INSIGHTS | July 16, 2012

The Value of Data

Have you ever entered an office and seen a pile of money sitting unattended and easily accessible on a desk? How many people in your company have a key or combination to a safe with money inside and can open that safe without any controls? Do you leave money in a non-secure place that everyone knows about and can freely access?

Your probable answer to all these questions is NO, which makes sense—what doesn’t make sense is how so many companies don’t think the same way about data. I think data is worth a lot of money if you consider how important it is in terms of cost to the company: cost when it’s stolen, cost when it’s not available, et cetera. Data deserves to be protected as if it were money, but most of it is freely available by way of corporate databases; once you access the database you can play with the data at will, bypassing only modest controls or restrictions.
Of course you need a username and password to make the initial connection or exploit a SQL injection vulnerability (for example), but we all know it’s not that difficult to get access, as shown by recent events. A lot of user passwords have been leaked, obtained from successfully-hacked companies that apparently didn’t protect their data properly and, as a result, put their business at serious risk.
The main cause of data breaches is an improperly-secured database. Unfortunately, when it comes to database security, most companies are ages away from doing it properly.
For example, if the statement used to access a table is always:
Select * from user_accounts where user_email = X
why would you let anyone execute the following SQL statement:
Select * from user_accounts
Why not use stored procedures exclusively and remove all direct access to tables? Why not set alerts to trigger when common SQL injection-related errors occur? Why not monitor the database in real time to detect suspicious activities? Why not create a table named “important_data_is_here” and fire all the alarms when someone tries to access it?
Database servers don’t have advanced security features, but there are numerous third-party solutions that do—Database Activity Monitoring (DAM: a kind of database IPS) being one example—and a very small percentage of companies are using them. This isn’t just about using a DAM product (which won’t solve all your problems anyway), but it does provide a good start, allowing you to know in “real time” whether someone is digging around and playing with your databases.  
If you don’t want to spend money on third-party solutions, there are ways to build a customized DAM using database-provided functionality: creating alerts on specific actions, setting custom permissions on different database objects, monitoring and analyzing logs, creating a database honeypot, and querying and analyzing system tables. However, when you have dozens (or hundreds) of databases, the difficulty level increases quickly and you’ll need database security-savvy personnel in place.
I’ve researched database security for more than 10 years and have seen database software vendors seriously improve the security of their products, but I have yet to see noticeable improvements at the company level—as indicated by all the breaches we know and don’t know about—corporations still don’t seem to get that data is money.
INSIGHTS | June 28, 2012

Inside Flame: You Say Shell32, I Say MSSECMGR

When I was reading the CrySyS report on Flame (sKyWIper)[1], one paragraph, in particular, caught my attention:
 
In case of sKyWIper, the code injection mechanism is stealthier such that the presence of the code injection cannot be determined by conventional methods such as listing the modules of the corresponding system processes (winlogon, services, explorer). The only trace we found at the first sight is that certain memory regions are mapped with the suspicious READ, WRITE and EXECUTE protection flags, and they can only be grasped via the Virtual Address Descriptor (VAD) kernel data structure
 
So I decided to take a look and see what kind of methods Flame was using.
Flame is conceived to gather as much information as possible within heterogeneous environments that can be protected by different solutions, isolated at certain levels, and operated upon by different profiles. This means that, from the developers’ point of view, you can’t assume anything and should be prepared for everything.
Some of the tricks implemented in Flame seem to focus just as much on bypassing AV products, specifically their heuristics. A distributed “setup” functionality spread across three different processes (winlogon, explorer, and services) is far more confusing than letting a single, trusted process do the job; i.e., it’s less suspicious to see Internet Explorer launched from explorer.exe than from winlogon.
In essence, the injection method seems to pivot around the following three key features:
· Disguise the malicious module as a legitimate one; Shell32.dll in this case.
· Bypass common registration methods supplied by the operating system, such as LoadLibrary, to avoid being detected as an active module.
· Achieve the same functionality as a correctly-registered module.
 
So, let’s see how Flame implements it.
During the initial infection when DDEnumCallback is called, Flame injects a blob and creates a remote thread in Services.exe. The blob has the following structure:
 
The loader stub is a function that performs the functionality previously described: basically a custom PE loader that’s similar to the CryptoPP dllloader.cpp[2] with some additional tricks.
 

The injection context is a defined structure that contains all the information the loader stub may need including API addresses or names, DLL names, and files—in fact, the overall idea reminded me of Didier Stevens’ approach to generating shellcodes directly from a C compiler[3]

Injection Context: Blob + 0x710

 
 
 

API Addresses:

esi      OpenMutexW
esi+4    VirtualAlloc
esi+8    VirtualFree
esi+0Ch  VirtualProtect
esi+10h  LoadLibraryA
esi+14h  LoadLibraryW
esi+18h  GetModuleHandleA
esi+1Ch  GetProcAddress
esi+20h  memcpy
esi+24h  memset
esi+28h  CreateFileMappingW
esi+2Ch  OpenFileMappingW
esi+30h  MapViewOfFile
esi+34h  UnmapViewOfFile
esi+38h  ReleaseMutex
esi+3Ch  NtQueryInformationProcess
esi+40h  GetLastError
esi+44h  CreateMutexW
esi+48h  WaitForSingleObject
esi+4Ch  CloseHandle
esi+50h  CreateFileW
esi+54h  FreeLibrary
esi+58h  Sleep
esi+5Ch  LocalFree
The loader stub also contains some interesting tricks.

 

Shell32.dll: A matter of VAD

To conceal its own module, Flame hides itself behind Shell32.dll, which is one of the largest DLLs you can find on any Windows system, meaning it’s large enough to hold Flame across different versions.
 
 
 
Once shell32.dll has been mapped, a VAD node is created that contains a reference to the FILE_OBJECT, which points to Shell32.dll. Flame then zeroes that memory and loads its malicious module through the custom PE loader, copying sections, adjusting permissions, and fixing relocations.
 
 
 
As a result, those forensics/AntiMalware/AV engines walking the VAD tree to discover hidden DLLs (and not checking images) would be bypassed since they assume that memory belongs to Shell32.dll, a trusted module, when it’s actually mssecmgr.ocx.
The stub then calls DllEntryPoint, passing in DLL_PROCESS_ATTACH to initialize the DLL.
 
 
 
The malicious DLL has now been initialized, but remember that it isn’t registered properly, so it cannot receive the remaining events such as DLL_THREAD_ATTACH, DLL_THREAD_DETACH, and DLL_PROCESS_DETACH.
And here comes the final trick:
 
 
 
msvcrt.dll is loaded up to five times, which is a little bit weird, no?
Then the PEB InLoadOrder structure is traversed to find the entry that corresponds to msvcrt.dll by comparing the DLL base addresses:
 
 
 
Once found, Flame hooks this entry point:
 
 
 
InjectedBlock1 (0x101C36A1) is a small piece of code that basically dispatches the events received to both the malicious DLL and the original module.
The system uses this entry point to dispatch events to all the DLLs loaded in the process; as a result, by hooking into it Flame’s main module achieves the goal of receiving all the events other DLLs receive. Therefore, it can complete synchronization tasks and behaves as any other DLL. Neat.
I assume that Flame loads msvcrt.dll several times to increase its reference count to prevent msvcrt.dll from being unloaded, since this hook would then become useless.
See you in the next post!
INSIGHTS |

Thoughts on FIRST Conference 2012

I recently had the opportunity to attend the FIRST Conference in Malta and meet Computer Emergency Response Teams from around the world. Some of these teams and I have been working together to reduce the internet exposure of Industrial Control Systems, and I met new teams who are interested in the data I share. For those of you who do not work with CERTs, FIRST is the glue that holds together the international collaborative efforts of these teams—they serve as both an organization that makes trusted introductions, and vets new teams or researchers (such as myself).

It was quite an honor to present a talk to this audience of 500 people from strong technical teams around the world. However, the purpose of this post is not my presentation, but rather to focus on all of the other great content that can be found in such forums. While it is impossible to mention all the presentations I saw in one blog post, I’d like to highlight a few.
A session from ENISA and RAND focused on the technical and legal barriers to international collaboration between National CERTs in Europe. I’m interested in this because during the process of sharing my research with various CERTs, I have come to understand they aren’t equal, they’re interested in different types of information, and they operate within different legal frameworks. For example, in some European countries an IP address is considered private information and will not be accepted in incident reports from other teams. Dr. Silvia Portesi and Neil Robinson covered a great wealth of this type of material in their presentation and report, which can be found at the following location:
In the United Kingdom, this problem has been analyzed by Andrew Cormack, Chief Regulatory Advisor at Janet. If I recall correctly, our privacy model is far more usable in this respect, and Andrew explained it to me like this:
If an organization cannot handle private data to help protect privacy (which is part of its mission), then we are inhibiting the mission of the organization with our interpretation of the law.
This is relevant to any security researcher who works within incident response frameworks in Europe and who takes a global view of security problems.
Unfortunately, by attending this talk—which was directly relevant to my work—I had to miss a talk by Eldar Lillevik and Marie Moe of the NorCERT team. I had wanted to meet with them regarding some data I shared months ago while working in Norway. Luckily, I bumped into them later and they kindly shared the details I had missed; they also spent some of their valuable time helping me improve my own reporting capabilities for CERTs and correcting some of my misunderstandings. They are incredibly knowledgeable people, and I thank them for both their time and their patience with my questions.
Of course, I also met with the usual suspects in ICS/Smart Grid/SCADA security: ICS-CERT and Siemens. ICS-CERT was there to present on what has been an extraordinary year in ICS incident response. Of note, Siemens operates the only corporate incident response team in the ICS arena that’s devoted to their own products. We collectively shared information and renewed commitments to progress the ICS agenda in Incident Response by continuing international collaboration and research. I understand that GE-CIRT was there too, and apparently they presented on models of Incident Response.
Google Incident Response gave some excellent presentations on detecting and preventing data exfiltration, and network defense. This team impressed me greatly: they presented as technically-savvy, capable defenders who are actively pursuing new forensic techniques. They demonstrated clearly their operational maturity: no longer playing with “models,” they are committed to holistic operational security and aggressive defense.
Austrian CERT delivered a very good presentation on handling Critical Infrastructure Information Protection that focused on the Incident Response approach to critical infrastructure. This is a difficult area to work in because standard forensic approaches in some countries—such as seizing a server used in a crime—aren’t appropriate in control system environments. We met later to talk over dinner and I look forward to working with them again.
Finally, I performed a simple but important function of my own work, which comprises meeting people face-to-face and verifying their identities. This includes our mutually signing crypto-keys, which allows us to find and identify other trusted researchers in case of an emergency. Now that SCADA security is a global problem, I believe it’s incredibly important (and useful) to have contacts around the world with which IOActive already shares a secure channel.
INSIGHTS | June 13, 2012

Old Tricks, New Targets

Just a few days ago, Digitalbond announced that they had been victims of a spear phishing attack. An employee received an email linking to a malicious zip file posing as a legitimate .pdf paper related to industrial control systems security. The bait used by the attackers was therefore supposedly attracting targets somehow involved with the ICS community.

INSIGHTS | June 6, 2012

Summercon 2012

Hi Everyone,
Chris Valasek guest blogging here at IOActive. I just wanted to tell everyone a little bit about my involvement with Summercon and what to expect at the conference. Although I’m one of the current organizers (along with Mark Trumpbour @mtrumpbour), I’m obviously not the originator, as it started many years back (1987, I believe) as detailed in the most recent Phrack magazine.


I started attending in 2000 when it was in Atlanta, GA and had a fantastic time. Over the years, the conference has changed and organizational efforts have varied, as running a conference is quite subjective and provides little utility (at times). Around 2006, the changing of the guard happened once again, leaving Mark and me the new organizers of the con. Like others that came before us, we put our own touch on the conference and have probably strayed further from the original than any before us.

 

While the talks are still the main attraction, the ability to meet people and have a good time is really what we want it to be all about. Many of us live in a world without much social interaction. The purpose of Summercon, in my opinion, is to provide an event that promotes social interaction of people with similar but varying backgrounds. If you really want to learn about the material being presented on, then you will take the time to review the content and figure out its purpose after the presentation. The ability to talk to others about your ideas and thoughts, regardless of their relevance to computer security, is the main benefit of gathering in a centralized location.

 

With that being said, I really do think we have a fantastic line-up of speakers this year that will promote stimulating conversation throughout the weekend (https://www.summercon.org/). Whether you’re interested in Android hacking, instrumentation, or reverse engineering, I think you’ll be happy with the speakers this year (and every year for that matter!).

 

Lastly, I’d like to talk a bit about sponsorship. Although we feel that we had to ‘sell-out’ a bit by acquiring sponsors, it does facilitate having many more people attend and present at Summercon. I want to remind everyone that we’re not out to make a profit, but to throw the best party we can. By having sponsors, such as IOActive, we can ensure that speakers don’t have to pay their own way and attendees can have a blast learning something while making new friends.

 

cv
P.S. We have big plans for next year, so follow @SummerC0n on twitter for more information.
INSIGHTS | May 24, 2012

QR Fuzzing Fun

QR codes [1] have become quite popular due to their fast readability and large storage capacity. It is very easy to find QR codes anywhere these days, encoding information such as a URL, phone number, vCard, etc. There are tons of smartphone apps that are able to read / scan QR codes.

 
 
The table below shows some of the most common apps and libraries for the major mobile platforms – keep in mind that there are many more apps than listed here.
 
Platform: Popular QR Apps / Libraries
Android: Google Goggles, ZXing, QRDroid
iOS: ZXing, ZBar
BlackBerry: App World
Windows Phone: Bing Search App, ZXlib

QR codes are very interesting for attackers because they can store a large quantity of information, from under 1000 up to 7000 characters, which is perfect for a malicious payload; QR codes can also be encrypted and used for security purposes. There are malicious QR codes that abuse permissive app permissions to compromise system and user data; this attack is known as “attagging”. QR codes can also be used as an attack vector for DoS, SQL Injection, Cross-Site Scripting (XSS), and information-stealing attacks, among others.
 
I have been pentesting apps that support QR codes lately, so I thought it would be a good idea to fuzz this feature looking for bugs. I developed a tool for QR fuzzing called IOAQRF (beta phase) that is quite easy to use and modify in case you need to add something else.

This tool is composed of two files: a Python file that generates QR fuzz patterns and a shell script that can be used to generate common QR code content that apps use, such as phone numbers, SMS, and URLs. Previous work has been done on this field [2] [3] but more can be researched for sure! Enjoy the fuzzing!
 
 
Links
 
 
IOAQRF directory output

Opening index.html with fuzz QR codes
 
INSIGHTS | May 22, 2012

ST19XL18P – K5F0A Teardown

A 4-metal, 350-nanometer-process, EAL4+ smart card. The device was fabricated in 2002, and yet the only main differences in today’s latest ST19W/N series are the ROM data bus output width into the decrypt block and the fabrication process (180nm and 150nm shrinks).

The device was dipped into a hydrofluoric (HF) bath until the active shielding fell off. This saved about 10 minutes of polishing to remove the surface oxide and Metal 4 (M4), and it also helps begin the polishing of the lower layers fairly evenly.

Once the passivation oxide is removed, the oxide of each layer takes less than 2 minutes to remove. We purposely stop just before the Metal 3 (M3) surface is exposed, leaving the vias visibly clear (there are several gates tied to the ground of the mesh on Metal 4 (M4), as well as the active shield’s begin and end vias).

The device was very modularly placed and routed. The MAP consists of asymmetric and symmetric crypto functions (DES, RSA, etc.).
The EEPROM control logic is actually in the lower left corner of the EEPROM block.

As Metal 3 (M3) was removed exposing the M2 layer, the device is beginning to not look so complicated.

Metal 1 (M1) shows us all the transistors. We did not polish down to the poly. Most of the gates are understandable without it for the purposes of finding the clear data bus.

Most likely, these NVM areas in Figures 7 & 8 are trimming or security violation related. No further investigation is planned on these areas (it isn’t necessary).

Strangely enough, it is now understandable why ST cannot achieve high performance on the ST19 platform. Each logic area with access to the clear data bus runs via a high-output driver that is tri-stated (hi-z) when not driven. This means that all drivers are OR-tied and only one set of 8 drivers is ever active at a time. This is a very large and cumbersome way of creating a MUX.
As time permits, the ST19W and ST19N series will be looked at. It is expected to again find this kind of pattern. Overall, finding the clear data bus took 1.5 hours once the images were created. Most of the 1.5 hours was the alignment of the layers.
INSIGHTS | May 15, 2012

#HITB2012AMS: Security Bigwigs and Hacker Crème de la Crème Converge in Amsterdam Next Week

Hi guys! We’re less than a week away from #HITB2012AMS and we’re super excited to welcome you there!

HITBSecConf2012 – Amsterdam, our third annual outing in Europe, will be at the prestigious Hotel Okura Amsterdam, and this year marks our first ever week-long event with what we think is a simply awesome line-up of trainings, speakers, contests and hands-on showcase activities. There should be pretty much something to keep everyone happy!
The HITB crew is pretty excited and there’s very little else we talk about these days, so when IOActive invited us to write a blog post with complete free rein, we couldn’t help but name a couple of event highlights the crew are particularly looking forward to and we think you’ll be equally excited about.
Here’s a little of what’s in store in less than T minus 7 days’ time:
Hands on Technical Training Sessions
May 21st – May 23rd: Training Day 1, 2 & 3 
As always, we kick things off with our hands-on training days. This year, trainings stretch across a three-day period and will feature all new 1-day-only courses covering a gamut of topics from wireless security, SQL injection attacks and mobile application hacking. This will be followed by several 2-day intensive hands-on classes featuring some of our popular trainers. Laurent Oudot will be Hunting Web Attackers alongside Jonathan Brossard who’ll be conducting a course on Advanced Linux Exploitation Methods. Next door Shreeraj Shah will be running his ever popular Advanced Application Hacking training. As usual, trainees come braced for intense headache filled days with these hands-on courses crammed to the brim with real-life cases plus new, next-gen attack and defense tools and methods.
Quad Track Conference – The Pièce de résistance
May 24th – May 25th: Conference Day 1 & 2
Big Ideas – Big Picture… 
It’s always hard selecting keynote speakers – especially at HITBSecConf, where our audience expects nothing but absolutely killer content filled with awesome! We feel Andy Ellis, CSO of Akamai, will deliver a talk that fulfills that; he will be kicking off Conference Day 1 with a keynote on Getting Ahead of the Security Poverty Line, sharing a behind-the-scenes look at Akamai’s in-house security program and how it has evolved over the years to protect over 105,000 servers in 78 countries.
On Day 2, a man who needs no introduction and who has the rare distinction of having delivered keynote at all the locations of HITBSecConf events held around the globe, Bruce Schneier, CISO of BT Counterpane will deliver the second keynote. Bruce’s talk on Trust, Security and Society will deliver a big picture look at how in any system of trust, there will always be abuses. Understanding how moral systems, reputational systems, institutional systems, and security systems work and fail in today’s society is essential in understanding the problems of our interconnected world.
An Apple a Day…
One of the indisputable highlights this year and perhaps the one item the HITB Crew is most looking forward to is the first ever appearance by the full four-member iOS Jailbreak Dream Team (@p0sixninja, @pod2g, @planetbeing and @pimskeks) plus world famous, iPhone Dev Team member @MuscleNerd.
They will be rocking Amsterdam with three talks (and maybe a new jailbreak?), two of which will primarily focus on the detailed inner workings behind the Corona (A4) and Absinthe (A5) jailbreaks. Apple fans and jailbreak enthusiasts will be well pleased to hear the team plans to cover pretty much everything a jailbreaker would want to know including:
iOS security basics
iOS format string attacks
iOS kernel heap overflows
iOS profile command injections
iOS application sandbox escape
How to bypass ASLR & DEP for all exploits listed above
In the third and separate talk, MuscleNerd will dive into the inner workings and most recent changes to the iPhone baseband comparing it against its earlier hardware and software incarnations. His presentation will cover everything baseband related – from baseband ROP to activation and baseband tickets: The mechanism Apple uses to authorize use with specific carriers and authenticates software updates to the baseband. He will also look at the current attack surfaces comparing iPhone4 vs iPhone4S hardware-based protection mechanisms. Tasty. 
I want my MTV…
And here’s another personal crew favourite – Adam Gowdiak. Is. Back. The man who first brought Microsoft Windows to its knees in 2003 as part of the LSD Group and later became the world’s first to present a successful and widespread attack against the mobile Java platform is back at HITBSecConf! This time he will demonstrate the first ever successful attack against digital satellite set-top-box equipment implementing the Conax Conditional Access System with advanced cryptographic pairing function. Yes, we’re talking major security flaws in digital satellite TV set-top-boxes and DVB chipsets used by many satellite TV providers worldwide.

More Labs / More Signal Intelligence 
Forming our third track in our quad-track line up, only a maximum of 75 attendees will get to experience these intensive, mini training sessions, so get to the doors early if you wanna join in. Audience interaction is expected so bring your laptops with you! What kind of brain mashing kungf00 can you expect?
Hacking Using Dynamic Binary Instrumentation by Intel’s Gal Diskin promises an insight into extracting metadata and other hidden goodies from public documents using FOCA 3 and the bad, nasty things one can do with malformed portable executable (PE) files, and Didier Stevens, Security Consultant, Contraste Europe NV, will be talking about the reverse of the kind of shellcode we all know and love – White Hat Shellcode: Not for Exploits.
Still hungry for more bytes? Grab your coffee, real world bites and head into the SIGINT sessions – our version of lightning talks which run for 30 minutes during coffee and lunch breaks. The SIGINT sessions this year are twice as long as usual as we want you to truly savour the appetising morsels we’ve lined up.
24TH MAY 2012
12:30 – 13:00 – Pastebinmon.pl & Leakedin.com – Xavier Mertens
13:00 – 13:30 – Third Party Software in Your Baseband – Ralf-Philipp Weinmann
15:30 – 16:00 – Hack To The Future – Marinus Kuivenhoven
25TH MAY 2012
12:30 – 13:00 – Integrating DMA Attacks in Metasploit – Rory Breuk & Albert Spruyt
13:00 – 13:30 – CloseUp of Three Technical Hackerspace Projects – Elger ‘stitch’ Jonker
Lawfully intercepting your packets…
After 2 days of conference awesomeness, Ms. Jaya Baloo, Verizon’s in-house lawful interception expert and our first-ever lady closing keynoter, will wrap things up in a yet-to-be-announced keynote.
We’re not done yet …
If it isn’t already difficult enough to pick which talks to go to, we’ve got even more things lined up to keep you busy outside of the main conference tracks – With an expanded technology showcase area, our all new CommSec Village is going to be packed to the brim with more hacky-goodness than you can shake a Kinect at!
CommSec Village 
 
Last year, LEGO Mindstorm robots ruled the roost, and this year the HITB CommSec Challenge is bringing the world of motion capture into the tinkering hands of Benelux hackerspaces. Seven hackerspaces from Belgium and the Netherlands will work with Microsoft’s all new Kinect for Windows platform and battle head to head to translate their body movements into words at the highest rate of character output. Yep – expect to see lots of physical action here as the various participants battle it out for the grand prize of EUR1000.
HackWEEKDAY
HackWEEKDAY: Turbo Edition will see code junkies working over a 12-hour period on this year’s theme of ‘Browsers and Extensions’ – sponsored again by Mozilla and organized by the HITB.nl Crew, participating developers stand a chance to walk away with a prize of EUR1337 for the best coder!
Capture The Flag – Bank0verflow
 
Capture The Flag: Bank0verflow will see eleven teams – 5 home grown teams from The Netherlands (Mediamonks and four Vubar teams) battle it out against French team C.o.P. Also, for the first time, two Russian teams will be joining the battleground, including the much ‘feared’ winners of #CODEGATE2012’s Capture The Flag – Leetchicken.
Lock Picking Village by TOOOL.nl
The ever popular Lock Picking Village returns this year with crowd favourite TOOOL.nl at hand to showcase the best and latest picking, shimming, bumping and safecracking techniques. Hands on as usual, come with deft fingers and your own locks to see how (in)secure that house or fiets lock of yours really is!
Sogeti Social Engineering Challenge
This year, for the first time, Sogeti is introducing the Sogeti Social Engineering and CTF Challenge (#SSEC2012). This will be HITB’s first ever social engineering game, so we’re pretty excited to say the least! Participants will be flexing their wit against the top 100 Dutch companies via in-live-studio phone calls, and conference attendees plus members of the public can check out the game in progress via the Listening Post. Blag for swag – and the best ‘wit-hacking’ engineer walks away with a swanky new iPad 3 sponsored by Sogeti!
Hackers On The Far Side of the Moon with Microsoft and IOActive 
 
It would not be a proper HITBSecConf if there was no killer party to cap things off. This year we plan to blast off to the dark side of the moon with IOActive’s Keith Myers providing the choons!
 
Sponsored as always by Microsoft, conference hackers, heroes, dudes and dudettes will make their way to the Wyndham Apollo Hotel for three solid hours of food, music and of course, copious amounts of alcohol thanks to additional alco_pwn support by the kind folks at IOActive! o/ 
 
IOActive’s DJ Keith Myers will be delivering the ear pounding dance floor madness with a warm up set  by Roy Verschuren of Elevator Passion – all this at the only spot in Amsterdam where the city’s five famous grachts meet!
 
Bring. On. The. Madness.
 
See you next week!
– The HITB Crew
 
 
INSIGHTS | May 3, 2012

Enter the Dragon(Book), Pt 2

Nobody has been able to find this backdoor to date (one reason I’m talking about it).

While the C specification defines many requirements, it also permits a considerable amount of implementation-defined behavior (even though it later struck me as odd that many compilers could be coerced into generating this backdoor in an identical way).
In the C specification, Section 5.2 (Environmental Considerations)—in particular section 5.2.4.1 (Translation limits)—seems to offer the most relevant discussion of the topic.
Here’s a concise/complete example:
#include <stdio.h>
#include <string.h>

/* Two members of 0x7fffffff bytes each plus two bytes of padding: the sum
 * exceeds what a 32-bit size_t can hold, which is what this demonstration
 * relies on. */
typedef struct _copper
{
    char field1[0x7fffffff];
    char field2[0x7fffffff];
    char pad0;
    char pad1;
} copper, *pcopper;

int main(int argc, char **argv)
{
    copper david;
    printf("sizeof david = %zx\n", sizeof(david));
    printf("sizeof david's copper.field1 = %zx\n", sizeof(david.field1));
    /* The bounds check passes because sizeof(david.field1) is huge, while the
     * storage actually reserved for david is sizeof(copper). The three-argument
     * strncpy_s used here is MSVC's template overload, as in the original. */
    if (argc > 1 && strlen(argv[argc-1]) < sizeof(david.field1))
        strncpy_s(david.field1, argv[argc-1], sizeof(david.field1));
    return 0;
}
What is the expected size of david?
What is the expected size of the copper.field?
Here’s the compiled output:
sizeof david = 1
sizeof david.copper.field1 = 7fffffff
W0W!! The sum of the parts is GREATER than the whole!
It would seem that a (somewhat) correct check for length (let’s forget about the NUL and strncpy_s for portability/readability) is always going to pass, since field1’s length is VERY large; however, the storage for this type is allocated with sizeof(copper) (statically or dynamically). This means that we can arbitrarily write into memory despite any amount of bounds checking!
So, what we have is the sizeof operator failing due to the arrangement of this struct, which violates the environmental limits of C. The four members add up to 0x7fffffff + 0x7fffffff + 1 + 1 = 0x100000000 bytes, which does not fit in a 32-bit size_t, so the compiler’s computation of the whole wraps while the sizeof of each member is still reported correctly.
This struct actually contains numerous variations and interesting vectors. For instance, I’ve found _MANY_ types defined in the SDKs of both operating systems and compilers whose array bounds come from a constant; if you surreptitiously #define (actually redefine) such an existing constant, you can exploit existing code.
The situation here is that it’s virtually impossible to detect this backdoor.
I’ve attempted to detect the flaw with all sorts of code checking tools, all of which are blind to this attack.  It seems that this overflow occurs statically, which is why sizeof is failing. I’ve been calling this a “static overflow,” which may or may not be a good name, but it seems to fit given that the overflow happens during compilation (AST formulation).
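As an added example (my own code, not from the original post), here is the kind of source-level check that catches this arrangement: every member is compared against the size of the enclosing object, which is what the allocation actually used, rather than against the member’s own sizeof, which is what the length check above trusts. A 64-bit size_t does not wrap for this struct, so the copper figures below are constructed from the page’s reported output (sizeof(copper) of 1, member sizes of 0x7fffffff) rather than measured on the host; member_t, sane_t and the helper names are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One member of a struct, described by the layout the compiler chose for some target. */
typedef struct {
    const char *name;
    uint64_t offset;   /* offsetof(type, member) on that target */
    uint64_t size;     /* sizeof(member) on that target */
} member_t;

/*
 * A member is usable only if it lies entirely inside the storage actually
 * allocated for the enclosing object (object_size, i.e. sizeof(type)) and its
 * end offset could not have wrapped the target's size_t (size_max).
 * All arithmetic is done in 64 bits, so 32-bit layouts cannot wrap here.
 */
int member_fits(uint64_t object_size, const member_t *m, uint64_t size_max)
{
    uint64_t end = m->offset + m->size;
    return m->offset <= object_size && end <= size_max && end <= object_size;
}

/* Index of the first member that does not fit, or -1 if the layout is consistent. */
int first_inconsistent_member(uint64_t object_size, const member_t *m, size_t n, uint64_t size_max)
{
    for (size_t i = 0; i < n; i++)
        if (!member_fits(object_size, &m[i], size_max))
            return (int)i;
    return -1;
}

/*
 * Bounded copy that trusts sizeof(object), not sizeof(member): refused unless
 * the member fits in the object and src plus its NUL fits in the member.
 * Returns 1 on success, 0 if refused.
 */
int copy_into_member(void *obj, size_t object_size, const member_t *m, const char *src)
{
    if (!member_fits(object_size, m, SIZE_MAX))
        return 0;
    size_t len = strlen(src);
    if (len >= m->size)
        return 0;
    memcpy((char *)obj + m->offset, src, len + 1);
    return 1;
}

/* A well-formed type on the host, described with its real offsetof/sizeof values. */
typedef struct { char name[16]; uint32_t id; char tag[4]; } sane_t;

const member_t sane_layout[] = {
    { "name", offsetof(sane_t, name), sizeof(((sane_t *)0)->name) },
    { "id",   offsetof(sane_t, id),   sizeof(((sane_t *)0)->id)   },
    { "tag",  offsetof(sane_t, tag),  sizeof(((sane_t *)0)->tag)  },
};

/*
 * The post's copper type as a compiler with a 32-bit size_t lays it out.
 * Constructed figures taken from the post's output, not measured on this host:
 * field2 starts where field1 ends, and sizeof(copper) came out as 1 because
 * the 0x100000000-byte total wrapped.
 */
#define COPPER_SIZEOF_32 1u
#define SIZE_MAX_32 0xffffffffu
const member_t copper_layout_32[] = {
    { "field1", 0x00000000u, 0x7fffffffu },
    { "field2", 0x7fffffffu, 0x7fffffffu },
    { "pad0",   0xfffffffeu, 1u },
    { "pad1",   0xffffffffu, 1u },
};

/* Copies src into a local sane_t's name; 1 if the copy was accepted and landed intact. */
int sane_copy_ok(const char *src)
{
    sane_t s;
    memset(&s, 0, sizeof s);
    if (!copy_into_member(&s, sizeof s, &sane_layout[0], src))
        return 0;
    return strcmp(s.name, src) == 0;
}

int main(void)
{
    int bad = first_inconsistent_member(COPPER_SIZEOF_32, copper_layout_32, 4, SIZE_MAX_32);
    printf("copper (32-bit layout): first inconsistent member = %s\n",
           bad < 0 ? "none" : copper_layout_32[bad].name);
    printf("sane_t: first inconsistent member index = %d\n",
           first_inconsistent_member(sizeof(sane_t), sane_layout, 3, SIZE_MAX));
    printf("copy \"alice\" accepted: %d\n", sane_copy_ok("alice"));
    printf("copy of 16 chars accepted: %d\n", sane_copy_ok("sixteen-characte"));
    return 0;
}
```

On the constructed copper layout the check rejects field1 immediately, because a member that claims 0x7fffffff bytes cannot live inside a one-byte object, and pad1 fails on its own because its end offset wraps the target’s size_t; the same code accepts the ordinary sane_t layout and refuses a 16-character string for a 16-byte field, which is the comparison the original bounds check should have made.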
Possible attack vectors include: (1) untrusted .c/.h files in your compiler’s path, (2) environment (set CARGS=/DMAXPATH=0x7fffffff), (3) arguments, and (4) flags.
This may seem a relatively small surface area, but in any modestly-complex application, hundreds/thousands of header files are included from untrusted sources.
I’ve had many crashes in cc/ld. If anyone finds a way to exploit the actual compilation (take control of the cc/ld process) that would be pretty neat. Some of the more aggressive faults tend to occur when the compiler looks up instructions to address the oversized region, or when this type is used in more elaborate loop/indexed [array].foo[bar] arrangements.
I hope you all enjoyed this magic trick.
INSIGHTS | April 25, 2012

Thoughts on AppSecDC 2012

The first week of April brought another edition of AppSecDC to Washington, D.C., but this year people from two different worlds came to the same conference: Web security and Industrial Control Systems security. Of course, at the device level this convergence happened a long time ago if we take into account that almost every modern PLC includes at least a web server, among other things.

 
I was presenting Real-world Backdoors in Industrial Devices on the Critical Infrastructure track, which included really exciting topics from well-known researchers including:
  •        Pentesting Smart Grid Web Apps from Justin Searle
  •        Vulnerabilities in Industrial Control Systems from ICS-CERT
  •        AMI Security from John Sawyer and Don Weber
  •        Project Basecamp: News from Camp 4 from Reid Wightman
  •        Denial of Service from Eireann Leverett
  •        Securing Critical Infrastructure from Francis Cianfrocca
I found it remarkable that most of the talks were basically about offensive security. I think that’s because ICS researchers are still at the point of squeezing all the potential attack vectors, an approach that eventually will provide the intelligence necessary to actually protect critical infrastructure in the best way possible. We would do well to remember that it’s taken many years for the IT sector to finally reach a point where some defensive technologies are solid enough to stop complex attacks.
 
The best thing about the CI track was that it introduced different perspectives and the technical talks highlighted two issues that should be addressed ASAP:  backdoors/unauthenticated protocols and exposure. Amazingly, a large number of industrial devices still rely on unauthenticated protocols and backdoors to implement their functionalities.  PLCs, smart meters, HVAC… during the talks we saw real-world examples that would let attackers control facilities, even remotely!
 
The talk from the ICS-CERT was pretty interesting since it brought another point of view to the track: what happens on the other side? For example, when vendors realize their products contain vulnerabilities or how real incidents are handled—yes, there have been real attacks against industrial facilities. The scary thing is that, according to the data presented by the ICS-CERT, these attacks are not isolated, but represent a trend.
 
The number of published SCADA vulnerabilities has dramatically increased, and societies (as well as the security industry and researchers) are slowly becoming more aware of and concerned about the importance of securing critical infrastructures. Even so, there are still a lot of things waiting to be discovered, so we should expect exciting findings in this area.
 
In summary, security conferences are great places to learn about and meet brilliant people, so if you have the chance to attend some, don’t hesitate! It was a pleasure to attend and speak at AppSecDC, so I would like to thank OWASP and IOActive for giving me this opportunity.
 
See you at the next one!