CanSecWest 2010

Wed 31 March 2010 by jj

We had the chance to assist to the CanSecWest 2010 IT security conference, which took place as every year in Vancouver, Canada.

This is a summary of the conferences we could attend to.

Internet Nails The first day started with a great rant of Marcus Ranum on how most of today's considerable security efforts are follow-ups to quite simple conception mistakes done on the first internet protocol designs. Like the FTP, which needs a complex connection tracking at firewall level, which could have been quite easily have been rewritten to use a single TCP connection. The other emblematic exemple is HTTP, which at the time it was designed to use short-lived single-request stateless connections, to accomodate the fixed size socket table in the early BSDs. Nowadays complex web frameworks are needed to recreate a stateful context that could have been achieved by simply using long-lived TCP connections.

Under the Kimono of Office Security Engineering It was followed by the Office Security team at Microsoft. They described the environment they put in place to run fuzzing tests against the whole Office suite, using computing power taken from idle developper computers. They put in place a whole architecture to be able to follow and control the full machine park using a centralized server, which could schedule tests to run on different machines and get the results back, including redundant tests and regression tests. This allowed to find (to date) around 2000 bugs in Office 2010, which were all fixed. The exploitability of those bugs was not checked however, the focus was more on a crash-free user experience than a pure security point of view.

Automated SQL Ownage Techniques Next came Fernando Russ from Core, who described a web pentesting framework to find SQL injections without user intervention. The framework is based on a first fuzzing-like pass, to find valid input methods (url parameter names, etc). Such inputs are then tested for SQL injection vulnerability, by setting their value to a fault-generating value, eg a quote, and comparing the resulting page received from the server against the standard page. After that, the nature of the fault is guessed by trial and error, to test if the variable is used for exemple in a SQL string parameter. Then the database engine is checked using eg mysql-specific constructs to determine if the server backend is mysql. It is finally possible to run arbitrary SQL statements, using another Core engine that can translate such statements into sql-injection type queries and extract their result.

Can you still trust your network card? The last presentation of the day was from Loic Duflot and Yves-Alexis Perez (French ANSSI). They showed their work on the remote management software embedded in Broadcom's NetExtreme network interface controller, where they were able to find a program flaw. That software runs on a MIPS chip on the card, independantly of the main processor (in fact it even runs when the PC is shut down, in order to handle wake-on-lan style features). The flaw they found is a simple stack overflow, that can be triggered remotely with a single packet for any card that has the remote management feature activated. Exploiting this flaw allows them to run arbitrary code on the embedded processor, which can be in itself a valuable target ; but the NIC is also a PCI device, it has DMA capabilities, which means that it can access arbitrary memory on the host computer (unless the host uses IOmmu, which is not the case of any major OS at the moment). They had two demos : the first one was a demonstration of the debugger they had to write to qualify the bug they found. It is console-based, and uses a special memory mapping on the host OS that allows to interract with the embedded device memory and registers. The second demo was the actual attack. In the first part they sent a few packets to the network card, which exploited the flaw using a payload that would allow them to map arbitrary network packets directly onto the memory of the host OS ; they then sent a specially-crafted packet that was thus mapped, and launched a root command-prompt on the target GNU/Linux system. The same thing would have been possible with a Windows-based host OS. Another thing they could have done, once they got control of the network card, would be to make the host computer reboot, and force it to boot on PXE (eg the network), which would allow a very simple takeover of the machine. A very interesting (and quite a bit scary) talk. The particular flaw they used was reported to the vendor, and a patch issued, so go update !

SEH overwrite and its exploitability The second day started with Shuichiro Suzuki (1440) presenting the generic structured exception handling overwrite exploitation method, which is commonly used on Windows-based systems during the exploitation of stack overflows.

There's a party at ring0, and you're invited. He was followed by Julien Tinnes and Tavis Ormandy, of the Google security team. They made a clear review of the major security flaws that have been found in various operating system core code (eg ring 0 code) in the last 10 years, with many technical details of the challenges they had to overcome to exploit some of them, which are quite different from the usual userland flaws found in application software. The talk also included some of the generic mitigation technologies that may be used to reduce the impact of such flaws, such as the latest (and upcoming) features of the PaX linux kernel hardening patch. Most of those features implement radical changes in the implementation of the kernel, with mostly unnoticeable user-visible change, to make whole classes of vulnerabilities non exploitable.

Babysitting an army of monkeys: an analysis of fuzzing 4 products with 5 lines of Python Charlie Miller made a quite entertaining talk on how he was able to find many bugs in (we thought) well-audited code, such as the Adobe PDF Reader, and the Microsoft Office suite. Its methodology consisted in downloading as much as possible files from the internet, and running a code-coverage tool to identify a subset of them that would access the same codepaths in the parsing/rendering software. From this subset, he ran a trivial fuzzer (change a random byte of the file to a random value), and loaded each file in turn, waiting for crashes. The bugs would then be classified using different tools : Valgrind, the !exploitable command from the windbg, and third that I can't remember. The net result is that he was able to find around 10 interesting bugs by running its fuzzer 3 weeks, and running it more time would certainly have gotten him more results, as he had not yet reached the asymptotic limit of the fuzzing process. I think he used one of those flaws to win the pwn2own prize for the MacOS/Safari target.

