Black Hat Las Vegas Day 2

Again, sorry for the late updates.  Vegas is the kind of place that demands a lot of a person.  Too many parties make it difficult to find time to blog on the conference.  Pictures of the event are a bit sparse, due to consistently forgetting to bring my camera, but I will post them shortly.

Day 2 began a bit rough for me, but I forced myself down to catch Shawn Moyer and Nathan Hamiel's talk, "Satan Is On My Friends List".  The talk was really solid, and focused on attacking social networking sites, such as MySpace, Adult Friend Finder, and LinkedIn.  The pair pointed out numerous flaws with these sites, such as impersonation, theft of sensitive data (pics etc.), and arbitrary code execution (through various plug-in applications).

Moyer said, "You share way more information with someone than you would on the street (with these sites)", which is interesting because any number of people you share with might be perfect strangers.

Third-party applications were also a huge concern, as it was mentioned that there is little or no vetting process for the creation of these applications, and further, the API hooks into the main applications can be very dangerous.  Some applications have a sense of graduated functionality, or requests for permission to develop apps, but Moyer and Hamiel commented that getting around these was simple.  Moyer said, "There's a functionality arms race", pointing to the fact that the social network which has the most interesting functionality and capabilities is going to be the most popular.  On third-party applications, Hamiel said, "When you add a third-party app, it's just like adding a friend, you are essentially saying 'I fully trust this application with all of my data', and a lot of people don't understand that."

I think there's always been a concern around social networking sites, but this pair really showed some interesting attacks.

After this talk, I moved on to good friend Billy Hoffman's talk "Circumventing Automated JavaScript Analysis Tools".  There was a ton of interesting discussion in this talk on various JavaScript related quirks.  Hoffman was using various JavaScript quirks to determine whether or not he was in a sandbox, and he further discussed some of the difficulties of programming a scanning application that works within the bounds of AJAX and all this client-side code we face these days.

The most interesting piece of this whole discussion was when Hoffman was discussing using JavaScript for side-channels.  In this piece, he discussed the creation of an XBM image, where he actually provided its dimensions, but did not initialize its data.  When he attempted to render this image in Firefox, it appeared as a long series of white and black space.  When analyzing this, Hoffman didn't note any pieces which showed a large number of repeats.  Thinking about this further, it may be that during the creation of this image, Firefox actually pulled data from memory it should NOT have had access to in order to create the image.  Could be a very interesting attack vector if the image could be analyzed.

Due to preparing for my talk, I only got to see the very end of Ben Hawkes' talk on "Attacking the Vista Heap", so I'll unfortunately have to wait until the DVD comes out to see the details, but I was told it was a great talk.

Now it was finally time for Rob Carter, John Heasman, and I to present on our research (which also featured work by Billy Rios).  The whole point of our talk was to describe a feasible compromise of a corporation through the use of techniques that did not involve classic memory corruption issues.  We used a variety of attacks together, but here's a very brief summary of how we did some of this:

  1. Use a GIFAR to upload an image that is really an applet to a remote site allowing bypass of same origin policy for that site.
  2. Force a GIFAR to the file system of a victim through the use of various caching techniques or third-party applications, to gain access to an applet that has far more permissions.  In this case, we used the applet to create a proxy from the Intranet to the Internet that would allow us to steal NTLM authentication credentials.
  3. Use CSRF on the uTorrent web management console to force the download of an executable to the victim's startup folder, allowing arbitrary code execution upon the user's next boot.
  4. Use CSRF on the uTorrent web management console to force the download of a JAR file to the Java extensions directory.  Applets loaded from this directory receive the AllPermissions permission from the JVM, so we can actually read/write files, run arbitrary commands, invoke native code, basically do anything Java can do.
  5. Use Same Origin Policy bypasses in the way that the JVM resolved codebase vs. code URLs to convince the JVM that we are loading our applet from the Java extensions directory (again gaining AllPermissions for our applet).
  6. Repurposing the "ThinkFree" Web 2.0 office solution's signed applet for evil purposes.  Basically here, ThinkFree had an applet that was signed to provide access to the file system of a user, for the purpose of saving or reading office files.  The applet was packaged in a JAR that contained many classes, not all of which were signed.  In fact, there was a main class loader applet that was signed, and all other classes were unsigned.  This means that we could download the signed class loader, and host it from our site, loading our own nefarious unsigned classes.  Add to this that Java allows you to check a box that trusts content from a provider, and if you have previously used ThinkFree, you won't even get warned when loading from our site.
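The GIFAR trick in item 1 works because a file can satisfy two parsers at once: a GIF reader trusts the leading magic bytes, while the JVM reads a JAR (a ZIP) from its trailing central directory.  As an added example that is not from the talk or this post, here is a defender-side upload check that flags files which parse as both a GIF and a ZIP archive; the sample bytes are constructed inline, and the entry name and layout are made up for the test.

```python
import io
import zipfile

GIF_MAGICS = (b"GIF87a", b"GIF89a")
ZIP_EOCD_SIG = b"PK\x05\x06"  # ZIP End Of Central Directory record signature


def looks_like_gif(data: bytes) -> bool:
    """The check a naive image-upload filter performs: magic bytes only."""
    return data[:6] in GIF_MAGICS


def find_zip_eocd(data: bytes) -> int:
    """Offset of a ZIP EOCD record, or -1.  The EOCD must lie within the last
    22 + 65535 bytes (fixed record size plus the maximum comment length), and
    ZIP readers locate it from the end of the file, ignoring any leading bytes."""
    tail_start = max(0, len(data) - (22 + 0xFFFF))
    return data.rfind(ZIP_EOCD_SIG, tail_start)


def embedded_archive_entries(data: bytes) -> list[str]:
    """Names of the archive entries if the bytes also parse as a ZIP/JAR.
    zipfile tolerates prepended data, exactly as a JVM would for a GIFAR."""
    if find_zip_eocd(data) == -1:
        return []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def is_image_archive_polyglot(data: bytes) -> bool:
    """Reject uploads that look like a GIF but also carry a ZIP central directory."""
    return looks_like_gif(data) and bool(embedded_archive_entries(data))


# Constructed sample inputs: a minimal 1x1 GIF89a, and the same image with a
# one-entry ZIP appended to it (the shape an upload filter must catch).
CLEAN_GIF = (b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00" + b"\x00\x00\x00\xff\xff\xff"
             + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00" + b"\x02\x02\x44\x01\x00" + b"\x3b")
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as _zf:
    _zf.writestr("Hello.class", b"constructed placeholder, not real bytecode")
SAMPLE_ZIP = _buf.getvalue()
POLYGLOT_SAMPLE = CLEAN_GIF + SAMPLE_ZIP
```

Checking only `looks_like_gif` accepts both samples; the EOCD scan is what separates them.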

The talk was a lot of fun, and we had a surprisingly good turnout given all the other great talks during this block.  We were up against Mark Dowd and Alex Sotirov (whose talk is so good, I nearly skipped my own talk to go watch it), Jeremiah Grossman and Arian Evans (with Trey sitting in for Arian, I understand) discussing how to make money the black hat way, Joanna Rutkowska and Rafal Wojtczuk discussing Bluepilling the Xen Hypervisor, and of course the Microsoft team of Mike Reavey, Katie Moussouris, and Steve Adegbite discussing new strategic security initiatives on their way from Microsoft.

We also had some really great questions from the audience that even led to some outside conversation about possible further research.  Thanks to everyone who came!

The final talk slot of the day had a talk that I was REALLY interested in seeing from Bruce Dang of Microsoft, which discussed understanding the methods behind targeted attacks against Microsoft Office documents.  Unfortunately, I had media commitments from our talk to deal with, such as a Dark Reading video interview and a Securosis (thanks Rich Mogull) podcast that I will post links to later.  I suppose I will have to reach out to Bruce and see if we can't get a guest editorial from him for the blog to discuss his research.  I saw a few previews of it when I was in Seattle for Microsoft Blue Hat, and I have to say, it was very technical, very interesting work that I look forward to seeing in the future.

Of course, after Black Hat the madness of parties began.  There was a CORE security party, iSec Partners had a party, the Microsoft party, etc.  There were too many to go to them all... not sure why more of them couldn't have been on Wednesday, but hey, beggars can't be choosers.  I settled for going out to dinner with a few friends, moved to the Microsoft party (which was really great), and then wrapped up with a party with my co-workers from Ernst & Young's Advanced Security Center.  It was a great night to cap off a great week.