Saturday 13 October 2012

Hack In The Box 2012 Kuala Lumpur Day Two

So Hack In The Box 2012 is all over. I had an awesome two days, the talks were really enjoyable and it was great talking to the other folks who attended. As promised here is the write-up of day two (with one or two pictures).

List of talks I attended:
  • Why Web Security is Fundamentally Broken by Jeremiah Grossman
  • Innovative Approaches to Exploit Delivery by Saumil Shah
  • XSS & CSRF Strike Back Powered by HTML5 by Shreeraj Shah
  • IOS panel discussion
  • Messing Up the Kids Playground: Eradicating Easy Targets by Fyodor Yarochkin
  • A Scientific (But Non Academic) Study of Malware Obfuscation Technologies by Rodrigo Rubira Branco
  • Element 1337 in the Periodic Table: Pwnium by Chris Evans 

Why Web Security is Fundamentally Broken by Jeremiah Grossman

This talk focused on the fundamental flaws present in the current security model of web technology. Nothing Jeremiah talked about required a vulnerability to exploit, all of these flaws are there by design. Jeremiah started by introducing the two main categories of browser attack:
  • Attacks to escape the browser e.g. browser exploits, java exploits, adobe exploits etc.
  • Attacks from inside the browser sandbox, e.g. XSS, CSRF, clickjacking etc.
He made the point that often there is little users can do to protect themselves and the responsibility to address these flaws lies with the website owners. Next he presented a couple of examples.

img src Login Checker
This one liner tries to retrieve an image from a site on a different domain. If the user is logged in Twitter or Facebook will redirect to the image sending back a HTTP 302 message. If not an error code will be returned. There is a module within Beef that uses this technique to check for gmail, facebook and twitter login status.

<img src="" onload="succesful()" onerror="error()">

Personal Information leakage through Follows and Likes
It's surprising how much information is given away when someone follows or likes something on Twitter or Facebook. With default privacy settings it's possible for the person you follow or the page you like to actually view a selection of your personal information. Facebook and Twitter should really address this issue but this would no doubt piss off big business as data mining these sources would be prevented.

Host Information Leakage
Through browser calls and javascript it's possible to find out information such as browser version, underlying OS, browser plugins, add-ons and extensions (different to plugins). It's possible to brute force their existence by using the extension URLs from the app store.

Possible Solutions
  • To fix login detection - Do not send web visitors cookie data to off-domain destinations.
  • Not possible to fix likes or follows as money-making analytics relies on these features.
  • Ban iframes or transparent iframes. Facebook, gmail and others rely on iframes!
  • Create a barrier between public and private networks filtering particular RFCs. Not possible because business's often have fucked up internet/intranet settings.
  • Ultimately no browser is willing to fix these issues as they might lose users.
  • Instead apply a bandage through opt-in security settings deployed by individual website owners. e.g. Secure cookies, HttpOnly, x-frame-options.

There are three choices either we :
  • Carry on as usual. 
  • Use the new .SECURE tld. 
  • Break the internet, uh oh.
As a final thought Jeremiah looked at the browser model used by mobile apps. Apps are quite often just mini versions of browsers but locked down to a particular site. This is a secure model and something that could be adopted on Desktops.

Innovative Approaches to Exploit Delivery by Saumil Shah

Saumil presented an interesting way to obfuscate javascript by encoding it within an image. He started off by covering traditional obfuscation techniques that usually rely on the eval statement to decode javascript. Although this can prevent manual analysis of code, it doesn't evade dynamic analysis and AV/IDS vendors will often flag an eval statement as suspicious! He gave a quick demo to show how easy it is to place malicious javascript in a tinyurl website and then embed it on another site or share the link through email/social networks.
Saumil then demo'ed an encoder and decoder he had built that would take javascript and convert it to a basic png and back. Neat stuff. However this still used an eval to process the image to extract and run the javascript.

He presented an easy alternative to eval:
  • Flagged by AV:  var a = eval(str);
  • Not-flagged by AV:  var a = (new Function(str))();
Next up he demonstrated how to create an image that is both an image and javascript. Wut?!?! I can't remember exactly how he did this but if you look at the hex of a gif you will see the gif89a header after this there were some width and height bits, apparently you can just stuff javascript after these bits using tags /**my javascript**/ and it will be executed. All you do is embed it in the page with the following:

<img src="a.gif">
<script src="a.gif"></script>

And this worked on all browsers. Next he presented a bmp example, where he had inserted the javascript in the alpha channel section of the image and the original image remained completely in tact.

Combining these techniques he demoed two images one containing the payload another the decoding routine. It was cool seeing this in action and I can imagine it's a nightmare for AV vendors to try and catch this kind of obfuscation.

In his final demo he placed adobe reader exploit code within an image in a pdf and used it to exploit adobe reader.

This talk reminded me a lot of Thor's talk at DefCon "Socialized Data: Using Social Media as a Cyber Mule" where he demoed embedding data in video and images. At the moment I don't think this is something malware authors have really focused on just because they haven't needed to but I'm sure going into the future we'll see more of this stuff in the wild.

XSS & CSRF Strike Back Powered by HTML5 by Shreeraj Shah

I actually saw this talk at BlackHat 2012 but I found Shreeraj went through his material really fast. Unfortunately it was the same time this time round as well :( He essentially took us on a whistlestop tour of HTML5, the modern browser architecture and exactly where the issues lie.