ShareREing is Caring After lunch, the Zynamics team of Halvar Flake introduced their new production, BinCrowd. This is a collaborative website for reverse-engineers, where they can share disassembly listings, and make annotations on code or modifications that will be visible to other people working on the same or similar binaries. It is still in its early stages, but seems to be compatible with many products and provide features that are not (at least publicly) available anywhere else.

Cisco IOS Exploitation with IODIDE The next speaker, Andy Davis, made a demonstration of a graphical debugger for Cisco IOS. It was developped internally to work on code vulnerabilities that were identified in some of those products, and the author expects to be able to publish the tool later this year once he has the legal department's approval.

Random tales from a mobile phone hacker He was followed by Collin Mulliner, who made some extensive research using his own website on the various privacy leaks from mobile phone-based web browsing. He discovered that most of the phone providers' border web proxies do add various identification tags in the HTTP headers of outgoing requests. Some of them leak information on the current subscription level of the client, whereas others include altogether the phone number, the IMEI number (phone unique identifier) and/or the ISEI (sim card unique identifier). This behavior seems very different depending on the operator, and the actual HTTP header name they use also varies, making it difficult to acquire those informations from varied sources without manual intervention. He also noted that this kind of information was not added for high-end devices with full-featured web browsers (iphone, android).

Legal Perspectives of Hardware Hacking Finally Jennifer Granick, lawyer for the EFF, made a very interesting talk on the legal aspects of reverse engineering, especially on hardware devices. To summarize one of the key points, the goal of the reverse-engineering effort must be very clear from the beginning of the project, and the final result should be a new software that does not use any code from the original source. The reverse-engineering work must be necessary and only temporarily used for the creation of the new software, and not be used for anything else. In this situation, you may avoid going to jail. The talk was focused on US laws, which should be similar to what is found in other countries (eg in Europe) -- or not. The talk also raised some interesting questions on EULA-style contracts, which would be too hard to write down here, and many other aspects on interoperability and reverse-engineering.

Lightning Talks The lightning talk session was very short, with only about 5 speakers registered, but it included a nice guitar solo from some Microsoft guy in support for the patch tuesdays.

Stuff we don't want on our Phones: On mobile spyware and PUPs The final day started with Jimmy Shah (McAfee), who made a list of various malware that may be found on mobile devices.

Practical Exploitation of Modern Wireless Devices After that, Thorsten Schroeder and Max Moser (Dreamlab Technologies) presented a very nice open device (incl software and PCB blueprint) allowing to intercept and inject packets into the custom protocol used by wireless keyboards. The device includes support for the 'encryption' used on high-end keyboards (eg Microsoft), the encryption scheme in this case being a weak 1-byte xor operation. The device can work up to a few meters of the source. The slides contains all the little details of the protocols, the packet format, etc. The presentation was concluded with a demo of injecting the dreaded 'win+r cmd' on a target computer, thus spawning a remote shell (kind of).

RFID Hacking at Home The following talk stayed in the same vein of hardware devices, this time on RFID. Melanie Rieback (Vrije univ., AMS) came to show the RFID Guardian, which is a hardware device that can both receive and send rfid messages. The board is quite complete, with many parts such as a touchscreen, an FPGA chip, etc. The intent is to provide a very versatile programmable device, able to selectively jam RFID transmissions occuring in its neighborhood. The specs are freely accessible from the website, and a pre-built devices should be available soon for purchase. The device itself is PDA-sized and battery-powered, and even if the current usage seems to need a very good knownledge of the specific RFID tags you're playing with, it may become a very useful privacy tool once pre-build rulesets are available.

Advanced Mac OS X Physical Memory Analysis The afternoon was animated by Matthieu Suiche who made a demonstration of the tool he wrote to do forensic investigations on MacOSX-based computers, from a raw physical memory dump. The offline tool can rebuild the full kernel virtual address space, and from there list processes, open files, kernel modules, mappings, etc. It allows interactive navigation among those, and has an on-demand loading of the data, which makes it very responsive. Also, the color scheme is awesome.

Full Process Analysis and Reconstitution of a Virtual Machine from the Native Host James Buttles (Mandiant) followed with his own tool. This one targets Windows systems that runs inside a virtual machine manager, and uses the VMM facilities to grab the live physical memory of the guest OS ; it also handles the swap file. The virtualisation engines supported are VMWare and the Xen hypervisor, running any Windows guest (including 64-bits versions). The GUI allows enumerating processes, modules, handles etc ; and it includes a small scripting feature, that was used in the demo to find all RWX mappings in the live process list. A dump of such a mapping that was found in svchost revealed a meterpreter library loaded into the service manager address space, which showed that the guest OS had been compromised using the metasploit framework.

Through the Looking Glass: An Investigation of Malware Trends and Response Activity Next came a quick overview of an operation to shut down a large botnet, in which part Microsoft took part (this particular subject was already the subject of a lightning talk the previous day).

The Jedi Packet Trick takes over the Deathstar: taking NIC backdoors to the next level The conference was concluded by a remote conference of Arrigo Triulzi, who expressed his willingness to work further on NIC firmware remote compromission (as in Loic's talk). His goal would be to compromise such a device inside a router/firewall, use it as a pivoting point to take control of another NIC in the same computer using the PCI bus, and finally make them cooperate to forward packets to one another (and to the network) without any cooperation from the host CPU, thus bypassing any routing/firewall rules put in place by the network administrator.

The very nice conference, with many interesting talks, and lots of security gurus from all around the world can only let us hope that we'll be able to go back there for next year's venue !