in published literature involves having the JBoss instance connect back to the attacker to obtain a war file that is subsequently deployed. The tool that will be presented at Black Hat does this in-situ and ultimately uploads a Metasploit payload resulting in interactive command execution on the JBoss instance. On Windows platforms, through the Metasploit framework a fully interactive reverse VNC shell can also be obtained and shall be demonstrated.
Depending on the platform that has been exploited and the level of access obtained, the tool is able to deploy the Metasploit payload as a persistent backdoor in conjunction with the Metasploit framework’s antivirus evasion techniques.
Due to the cross platform nature of the Java language, we are able to compromise JBoss instances running on Linux, MacOSX and Windows.
Enno Rey & Daniel Mende
Hacking Cisco Enterprise WLANs
The world of "Enterprise WLAN solutions" is full of obscure and "non-standard" elements and technologies. Cisco's solutions, from the early Structured Wireless-Aware Network (SWAN) to the current Cisco Wireless Unified Networking (CUWN) architectures, only partly differ here. In this talk we describe the inner workings of these solutions, dissect the vulnerable parts and discuss theoretical and practical attacks, with some nice demos.
A new tool automating a number of attacks (incl. taking over the WDS master role, extracting WPA pairwise master keys from intra-AP communication, etc.) will be released at Black Hat Europe.
Attacking JAVA Serialized Communication
Many applications written in JAVA make use of Object Serialization to transfer full blown objects across the network via byte streams or to store them on the file system. While Penetration Testing applications communicating via Serialized Objects, current tools/application interception proxies allow very limited functionality to intercept and modify the requests and responses like in typical web applications. I'm trying to introduce a new technique to intercept such Serialized communication and modify it to perform penetration testing with almost the same ease as testing regular web applications. For achieving this I have developed a plug-in for Burp Suite as a proof-of-concept. What makes this technique unique is that it is completely seamless and gives the penetration tester the same control and power that an application developer has.
Peter Silberman & Ero Carrera
State Of Malware: Family Ties
Over the last few years malware has gravitated towards a few major families rather than the single or small-sized families of the past. Families of hundreds or even thousands are not uncommon. These families grouped together demonstrate the evolution of malware over time. This evolution may originate in simple bugfixes and small enhancements or entirely new sets of functionality added over an existing code base. Studying the ties between families, both within and across families, provides us with a context in which to study the development pace and technical improvements as they appear. We will examine how families grow and change amongst the mass malware and targeted attack malware. While examining how families grow and change we will attempt to identify features across all families that are both common and implemented in the same way. This could lead to quick static identification of malware features as well as signaturing these features. We hope to show how multiple families are derived from one code base. We will address not just mass malware and targeted malware but also rootkits and code sharing amongst them.
Next Generation Clickjacking
Clickjacking is a technique that can be used to trick users into performing unintended actions on a website by formatting a web page so that the victim clicks on concealed links, typically hidden within an IFRAME. However, in comparison to other browser-based attacks such as XSS (Cross-site Scripting) and CSRF (Cross-site Request Forgery), Clickjacking has hitherto been regarded as a limited attack technique in terms of consequences for the victim and the scenarios in which it can be used. During this talk I intend to demonstrate that this assumption is incorrect, and that today’s Clickjacking techniques can be extended to perform powerful new attacks that can affect any web application.
This talk will cover the basics of Clickjacking, quickly moving on to more powerful, and newly developed, techniques. The presentation will explore further ways in which a user can be tricked into interacting with a victim site and how these can lead to attacks such as injecting data into an application (bypassing all current CSRF protections) and the extraction of data from websites without the user’s knowledge. The demo will show several cross-browser techniques, and newly released browser-specific vulnerabilities in Internet Explorer, Firefox and Safari/Chrome which can be used to take full control of a web application.
I will also be demonstrating and releasing a new tool that allows for easy point-and-click creation of multi-step Clickjacking attacks on any web application, by visually selecting the links, buttons, fields and data to be targeted. The tool will highlight the need for improved Clickjacking defences in both browsers and web applications.
Hacking the Smartcard Chip
Unveiling Maltego 3.0
For a year the Paterva team has been quietly working on Maltego 3 with no new releases since March 2009. For the first time since Black Hat 2009 Paterva will be showing you what they have been up to - revealing an all new Maltego version - built from the ground up. Expect Hollywood quality graphing and animation, endless possibilities of extensions, new analytic views that will make you weep, and brand new transforms that will blow your mind.
Julien Tinnes & Chris Evans
Security in depth for Linux software
In many designs, the slightest error in the source code may become an exploitable vulnerability granting an attacker barely or not at all restricted access to a system. In this talk, using vsftpd and Google Chrome Linux as examples, we will firstly show how to design your code to be more robust to well-known classes of vulnerabilities and secondly, how to generically mitigate the consequences of such a vulnerability by dropping privileges and reducing attack surfaces.
There are a surprising number of options in Linux to manage privileges, but using them tends to be nuanced. This talk will discuss the technical aspects of various options and explain how to mix them to raise the bar to a system compromise from a sophisticated attacker.
While Mandatory Access Control systems are readily available, three of them being merged in the current Linux kernel tree, the ability to drop privileges in a "discretionary" way has to often rely on ancient mechanisms (which may not have been designed for security). We will show the state of the art on Linux and how well-known mechanisms, such as switching to an unprivileged uid, using chroot() and capabilities may or may not be suitable to achieve decent privilege dropping. We will discuss their drawbacks, availabilities to non-root processes and how an incorrect usage could be exploited by an attacker to circumvent security measures.
We will then explain and demonstrate designs, some of them using novel ideas or obscure features that can allow developers to put error-prone parts of their code inside a sandbox, using vsftpd and the Google Chrome Linux sandbox as examples.
We will discuss their limitations and how further kernel support could improve them.
Mario Vuksan, Tomislav Pericin & Brian Karney
Hiding in the Familiar: Steganography and Vulnerabilities in Popular Archives Formats
Exploiting archive formats can lead to steganographic data hiding and to processing errors with serious forensic consequences. These formats are very interesting as they are commonly found on every PC, Apple or Linux machine, and it is popularly believed that they are well understood and trusted. Can exploits ever be present in file formats that have been in use for over ten or even twenty years?
Through deep format analysis, beyond fuzzing, we look at what goes wrong when the format specifications are interpreted differently. Can you trust programs that work with archives? Can you even trust your antivirus? We will answer these questions and disclose for the first time 15 newly discovered vulnerabilities in ZIP, 7ZIP, RAR, CAB and GZIP file formats, revealing the impact they have on anti-malware scanners, digital forensics, security gateways and IPS appliances.
This talk will include a demo of ArchiveInsider, a new forensics tool that detects and extracts hidden data and fully validates vulnerable file formats. We will demonstrate file format steganography, file malformation, and even data "self destruction," all with tools that you use and trust.
Protocol, Mechanism and Encryption of Pushdo/Cutwail/Webwail Botnet
After several months of effort, the pushdo/cutwail botnet author(s) finally released a new pushdo advanced installer (codename "revolution") which not only changed the protocol and encryption totally but also implemented a "Services" mechanism. Moreover, a new spam engine was in the experimental phase. In this presentation, I will examine pushdo's brand new protocol and encryption, reveal their "Cyber Crime Services" vendors mapping and disclose the debug version of the new spam engine's protocol and encryption.