Shreeraj presented a few examples, I'm only going to mention my favourites:

CSRF with XHR and CORS bypass
Before HTML5 cross domain XHR was not possible, however now pages can set CORS headers to allow cross domain. For example when a site sets the access-control-origin header to "any" e.g. "access-control-allow-origin : *"  you can successfully make cross-domain calls. What this means is that if a user were to visit say legitimate site A that happened to contain malicious javascript an attacker would be able to do CSRF or pull data from the user's legitimate site B session.

He demonstrated how a malicious attacker could modify the code of a page to use cross domain resources. For example to replace a login element on the current page with remote data:


Instead of me writing a really poor explanation I'd recommend this link for some great examples of these techniques:

Web Storage
HTML5 brings some really interesting new features such as the ability for web sites to create SQL databases or filesystems in the browser. If the website that's implementing these features contains XSS an attacker can pull all of a users data from these resources. It's cool but unfortunately not possible cross domain.

In Chrome you can view the resources of the site by bringing up the developer console, right click the page and select inspect element. Under the resources tab you will be able to see any locally stored data including session data and cookies.

For more awesome HTML5 hacks it's worth checking out:

IOS Panel Discussion by @Musclenerd, David ‘@planetbeing’ Wang, Cyril ‘@pod2g’ Mark Dowd

I went to see the iOS6 talk on day one and found it a bit tricky to follow as I don't have a lot of experience with iOS or writing kernel exploits. Although this panel discussion focused on similar material it was more high level and not as technical as the previous talk.

Despite the aslr, heap hardening, address space protection and more added by Apple, there's no doubt these will be the guys releasing a jailbreak for the iPhone5 in the coming weeks.

Messing Up the Kids Playground: Eradicating Easy Targets by Fyodor Yarochkin

Fyodor presented a rushed and somewhat unclear talk on ways to detect/catch malware and botnet owners by analysing DNS records.

He started by giving an overview of the Crimeware as a service (CaaS) scene. He described how different groups are generally responsible for different parts of the service. Fundamentally this is a black market economy where there is competition between individuals and just like the real business world it's far more profitable to cooperate with others to get the job done. This has resulted in different groups that each specialise in either malware creation, traffic generation, infrastructure or handling stolen data and each group will sell their services to the highest bidder.

He provided an interesting example of a banner advertising agency in Russia that has managed to escape prosecution because they claimed they had been hacked and there just wasn't enough evidence to achieve a conviction.

Next Fyodor showed two ransomware examples one that been installed locally through a browser exploit and one fake firefox update javascript example running in the browser.

The remainder of the talk was a bit rushed, he talked a bit about how patterns in DNS can be used to detect botnets. Typically the same registrar will be reused and also the same whois information. It is also possible to automate detection of malicious domain names but he didn't go into how to do this.

He mentioned fast flux techniques where malicious domains are rotated very rapidly to evade detection and suggested how this could be done. Apparently a number of registrars offer a returns policy on domains and charge only a small cancellation fee. This allows botnet infrastructure owners to repeatedly change domains for only a small cost. He also talked about how you can try to predict the domains they will use in the future. If you guess correct then you will get bots actually connecting to you, sweet.

A Scientific (But Non Academic) Study of Malware Obfuscation Technologies by Rodrigo Rubira Branco

I only caught the last 20 minutes of this talk and regretted not watching from the start. Rodrigo is head of malware research at Qualys and can best be described as a funny Brazilian guy. In his talk he presented an analysis of anti-debugging and obfuscation techniques used by malware.

I missed the first half of the talk where he described the various anti-debugging techniques used but I was lucky enough to catch the second half where Rodrigo explained how the presence of anti-debugging in malware can actually be used as a way to detect the malware. It's such a simple idea and I'm really surprised (as was Rodrigo) that AV vendors don't use these techniques already.

For more info -

Element 1337 in the Periodic Table: Pwnium by Chris Evans 

The final talk of the day was presented by Chris Evans who is a senior in the Google security team. He started off by handing out a big pile of cash to different researchers for their contributions. Props to Google for supporting the security community.

Chris mentioned how successful the vulnerability disclosure program had been since it's launch and presented some statistics. I was surprised to see that Chrome has contained so many vulnerabilities. I had rather naively assumed Google developers were invincible! Take a look at:  each month a ton of vulnerabilities get reported.

Next he discussed Pinkie Pie's working Chrome exploit. Pinkie's exploit abused a use-after-free vulnerability present in the SVG module to compromise the renderer process within Chrome and a ROP chain to evade ASLR. To escape the Chrome sandbox and access Windows he used specific IPC messages that weren't properly restricted. In other words to escape the sandbox no super fancy exploit was used, just a simple call to the Chrome IPC layer. Chris was face palming live on stage at this point. More info can be found here:

Lock-picking stand:

CTF contest:

It was an awesome two days and hopefully I'll be back next year. If anyone has any comments or questions feel free to post them below.

Pwndizzle over and out.


  1. Such knowledge should be well used by us. Thanks for sharing such nice information.
    Book your ideal accommodation

  2. Hi...
    Notorious security conference Hack In The Box is about to celebrate its ten year mark in Kuala Lumpur, Malaysia. Doors open to conference ...
    You are also read more Personal Loan interest rates in India