Saturday 5 October 2013

Notes from Derbycon 2013 - Day #3

After another late night partying on the streets of Kentucky, I arrived home at 5am and had to get some sleep. I missed the first two talks of the day but did make it in for the afternoon sessions, and there were some cool talks.


#########################################################
Title: Sandboxes from a pentester's view
Link: http://labs.bromium.com/2013/07/23/application-sandboxes-a-pen-testers-perspective/
What was it about:
Rahul took us on a journey through the concepts of application sandboxes and how to escape them. He started by explaining how most third-party software sandboxes can be bypassed simply because they don't properly control access to the kernel; the products are basically badly designed. He then went on to talk about the sandboxes for Chrome and Adobe Reader, which are a lot more secure.

The high privilege "broker" and low privilege "target" process architecture, and the fact that Google have spent millions on development, have made the Chrome sandbox very secure. However, Chrome and the sandbox run on top of the Windows kernel, so to escape the sandbox all an attacker needs to do is exploit the kernel. With such a large attack surface (everything reachable from user land, plus RPC services) there are a lot of potential targets.

Rahul showed a demo exploit for MS11-063 which he had reversed from the patch. csrss.exe didn't properly enforce access permissions, so by connecting to csrss.exe over RPC from the sandboxed Chrome process he was able to execute arbitrary commands.

Lessons learned:
Forget about exploiting the browser and attack the Windows kernel instead; there's a gold mine of potential vulnerabilities yet to be found.


#########################################################
Title: Exploiting the zeroth_hour; Developing your advanced persistent threat to pwn the network
Link: https://github.com/splinterbotnet
What was it about:
Solomon and Nick talked about how they created their own botnet agent and backend C&C. Although botnets are nothing new, what they had built was the first open source botnet framework, which is cool. In the demo they showed off some of the features, like beaconing, information gathering and file transfers, all pretty fun.

The full source code should be appearing on GitHub sometime soon.

Lessons learned:
Man + dog will now be running a botnet?


#########################################################
Title: Stop making excuses it's time to own your HIV (high impact vulnerabilities)
Link: http://www.youtube.com/watch?v=BbkwzhU1_4A
What was it about:
As a defender, one of the biggest challenges I've encountered is deciding what to prioritize. There's simply too much to do and too little time. In this talk Jack presented his experiences developing and implementing an effective security program. He used a four-step process: identify (what problem areas you have), align (decide on solutions and create a project schedule), communicate (let users know what's going to happen) and report (provide metrics to management). I liked that. He also suggested that when reporting you should think like a CFO: keep reports simple and show the return on investment.

Lessons learned:
Take a step back and look at the big picture: the risks facing your organisation, what you can do to address those risks, and a plan with clear projects and a schedule.


#########################################################


After two days of full-time corelanc0d3r training, three days of conference talks and two heavy nights out I was ready to sleep for a week. Overall I had an amazing time, learnt so much and met so many cool people. I would definitely recommend you check it out, and I will be doing my very best to return next year.

Questions/comments/corrections - leave a message below.

Pwndizzle out!