me::title_else
My Schedule
9:00 AM
to 9:50 AM
Keynote
431 schedule::attendees
Location
Augustus Ballroom
10:00 AM
to 11:00 AM
John McDonald & Chris Valasek: Practical Windows Heap Exploitation
65 schedule::attendees
Location
Augustus Ballroom 5-6
eventtype Exploitation
John McDonald & Chris Valasek
event::about As we all know, the era of the straightforward 4-byte overwrite is over. Heap exploitation has steadily increased in difficulty since its genesis in Solar Designer's ground-breaking Bugtraq post in July of 2000. This trend towards increasingly complicated exploitation is primarily a result of the widespread implementation of technical heap counter-measures in modern systems software. The effort required to write reliable heap exploits has steadily increased due to other factors as well: applications have become more and more multi-threaded to take advantage of trends in hardware, and -- in certain code -- memory corruption vulnerabilities have become more nuanced and unique as a result of common, straightforward vulnerability patterns slowly but surely being audited out of existence. The end result of all these defensive machinations is that now, more than ever, you need a fluid, application-aware approach to heap exploitation. The building blocks of such an approach are an extensive working knowledge of heap internals, an understanding of the contributing factors in heap determinism, various tactics for creating predictable patterns in heap memory, and, naturally, a collection of techniques for exploiting myriad different specific types of memory corruption in heap memory.
Our talk is chiefly concerned with developing this foundational knowledge, focusing on the practical challenges of heap exploitation on Windows XP SP3 and Server 2003. While Windows Vista is gaining market share and Windows 7 is on its way, the XP code base is still the most prevalent attack surface on the Internet. XP heap exploitation may not technically qualify as "
Our talk is chiefly concerned with developing this foundational knowledge, focusing on the practical challenges of heap exploitation on Windows XP SP3 and Server 2003. While Windows Vista is gaining market share and Windows 7 is on its way, the XP code base is still the most prevalent attack surface on the Internet. XP heap exploitation may not technically qualify as "
11:15 AM
to 12:30 PM
Nathan Hamiel & Shawn Moyer: Weaponizing the Web
130 schedule::attendees
Location
Augustus Ballroom 5-6
eventtype Exploitation
Nathan Hamiel, Shawn Moyer
event::about Ultimately, basing the value proposition of your site on user-generated and external content is a kind of variant on Russian Roulette, where in every turn the gun is pointed at your head, regardless of the number of players. You may win most of the time, but eventually a bullet is going to find its way into the chamber with your name on it.
We spent some time last year looking at this problem as it related specifically to Social Networks, but that left a lot of the territory unexplored. This time around we'll be talking about a previously unnoticed attack vector for lots and lots of web applications with user-generated content, and releasing a handy tool to exploit it. Bundled in are some thoughts on Web 2.0 attack surface, a few new exploitation techniques, and as in last year, a hefty helping of lulz, ridicule, and demos-of-shame at the expense of a few of your and (our) favorite sites.
We spent some time last year looking at this problem as it related specifically to Social Networks, but that left a lot of the territory unexplored. This time around we'll be talking about a previously unnoticed attack vector for lots and lots of web applications with user-generated content, and releasing a handy tool to exploit it. Bundled in are some thoughts on Web 2.0 attack surface, a few new exploitation techniques, and as in last year, a hefty helping of lulz, ridicule, and demos-of-shame at the expense of a few of your and (our) favorite sites.
1:45 PM
to 3:00 PM
Graeme Neilson: Netscreen of the Dead
46 schedule::attendees
Location
Roman Ballroom
eventtype Infrastructure
Graeme Neilson
event::about Core network security appliances are often considered to be more secure than traditional systems because the operating systems they run are supplied as obfuscated, undocumented binary firmware. Juniper Inc supplies a complete range of security appliances that all run a closed source operating system called ScreenOS which they supply as firmware.
This presentation will detail how the Juniper Netscreen platform can be completely subverted by installation of attacker modified firmware. This firmware is effectively an embedded rootkit.
This presentation will detail how the Juniper Netscreen platform can be completely subverted by installation of attacker modified firmware. This firmware is effectively an embedded rootkit.
3:15 PM
to 4:30 PM
Jeff Williams: There's a Fox in the Henhouse
79 schedule::attendees
Location
Augustus Ballroom 1-2
eventtype Rootkits
Jeff Williams
event::about How much would it cost to convince a developer to insert a few special lines of Java in your application? Would you detect the attack before it went live? How much damage could it do? Malicious developers are the ultimate insiders. With a very small number of lines of Java, they can steal all your data, corrupt systems, install system level attacks, and cover their tracks. A trojaned Struts or Log4j library could affect most of the financial industry at once.
