ToorCon Seattle 2008: Nuke plants, non-existent sub domain attacks, muffin diving, and Guitar Hero

*** Updated: ToorCon images uploaded.  Click here!

ToorCon Seattle 2008

Alright, that title probably sounds pretty random... well, welcome to ToorCon!  ToorCon has long been one of my favorite conferences for the easy atmosphere, laid-back presentations, and parties.  This year's Seattle-based ToorCon was the best I've been to.

[Photo: David Hulton]
The event opened up late Friday night with a large number of five-minute talks and a big party with free drinks to be had by all!  I decided to skip most of the five-minute talks in favor of the free drinking, so, sorry I don't have a lot to report about that.  The bartender did make a legit drink though, called Sweet Death... sounds bad, tastes great, less
[Photo: Nate McFeters, Jay Kelath, John Heasman, Billy Rios, and Rob Carter]

Anyways, after a long night, I got up bright and early because Dan Kaminsky was talking and (for once) was NOT out drinking with us the night before.  When I called Dan, he told me, "Nate, make sure you are there, it will be worth it!"  Well, I was there, and Dan most certainly dropped an absolute bomb on the conference attendees... a completely unexpected, devastating attack vector... more on this later. 

Not to leave you all hanging, but prior to Dan's talk, David Hulton (h1kari) and Tim Huynh (nfiltr8) gave an awesome talk about this year's ToorCon and where it's going.  Attendees at ToorCon got some serious swag: T-shirts, flasks, pint glasses, and challenge coins.  I thought the challenge coins were an awesome idea, very similar to what the military branches do, and one that really ties the ToorCon community together.  David and Tim announced that next year there will be no ToorCon Seattle, but that instead, there would be a ToorCamp which would be held in a nuclear power plant.  They weren't joking, I asked them like ten times each.  Very exciting news indeed.

Ok, so back to Dan's talk... I've watched Kaminsky speak a number of times now, and he's always entertaining, regardless of your interest in the content of his talk.  He said he would drop something huge, and he did not disappoint.  Dan talked about how ISPs are catching DNS lookups for non-existent subdomains (names that should come back as NXDOMAIN) and instead redirecting unsuspecting browsers to ad servers.  The thought is novel and started back with domain squatting.  The idea was that if someone typed instead of, they'd get redirected to a page that let them know the domain didn't exist, and hey, while they were there, it didn't hurt to hit them with some ads.  Well, they extended the idea to subdomains, so if you type instead of, you might end up at an ad server.  That's all well and good, but let's say the web sites serving up these ads contain an XSS... um, yeah, that's a problem that leads to MASS pwnage.  If you can't see how, consider how cookies work in a domain... typically cookies are set with a Domain attribute covering the entire parent domain, and the browser then sends them along to every subdomain, which is why you can log into also be logged into and, etc.  Since the ISP answers for any non-existent name under that domain, the ad server's page is a subdomain too.  This means if I XSS you on, which just so happens to actually be an ad server completely NOT controlled by Google, then I can actually steal your cookies for the REAL domain and its subdomains, thus allowing me to read your GMail, etc.

It actually gets worse if you can believe it... consider how document.domain works: pages on two different subdomains can each set document.domain to the shared parent domain, and once they have, the browser lets them script each other.  So there's a good chance you could use the XSS on the ad server not just to read cookies but to read and modify the content displayed to a user of the real domain.... ugh.  Kaminsky actually demoed this by loading content (he "Rick-rolled" us by loading some nasty 80's video from YouTube) into a number of real domains like, (think malware), and  I can't begin to describe the all-encompassing exploitation this could lead to... I'm still extremely scared.
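To make the cookie-scoping and document.domain reasoning above concrete, here is an added example (not code from the talk or from this post) that models the two rules in plain JavaScript: RFC 6265 domain matching, which decides which cookies a browser attaches to a request, and a simplified version of the legacy document.domain relaxation.  The hostnames (example.com and its subdomains, including the typo'd wwww.example.com) are constructed placeholders, not hosts from the demo.

```javascript
// Added example (not from the original post): models why an XSS on a
// wildcarded, non-existent subdomain reaches a parent domain's cookies and,
// via document.domain, its pages. Hostnames are constructed placeholders.

// RFC 6265 section 5.1.3: a request host domain-matches a cookie's Domain
// attribute when it equals it or ends with "." + that domain. A leading dot
// on the attribute (old Netscape style) is ignored.
function cookieDomainMatches(cookieDomain, requestHost) {
  const d = cookieDomain.replace(/^\./, "").toLowerCase();
  const h = requestHost.toLowerCase();
  return h === d || h.endsWith("." + d);
}

// Cookies are modelled as {name, domain, host}: `domain` is the Domain
// attribute (null for a host-only cookie) and `host` is the server that set it.
// Returns the names of the cookies a browser would attach to a request to `host`.
function cookiesSentTo(cookies, host) {
  return cookies
    .filter(c =>
      c.domain
        ? cookieDomainMatches(c.domain, host)      // domain cookie: any matching subdomain
        : c.host.toLowerCase() === host.toLowerCase() // host-only cookie: exact host only
    )
    .map(c => c.name);
}

// Simplified legacy document.domain relaxation: two pages can script each
// other once both have set document.domain to the same value, and a page may
// only set it to a suffix of its own host that is not a bare TLD. (Real
// browsers also consult the public-suffix list; this model does not.)
function canScriptViaDocumentDomain(hostA, hostB, chosen) {
  if (!chosen.includes(".")) return false; // refuse "com", "net", ...
  return cookieDomainMatches(chosen, hostA) && cookieDomainMatches(chosen, hostB);
}

// Constructed scenario: a session cookie scoped to the whole domain, and a
// host-only cookie, both set by the real www host.
const SAMPLE_COOKIES = [
  { name: "SID",      domain: "example.com", host: "www.example.com" },
  { name: "HOSTONLY", domain: null,          host: "www.example.com" },
];

// The ISP's ad server answers for the mistyped wwww.example.com; the domain
// cookie goes with the request, the host-only cookie does not.
function leakedOnTypo() {
  return cookiesSentTo(SAMPLE_COOKIES, "wwww.example.com");
}
```

The practical check for a site owner follows from `cookiesSentTo`: a cookie set without a Domain attribute stays host-only and is never delivered to a sibling or non-existent subdomain, so the only cookies exposed by this attack are the ones deliberately scoped to the parent domain.  (Setting document.domain has since been deprecated by browsers, but the cookie half of the problem is unchanged.)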

After watching Dan's talk, I thought nothing could be close to it in terms of wow factor, but the rest of the conference was outstanding as well.  The next talk that really caught my eye was put on by NGSSoftware's John Heasman.  John's awesome abuse of Sun has been well documented on this blog, see here and here, but he isn't done yet.  He discussed some new vulnerabilities that Sun has just patched, including an attack that allows him to inject arbitrary command line arguments into Java Web Start.  The attack, which is so unbelievably simple, takes advantage of how Sun tried to fix a previous attack of the same nature: the fix added an escape character, and the new attack simply escapes the escape character itself.  John discusses this at length on his blog, so I'll leave it at that.  The rest of his talk was equally scary, and if we're lucky, you may be able to see John, Billy Rios, Rob Carter, and me talk about these issues and numerous others at Black Hat Vegas this year.  John is a really entertaining presenter and had a lot of humor in his slides, which was well received by the audience.  He referred to the process of stealing the "cookies" that Java Web Start uses, which Java actually calls "muffins", as "muffin diving".  I suspect that fellow NGSSoftware member Kev Dunn probably coined the term, but it was quite hilarious (go ahead and call me juvenile, you would've laughed too).
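The "escape the escape character" bug class is worth seeing in code.  The following is an added illustration, not Sun's code or anything from John's talk: a hypothetical launcher quotes one user-controlled parameter into a command line, a naive fix escapes only the quote character, and a value ending in a backslash before the quote turns that fix against itself.  The quoting convention, the `launcher` program and the `-param`/`-inject` switches are all made up for the example.

```javascript
// Added example (not the vendor's code): the general "escape the escape"
// argument-injection pattern, using a hypothetical launcher and a simple
// quoting convention (backslash escapes the next character inside "...").

// Naive fix: escape only the double quote. A value containing backslash+quote
// becomes backslash+backslash+quote: the backslash is now escaped, the quote
// is live, and the attacker closes the quoted argument early.
function naiveQuote(value) {
  return '"' + value.replace(/"/g, '\\"') + '"';
}

// Correct fix: escape the escape character first, then the quote, so no
// attacker-supplied backslash can change the meaning of the inserted \".
function safeQuote(value) {
  return '"' + value.replace(/\\/g, '\\\\').replace(/"/g, '\\"') + '"';
}

// Minimal tokenizer for the convention above: unquoted whitespace separates
// arguments; inside double quotes a backslash escapes the next character.
// It stands in for whatever parser the launched program actually uses.
function splitArgs(cmdline) {
  const args = [];
  let cur = "", inQuote = false, has = false;
  for (let i = 0; i < cmdline.length; i++) {
    const ch = cmdline[i];
    if (inQuote && ch === "\\" && i + 1 < cmdline.length) { cur += cmdline[++i]; has = true; continue; }
    if (ch === '"') { inQuote = !inQuote; has = true; continue; }
    if (!inQuote && /\s/.test(ch)) { if (has) { args.push(cur); cur = ""; has = false; } continue; }
    cur += ch; has = true;
  }
  if (has) args.push(cur);
  return args;
}

// Hypothetical launcher: one attacker-influenced parameter on the command line.
function buildCommand(quoteFn, param) {
  return "launcher -param=" + quoteFn(param);
}

// Constructed attacker value: a trailing backslash followed by a quote, then
// an extra switch. Against naiveQuote the parser sees two arguments; against
// safeQuote it sees one.
const ATTACK_VALUE = 'x\\" -inject=1';

function argsSeenBy(quoteFn) {
  return splitArgs(buildCommand(quoteFn, ATTACK_VALUE));
}
```

The check a reviewer wants when auditing a fix like this is not "are quotes escaped?" but "can the input contain the escape character itself, and is that escaped first?"; `argsSeenBy(naiveQuote)` yields three arguments, the injected `-inject=1` among them, while `argsSeenBy(safeQuote)` yields two, with the whole attacker value kept inside the one parameter.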

Katie Moussouris of Microsoft gave an interesting discussion that talked about her role at Microsoft and the interesting concepts and ideas that she's pushing at Microsoft to move them towards a culture that is not only accepting of security researchers' work, but is actually grateful for it.  I've known Katie for about a year now, and we've had a number of discussions about various security issues and she's very knowledgeable, but I really didn't know what her job was until I worked with her myself.  I had spoken at Black Hat Federal with Rob Carter about a Flash anti-DNS-pinning attack that we had not reported yet (because we didn't realize it was new).  Katie actually put us in touch with the right people at Adobe and made it a very easy job to work with them.  A lot of people give Microsoft a lot of grief for security concerns, some of it rightfully so, but they've made a serious culture change, due in large part to the hard work of people like Katie, and that change has had lasting ripple effects on other companies as well.  If it's easy to work with Microsoft, it's hard for other companies to excuse the difficulties they put in the way.

I got a chance to watch Matt Miller (aka Skape) talk as well, and he discussed some interesting concepts of abstracting exploitation out to a higher level that allows someone to potentially predict or simulate the likelihood of exploiting a flaw given a set of conditions.  It sounds like some automation of creating an exploit may be underway, all very interesting stuff as always from one of the most legit researchers out there.

One of the most entertaining talks for me was put on by Richard Johnson called "Fast 'n Furious Transforms".  I'm going to be honest here, he had an overriding point, but the only thing I pulled out of it was that he was effectively recreating Guitar Hero in an open source way that would allow you to plug in a real guitar and play a game based off of REAL guitar playing.  As someone who has been playing guitar for a decade, I found this outstanding and realized that this could be an absolutely AMAZING learning tool.  Seriously, consider trying to learn how to play the entire "Little Wing" song by either Hendrix or SRV (take your pick, I like both).  This is damn near an impossible song to learn (if you can play it then you are a bastard and I hate you) without assistance.  I've used Power Tab in the past, which can help with this by visualizing what's being played, but there's no feedback on whether you are playing it correctly; it's more like watch, then try to play, then watch again, then try to play again, whereas it's quite easy to learn with feedback provided visually at play time.  I'm stoked about this, as I love its learning potential and I love playing the real guitar hero, so this is really quite cool.  I apologize to Rich for missing his greater point, but I couldn't stop thinking of the possibilities.

Rob Carter and I once again presented on our URI Use and Abuse research, but a shortened version.  I presented a few new flaws on the Mac which I will discuss here later, which got a few laughs from the audience.  It was surreal to think about this piece of research which has carried Rob and me through a whole year of conferences, and it was nostalgic to look back on the last year.  Rob and I have some new material that we plan to present at BH Vegas if we get in, but sans that, this will be the last time we talk about our URI Use and Abuse topic as we've moved on to other new things, which we also hope to present at BH Vegas.

In any case, ToorCon was an unbelievable time to catch up with old friends, meet new friends and just have an absolute blast with really cool, passionate, and knowledgeable people.  Check out images of the fun here!

Thanks a ton to h1kari, nfiltr8, the ToorCon crew, the sponsors, the venue (the Last Supper Club), and all of the researchers who presented for making this an outstanding time.