HackFest Series: BlackHat 2009 Europe, Cloud, OpenOffice and more

Lisa Kachold lisakachold at obnosis.com
Thu Apr 30 16:51:29 MST 2009


2009 BlackHat Europe really delivered!

*Various items submitted included OpenOffice [a clone of an insecure program
is still insecure]:*
OpenOffice Security Design Weaknesses

Document malware exists for Microsoft Office: the sadly known macro-viruses
which still represent a numeric nuisance nowadays. The recent evolution of
office suites towards free software - providing a high compatibility with
existing office software - makes it very necessary to determine and evaluate
the exact level of risk of the OpenOffice suite with respect to document
malware. This paper presents an up-to-date, in-depth evaluation of its
security (release 3.0.x) based on the results established since 2006 and
2007. All those results, as well as the different source codes of our
attacks, have been communicated to the OpenOffice developers group in order
to help them correct the identified security weaknesses and thus enhance
the overall security of the OpenOffice suite around the concept of a Trusted
OpenOffice suite.

While this suite has been developed towards more and more ease of use,
the overall security has not been modified at all since. Worrying security
weaknesses that have been identified since can still be exploited. They
still may be used by malware to spread through innocuous-looking documents
by exploiting the feeling of trust based on encryption and digital
signature. At the present time, it seems far easier to develop sophisticated
document malware for OpenOffice than for Microsoft Office. It is worth
mentioning that the attacks we present are NOT based on software
(implementation) flaws but on conceptual weaknesses that urge a redesign of
the whole software concept.

Finally this paper will discuss the pros and cons of both open and
proprietary solutions, on a purely technical basis, as far as security is
concerned. There is no such thing as a perfect solution. Therein lies all
the complexity of doing computer security.
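As a defender-side illustration of the document-malware risk the abstract describes, here is an added Python example (not code from the paper, from the speakers or from the OpenOffice project). It treats an ODF package as the zip file it is, lists the macro libraries stored under Basic/ (StarBasic) and Scripts/ (Python, BeanShell, JavaScript), and reports event bindings in content.xml or styles.xml that would run a macro on a document event such as dom:load, i.e. without any user action. The minimal .odt it builds for itself is constructed for the demonstration and is not a real document.

```python
import io
import re
import zipfile
from dataclasses import dataclass, field

# Paths under which ODF packages carry macro code: StarBasic libraries under
# Basic/, other scripting languages under Scripts/.
MACRO_PREFIXES = ("Basic/", "Scripts/")

# ODF event bindings (office:event-listeners) that fire a macro on a document
# event such as dom:load, i.e. without the user clicking anything.
EVENT_LISTENER_RE = re.compile(
    rb'<script:event-listener\b[^>]*script:event-name="([^"]+)"')


@dataclass
class OdfScanResult:
    macro_entries: list = field(default_factory=list)  # zip members holding code
    auto_events: list = field(default_factory=list)    # events bound to macros

    @property
    def has_macros(self) -> bool:
        return bool(self.macro_entries)


def scan_odf(data: bytes) -> OdfScanResult:
    """Inspect an ODF package (.odt/.ods/...) for embedded macros and
    for event bindings that would run them automatically."""
    result = OdfScanResult()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        for name in names:
            if name.startswith(MACRO_PREFIXES) and not name.endswith("/"):
                result.macro_entries.append(name)
        for part in ("content.xml", "styles.xml"):
            if part in names:
                for m in EVENT_LISTENER_RE.finditer(zf.read(part)):
                    result.auto_events.append(m.group(1).decode("utf-8", "replace"))
    return result


def build_sample_odt(with_macro: bool) -> bytes:
    """Constructed minimal .odt used as sample input; not a real document."""
    scripts = ""
    if with_macro:
        scripts = ('<office:scripts><office:event-listeners>'
                   '<script:event-listener script:event-name="dom:load" '
                   'script:language="ooo:script" '
                   'xlink:href="vnd.sun.star.script:Standard.Module1.Main?'
                   'language=Basic&amp;location=document"/>'
                   '</office:event-listeners></office:scripts>')
    content = ('<?xml version="1.0"?><office:document-content '
               'xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" '
               'xmlns:script="urn:oasis:names:tc:opendocument:xmlns:script:1.0" '
               'xmlns:xlink="http://www.w3.org/1999/xlink">' + scripts +
               '<office:body><office:text/></office:body></office:document-content>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # ODF requires the "mimetype" member first and stored uncompressed.
        zf.writestr(zipfile.ZipInfo("mimetype"),
                    "application/vnd.oasis.opendocument.text",
                    compress_type=zipfile.ZIP_STORED)
        zf.writestr("content.xml", content, compress_type=zipfile.ZIP_DEFLATED)
        if with_macro:
            zf.writestr("Basic/script-lc.xml", "<library:libraries/>")
            zf.writestr("Basic/Standard/Module1.xml",
                        '<script:module script:name="Module1">'
                        "Sub Main\nEnd Sub</script:module>")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        r = scan_odf(build_sample_odt(flag))
        print(f"macro={flag}: entries={r.macro_entries} auto_events={r.auto_events}")
```

A mail gateway or endpoint check can refuse or quarantine any document where has_macros is true and auto_events is non-empty; a signature on the document only proves who signed the macro, not that it is harmless, which is exactly the "feeling of trust" the abstract warns about.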

*For those of you who think that a good TCP/IP IPTABLES router will suffice
(you are passing DNS packets?):*
All Your Packets Are Belong to Us - Attacking Backbone Technologies

The year 2008 has seen some severe attacks on infrastructure protocols
(SNMP, DNS, BGP). We will continue down that road and discuss potential and
real vulnerabilities in backbone technologies used in today's carrier space
(e.g. MPLS, Carrier Ethernet, QinQ and the like). The talk includes a number
of demos (like cracking BGP MD5 keys, redirecting MPLS traffic on a site
level and some Carrier Ethernet stuff) all of which will be performed with a
new tool kit made available at the con. It's about making the theoretical
practical, once more!

Stripping SSL To Defeat HTTPS In Practice

This presentation will detail Moxie's SSL stripping technique, designed to
side-step SSL as it is deployed in common web applications such as online
banking and secure web logins. Additionally, there will be some discussion
into possible mitigating patterns and solutions that have been proposed, as
well as a look into what effect this technique might be having in the wild.
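The mitigation most directly aimed at SSL stripping is HTTP Strict Transport Security, proposed shortly after this talk and later standardized as RFC 6797; whether it is among the patterns Moxie discussed is not stated in the abstract, so treating it as the mitigation here is this editor's choice. The following added Python example (not code from the talk) evaluates a site's responses the way a hardening check would: a plain-HTTP request must be redirected to https://, and the HTTPS response must carry an HSTS header with a long enough max-age, includeSubDomains and preload. The sample responses and the host bank.example are constructed; the one-year max-age threshold is a chosen policy, not a protocol requirement.

```python
REDIRECT_CODES = {301, 302, 303, 307, 308}


def parse_hsts(value: str) -> dict:
    """Split a Strict-Transport-Security value into lower-cased directives."""
    directives = {}
    for token in value.split(";"):
        token = token.strip()
        if not token:
            continue
        name, _, val = token.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def evaluate_response(url: str, status: int, headers: dict,
                      min_max_age: int = 31536000) -> list:
    """Return findings describing why this response leaves a client exposed
    to SSL stripping; an empty list means nothing was found."""
    findings = []
    h = {k.lower(): v for k, v in headers.items()}
    if url.lower().startswith("http://"):
        # Over plain HTTP only the redirect matters; browsers must ignore an
        # HSTS header received without TLS (RFC 6797).
        location = h.get("location", "")
        if status not in REDIRECT_CODES or not location.lower().startswith("https://"):
            findings.append("plain-HTTP request answered with content instead of "
                            "a redirect to https://")
        return findings
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header: a later http:// "
                        "visit can be kept on plain HTTP by an active attacker")
        return findings
    d = parse_hsts(hsts)
    max_age = d.get("max-age", "")
    if not max_age.isdigit():
        findings.append("HSTS max-age missing or malformed: browsers ignore the header")
    elif int(max_age) == 0:
        findings.append("max-age=0 clears any stored HSTS policy")
    elif int(max_age) < min_max_age:
        findings.append(f"max-age={max_age} is shorter than the {min_max_age}s "
                        "policy lifetime chosen here")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains absent: sibling hosts remain downgradable")
    if "preload" not in d:
        findings.append("preload absent: the first-ever visit still relies on "
                        "trust-on-first-use")
    return findings


# Constructed sample responses; not captured from any real site.
SAMPLES = {
    "no_redirect": ("http://bank.example/login", 200,
                    {"Content-Type": "text/html"}),
    "good_redirect": ("http://bank.example/login", 301,
                      {"Location": "https://bank.example/login"}),
    "tls_no_hsts": ("https://bank.example/login", 200,
                    {"Content-Type": "text/html"}),
    "tls_weak_hsts": ("https://bank.example/login", 200,
                      {"Strict-Transport-Security": "max-age=600"}),
    "tls_strong_hsts": ("https://bank.example/login", 200,
                        {"Strict-Transport-Security":
                         "max-age=31536000; includeSubDomains; preload"}),
}

if __name__ == "__main__":
    for name, (url, status, headers) in SAMPLES.items():
        print(name, evaluate_response(url, status, headers) or ["ok"])
```

The check deliberately separates the two halves of the defence: the redirect closes the window for users who type the bare host name, and the HSTS policy makes the browser refuse plain HTTP on later visits even when an attacker on the path rewrites every https:// link back to http://.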

Alice in User-Land: Hijacking the Linux Kernel via /dev/mem

Rootkits are commonplace in today’s threat landscape and increasingly
difficult to deal with for those responsible for keeping systems safe.
Kernel rootkits are especially difficult to detect and remove due to the
fact that they operate on the same level as the operating system itself, and
are thus able to intercept or subvert any operation made by the operating
system. With new techniques demonstrated in this talk, it is possible to
subvert the Linux kernel via direct code injection through /dev/mem, the
driver interface to physically addressable memory, instead of using kernel
modules to insert malicious code. This presentation will provide
understanding of emerging rootkit methodologies in the 2.6 linux kernel such
as locating important structures in the kernel, manipulating the memory
inside, and hijacking the system, all via /dev/mem along with practical
defensive countermeasures. Additionally, there will be a demonstration of a
proof of concept implementation of rootkit code that enables manipulation of
virtually anything your heart desires utilizing /dev/mem.
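On the countermeasure side, the practical question for an administrator is whether the running kernel still lets root reach arbitrary physical memory through /dev/mem. The added Python example below (not code from the talk) is a hardening check: it parses a kernel .config, reports the options that govern raw memory access (CONFIG_DEVMEM, CONFIG_STRICT_DEVMEM, CONFIG_IO_STRICT_DEVMEM, CONFIG_DEVKMEM and the lockdown LSM, all of which exist in mainline kernels but postdate the 2.6 kernels the talk targets to varying degrees) and inspects the device node's permissions. The two config fragments are constructed for the demonstration and do not describe any particular distribution kernel.

```python
import gzip
import os
import platform
import stat
from typing import Optional


def parse_kconfig(text: str) -> dict:
    """Turn kernel .config text into {option: value}; unset options map to 'n'."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("CONFIG_") and "=" in line:
            key, _, val = line.partition("=")
            opts[key] = val.strip('"')
        elif line.startswith("# CONFIG_") and line.endswith(" is not set"):
            opts[line[2:-len(" is not set")]] = "n"
    return opts


def assess_devmem(opts: dict) -> list:
    """Findings about raw physical-memory access from user space.
    CONFIG_DEVMEM is assumed 'y' when absent, because older kernels had no
    switch to drop /dev/mem at all."""
    findings = []
    if opts.get("CONFIG_DEVMEM", "y") == "n":
        return findings  # no /dev/mem node is built: nothing to inject through
    if opts.get("CONFIG_STRICT_DEVMEM") != "y":
        findings.append("CONFIG_STRICT_DEVMEM is off: root can read and write all "
                        "of RAM through /dev/mem, kernel text included")
    if opts.get("CONFIG_IO_STRICT_DEVMEM") != "y":
        findings.append("CONFIG_IO_STRICT_DEVMEM is off: MMIO ranges claimed by "
                        "drivers stay reachable through /dev/mem")
    if opts.get("CONFIG_DEVKMEM") == "y":
        findings.append("CONFIG_DEVKMEM is on: /dev/kmem exposes kernel virtual "
                        "memory as well")
    if opts.get("CONFIG_SECURITY_LOCKDOWN_LSM") != "y":
        findings.append("lockdown LSM not built: no runtime mode can close "
                        "/dev/mem on a running system")
    return findings


def check_devmem_node(path: str = "/dev/mem") -> list:
    """Live check of the device node's mode; empty list if absent or sane."""
    findings = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return findings
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        findings.append(f"{path} is world-accessible (mode {mode:04o})")
    if st.st_uid != 0:
        findings.append(f"{path} is not owned by root")
    return findings


def load_running_config() -> Optional[str]:
    """Read the running kernel's config where the distribution exposes it."""
    for path in ("/proc/config.gz", f"/boot/config-{platform.release()}"):
        try:
            if path.endswith(".gz"):
                with gzip.open(path, "rt") as f:
                    return f.read()
            with open(path) as f:
                return f.read()
        except OSError:
            continue
    return None


# Constructed config fragments; not taken from any real kernel build.
LEGACY_26_CONFIG = """
CONFIG_DEVKMEM=y
# CONFIG_STRICT_DEVMEM is not set
"""
HARDENED_CONFIG = """
# CONFIG_DEVMEM is not set
# CONFIG_DEVKMEM is not set
CONFIG_STRICT_DEVMEM=y
CONFIG_IO_STRICT_DEVMEM=y
CONFIG_SECURITY_LOCKDOWN_LSM=y
"""

if __name__ == "__main__":
    cfg = load_running_config()
    if cfg:
        print("running kernel:", assess_devmem(parse_kconfig(cfg)) or ["ok"])
    print("live node:", check_devmem_node() or ["ok"])
    print("legacy sample:", assess_devmem(parse_kconfig(LEGACY_26_CONFIG)))
```

Note what the check cannot tell you: once code has already been written into the kernel through /dev/mem, the kernel's own view of its memory is no longer trustworthy, so a config audit is a preventive control and must be paired with integrity measurement taken from outside the running system.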

VAASeline: VNC Attack Automation Suite

During network enumerations and pentests VNC servers are commonly found on
otherwise-secured systems. VNC servers can often be the subjects of weak or
blank passwords due to their presence as part of an organisation's 'Shadow
IT' infrastructure, thus not conforming to password or authentication
policies.

For these reasons, it was deemed preferable to have a generic method by
which VNC systems could have arbitrary command execution scripted against
them in an automated manner as part of a penetration test or vulnerability
scan using only the Remote Frame Buffer (RFB) protocol on which VNC is
built. While a seemingly simple task, due to the design of the RFB protocol,
it quickly becomes complex and you are left thinking 'it shouldn't be this
hard …. should it?' The reason for this from a programmatic perspective is
the blind nature of the protocol: mouse and keyboard events input,
framebuffer updates output. This makes input vectors very limited and
outcome of supplied input essentially invisible to scripts as it is
manifested as visual screen updates only.

The presentation discusses a generic method by which arbitrary commands can
be executed on a VNC server only through the use of standard RFB protocol
packet types, albeit through the inventive misuse of them.

In brief, a multi-step technique to use the clipboard of the target VNC
server along with an uploaded VBScript clipboard monitor and the
Client/ServerCutText RFB packet types as a crude RPC interface over which a
custom but extensible ASCII protocol has been implemented to allow
arbitrary, stateful actions to be taken on Win32 VNC servers using only the
RFB protocol.

A library written in python to allow the technique to be easily used has been
written and will be released under the LGPL license, along with the
presentation. In addition a number of other VNC attack tools based on the
same library will also be released, including:

   - Passive Clipboard Sniff: This allows the contents of the clipboards
   from both a VNC client and server to be grabbed off the wire by an attacker.
   - Active Clipboard Sniff: This allows the clipboard of a targeted VNC
   system to be monitored by an attacker who is able to authenticate to a VNC
   server.
   - VNC Auto Auth: This allows a VNC server utilising password
   authentication to have its password enumerated by either dictionary or brute
   force attacks.

These tools help an attacker to get into a position whereby he is able to
use the VNC RPC technique to take arbitrary scriptable actions on a target.

These tools can be easily scripted together to provide an entirely automated
VNC server enumeration, password discovery and attacker action across an
entire network as part of a penetration test.

Demonstrations of the tools, libraries and techniques will be shown in the
presentation.

Finally the techniques should be generally applicable to the Remote Desktop
Protocol also, although a library to support this is not ready for release
at this time.
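Because the technique rides entirely on the ClientCutText/ServerCutText message types, a network monitor in front of a VNC server has something concrete to look for: clipboard transfers that are unusually large or contain script text rather than ordinary copy/paste. The added Python example below (not code from the VAASeline library or the talk) walks a post-handshake client-to-server RFB 3.x byte stream using the fixed message layouts from RFC 6143, isolates ClientCutText payloads and flags the suspicious ones. The sample stream, the size threshold and the script markers are constructed for the demonstration; the server-to-client direction is left out because decoding it requires tracking framebuffer encodings.

```python
import struct

# Fixed-size RFB 3.x client-to-server messages (RFC 6143, section 7.5):
# SetPixelFormat (0), FramebufferUpdateRequest (3), KeyEvent (4), PointerEvent (5).
FIXED_LEN = {0: 20, 3: 10, 4: 8, 5: 6}
SET_ENCODINGS, CLIENT_CUT_TEXT = 2, 6

# Crude content signatures for script text arriving via the clipboard;
# constructed for this example, tune them to the environment.
SCRIPT_MARKERS = (b"CreateObject(", b"WScript.", b"cmd.exe", b"powershell")


def parse_client_messages(stream: bytes) -> list:
    """Split a post-handshake client->server byte stream into (type, raw) tuples."""
    messages, off = [], 0
    while off < len(stream):
        mtype = stream[off]
        if mtype in FIXED_LEN:
            size = FIXED_LEN[mtype]
        elif mtype == SET_ENCODINGS:
            # U8 type, U8 padding, U16 number-of-encodings, then S32 per encoding
            (count,) = struct.unpack_from(">H", stream, off + 2)
            size = 4 + 4 * count
        elif mtype == CLIENT_CUT_TEXT:
            # U8 type, 3 bytes padding, U32 length, then Latin-1 text
            (length,) = struct.unpack_from(">I", stream, off + 4)
            size = 8 + length
        else:
            raise ValueError(f"unknown client message type {mtype} at offset {off}")
        if off + size > len(stream):
            raise ValueError(f"truncated message type {mtype} at offset {off}")
        messages.append((mtype, stream[off:off + size]))
        off += size
    return messages


def flag_clipboard(messages: list, max_len: int = 1024) -> list:
    """Return (preview, reasons) for ClientCutText payloads that look like
    script delivery rather than ordinary copy/paste."""
    alerts = []
    for mtype, raw in messages:
        if mtype != CLIENT_CUT_TEXT:
            continue
        text = raw[8:]
        reasons = []
        if len(text) > max_len:
            reasons.append(f"{len(text)} bytes exceeds {max_len}")
        hits = [m.decode() for m in SCRIPT_MARKERS if m in text]
        if hits:
            reasons.append("script markers: " + ", ".join(hits))
        if reasons:
            alerts.append((text[:40].decode("latin-1"), reasons))
    return alerts


def client_cut_text(text: bytes) -> bytes:
    """Encode a ClientCutText message; used here only to build sample input."""
    return struct.pack(">BxxxI", CLIENT_CUT_TEXT, len(text)) + text


# Constructed sample stream: a key press, a pointer move, a harmless paste,
# and a paste carrying VBScript-looking text.
SAMPLE_STREAM = (
    struct.pack(">BBHI", 4, 1, 0, 0x61)        # KeyEvent: 'a' pressed
    + struct.pack(">BBHH", 5, 0, 10, 20)       # PointerEvent at (10, 20)
    + client_cut_text(b"quarterly report v2")
    + client_cut_text(b'Set fso = CreateObject("Scripting.FileSystemObject")\r\n')
)

if __name__ == "__main__":
    msgs = parse_client_messages(SAMPLE_STREAM)
    print([t for t, _ in msgs])
    for preview, reasons in flag_clipboard(msgs):
        print("ALERT", repr(preview), reasons)
```

The parser only works on sessions the monitor can see in the clear, which is the common case for classic VNC; the stronger fix remains the one the abstract implies, namely bringing "Shadow IT" VNC servers under the organisation's password policy or, better, behind authenticated tunnels.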

Fun and Games with Mac OS X and iPhone Payloads

Mac OS X continues to spread among users, and with this increased market
share comes more scrutinization of the security of the operating system. The
topics of vulnerability analysis and exploit techniques have been discussed
at length. However, most of these findings stop once a shell has been
achieved. This paper introduces advanced payloads which help to avoid
detection, avoid forensics, and avoid countermeasures used by the operating
system for both Mac OS X and iPhone. These payloads include Meterpreter and
userland-exec for forensics evasion and two iPhone payloads which work
against factory iPhones, despite the device's memory protections and code
signing mechanisms.

Passports Reloaded Goes Mobile

In 2006, BlackHat Las Vegas presented a cloned ePassport. In 2008 Elvis'
ePassport was found. This presentation will examine the different mechanisms
used in ePassport to prevent cloning and creation of electronic travel
documents with non-original content and ways to attack these mechanisms.
Additionally we dive into the process of integrating emulator chips in
existing travel documents. Also a new ePassport attack suite will be
presented, allowing you to backup your passport chip with a mobile phone.

A Cloud Security Ghost Story

This presentation rips apart the hype and "newfangledness" of Cloud Services
(IaaS, PaaS, SaaS etc) to expose the ghost in the machine. Just as the human
brain has grown, built upon earlier, more primitive brain structures, so it
is with the Cloud. With the advent of commercially available, pay-as-you-go
public Cloud services, CFOs are casting a weary eye to the CIO in
anticipation of joining the great infrastructure linedance in the sky.
Meanwhile, vendors are jockeying for position to "enable" the Enterprise
Cloud and Cloud brokers are trading excess compute capacity in data centers.
What does all this mean from a security point of view? What are the security
risks (and benefits)? Are you ready to face the ghosts in the Clouds?

Taming the Beast : Assess Kerberos-Protected Networks

Due to its universal support, to the fact that it is Microsoft's default and
that it provides for a real SSO solution, Kerberos is a pervasive
authentication protocol with a strong reputation of security. This talk will
cover some of the issues involved with attacking a Kerberized network both
under Unix and Microsoft Windows environment. It will review known yet
underestimated implementation limitations and study under which
circumstances they still lead to exploitable vulnerabilities. It will also
present new ones that enable to step in the targeted systems. We will show
how simple python codes implement those attacks. Finally, we will discuss
some of the protocol evolutions and study their potential consequences in
terms of security.
*and my personal favorite:*

WiShMaster - WIndows SHellcode MASTERy

Malicious codes have to be able to manipulate their own code in order to
implement some viral techniques, like executable infections, memory-only
execution or polymorphism.

Such manipulations are considerably simplified if the program comes in the
form of a shellcode. There are few solutions to obtain a shellcode: one is
to write source code in assembly, but it quickly becomes boring work.
Another is to write source code in C language in a specific way, so that
the compiled code doesn't contain any hardcoded address. However, writing C code
like this is very boring too, and it quickly appears that using an automatic
tool that generates "specific" code from "normal" code is indispensable.

WiShMaster is a tool that converts a set of C source files written
"normally" (the compilation of those source files produces an executable) and
generates a shellcode, that is a block of code without any hardcoded or
external reference and that can run in any process at any address. If
execution is redirected to its first byte, the shellcode will accomplish
exactly the same operation as the executable generated through normal
source compilation.

This transformation - called "shellcodisation" - opens lots of facilities:
quick implementation of advanced viral techniques, shellcodes'
redistribution etc.

WiShMaster's first release is available on my web site (
http://benjamin.caillat.free.fr/wishmaster.php)

Full source:
http://www.blackhat.com/html/bh-europe-09/bh-eu-09-speakers.html

-- 
www.obnosis.com (503)754-4452
"Contradictions do not exist." A. Rand