This talk will examine the techniques that malicious programmers can use to insert and hide these attacks in a Java web application. We'll start by looking at the code for a few naive examples of timebombs and backdoors to show the power of these attacks. Several real examples discovered during 10 years of security code reviews will be shared. A more sophisticated attacker will seek to obfuscate their attacks and achieve plausible deniability. We'll start by exploring the tricks for hiding attacks from security code reviewers, including escaping, string hiding, string conversion, and method misuse. We'll also examine data and control flow tricks to fool static analysis tools, such as using EJBs, exception handling, static initializers, dynamic class loading, and compiler misuse. The talk will demonstrate the ease of undetectably loading an application rootkit remotely and executing it in the JVM.
What can organizations do to minimize the risk of malicious Java developers? We'll review the benefits and limitations of technical controls, such as sandboxes, configuration management, least privilege, and intrusion detection. We'll also discuss the use of detection techniques such as code review and static analysis tools. Finally, we'll talk about people and organizational issues that can help minimize this risk. In a world with layoffs, outsourcing, and organized crime, the risk from malicious developers should be considered seriously. Microsoft's Doug Leland has called these attacks "one of the most significant threats companies face." Businesses need to be aware of these risks so that they can make informed decisions about searching their code, using controls, and even whether to use applications to perform certain business functions at all.
This talk will examine the techniques that malicious programmers can use to insert and hide these attacks in a Java web application. We'll start by looking at the code for a few naive examples of timebombs and backdoors to show the power of these attacks. Several real examples discovered during 10 years of security code reviews will be shared. A more sophisticated attacker will seek to obfuscate their attacks and achieve plausible deniability. We'll start by exploring the tricks for hiding attacks from security code reviewers, including escaping, string hiding, string conversion, and method misuse. We'll also examine data and control flow tricks to fool static analysis tools, such as using EJBs, exception handling, static initializers, dynamic class loading, and compiler misuse. The talk will demonstrate the ease of undetectably loading an application rootkit remotely and executing it in the JVM.
What can organizations do to minimize the risk of malicious Java developers? We'll review the benefits and limitations of technical controls, such as sandboxes, configuration management, least privilege, and intrusion detection. We'll also discuss the use of detection techniques such as code review and static analysis tools. Finally, we'll talk about people and organizational issues that can help minimize this risk. In a world with layoffs, outsourcing, and organized crime, the risk from malicious developers should be considered seriously. Microsoft's Doug Leland has called these attacks "one of the most significant threats companies face." Businesses need to be aware of these risks so that they can make informed decisions about searching their code, using controls, and even whether to use applications to perform certain business functions at all.
4:45 PM
to 6:00 PM
Val Smith, Colin Ames & David Kerb: MetaPhish pt. 2
60 schedule::attendees
Location
Florentine 1-2-3-4
eventtype Metasploit
Val Smith, Colin Ames, David Kerb
event::about Attackers have been increasingly using the web and client side attacks in order to steal information from victims. The remote exploit paradigm is shifting from the open port to the browser and email client. Penetration testers need to take these techniques into account in order to provide realistic tests.
In the past several years there have been numerous presentations on techniques for specific client side attacks and vulnerabilities. This talk will focus on building a phishing framework on top of Metasploit that pen testers can use to automate phishing and increase their overall capabilities. We will also cover some techniques for SpearPhishing on pen tests, second stage backdoors, and extensive communication over TOR.
In the past several years there have been numerous presentations on techniques for specific client side attacks and vulnerabilities. This talk will focus on building a phishing framework on top of Metasploit that pen testers can use to automate phishing and increase their overall capabilities. We will also cover some techniques for SpearPhishing on pen tests, second stage backdoors, and extensive communication over TOR.
8:50 AM
to 9:50 AM
10:00 AM
to 11:00 AM
Zane Lackey & Luis Miras: Attacking SMS
135 schedule::attendees
Location
Milano Ballroom 1-2-3-4
eventtype Mobile
Zane Lackey, Luis Miras
event::about With the increased usage of text messaging around the globe, SMS provides an ever widening attack surface on today's mobile phones. From over the air updates to rich content multimedia messages, SMS is no longer a simple service to deliver small text-only messages. In addition to its wide range of supported functionality, SMS is also one of the only mobile phone attack surfaces which is on by default and requires almost no user interaction to be attacked.
This talk will seek to inform the audience of threats to today's mobile phones posed by hostile SMS traffic. We will discuss attacking the core SMS and MMS implementations themselves, along with 3rd party functionality that can be reached via SMS. Results will be presented of testing against mobile platforms in real-world situations.
In addition to our own results we will discuss and release a number of tools to help users test the security of their own mobile devices. Finally, we will demonstrate and release an iPhone-based SMS attack application that facilitates a number of the attacks we discuss.
