Grey bar Blue bar
Share this:

Tue, 4 May 2010

ITWeb Security Summit 2010 & Afterparty

The ITWeb security summit is coming up next week from the 11th to 13th of May. This is a conference we're quite excited about, and have been involved in for the last few years, but most recently, we've been able to further our involvement beyond just speaking.

For years I jealously watched as SensePost'ers would trundle all over the world shaking hands and drinking beer with the leet haxors of the world. Then a few years ago, the ITWeb Security Summit brought over Kevin Mitnick. I remember sitting in the audience awe'd not so much by what was said (sorry Kevin, I'm sure it was interesting) but at the fact a real celebrity hacker was meters from me. I still keep his lock-pick business card as a memento. Since then, the summit has gotten bigger and better. ITWeb previously brought out people like Bruce Schneier (who I think thought I was a stalker), David Litchfield, Johnny Long (he's African now), Johny Cache, Richard Stiennon, Roberto Preatoni and Phil Zimmerman (he video conf'ed in from his hospital bed after emergency heart surgery).

While meeting some of the international speakers was awesome, there was always a feeling that the conference was too vendor dominated. To help remedy this, last year SensePost was asked to put together a technical committee. SensePost's guidance on international speakers had an immediate effect and last year we had a ton of hacker rock stars: Jeremiah Grossman, Window Snyder, Adam Shostack, Mike Dahn, Tyler Moore, Frank Artes, Phil Zimmerman (this time IRL) and even The Gruq washed himself and made it over. In addition to the international speakers, the technical committee (which I was lucky enough to be part of) evaluated and voted on all talks, with the ability to vote out sponsor talks if they weren't up to scratch. While we had some teething problems (for example we weren't able to review all final presentations in detail) and made a mistake in trying to fit more speakers into a "turbo track", I feel the quality of the conference improved significantly.

After the conference, one of the awesome memories was the "Hackers on Safari" trip we took the international speakers on (and some of the technical committee, if they agreed to do dishes). It proved to be a really great way to "sell" South Africa to the international speakers. As we watched a battery of cameras synchronously snap many pictures of the "the asses of Africa" (the animals kept turning their back on us), we were reminded what a great place South Africa is.

This year is looking even better than last. There's a solid line up of international speakers: Kingpin, Moxie, Charlie Miller, FX, Dino Dai Zovi, Saumil Shah, Nitesh Dhanjani & Jeremiah Grossman. In addition, a third track has been created for security products with the other two focusing on the technical and business aspects of security respectively. We should see a lot of quality South African talks. Unfortunately, some promising talks and speakers had to be dropped to make space, but hopefully this is an indicator of higher quality and popularity rather than poor judgement.

Additionally, this year on the 13th of May @7pm (the last day of the conference) there is a hacker's party organised by our local unconference ZaCon (for full details follow the link), which is within walking distance from the conference venue. The party's aim is to raise funds for Hackers for Charity, with voluntary donations of R50 being asked, and HFC shirts for sale. Hopefully it will also provide a chance for members of the local scene who are unable to afford ITWeb tickets the ability to meet some of the international and local speakers.

Mon, 8 Feb 2010

Removing registration requirements

Over the years we've offered almost all our tools, papers, presentations and other materials for free, albeit with a "registration required" proviso. The registration wall has been in place for some time now, and was used to track unique users as well as permit users to opt into SensePost mailruns. What we found though, is that registration is more of a hindrance than a benefit; it creates an artificial barrier with little reward. The data isn't that useful to us and the added steps just an extra annoyance for users, and we wanted to streamline things a little.

To that end, we've remove the registration requirement from our site. All our tools, papers, presentations and other materials are now available for direct download without any registration needed. Go ahead, grab a copy of Wikto. Our main research page is here.

Of course, we still have all those registrations along with email addresses and so on. For those users who chose not to receive mail, we'll purge your details entirely from our database. Only if you opted into mailruns will we retain your address.

Hopefully this makes your experience on our site a little less bothersome!

Fri, 7 Aug 2009

Clobbering the cloud slides

[updated: videos will be made available on this page]

140 slides in 75 minutes. They said it couldn't be done... and they were right! (mostly)

Regardless, our Vegas trip was as much fun as previous years and our presentations at BlackHat and DEFCON went down well from the looks of things. While we plan on writing up the interesting parts, a number of people have requested access to the slidedeck in the mean time, and we've posted them here:

Clobbering the cloud [PowerPoint]

(This is the BlackHat version; the DEFCON deck was trimmed down for time savings.)

