10:00 AM
to 11:00 AM
John McDonald & Chris Valasek: Practical Windows Heap Exploitation
65 Attendees
Location
Augustus Ballroom 5-6
Type Exploitation
John McDonald & Chris Valasek
As we all know, the era of the straightforward 4-byte overwrite is over. Heap exploitation has steadily increased in difficulty since its genesis in Solar Designer's ground-breaking Bugtraq post in July of 2000. This trend towards increasingly complicated exploitation is primarily a result of the widespread implementation of technical heap counter-measures in modern systems software. The effort required to write reliable heap exploits has steadily increased due to other factors as well: applications have become more and more multi-threaded to take advantage of trends in hardware, and -- in certain code -- memory corruption vulnerabilities have become more nuanced and unique as a result of common, straightforward vulnerability patterns slowly but surely being audited out of existence. The end result of all these defensive machinations is that now, more than ever, you need a fluid, application-aware approach to heap exploitation. The building blocks of such an approach are an extensive working knowledge of heap internals, an understanding of the contributing factors in heap determinism, various tactics for creating predictable patterns in heap memory, and, naturally, a collection of techniques for exploiting myriad different specific types of memory corruption in heap memory.
Our talk is chiefly concerned with developing this foundational knowledge, focusing on the practical challenges of heap exploitation on Windows XP SP3 and Server 2003. While Windows Vista is gaining market share and Windows 7 is on its way, the XP code base is still the most prevalent attack surface on the Internet. XP heap exploitation may not technically qualify as "
11:15 AM
to 12:30 PM
Nathan Hamiel & Shawn Moyer: Weaponizing the Web
130 Attendees
Location
Augustus Ballroom 5-6
Type Exploitation
Nathan Hamiel, Shawn Moyer
Ultimately, basing the value proposition of your site on user-generated and external content is a kind of variant on Russian Roulette, where in every turn the gun is pointed at your head, regardless of the number of players. You may win most of the time, but eventually a bullet is going to find its way into the chamber with your name on it.
We spent some time last year looking at this problem as it related specifically to Social Networks, but that left a lot of the territory unexplored. This time around we'll be talking about a previously unnoticed attack vector for lots and lots of web applications with user-generated content, and releasing a handy tool to exploit it. Bundled in are some thoughts on Web 2.0 attack surface, a few new exploitation techniques, and as in last year, a hefty helping of lulz, ridicule, and demos-of-shame at the expense of a few of your (and our) favorite sites.
1:45 PM
to 3:00 PM
Moxie Marlinspike: More Tricks for Defeating SSL
147 Attendees
Location
Augustus Ballroom 5-6
Type Exploitation
Moxie Marlinspike
This talk aims to pick up where SSL stripping left off. While sslstrip ultimately remains quite deadly in practice, this talk will demonstrate some new tricks for defeating SSL/TLS in places where sslstrip does not reach. Cautious users, for example, have been advised to explicitly visit https URLs or to use bookmarks in order to protect themselves from sslstrip, while other SSL/TLS based protocols such as imaps, pop3s, smtps, ssl/irc, and SSL-based VPNs never present an opportunity for stripping.
This talk will outline some new tools and tricks aimed at these points of communication, ultimately providing highly effective attacks on SSL/TLS connections themselves.
3:15 PM
to 4:30 PM
Mark Dowd, Ryan Smith & David Dewey: The Language of Trust
74 Attendees
Location
Augustus Ballroom 5-6
Type Exploitation
Mark Dowd, Ryan Smith, David Dewey
Interactive content has become increasingly powerful and more flexible over the last few years, with major functionality additions appearing in several web-based technologies such as JavaScript, .NET, and via browser plugins. These functionality changes coupled with increasingly complex cross-communication layers have created a nuanced and precarious trust layer between many different previously unrelated components.
This presentation attempts to address the issue of trust in the context of active content, and how it is more complicated than it might first appear. We will demonstrate the exploitation of these trust relationships at different levels of applications, from subverting architectural security controls to memory corruption vulnerabilities that lead to arbitrary execution.
4:45 PM
to 6:00 PM
Thomas Ptacek, David Goldsmith & Jeremy Rauch: Hacking Capitalism '09
67 Attendees
Location
Augustus Ballroom 5-6
Type Exploitation
Thomas H. Ptacek, David Goldsmith, Jeremy Rauch
Place an order for a stock on a retail brokerage, and you've set off a long chain of events across a broad, proprietary network of systems running at most financial institutions around the world. Orders are created, tagged, and stored in multiple databases. Messages are created in middleware stacks, funneled through order routing systems, and stored in persistence layers backed by everything from embedded databases to Oracle servers. Traders at firms large and small join in as the other side of the order, working from proprietary Windows trading dashboards, web applications, and magical Excel spreadsheets. Sub-second latencies matter, so parts of this patchwork quilt are written in C, and virtually none of it is encrypted.
