Well it’s almost the end of day 1 at Blackhat Europe in Amsterdam. Thanks to Didier Stevens I was lucky enough to get a press pass at the last minute (and yes I do mean last minute). After a frantic search for flights and a friend’s place to sleep at, all was sorted.
What better way to kick off the first day than Charlie Miller and Vincenzo Iozzo talking about OSX and iPhone exploitation. The talk focused less on exploitation of these platforms (no more free bugs after all), and was more aimed at post-exploitation and payload techniques. A very technical overview of how userland-exec was used to inject a payload into a running process. If this sounds familiar then it should, as Meterpreter (of Metasploit fame) works in roughly the same way. However, instead of injecting a DLL, an OSX binary is used. Charlie has ported a number of the existing Meterpreter features to the OSX platform (or Macerpreter as he called it). The latest version of Metasploit SVN already has this new feature available for test (see osx/x86/meterpreter). Most of the Meterpreter functionality is included, however the ability to migrate between processes, as well as a couple of other minor commands (route table and idle time) aren’t available. However, as an addition to the functionality, Charlie has added a “takepic” command that uses the Mac’s iSight camera to take a picture and store it in the /tmp of the exploited machine. As he said, these are all just features to be built on, now that the basics are there. I’m looking forward to getting my OSX system running in the lab and testing some of the functionality for myself. But that will have to wait.
To finish off Vincenzo talked us through the reasons why iPhones that have been jailbroken are more vulnerable to attack than the standard firmware. It appears that some recent research into iPhone exploitation doesn’t take into consideration that the jailbroken iPhone firmware disables application signing and makes the platform more prone to exploitation. Researchers at some recent conferences have given talks about generic iPhone issues that may only be limited to jailbroken systems. This is something to look out for in the coming weeks as questions start being asked.
I suggest you pick up a copy of the slides as soon as they’re released as there is a whole lot of information here about the iPhone’s XN bit and how OSX’s ASLR functions that I can’t really go into here.
I also took the time to attend the SAP Penetration Testing talk, which as expected covered a lot of information on default configurations and how to exploit failures in configurations. It seems that although SAP has more than 121,000 installs world-wide, they still class support as a secondary concern. The sapyto tool (now version 0.99) supports a number of automated information gathering and exploitation options. Although the use of standard buffer overflow attacks isn’t really possible (due to the cross-platform basis of SAP) there are a range of other exploits. Exploitation of user trust seems to be a key point here, as user profiles and restrictions are usually overlooked due to project deadlines.
I managed to catch Moxie Marlinspike’s talk on SSLstrip. Although I’ve seen the video of the presentation, seeing it live was definitely worthwhile. Still no live demo, but I think John Strand from pauldotcom has done one; if you search on pauldotcom.com I’m sure you’ll find it. Some of the new parts added after the last presentation covered the responses by the Mozilla team and others. Mozilla’s response to the homograph attacks was to begin blacklisting characters that could cause issues and enable attacks. I can understand the response, but fail to see how a blacklisting approach in this respect was the final solution. It would have been better to sit around and find a full solution to the issue and work with it. I discussed the issue quickly with a couple of people from Mozilla and they also felt that it had been dealt with by the wrong person in the wrong way. So maybe something will be forthcoming on this in the future.
After lunch with Moxie and Didier I popped into the Advanced SQL Injection talk. Although the topic interests me, I got the feeling that I’d seen this presentation already somewhere (possibly last year’s Blackhat US). Still, this gave me some time to have a quick look around the central area and speak to the nice guys at Core Security and IOActive. The Core Impact product is something to keep an eye on, as they’re constantly updating with new modules and exploits.
Taming the Beast: Assess Kerberos-Protected Networks was one of those presentations that contained just a little too much information for 1 hour. The slides were jam-packed with information and it was a pity that the demos didn’t seem to work for the first half. The idea presented was based on older Kerberos spoofing and Kerberos replay attacks. By combining these attacks it was possible to fool a system into thinking it had received a valid ticket and permit logon. Although this didn’t then (usually) allow access to network resources, it did allow access to resources that the workstation already had valid tickets for. To break down the process: an ARP spoofing attack was performed against a workstation and the Kerberos logon process was performed. After the traffic was captured, it was possible to then log on to the machine using the replayed certificate by maintaining the ARP spoofing, dropping traffic destined for the real server (the one providing the ticket) and replaying the earlier captured ticket traffic. The process also allowed the attacker to set the password expected in the ticket and therefore log on to the workstation through RDP or at the console using the newly set password. These points were unclear, and maybe some more reviewing of the slides will clear this up some more. The process seems sound, but I’d like to understand it some more. The talk ran long, so we didn’t get to see all of the slides and information. Although the tools (Python scripts) aren’t expected to be released, the talk slides should give enough information to recreate the attack process. At this time the only possible protection (other than preventing ARP spoofing and foreign machines on the LAN) is using dual-factor authentication. However, how many companies are doing this on workstation AND server? I’d love to hear if you are.
Final talk of the day was the Hijacking the Linux Kernel talk from Anthony Lineberry. I won’t claim to understand 100% of the talk as it was very specifically focused. The process of reading memory above 16k seems to be something that is being addressed in kernel 2.6.26 but it’s not quite there yet. RHEL and Fedora are currently ok, but others that default STRICT_DEVMEM to disabled are still vulnerable to this style of user-land attack. Check out the slides and let me know if I’m missing something.
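Since the post says the exposure hinges on whether the kernel was built with STRICT_DEVMEM, here is an added defender-side check (my own example, not from the talk or the post) that reads a kernel build config and reports whether CONFIG_STRICT_DEVMEM, which limits user-space access to physical memory through /dev/mem, is enabled. The default path /boot/config-$(uname -r) and the two constructed sample configs are assumptions for illustration.

```shell
#!/bin/sh
# devmem_status: report CONFIG_STRICT_DEVMEM from a kernel config file.
# Prints "enabled", "disabled" or "unknown"; exit code 0, 1 or 2 respectively.
# Argument: path to a kernel config (defaults to the running kernel's config).
devmem_status() {
    cfg="${1:-/boot/config-$(uname -r)}"
    if [ ! -r "$cfg" ]; then
        echo unknown
        return 2
    fi
    if grep -q '^CONFIG_STRICT_DEVMEM=y' "$cfg"; then
        echo enabled
        return 0
    elif grep -q '^# CONFIG_STRICT_DEVMEM is not set' "$cfg"; then
        echo disabled
        return 1
    else
        echo unknown
        return 2
    fi
}

# Constructed sample configs (not real distribution files) to exercise the check.
make_samples() {
    dir=$(mktemp -d)
    printf 'CONFIG_DEVKMEM=y\nCONFIG_STRICT_DEVMEM=y\n' > "$dir/strict.config"
    printf 'CONFIG_DEVKMEM=y\n# CONFIG_STRICT_DEVMEM is not set\n' > "$dir/lax.config"
    printf 'CONFIG_DEVKMEM=y\n' > "$dir/old.config"   # option absent: older kernel
    echo "$dir"
}

# Stand-alone run: check the samples, then the running kernel if its config exists.
if [ "${0##*/}" != "sh" ] && [ "${DEVMEM_NO_DEMO:-0}" = 0 ]; then
    d=$(make_samples)
    for f in strict lax old; do
        printf '%s: %s\n' "$f" "$(devmem_status "$d/$f.config" || true)"
    done
    printf 'running kernel: %s\n' "$(devmem_status || true)"
    rm -rf "$d"
fi
```

A result of "disabled" means any process that can open /dev/mem can read arbitrary physical memory, which is the exposure the talk described; "unknown" on a kernel older than the option is worth treating the same way until confirmed.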
Well that’s the end of day 1. There was talk of a big bug being dropped today, however at the last minute the vendor asked for the issue to be withheld a little longer as it wasn’t 100% sure that it was fixed. More time was needed for testing. Jeff Moss said that “the vendor wanted to avoid speculation, but supported responsible disclosure. We encourage all of our speakers to follow responsible disclosure.”
Jeff Moss talked briefly about next year’s conference in Barcelona. He cited needing to grow the conference and wanting to add a 3rd track while still having the room for everybody. Lots of options within Amsterdam have been explored, and the choice was made to take it to Barcelona.