List of talks I attended:
- Why Web Security is Fundamentally Broken by Jeremiah Grossman
- Innovative Approaches to Exploit Delivery by Saumil Shah
- XSS & CSRF Strike Back Powered by HTML5 by Shreeraj Shah
- IOS panel discussion
- Messing Up the Kids Playground: Eradicating Easy Targets by Fyodor Yarochkin
- A Scientific (But Non Academic) Study of Malware Obfuscation Technologies by Rodrigo Rubira Branco
- Element 1337 in the Periodic Table: Pwnium by Chris Evans
Why Web Security is Fundamentally Broken by Jeremiah Grossman
This talk focused on the fundamental flaws present in the current security model of web technology. Nothing Jeremiah talked about required a vulnerability to exploit; all of these flaws are there by design. Jeremiah started by introducing the two main categories of browser attack:
- Attacks that escape the browser, e.g. browser exploits, Java exploits, Adobe exploits, etc.
- Attacks from inside the browser sandbox, e.g. XSS, CSRF, clickjacking, etc.
img src Login Checker
This one-liner tries to retrieve an image from a site on a different domain. If the user is logged in, Twitter or Facebook will redirect to the image (an HTTP 302), so the image loads and onload fires; if not, an error is returned and onerror fires instead. There is a module within BeEF that uses this technique to check for Gmail, Facebook and Twitter login status.
<img src="https://twitter.com/login?redirect_after_login=%2Fimages%2Fspinner.gif" onload="successful()" onerror="error()">
Personal Information leakage through Follows and Likes
It's surprising how much information is given away when someone follows or likes something on Twitter or Facebook. With default privacy settings it's possible for the person you follow or the page you like to view a selection of your personal information. Facebook and Twitter should really address this issue, but this would no doubt piss off big business, as it would prevent data mining of these sources.
Host Information Leakage
- To fix login detection: do not send web visitors' cookie data to off-domain destinations.
- Not possible to fix likes or follows, as money-making analytics relies on these features.
- Ban iframes or transparent iframes. Facebook, Gmail and others rely on iframes!
- Create a barrier between public and private networks, filtering particular RFCs. Not possible because businesses often have fucked up internet/intranet settings.
- Ultimately no browser vendor is willing to fix these issues as they might lose users.
- Instead apply a bandage through opt-in security settings deployed by individual website owners, e.g. Secure cookies, HttpOnly, X-Frame-Options.
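The opt-in settings in that last bullet are easy to check for on a response. The following is an added example, not code from the talk, that audits Set-Cookie and X-Frame-Options headers; it also checks the SameSite cookie attribute, a later addition to browsers that addresses the "cookies sent off-domain" problem behind the login checker above. The sample responses are constructed.

```javascript
// Added example (not from the talk): audit a response's Set-Cookie and
// X-Frame-Options headers for the opt-in hardening Jeremiah listed.
// SameSite is a later cookie attribute that stops cookies riding along on
// cross-site requests (the root of the img-src login checker), so it is
// checked too.

// Parse one Set-Cookie header value into its name and a lower-cased
// attribute map, e.g. { secure: true, samesite: "Lax" }.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const [name] = parts[0].split("=", 1);
  const attrs = {};
  for (const p of parts.slice(1)) {
    const eq = p.indexOf("=");
    const key = (eq === -1 ? p : p.slice(0, eq)).toLowerCase();
    attrs[key] = eq === -1 ? true : p.slice(eq + 1).trim();
  }
  return { name: name.trim(), attrs };
}

// headers: lower-cased header names, "set-cookie" as an array, as Node's
// http.IncomingMessage.headers exposes them. Returns a list of findings.
function auditHeaders(headers) {
  const findings = [];
  for (const raw of headers["set-cookie"] || []) {
    const { name, attrs } = parseSetCookie(raw);
    if (!("secure" in attrs)) findings.push(`${name}: missing Secure`);
    if (!("httponly" in attrs)) findings.push(`${name}: missing HttpOnly`);
    const ss = String(attrs["samesite"] || "").toLowerCase();
    if (ss !== "lax" && ss !== "strict")
      findings.push(`${name}: SameSite not Lax/Strict (sent cross-site)`);
  }
  const xfo = String(headers["x-frame-options"] || "").toUpperCase();
  if (xfo !== "DENY" && xfo !== "SAMEORIGIN")
    findings.push("X-Frame-Options missing (page can be framed)");
  return findings;
}

// Constructed sample responses: a weak one and a hardened one.
const weakResponse = {
  "set-cookie": ["session=abc123; Path=/"],
};
const hardenedResponse = {
  "set-cookie": ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"],
  "x-frame-options": "DENY",
};

console.log(auditHeaders(weakResponse));     // four findings
console.log(auditHeaders(hardenedResponse)); // []
```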
There are three choices, either we:
- Carry on as usual.
- Use the new .SECURE TLD.
- Break the internet, uh oh.
Innovative Approaches to Exploit Delivery by Saumil Shah
He presented an easy alternative to eval:
- Flagged by AV: var a = eval(str);
- Not-flagged by AV: var a = (new Function(str))();
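The lesson for the detection side is that a signature that matches only `eval(` misses the equivalent Function constructor. The following is an added example, not code from the talk, that scans script text for every common string-to-code route and reports the line it appears on; the sample script is constructed.

```javascript
// Added example (not from the talk): flag dynamic-code sinks in script text.
// A signature that only matches "eval(" misses the Function constructor that
// Saumil showed, so a detector has to cover every route that turns a string
// into code, including string arguments to the timer functions.
const SINKS = [
  { name: "eval", re: /\beval\s*\(/ },
  { name: "Function constructor", re: /\b(?:new\s+)?Function\s*\(/ },
  { name: "string timer", re: /\b(?:setTimeout|setInterval)\s*\(\s*["'`]/ },
];

// Returns [{ sink, line }] for every sink found; line numbers are 1-based.
function findDynamicCodeSinks(source) {
  const hits = [];
  source.split("\n").forEach((text, i) => {
    for (const { name, re } of SINKS) {
      if (re.test(text)) hits.push({ sink: name, line: i + 1 });
    }
  });
  return hits;
}

// Constructed sample: the two variants from the talk, a third spelling of the
// constructor, a string timer, and an innocent line that must not match.
const sample = [
  "var a = eval(str);",
  "var b = (new Function(str))();",
  'var c = Function("return " + str)();',
  'setTimeout("run()", 10);',
  "var d = JSON.parse(str);",
].join("\n");

console.log(findDynamicCodeSinks(sample));
// eval on line 1, Function constructor on lines 2 and 3, string timer on line 4
```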
Combining these techniques he demoed two images, one containing the payload and the other the decoding routine. It was cool seeing this in action, and I can imagine it's a nightmare for AV vendors to catch this kind of obfuscation.
In his final demo he placed Adobe Reader exploit code within an image inside a PDF and used it to exploit Adobe Reader.
This talk reminded me a lot of Thor's talk at DefCon, "Socialized Data: Using Social Media as a Cyber Mule", where he demoed embedding data in video and images. At the moment I don't think this is something malware authors have really focused on, just because they haven't needed to, but I'm sure going into the future we'll see more of this stuff in the wild.
XSS & CSRF Strike Back Powered by HTML5 by Shreeraj Shah
I actually saw this talk at BlackHat 2012, but I found Shreeraj went through his material really fast. Unfortunately it was the same this time round as well :( He essentially took us on a whistle-stop tour of HTML5, the modern browser architecture and exactly where the issues lie.
Shreeraj presented a few examples; I'm only going to mention my favourites:
CSRF with XHR and CORS bypass
He demonstrated how an attacker could modify the code of a page to use cross-domain resources, for example to replace a login element on the current page with remote data:
Instead of me writing a really poor explanation I'd recommend this link for some great examples of these techniques: http://isisblogs.poly.edu/2011/06/22/cross-origin-resource-inclusion/
HTML5 brings some really interesting new features, such as the ability for web sites to create SQL databases or filesystems in the browser. If the website implementing these features contains XSS, an attacker can pull all of a user's data from these resources. It's cool, but unfortunately not possible cross-domain.
In Chrome you can view a site's stored resources by bringing up the developer console: right-click the page and select Inspect Element. Under the Resources tab you can see any locally stored data, including session data and cookies.
iOS Panel Discussion by @Musclenerd, David ‘@planetbeing’ Wang, Cyril ‘@pod2g’ & Mark Dowd
I went to see the iOS 6 talk on day one and found it a bit tricky to follow, as I don't have a lot of experience with iOS or writing kernel exploits. Although this panel discussion focused on similar material, it was more high level and not as technical as the previous talk.
Despite the ASLR, heap hardening, address space protection and more added by Apple, there's no doubt these will be the guys releasing a jailbreak for the iPhone 5 in the coming weeks.
Messing Up the Kids Playground: Eradicating Easy Targets by Fyodor Yarochkin
Fyodor presented a rushed and somewhat unclear talk on ways to detect/catch malware and botnet owners by analysing DNS records.
He started by giving an overview of the Crimeware-as-a-Service (CaaS) scene. He described how different groups are generally responsible for different parts of the service. Fundamentally this is a black market economy where there is competition between individuals, and just like the real business world it's far more profitable to cooperate with others to get the job done. This has resulted in different groups that each specialise in malware creation, traffic generation, infrastructure or handling stolen data, and each group will sell its services to the highest bidder.
He provided an interesting example of a banner advertising agency in Russia that has managed to escape prosecution because they claimed they had been hacked and there just wasn't enough evidence to achieve a conviction.
The remainder of the talk was a bit rushed; he talked briefly about how patterns in DNS can be used to detect botnets. Typically the same registrar is reused, as is the same whois information. It is also possible to automate detection of malicious domain names, but he didn't go into how to do this.
He mentioned fast-flux techniques, where malicious domains are rotated very rapidly to evade detection, and suggested how this could be done. Apparently a number of registrars offer a returns policy on domains and charge only a small cancellation fee. This allows botnet infrastructure owners to repeatedly change domains for only a small cost. He also talked about how you can try to predict the domains they will use in the future. If you guess correctly then bots will actually connect to you, sweet.
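As an added example (not from the talk), here is the registrar/whois clustering he described, combined with a fast-flux heuristic over resolution data. The records are constructed, and the TTL and address-count thresholds are assumptions; real input would come from whois output and passive DNS.

```javascript
// Added example (not from the talk): group domains by the registrar and
// whois contact they share, and flag the low-TTL, many-IP resolution
// pattern that fast-flux hosting produces. Records and thresholds are
// constructed for the example.
const records = [
  { domain: "a.example", registrar: "RegA", email: "x@m.example", ttl: 60,
    ips: ["203.0.113.1", "203.0.113.2", "203.0.113.3", "203.0.113.4"] },
  { domain: "b.example", registrar: "RegA", email: "X@m.example", ttl: 120,
    ips: ["198.51.100.5", "198.51.100.6", "198.51.100.7", "198.51.100.8"] },
  { domain: "c.example", registrar: "RegA", email: "x@m.example", ttl: 3600,
    ips: ["192.0.2.10"] },
  { domain: "shop.example", registrar: "RegB", email: "ops@shop.example",
    ttl: 300, ips: ["192.0.2.20", "192.0.2.21"] },
];

// Group by registrar + registrant email (case-insensitive). Only groups of
// two or more domains are returned, since a lone domain shares nothing.
function clusterByRegistration(recs) {
  const groups = new Map();
  for (const r of recs) {
    const key = `${r.registrar}|${r.email.toLowerCase()}`;
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(r.domain);
  }
  return [...groups.entries()]
    .filter(([, domains]) => domains.length >= 2)
    .map(([key, domains]) => ({ key, domains }));
}

// Fast-flux heuristic (thresholds are assumptions): TTL at or below maxTtl
// seconds and at least minIps distinct addresses returned in one lookup.
function isFastFlux(rec, maxTtl = 300, minIps = 4) {
  return rec.ttl <= maxTtl && new Set(rec.ips).size >= minIps;
}

// Domains that sit in a shared-registration cluster AND show fast flux are
// the strongest candidates for one operator's rotating infrastructure.
function suspiciousDomains(recs) {
  const clustered = new Set(
    clusterByRegistration(recs).flatMap((c) => c.domains));
  return recs
    .filter((r) => clustered.has(r.domain) && isFastFlux(r))
    .map((r) => r.domain);
}

console.log(clusterByRegistration(records)); // one cluster: a, b, c
console.log(suspiciousDomains(records));     // ["a.example", "b.example"]
```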
A Scientific (But Non Academic) Study of Malware Obfuscation Technologies by Rodrigo Rubira Branco
I only caught the last 20 minutes of this talk and regretted not watching from the start. Rodrigo is head of malware research at Qualys and can best be described as a funny Brazilian guy. In his talk he presented an analysis of anti-debugging and obfuscation techniques used by malware.
I missed the first half of the talk, where he described the various anti-debugging techniques used, but I was lucky enough to catch the second half, where Rodrigo explained how the presence of anti-debugging in malware can itself be used as a way to detect the malware. It's such a simple idea, and I'm really surprised (as was Rodrigo) that AV vendors don't use these techniques already.
For more info - https://community.qualys.com/blogs/securitylabs/2012/07/30/how-malware-employs-anti-debugging-anti-disassembly-and-anti-virtualization-technologies
Element 1337 in the Periodic Table: Pwnium by Chris Evans
The final talk of the day was presented by Chris Evans, who is a senior member of the Google security team. He started off by handing out a big pile of cash to different researchers for their contributions. Props to Google for supporting the security community.
Chris mentioned how successful the vulnerability disclosure program had been since its launch and presented some statistics. I was surprised to see that Chrome has contained so many vulnerabilities; I had rather naively assumed Google developers were invincible! Take a look at http://googlechromereleases.blogspot.com/ and you'll see that each month a ton of vulnerabilities get reported.
Next he discussed Pinkie Pie's working Chrome exploit. Pinkie's exploit abused a use-after-free vulnerability in the SVG module to compromise the Chrome renderer process, with a ROP chain to evade ASLR. To escape the Chrome sandbox and reach Windows he used specific IPC messages that weren't properly restricted. In other words, no super fancy exploit was needed to escape the sandbox, just a simple call to the Chrome IPC layer. Chris was face-palming live on stage at this point. More info can be found here: http://blog.chromium.org/2012/10/pwnium-2-results-and-wrap-up_10.html
It was an awesome two days and hopefully I'll be back next year. If anyone has any comments or questions feel free to post them below.
Pwndizzle over and out.