Mon, 9 Mar 2009

Defcon 16 Videos Available..

Ok.. So The Dark Tangent announced this [a few days ago], but i felt it deserved mention because i was genuinely wow'ed at the video quality.. I have only gone through a couple of the presentations, but its the first time ive found demos video'd well enough to follow ferpectly on screen..

Readers can pull the videos from [here]

SensePost'ers can pull from [here]

/mh

PS. When we did our talk (pictured above) i had almost no voice and a flu from hell

PPS. Thats my excuse for my voice.. the constant uhmms and errrs i have no excuse for..

Fri, 23 May 2008

ActiveX Repurposing.. (aka: Other bugs your static analyzer will never find..) (aka 0day^H^H 485day bug!)

Earlier this week we had an internal presentation on Attacking ActiveX Controls. The main reason we had it is because of the ridiculously high hit rate we have whenever we look at controls with a slight security bent.. When building the presentation i dug up an old advisory we never publicly released (obviously we reported it to the vendor who (kinda) promptly fixed the bug (without giving us any credit at all, but hey.. )) While the IEBlog promises updates to IE8 that will minimize the damage caused by owned controls in the future, the fundamental problems with ActiveX today are an attackers dream.

  • Developers still write controls as if only they can invoke its methods (repurposing++),
  • The fact that Skylined's HeapSpraying and Alex Sotirovs Heap Feng Shui makes the browser such a comfortable exploiting environment means that memory corruption bugs in a control == trivial to write client side exploits.
This blog post is not about fuzzing the hell out of a control or even about comfortable memory corruption inside a modern browser.. Instead its about the bugs you will never find with static analysis (and statistically will never find with fuzzing). You occasionally have a customer asking if an application needs to be assessed if the customer has already used some sort of static analysis tool. Of course answering this is tricky since we do application assessments for a living and my honest answer must seem at least slightly tainted.. For me the attached bug we found in a Juniper ActiveX control covers my point of view perfectly..

The Background:

The Juniper SSL-VPN products make use of an ActiveX Control on the client-side. Previously bugs had been found in the control by eEye and had been subsequently fixed by Juniper. This was a pretty garden variety stack smash and it would appear that Juniper did the right thing and hunted down other instances of these bugs within the control.

The Bug(s):

The ActiveX control included the functionality to upgrade itself if the server informed it of a new software version. By simply instantiating the control and passing it a high build number and a URL path to a downloadable file, we could cause the client to download our (possibly malicious) file.

upgrade.png
(click here to enlarge) This was a pretty obvious attack though, and the Control first checked the downloaded file to see if it was signed by Juniper. If it wasnt, then the file was not executed. Drat!

The kicker though.. was that this file was not deleted, and was always downloaded to a predictable spot. (C:\predictable_location)

Interlude: Now.. the usual attack vectors dont really come through for us.. We cant over-write anything important with this file and simply filling the disk seems pointless.

Bug (Continues):

When instantiating the control, one of the parameters we can pass is the path to the control's .ini configuration file:

inifile.png
(click to enlarge) Now..  We can drop an arb file to the victims machine && we can instantiate the control using any well formed config file on his machine.. hmmm..

config.png
(click to enlarge)

Now, in case you dont see it, the config file above has the winning line: UninstallString="calc.exe &&"

So.. the writing is on the wall and the full process is this:

  1. Client with control visits malicious page.
  2. Page instantiates control and offers an upgrade 
    newconfig.png
    (click to enlarge)
  3. new-config.txt downloads to c:\predictable_location\new-config.txt
  4. Malicious page re-instantiates control with ini file == c:\predictable_location\new-config.txt [new-config contains arbitrary commands as uninstall string]
  5. We use the controls uninstall method:
    uninstall.png
    (click to enlarge)
  6. The victims machine fires calc.exe && and the game is over..
Conclusion:

Ok.. so the simple deal is.. that much like the eEye find, client visits page and client gets arb. code executed on his machine, but (and this was the point of this whole rant) bugs like this have always been considered "less sexy" than stack smashes. Whats far more important for me however, is that even if our static analysis tools get to the state where they match their marketing hype, they will never find a bug like this..

There are some things that computers are good at, and some things that humans are.. and just because we want this to be a problem thats solvable with technology doesnt mean that the technology to do it will ever exist. This obviously does not mean that such tools are useless, just that they will never be a silver bullet, and that its still difficult to beat a trained set of eyes with high criminal energy..

/mh