Our talk is a guided tour through the systems and protocols used to transact this business; a parallel Internet that routes money and contracts instead of porn and MP3s. We'll describe patterns of vulnerabilities we've uncovered, explain poorly-understood trading protocols and middleware stacks and describe the all-important interactions between these components where subtle vulnerabilities crop up.
10:00 AM
to 11:00 AM
Datagram: Lockpicking Forensics
84 Attendees
Location
Augustus Ballroom 5-6
Type Random
Datagram
Lockpicking is portrayed as the ultimate entry method. Undetectable and instantaneous as far as films are concerned. Nothing is further from the truth, but freely available information on the topic is nearly impossible to find. This talk will focus on the small but powerful fragments of evidence left by various forms of bypass, lockpicking, and impressioning. Attendees will learn how to distinguish tool marks from normal wear and tear, identify the specific techniques and tools used, and understand the process of forensic locksmithing in detail.
11:15 AM
to 12:30 PM
Jeremiah Grossman & Trey Ford: Mo' Money Mo' Problems
136 Attendees
Location
Augustus Ballroom 5-6
Type Random
Jeremiah Grossman, Trey Ford
Sequel to the much acclaimed Get Rich or Die Trying presentation. This time around we're not going to restrict ourselves to the super simple, legal gray area, or even those previously exploited in the real-world. The theoretical is fast becoming dangerously likely and we can't wait until it becomes a reality for them to be examined.
Many people still mistakenly believe profiting illicitly or causing serious damage on the Web requires elite, ninja-level hacking skills. Nothing could be further from the truth. In fact, given the ever-increasing complexity of Web technology, using sophisticated vulnerability scanners can make the monetization process more difficult, noisy, and arguably less lucrative. While scanners and code reviews can lend themselves to identifying SQL Injection and Cross-Site Scripting, which can lead to significant harm and financial loss, so too can the issues they consistently miss -- business logic flaws.
Business logic flaws, oversights in the way a system is designed to work or can be made to work, can typically be gamed in low-tech ways. In the real world, these attacks have led to between four and nine-figure paydays with nothing more than basic analytical skills required. Furthermore, these are attacks that Intrusion Detection Systems (IDS) will miss, Web application firewalls can't block, and Web application vulnerability scanners fail to identify. Attacks so subtle that most organizations will not know they've been hit until a financial audit uncovers a discrepancy, they receive angry customer calls, or when they become headline news.
1:45 PM
to 3:00 PM
Hristo Bojinov, Elie Bursztein & Dan Boneh: Embedded Management Interfaces
60 Attendees
Location
Augustus Ballroom 5-6
Type Random
Hristo Bojinov, Dan Boneh, Elie Bursztein
Over the last few years, the number of devices that embed user-friendly management interfaces accessible from the network has drastically increased. These interfaces can be found on almost every kind of device, from lights-out management systems for PCs, to small SOHO NAS appliances, to photo frames.
In this talk, we will cover the attack surface of embedded management interfaces and pinpoint which parts of them are the most likely to be vulnerable, based on our evaluation of more than a dozen device models from different categories. In particular, we will review known yet underestimated implementation shortcuts that lead to vulnerabilities. To illustrate each shortcut, we will describe real-world vulnerabilities that we have found and exploited in devices from Intel, Linksys, LaCie, Samsung, and Dell among others.
3:15 PM
to 4:30 PM
Alexander Sotirov & Mike Zusman: Breaking the Security Myths of Extended Validation SSL Certificates
87 Attendees
Location
Augustus Ballroom 5-6
Type Random
Alexander Sotirov, Mike Zusman
Extended Validation (EV) SSL certificates have been touted by Certificate Authorities and browser vendors as a solution to the poor validation standards for issuing traditional SSL certificates. It was previously thought that EV certificates are not affected by attacks that allow malicious hackers to obtain a non-EV SSL certificate, such as the MD5 collision attack or the widely publicized failures of some CAs to validate domain ownership before issuing certificates.
Unfortunately, it turns out that the security offered by EV certificates is not any better than the security of even the cheapest $12 SSL certificate. In this talk we will show how any attacker who can obtain a non-EV SSL certificate for a website can perform completely transparent man-in-the-middle attacks on any SSL connection to that site, even if the website is protected by an EV certificate and the users are diligently inspecting all information contained in the SSL certificates.
4:45 PM
to 6:00 PM
Bill Blunden: Anti-Forensics: The Rootkit Connection
77 Attendees
Location
Augustus Ballroom 5-6
Type Random
Bill Blunden
Conventional rootkits have focused primarily on defeating forensic live incident response and network monitoring using a variety of concealment strategies (e.g. detour patching, covert channels, etc). However, the tools required to survive a post-mortem analysis of secondary storage, which are just as vital in the grand scheme of things, recently don't seem to have garnered the same degree of coverage. In this presentation, the speaker will examine different approaches to persisting a rootkit and the associated anti-forensic tactics that can be employed to thwart an investigator who's performing an autopsy of a disk image.