This talk will seek to inform the audience of threats to today's mobile phones posed by hostile SMS traffic. We will discuss attacking the core SMS and MMS implementations themselves, along with 3rd party functionality that can be reached via SMS. Results will be presented of testing against mobile platforms in real-world situations.
In addition to our own results we will discuss and release a number of tools to help users test the security of their own mobile devices. Finally, we will demonstrate and release an iPhone-based SMS attack application that facilitates a number of the attacks we discuss.
11:15 AM
to 12:30 PM
Jeremiah Grossman & Trey Ford: Mo' Money Mo' Problems
136 schedule::attendees
Location
Augustus Ballroom 5-6
eventtype Random
Jeremiah Grossman, Trey Ford
event::about Sequel to the much acclaimed Get Rich or Die Trying presentation. This time around we're not going to restrict ourselves to the super simple, legal gray area, or even those previously exploited in the real-world. The theoretical is fast becoming dangerously likely and we can't wait until it becomes a reality for them to be examined.
Many people still mistakenly believe profiting illicitly or causing serious damage on the Web requires elite, ninja-level hacking skills. Nothing could be further from the truth. In fact, given the ever-increasing complexity of Web technology, using sophisticated vulnerability scanners can make the monetization process more difficult, noisy, and arguably less lucrative. While scanners and code reviews can lend themselves to identifying SQL Injection and Cross-Site Scripting, which can lead to significant harm and financial loss, so too can the issues they consistently miss -- business logic flaws.
Business logic flaws, or an oversight in the way a system is designed to work or can be made to work, is one that typically can be gamed in low-tech ways. In the real world, these attacks have lead to between four and nine-figure paydays with nothing more than basic analytical skills required. Furthermore these are attacks that Intrusion Detection Systems (IDS) will miss, Web application firewalls can't block, and Web application vulnerability scanners fail to identify. Attacks so subtle that most organizations will not know they've been hit until a financial audit uncovers a discrepancy, they receive angry customer calls, or when they become headline news.
Many people still mistakenly believe profiting illicitly or causing serious damage on the Web requires elite, ninja-level hacking skills. Nothing could be further from the truth. In fact, given the ever-increasing complexity of Web technology, using sophisticated vulnerability scanners can make the monetization process more difficult, noisy, and arguably less lucrative. While scanners and code reviews can lend themselves to identifying SQL Injection and Cross-Site Scripting, which can lead to significant harm and financial loss, so too can the issues they consistently miss -- business logic flaws.
Business logic flaws, or an oversight in the way a system is designed to work or can be made to work, is one that typically can be gamed in low-tech ways. In the real world, these attacks have lead to between four and nine-figure paydays with nothing more than basic analytical skills required. Furthermore these are attacks that Intrusion Detection Systems (IDS) will miss, Web application firewalls can't block, and Web application vulnerability scanners fail to identify. Attacks so subtle that most organizations will not know they've been hit until a financial audit uncovers a discrepancy, they receive angry customer calls, or when they become headline news.
1:45 PM
to 3:00 PM
Hristo Bojinov, Elie Bursztein & Dan Boneh: Embedded Management Interfaces
60 schedule::attendees
Location
Augustus Ballroom 5-6
eventtype Random
Hristo Bojinov, Dan Boneh, Elie Bursztein
event::about Over the last few years, the number of devices that embed user-friendly management interfaces accessible from the network has drastically increased. These interfaces can be found on almost every kind of device, from lights-out management systems for PCs, to small SOHO NAS appliances, to photo frames.
In this talk, we will cover the attack surface of embedded management interfaces and pinpoint which parts of them are the most likely to be vulnerable, based on our evaluation of more than a dozen device models from different categories. In particular, we will review known yet underestimated implementation shortcuts that lead to vulnerabilities. To illustrate each shortcut, we will describe real-world vulnerabilities that we have found and exploited in devices from Intel, Linksys, Lacie, Samsung, and Dell among others.
In this talk, we will cover the attack surface of embedded management interfaces and pinpoint which parts of them are the most likely to be vulnerable, based on our evaluation of more than a dozen device models from different categories. In particular, we will review known yet underestimated implementation shortcuts that lead to vulnerabilities. To illustrate each shortcut, we will describe real-world vulnerabilities that we have found and exploited in devices from Intel, Linksys, Lacie, Samsung, and Dell among others.
