2009 BlackHat Europe really delivered! *Various items submitted included OpenOffice [a clone of an insecure program is still insecure]:* OpenOffice Security Design Weaknesses Document malware exists for Microsoft Office: the sadly known macro-viruses which still represent a numeric nuisance nowadays. The recent evolution of office suite towards free software - providing a high compatibility with existing office software – makes it very necessary to determine and evaluate the exact level of risk of the OpenOffice suite with respect to document malware, This paper presents an up to date in-depth evaluation of its security (release 3.0.x) based on the results established since 2006 and 2007. All those results as well as the different sources codes of our attacks have been communicated to the OpenOffice developers group in order to help them to correct the identified security weaknesses and thus enhance the overall security of the OpenOffice suite around the concept of Trusted OpenOffice suite. While this suite has been developed towards more and more easy-to-useness, the overall security has not been modified at all since. Worrying security weaknesses that have been identified since can still be exploited. They still may be used by malware to spread through innocuous-looking documents by exploiting the feeling of trust based on encryption and digital signature. At the present time, it seems far easier to develop sophisticated document malware for OpenOffice than for Microsoft Office. It is worth mentionning that the attacks we present are NOT based on software (implementation) flaws but on conceptual weaknesses that urge a redesign of the whole software concept. Finally this paper will discuss the pros and cons of both open and proprietary solutions, on a purely technical basis, as far as security is concerned. There is no such thing as a perfect solution. Therein lies all the complexity of doing computer security. *For those of you who think that a good TCP/IP IPTABLES router will suffice (you are passing DNS packets?):* All Your Packets Are Belong to Us - Attacking Backbone Technologies The year 2008 has seen some severe attacks on infrastructure protocols (SNMP, DNS, BGP). We will continue down that road and discuss potential and real vulnerabilities in backbone technologies used in today's carrier space (e.g. MPLS, Carrier Ethernet, QinQ and the like). The talk includes a number of demos (like cracking BGP MD5 keys, redirecting MPLS traffic on a site level and some Carrier Ethernet stuff) all of which will be performed with a new tool kit made available at the con. It's about making the theoretical practical, once more! Stripping SSL To Defeat HTTPS In Practice This presentation will detail Moxie's SSL stripping technique, designed to side-step SSL as it is deployed in common web applications such as online banking and secure web logins. Additionally, there will be some discussion into possible mitigating patterns and solutions that have been proposed, as well as a look into what effect this technique might be having in the wild. Alice in User-Land: Hijacking the Linux Kernel via /dev/mem Rootkits are commonplace in today’s threat landscape and increasingly difficult to deal with for those responsible for keeping systems safe. Kernel rootkits are especially difficult to detect and remove due to the fact that they operate on the same level as the operating system itself, and are thus able to intercept or subvert any operation made by the operating system. With new techniques demonstrated in this talk, it is possible to subvert the Linux kernel via direct code injection through /dev/mem, the driver interface to physically addressable memory, instead of using kernel modules to insert malicious code. This presentation will provide understanding of emerging rootkit methodologies in the 2.6 linux kernel such as locating important structures in the kernel, manipulating the memory inside, and hijacking the system, all via /dev/mem along with practical defensive countermeasures. Additionally, there will be a demonstration of a proof of concept implementation of rootkit code that enables manipulation of virtually anything your heart desires utilizing /dev/mem. VAASeline: VNC Attack Automation Suite During network enumerations and pentests VNC servers are commonly found on otherwise-secured systems. VNC servers can often be the subjects of weak or blank passwords due to their presence as part of an organisation's 'Shadow IT' infrastructure, thus not conforming to password or authentication policies. For these reasons, it was deemed preferable to have a generic method by which VNC systems could have arbitrary command execution scripted against them in an automated manner as part of a penetration test or vulnerability scan using only the Remote Frame Buffer (RFB) protocol on which VNC is built. While a seemingly simple task, due to the design of the RFB protocol, it quickly becomes complex and you are left thinking 'it shouldn't be this hard …. should it?' The reason for this from a programmatic perspective is the blind nature of the protocol: mouse and keyboard events input, framebuffer updates output. This makes input vectors very limited and outcome of supplied input essentially invisible to scripts as it is manifested as visual screen updates only. The presentation discusses a generic method by which arbitrary commands can be executed on a VNC server only through the use of standard RFB protocol packet types, albeit through the inventive misuse of them. In brief, a multi-step technique to use the clipboard of the target VNC server along with an uploaded VBScript clipboard monitor and the Client/ServerCutText RFB packet types as a crude RPC interface over which a custom but extensible ASCII protocol has been implemented to allow arbitrary, stateful