Archive for March, 2010

 

CanSecWest – Pwn2Own

Mar 29, 2010 in Security

I just got back from CanSecWest 2010 (http://cansecwest.com/index.html) and here is an update to all the talks:

CanSecWest, the world’s most advanced conference focusing on applied digital security, is about bringing the industry luminaries together in a relaxed environment which promotes collaboration and social networking. The conference lasts for three days and features a single track of thought provoking presentations, each prepared by an experienced professional and talented educator who is at the cutting edge of his or her field.

Day 1:

Pwn2Own contest
From the pwn2own contest, the iphone via safari allowed the sms address
book to be pulled,  MacBook pro was exploited via safari vulnerabilities,
IE8 on Win 7 64bit with ASLR and DEP enabled, and Firefox on Win 7.  No
further information yet released on these as the exploits now belong to
tippingpoint.

From the briefings:
The briefings were kind of slim for the first day.  The only relevant
thoughts were:

-Office 2010 will now be releasing a protected viewer which sandboxes
unknown or misformated files.

-“Can you trust your network card “talk described CVE-2010-0104.

The talk explained how an attacker could be able to exploit a flaw to run
arbitrary code inside some network controllers (NICs). The attack uses
routable packets delivered to the victim’s NIC. Consequently, multiple
attacks can be conducted including: Man in The Middle attacks on network
connections, access to cryptographic keys on the host platform, or malware
injection on the victim’s computer host platform

Paper can be found at www.ssi.gouv.fr/trustnetworkcard and poc code is
privately held.

Day 2:
Peters IE8 on win7 64bit details supposedly has been released:
bit.ly/bBHOYO. I have not checked this out so use due care.

Pwn2own:

Briefings:
1) SEH overwrite and its exploitation
Shuichiro Suzuki discusses using a buffer overflow to exploit SEH
(structured exception handling), which is the major method for exploiting
Windows.

Shuichiro demonstrated that seh protection mechanisms such as safeseh,
software dep, sehop (seh override execption), hardware dep and aslr (aslr
makes things exteremly difficult)  can be broken.

2) Party at ring 0

Discusses exploits that execute at ring 0.  This could be useful to exploit
around chroot jails, sandboxes, and etc.  There have been a large number of
remote kernel attacks against windows, but only a handful for linux.

Notes:
If the kernel trusts userspace, this could lead to a security issue.
Kernel protection using trusted path executables aka white listing.

Bit.ly/b9tPqn is an example of kernel attack.

3) Fuzzing
Charlie miller discussed fuzzing adobe, mac preview, openoffice ppt, and
office ppt.  Using 5 lines of python code, charlie developed a fuzzing
environment using an array of home computers.  Comparing adobe reader, mac
preview, open office ppt and office ppt, charlie was able to find bugs and
potentially exploitable bugs in all applications.  These bugs had not been
fully exploited or reported.  The trends from newer versions of these
applications did not seem to remedate any of his findings.  Within 3 months
of work, he had found between 6 to 60 potentially exploitable bugs in each
app.

4) ShaREing is caring
Halvar and sebastian release a new tool call bincrowd.  This is a ida
plugin.

bincrowd – database of libraries in use in programs. can identify if a
module used was open source or not.  You can ask bincrowd which other
programs use this lib as well.  It is also useful for malware analysis and
reverse engineering as it can remember past analysis and import results.

How to use this?
Ida pro 5.6
idapython 1.3.2
Bincrowd account
Bincrowd ida plugin
-Github.com/zynamics

Bincrowd.zynamics.con

5) Exploiting cisco ios with IODIDE
Iodide – ios debugger and integrated disassembler environment tool which is
not released yet, will be a full debugger for IOS via serial and IP.

6) Phone hacker

Collin Mulliner outs multiple telcos for leaking sensitive mobile phone
user info: phone no., IMEI, even IMSI.  Data leakage is caused by the cell
carriers gateway/proxy adding information to the http header.

Check http://mulliner.org/pc.cgi to check your own phones headers

Day 3:

Exploration of wireless devices
Keykeriki v2 schematics will be released later this year which is a tool
used to sniff and command inject wireless keyboards

Slides —
http://www.remote-exploit.org/wp-content/uploads/2010/03/keykeriki_v2_cansec_v1.1.pdf

RFID
Rfid.guardian.org will be releasing tools and schematics for a pentesting
RFID tool called RFID Guardian.

Mac os x physical memory analysis
http://www.msuiche.net/con/BHDC2010_MacOSX_PhysicalMemory.pdf

-Cheetz