3:15 PM
to 4:30 PM
Kostya Kortchinsky: Cloudburst - Hacking 3D and Breaking out of VMware
142 schedule::attendees
Location
Augustus Ballroom 3-4
eventtype Cloud Virtualization
Kostya Kortchinsky
event::about Virtualization is everywhere, and VMware is a major actor in the domain. A MacOS user running a Windows only application in a Fusion guest. A malware researcher analysing the latest Conficker in a Workstation guest. A big company running a cloud virtualized on some ESX servers. All of them rely on the security offered by the virtualization software, as a breakout would have disastrous consequences.
Yet VMware products include implement a lot of functionality, and as such have a decent chance to include some bugs. CLOUDBURST is the combination of 3 of those found in the virtualized video device (more specifically the 3D code). Combined, these allow a user in a Guest to execute code on the Host. Since the virtualized device code is the same for all the branches of the products, this impacts Workstation, as well as Fusion or ESX. Immunity, Inc. will present the various vulnerabilities and the techniques used to exploit the bug reliably, even on platforms with ASLR or DEP such as Vista SP1. Once exploited, Immunity will demonstrate how to establish MOSDEF between the Host and Guest.
Yet VMware products include implement a lot of functionality, and as such have a decent chance to include some bugs. CLOUDBURST is the combination of 3 of those found in the virtualized video device (more specifically the 3D code). Combined, these allow a user in a Guest to execute code on the Host. Since the virtualized device code is the same for all the branches of the products, this impacts Workstation, as well as Fusion or ESX. Immunity, Inc. will present the various vulnerabilities and the techniques used to exploit the bug reliably, even on platforms with ASLR or DEP such as Vista SP1. Once exploited, Immunity will demonstrate how to establish MOSDEF between the Host and Guest.
4:30 PM
to 4:45 PM
5:10 PM
to 5:35 PM
Mikko Hypponen: The Conficker Mystery
170 schedule::attendees
Location
Roman Ballroom
eventtype Turbo Talks
Mikko Hypponen
event::about Network worms were supposed to be dead. Turns out they aren't. In 2009 we saw the largest outbreak in years: The Conficker aka Downadup worm, infecting Windows workstations and servers around the world. Apparently written in Ukraine, this worm infected several million computers worldwide - most of them in corporate networks. Overnight, it became as large an infection as the historical outbreaks of worms such as the Loveletter, Melissa, Blaster or Sasser.
Conficker is clever. In fact, it uses several new techniques that have never been seen before. One of these techniques is using Windows ACLs to make disinfection hard or impossible. Another is infecting USB drives with a technique that works *even* if you have USB Autorun disabled. Yet another is using Windows domain rights to create a remote jobs to infect machines over corporate networks. Possibly to most clever part is the communication structure Conficker uses. It has an algorithm to create a unique list of 250 random domain names every day. By precalcuting one of these domain names and registering it, the gang behind Conficker could take over any or all of the millions of computers they had infected.
But the real mystery is why nothing happened. The infected machines have never been used for anything. No botnet, no spamming, no data theft. Why? In my talk I will present the work we did to analyse Conficker. We reverse engineered the domain-generation algorithm and infiltrated the network. I will also disclose, for the first time ever, what was the motive of the gang behind Conficker - and why they never acted upon it.
Conficker is clever. In fact, it uses several new techniques that have never been seen before. One of these techniques is using Windows ACLs to make disinfection hard or impossible. Another is infecting USB drives with a technique that works *even* if you have USB Autorun disabled. Yet another is using Windows domain rights to create a remote jobs to infect machines over corporate networks. Possibly to most clever part is the communication structure Conficker uses. It has an algorithm to create a unique list of 250 random domain names every day. By precalcuting one of these domain names and registering it, the gang behind Conficker could take over any or all of the millions of computers they had infected.
But the real mystery is why nothing happened. The infected machines have never been used for anything. No botnet, no spamming, no data theft. Why? In my talk I will present the work we did to analyse Conficker. We reverse engineered the domain-generation algorithm and infiltrated the network. I will also disclose, for the first time ever, what was the motive of the gang behind Conficker - and why they never acted upon it.
5:35 PM
to 6:00 PM
Muhaimin Dzulfakar: Advanced MySQL Exploitation
111 schedule::attendees
Location
Roman Ballroom
eventtype Turbo Talks
Muhaimin Dzulfakar
event::about This talk focuses on how MySQL SQL injection vulnerabilities can be used to gain remote code execution on the LAMP and WAMP environments. Attackers performing SQL injection on a MySQL platform must deal with several limitations and constraints. For example, the lack of multiple statements in one query makes MySQL an unpopular platform for remote code execution compared to other platforms. This talk will show that arbitrary code execution is possible on the MySQL platform and explain the techniques. In this presentation, the author will demonstrate the tool he wrote, titled MySqloit. This tool can be integrated with metasploit and is able to upload and execute shellcodes using a SQL Injection vulnerability in LAMP or WAMP environments.
footer::loading