actions to be taken on Win32 VNC servers using only the RFB protocol. A library written in python to allow the technique to be easily used has be written and will be released under the LGPL license, along with the presentation. In addition a number of other VNC attack tools based on the same library will also be released, including: - Passive Clipboard Sniff: This allows the contents of the clipboards from both a VNC client and server to be grabbed off the wire by an attacker. - Active Clipboard Sniff: This allows the clipboard of a targeted VNC system to be monitored by a n attacker who is able to authenticate to a VNC server. - VNC Auto Auth: This allows a VNC server utilising password authentication to have its password enumerated by either dictionary or brute force attacks. These tools help an attacker to get into a position whereby he is able to use the VNC RPC technique to take arbitrary scriptable actions on a target. These tools can be easily scripted together to provide an entirely automated VNC server enumeration, password discovery and attacker action across an entire network as part of a penetration test. Demonstrations of the tools, libraries and techniques will be shown in the presentation. Finally the techniques should be generally applicable to the Remote Desktop Protocol also, although a library to support this is not ready for release at this time. Fun and Games with Mac OS X and iPhone Payloads Mac OS X continues to spread among users, and with this increased market share comes more scrutinization of the security of the operating system. The topics of vulnerability analysis and exploit techniques have been discussed at length. However, most of these findings stop once a shell has been achieved. This paper introduces advanced payloads which help to avoid detection, avoid forensics, and avoid countermeasures used by the operating system for both Mac OS X and iPhone. These payloads include Meterpreter and userland-exec for forensics evasion and two iPhone payloads which work against factory iPhones, despite the deviceʼs memory protections and code signing mechanisms. Passports Reloaded Goes Mobile In 2006, BlackHat Las Vegas presented a cloned ePassport. In 2008 Elvis' ePassport was found. This presentation will examine the different mechanisms used in ePassport to prevent cloning and creation of electronic travel documents with non-original content and ways to attack these mechanisms. Additionally we dive into the process of integrating emulator chips in existing travel documents. Also a new ePassport attack suite will be presented, allowing you to backup your passport chip with a mobile phone. A Cloud Security Ghost Story This presentation rips apart the hype and "newfangledness" of Cloud Services (IaaS, PaaS, SaaS etc) to expose the ghost in the machine. Just as the human brain has grown, built upon earlier, more primitive brain structures, so it is with the Cloud. With the advent of commercially available, pay-as-you-go public Cloud services, CFOs are casting a weary eye to the CIO in anticipation of joining the great infrastructure linedance in the sky. Meanwhile, vendors are jockeying for position to "enable" the Enterprise Cloud and Cloud brokers are trading excess compute capacity in data centers. What does all this mean from a security point of view? What are the security risks (and benefits)? Are you ready to face the ghosts in the Clouds? Taming the Beast : Assess Kerberos-Protected Networks Due to its universal support, to the fact that it is Microsoft's default and that it provides for a real SSO solution, Kerberos is a pervasive authentication protocol with a strong reputation of security. This talk will cover some of the issues involved with attacking a Kerberized network both under Unix and Microsoft Windows environment. It will review known yet underestimated implementation limitations and study under which circumstances they still lead to exploitable vulnerabilities. It will also present new ones that enable to step in the targeted systems. We will show how simple python codes implement those attacks. Finally, we will discuss some of the protocol evolutions and study their potential consequences in terms of security. * and my personal favorite:* WiShMaster - WIndows SHellcode MASTERy Malicious codes have to be able to manipulate their own code in order to implement some viral techniques, like executable infections, memory-only execution or polymorphism. Such manipulations are considerably simplified if the program comes in the form of a shellcode. There are few solutions to obtain a shellcode: one is to write source code in assembly, but it quickly becomes a boring work. Another is to write source code in C language in a specific way, so that compiled code doesn't contain any hardcoded address. However, writing C code like this is very boring too, and it quickly appears that using an automatic tool that generates "specific" code from "normal" code is indispensable. WiShMaster is a tool that converts a set of C source files written "normally" (the compilation of those source files produce an executable) and generates a shellcode, that is a block of code without any hardcoded or external reference and that can run in any process at any address. If execution is redirected to its first byte, the shellcode will accomplish exactly the same operation than the executable generated through normal sources compilation. This transformation - called "shellcodisation" - opens lots of facilities: quick implementation of advanced viral techniques, shellcodes' redistribution etc. WiShMaster first release is available on my web site ( http://benjamin.caillat.free.fr/wishmaster.php) Full source: http://www.blackhat.com/html/bh-europe-09/bh-eu-09-speakers.html -- www.obnosis.com (503)754-4452 "Contradictions do not exist." A. Rand