INSIGHTS | January 22, 2013

You cannot trust social media to keep your private data safe: Story of a Twitter vulnerability

I’m always worried about the private information I have online. Maybe this is because I have been hacking for a long time, and I know everything can be hacked. This makes me a bit paranoid. I have never trusted web sites to keep my private information safe, and nowadays it is impossible to not have private information published on the web, such as on a social media web site. Sooner or later you could get hacked; this is a fact.

Currently, many web and mobile applications give users the option to sign in using their Twitter or Facebook account. Keeping in mind the fact that Twitter currently has 200 million active monthly users (http://en.wikipedia.org/wiki/Twitter), it makes a lot of sense for third-party applications to offer users an easy way to log in. Also, since applications can obtain a wealth of information from your Twitter or Facebook account, most of the time you do not even need to register. This is convenient, and it saves time signing into third-party applications using Twitter or Facebook.

 

 

Every time I’m asked to sign in using Twitter or Facebook, my first thought is, “No way!” I don’t want to give access to my Twitter and Facebook accounts regardless of whether I have important information there or not. I always have an uneasy feeling about giving a third-party application access to my accounts due to the security implications.

Last week I had a very interesting experience.

I was testing a web application that is under development. This application had an option to allow me to sign into Twitter. If I selected this option, the application would have access to my Twitter public feed (such as reading Tweets from my timeline and seeing who I follow). In addition, the application would have been able to access Twitter functionality on my behalf (such as following new people, updating my profile, posting Tweets for me). However, it wouldn’t have access to my private Twitter information (such as direct messages and more importantly my password). I knew this to be true because of the following information that is displayed on Twitter’s web page for “Signing in with Twitter”:

 

Image 1

After viewing the displayed web page, I trusted that Twitter would not give the application access to my password and direct messages. I felt that my account was safe, so I signed in and played with the application. I saw that the application had the functionality to access and display Twitter direct messages. The functionality, however, did not work, since Twitter did not allow the application to access these messages. In order to gain access, the application would have to request proper authorization through the following Twitter web page:

 

Image 2

The web page displayed above is similar to the previous web page (Image 1). However, it also says the application will be able to access your direct messages. Also, the blue button is different. It says “Authorize app” instead of “Sign in”. While playing with the application, I never saw this web page (Image 2). I continued playing with the application for some time, viewing the functionality, logging in and out from the application and Twitter, and so on. After logging in to the application, I suddenly saw something strange. The application was displaying all of my Twitter direct messages. This was a huge and scary surprise. I wondered how this was possible. How had the application bypassed Twitter’s security restrictions? I needed to know the answer.

My surprise didn’t end here. I went to https://twitter.com/settings/applications to check the application settings. The page said “Permissions: read, write, and direct messages”. I couldn’t understand how this was possible, since I had never authorized the application to access my “private” direct messages. I realized that this was a huge security hole.

 

I started to investigate how this could have happened. After some testing, I found that the application obtained access to my private direct messages when I signed in with Twitter for a second or third time. The first time I signed in with Twitter on the application, it only received read and write access permissions. This gave the application access to what Twitter displays on its “Sign in with Twitter” web page (see image 1). Later, however, when I signed in again with Twitter without being already logged in to Twitter (not having an active Twitter session – you have to enter your Twitter username and password), the application obtained access to my private direct messages. It did so without having authorization, and Twitter did not display any messages about this. It was a simple bypass trick for third-party applications to obtain access to a user’s Twitter direct messages.

 

In order for a third-party application to obtain access to Twitter direct messages, it first has to be registered and have its direct message access level configured here: https://dev.twitter.com/apps. This was the case for the application I was testing. In addition and more importantly, the application has to obtain authorization on the Twitter web page (see Image 2) to access direct messages. In my case, it never got this. I never authorized the application, and I did not encounter a web page requesting my authorization to give the application access to my private direct messages.
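
As an added illustration (constructed for this edit; it is not Twitter’s code and not a description of Twitter’s real implementation), here is a small model of an authorization server that keeps the application’s registered access level separate from what each user actually consented to. It replays the sequence from the post (sign in with a live session, then sign in again after logging out) and shows the difference between a token derived from the registered level and one limited to the user’s consent. The app name, the scope names, the user name and the mechanism of the modelled defect are all assumptions.

```python
"""Constructed model of OAuth-style consent tracking; not Twitter's code."""
from dataclasses import dataclass, field

READ, WRITE, DM = "read", "write", "direct_messages"
# Scopes the "Sign in" page (Image 1) advertises; clicking it consents to nothing more.
SIGN_IN_SCOPES = frozenset({READ, WRITE})


@dataclass(frozen=True)
class App:
    name: str
    registered_scopes: frozenset  # access level configured when the app was registered


@dataclass
class AuthServer:
    enforce_consent: bool = True
    apps: dict = field(default_factory=dict)
    consent: dict = field(default_factory=dict)  # (user, app) -> scopes the user agreed to
    tokens: dict = field(default_factory=dict)   # (user, app) -> scopes on the live token

    def register_app(self, app: App) -> None:
        self.apps[app.name] = app

    def _issue_token(self, user: str, app_name: str, fresh_login: bool) -> frozenset:
        app = self.apps[app_name]
        consented = self.consent.get((user, app_name), frozenset())
        if not self.enforce_consent and fresh_login:
            # Modelled defect (an assumption about the mechanism, not a known root cause):
            # a sign-in that went through the password form derives the token from the
            # app's registered access level instead of from this user's consent.
            scopes = app.registered_scopes
        else:
            # Hardened rule: a token never carries more than registered AND consented.
            scopes = app.registered_scopes & consented
        self.tokens[(user, app_name)] = scopes
        return scopes

    def sign_in(self, user: str, app_name: str, fresh_login: bool = False) -> frozenset:
        """'Sign in with ...' flow: consents only to the scopes the sign-in page shows."""
        app = self.apps[app_name]
        key = (user, app_name)
        self.consent[key] = self.consent.get(key, frozenset()) | (app.registered_scopes & SIGN_IN_SCOPES)
        return self._issue_token(user, app_name, fresh_login)

    def authorize(self, user: str, app_name: str) -> frozenset:
        """'Authorize app' flow (Image 2): explicit consent to every registered scope."""
        self.consent[(user, app_name)] = self.apps[app_name].registered_scopes
        return self._issue_token(user, app_name, fresh_login=True)

    def revoke(self, user: str, app_name: str) -> None:
        self.consent.pop((user, app_name), None)
        self.tokens.pop((user, app_name), None)

    def over_privileged_apps(self, user: str) -> list:
        """The settings/applications check: apps holding scopes this user never consented to."""
        return sorted(app for (u, app), scopes in self.tokens.items()
                      if u == user and scopes - self.consent.get((u, app), frozenset()))


def replay_story(enforce_consent: bool) -> frozenset:
    """Repeat the post's sequence and return the scopes the app ends up holding."""
    server = AuthServer(enforce_consent=enforce_consent)
    server.register_app(App("dm-reader-app", frozenset({READ, WRITE, DM})))  # constructed app
    server.sign_in("alice", "dm-reader-app", fresh_login=False)  # first sign-in: read/write only
    return server.sign_in("alice", "dm-reader-app", fresh_login=True)  # second: no live session


if __name__ == "__main__":
    print("without consent check:", sorted(replay_story(False)))  # includes direct_messages
    print("with consent check   :", sorted(replay_story(True)))   # read, write only
```

The point of the model is the single rule in `_issue_token`: the scopes on a token are always the intersection of what the application registered for and what this particular user agreed to on a consent page, and no login path is allowed to widen that set. `over_privileged_apps` is the server-side version of the check the post asks users to do by hand on the applications settings page.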

 

I tried to quickly determine the root cause, although I had little time. However, I could not determine this. I therefore decided to report the vulnerability to Twitter and let them do a deeper investigation. The Twitter security team quickly answered and took care of the issue, fixing it within 24 hours. This was impressive. Their team was very fast and responsive. They said the issue occurred due to complex code and incorrect assumptions and validations.

 

While I think the Twitter security team is great, I do not think the same of the Twitter vulnerability disclosure policy. The vulnerability was fixed on January 17, 2013, but Twitter has not issued any alerts/advisories notifying users.

 

There should be millions of Twitter users (remember Twitter has 200 million active users) that have signed in with Twitter into third-party applications. Some of these applications might have gained access to and might still have access to Twitter users’ private direct messages (after the security fix the application I tested still had access to direct messages until I revoked it).

Since Twitter has not alerted its users of this issue, I think we all need to spread the word. Please share the following with everyone you know:

Check third-party applications permissions here: https://twitter.com/settings/applications

If you see an application that has access to your direct messages and you never authorized it, then revoke it immediately.

 

Ironically, we could also use Twitter to help users. We could tweet the following:

Twitter shares your DMs without authorization, check 3rd party application permissions  https://ioactive.com/you-can-not-trust-social-media-twitter-vulnerable/ #ProtectYourPrivacy (Please RT)

 

I love Twitter. I use it daily. However, I think Twitter still needs a bit of improvement, especially when it comes to alerting its users about security issues when privacy is affected.

 

INSIGHTS | August 8, 2012

Impressions from Black Hat, Defcon, BSidesLV and IOAsis

A week has passed since the Las Vegas craziness and we’ve had some time to write down our impressions about the Black Hat, Defcon and BSidesLV conferences as well as our own IOAsis event.

It was great for me to meet lots of people—some of whom I only see once a year in Las Vegas. I think this is one of the great things about these events: being able to talk for at least a couple of minutes with colleagues and friends you don’t see regularly (the Vegas craziness doesn’t allow long chats most of the time). I also got to meet people personally for the first time after working together and/or communicating just by email, Twitter, or chat. The IOActive team delivered a lot of successful talks that were well received by the public, which makes me proud of our great team and reflects well on our constant hard work.

By Fernando Arnaboldi

 

Fwknop at IOAsis:

The “Single Packet Authorization” term was first mentioned by MadHat at the BlackHat Briefings in July 2005; however, the first available implementation of SPA was the release of fwknop in May 2005 by Michael Rash. Basically, it grants access to a service upon receiving a particular packet.

We had the opportunity at the IOAsis to attend a fwknop presentation given by Michael Rash. The tool is currently capable of performing several useful things:

· It allows you to hide a service on a “closed” port.
· It lets you create a “ghost service” where a port switches for a short period of time to whatever service is requested within an SPA packet (e.g. SSHD)—and it doesn’t seem to be susceptible to replay attacks like a normal port knocking implementation would.
· And the list goes on.

 

Hiding and obscuring available services on external networks looks like a first interesting line of defense, and fwknop seems to be the leader in that field.

 

By Ian Amit @iiamit

 

BlackHat/BSides/Defcon Week: Finding My Peace

 

After finally recovering from a week (which felt like a month) in Vegas, I can safely say that I found my peace. Although it was one of the more hectic weeks I’ve had this year—and the most successful BlackHat/BSides/Defcon personally—I managed to find myself in a better place professionally, socially, and generally. How did this come about?

 

Although BlackHat has been wandering the past few years between what it used to be—a highly professional security conference—and what it started to become (for me at least)—a vendor dog-and-pony show—I thought the new format of tracks focused on different security elements made a difference in how attendees approached the topics. Additionally, the arsenal pods allowed more free-form presentations and discussions on new technologies and ideas while capitalizing on the hallway-track that conferences so famously miss out on.

 

My schedule really put me in a position to appreciate the entire spectrum of our amazing community: speaking at BlackHat first thing in the morning after the keynote, switching gears to volunteer for the security staff at BSidesLV, and then speaking at BSides. From the more polished feel of BlackHat to the relaxed atmosphere of BSides, from a stressful speaking slot to giving back to the community, it just made perfect sense…

 

Having a chance to get together with people I consider friends online and offline was another critical aspect of my week in Vegas. Although some of these meetings were ridiculously short, the energy, and the relationship boost they gave was invaluable. A critical part of being in information security is the ability to work with industry peers in ways that nurture critical thinking, innovation, and peer-support (and criticism). Being able to throw around research initiatives; explore new elements of the information security world; and talk about business, government, international relations, law, economics, physical security, and other crazy aspects that we all need to take into account is a must-have in an industry that has almost zero-tolerance for failure.

 

Wrapping it up with a massive Defcon attendance, talks, and of course the occasional party was the cherry on top. Although some nights felt more like work than play, you won’t hear me complaining because even though party hopping between 4–5 venues to catch up with everyone really took its toll physically, I got to see a beautiful sunrise over the desert.

 

Last but definitely not least, getting the chance to meet with co-workers from around the globe was a great experience made possible by working for a company large enough to have people in almost every time zone. So, being able to do that against the backdrop of an amazing Freakshow party (thanks again to Keith Myers and Infected Mushroom) just made all the talks about exploits, kernel space vulnerabilities, counter-intelligence, and social engineering that much more appropriate.

 

Until the next Vegas, stay safe!

INSIGHTS | July 19, 2012

IOActive Las Vegas 2012

That time of the year is quickly approaching and there will be nothing but great talks and enjoyment. As a leading security and research company, IOActive will be sharing a lot of our latest research at BlackHat USA 2012, BSidesLV 2012, and IOAsis. And, of course, we’ll also be offering some relaxation and party opportunities, too!

This year we are proud to be one of the companies with more talks accepted than anyone else at BlackHat USA 2012, an incredible showing that backs up our team’s hard work:
· SEXY DEFENSE – MAXIMIZING THE HOME-FIELD ADVANTAGE, by Iftach Ian Amit
· EASY LOCAL WINDOWS KERNEL EXPLOITATION, by Cesar Cerrudo
· THE LAST GASP OF THE INDUSTRIAL AIR-GAP, by Eireann Leverett
· HERE BE BACKDOORS: A JOURNEY INTO THE SECRETS OF INDUSTRIAL FIRMWARE, by Ruben Santamarta
We also will be showing interesting tools at BlackHat Arsenal:
· BURP EXTENSIBILITY SUITE by James Lester and Joseph Tartaro
…and we will be presenting at BSidesLV 2012, too:
· SEXY DEFENSE – MAXIMIZING THE HOME-FIELD ADVANTAGE, by Iftach Ian Amit
· OCCUPY BURP SUITE: Informing the 99% What the 1% are Taking Advantage Of, by James Lester and Joseph Tartaro
But wait, that’s not all—at the same time as BlackHat and BSidesLV we will be running IOAsis, where VIPs can meet with our team and also attend exclusive talks, where our team will present their latest research.
Enough already? No, there’s still more. For the second year IOActive will be sponsoring BarCon, an exclusive, invitation-only event where the great hacking minds get together to talk about who knows what. And to drink.
And last, but certainly not least, IOActive will present the fifth annual Defcon Freakshow, the freakiest party for celebrating Defcon 20! More information is available on the Facebook page: http://www.facebook.com/events/409482889093061/

 

If you are not tired of reading yet, continue and find more information about our talks at BlackHat USA 2012 and BSidesLV 2012:

HERE BE BACKDOORS: A JOURNEY INTO THE SECRETS OF INDUSTRIAL FIRMWARE, by Ruben Santamarta
July 25, 2012. 5:00–6:00pm. BlackHat USA 2012

PLCs, smart meters, SCADA, Industrial Control Systems…nowadays all those terms are well known to the security industry. When critical infrastructures come into play, the security of all those systems and devices that control refineries, water treatment or nuclear plants poses a significant attack vector.

For years, the isolation of that world provided the best ‘defense’ but things are changing and that scenario is no longer valid. Is it feasible to attack a power plant without ever visiting one? Is it possible to hack into a smart meter…without having that smart meter? Yes, it is. This talk discusses the approach followed to do so, mixing theory and practice.

This presentation pivots around the analysis of firmware through reverse engineering in order to discover additional scenarios such as backdoors, confidential documentation or software, and vulnerabilities. Everything explained will be based on real cases, unveiling curious ‘features’ found in industrial devices and disclosing some previously unknown details of an interesting case: a backdoor discovered in a family of smart meters.

We will navigate through the dark waters of Industrial Control Systems, where security by obscurity has ruled for years. Join us on this journey, here be backdoors…

THE LAST GASP OF THE INDUSTRIAL AIR-GAP, by Eireann Leverett
July 25, 2012. 2:15–3:15pm. BlackHat USA 2012

Industrial systems are widely believed to be air-gapped. At previous Black Hat conferences, people have demonstrated individual utilities control systems directly connected to the internet. However, this is not an isolated incident of failure, but rather a disturbing trend. By visualizing results from SHODAN over a 2½-year period, we can see that there are thousands of exposed systems around the world. By using geo-location and vulnerability pattern matching to service banners, we can see their rough physical location and the numbers of standard vulnerabilities they are exposed to.

This allows us to look at statistics about the industrial system security posture of whole nations and regions. During the process of this project, I worked with ICS-CERT to inform asset-owners of their exposure and other CERT teams around the world. The project has reached out to 63 countries, and sparked discussion of convergence toward the public internet of many insecure protocols and devices.
The original dissertation can be found here: https://ioactive.com/wp-content/uploads/2012/07/2011-Leverett-industrial.pdf

EASY LOCAL WINDOWS KERNEL EXPLOITATION, by Cesar Cerrudo
July 26, 2012. 5:00–6:00pm. BlackHat USA 2012

For some common local kernel vulnerabilities there is no general, multi-version, reliable way to exploit them. While there have been interesting techniques published, they are neither simple nor do they work across different Windows versions most of the time. This presentation will show easy and reliable cross-platform techniques for exploiting some common local Windows kernel vulnerabilities. These new techniques even allow exploitation of vulnerabilities that have been considered difficult or almost impossible to exploit in the past.

SEXY DEFENSE – MAXIMIZING THE HOME-FIELD ADVANTAGE, by Iftach Ian Amit
July 25, 2012. 10:15–11:15am. BlackHat USA 2012
July 25, 2012. 5:00–6:00 pm. BSidesLV 2012

Offensive talks are easy, I know. But the goal of offensive security at the end of the day is to make us better defenders. And that’s hard. After the penetration testers (or worse, the red team) leave, there’s usually a whole lot of vulnerabilities, exposures, threats, risks and wounded egos. Now comes the money time—can you fix this so your security posture will actually be better the next time these guys come around?

This talk focuses mainly on what should be done, not what should be BOUGHT—you probably have most of what you need already in place and you just don’t know it yet.
The talk will show how to expand the spectrum of defenders from a reactive one to a proactive one, will discuss ways to perform intelligence gathering on your opponents, and will model how that can assist in focusing on an effective defense rather than a “best practice” one. Methodically, defensively, decisively. The red team can play ball cross-court, so should you!

BURP EXTENSIBILITY SUITE, by James Lester and Joseph Tartaro
July 25, 2012. 3:30–4:30 pm BlackHat USA 2012 – Arsenal

Whether it be several Class B Subnets, a custom web application utilizing tokenization, or the integration of third-party detection/exploitation software, there comes a time when your go-to testing application is insufficient as is. With Burp Suite Extensibility you can push these requirements to the next level by building functionality that allows you to perform your required task while maintaining efficiency, value, and, most of all, detection/exploitation of the specified target. Several extensions along with a common extensibility framework will be on display to demonstrate its ability, adaptation, and ease of use while still reaching your testing requirements. Along with the demonstration, these extensions will be released to the public during the week of BlackHat to encourage further development and extensibility participation.

OCCUPY BURP SUITE: Informing the 99% What the 1% are Taking Advantage Of, by James Lester and Joseph Tartaro
July 26, 2012. 3:00–4:00 pm BSidesLV 2012

In this presentation, James Lester and Joseph Tartaro will focus on building demand, support, and an overall desire around the creation of Burp Suite extensions with the hope of bringing extensibility to the forefront of web application testing. Lester and Tartaro will introduce up to a dozen extensions they’ve created that utilize currently-accessible functionality within the extensibility suite. Along with the release of these extensions, a campaign will be presented to organize and develop an extension community that documents tool primers, lessons learned, and tips/tricks; and hosts extensions and tools catered to Burp. Something learned isn’t research until it’s shared—putting this statement into practice, the duo believes that BSides is the perfect environment to help collect data, convey interests, and share results.

INSIGHTS | July 16, 2012

The Value of Data

Have you ever entered an office and seen a pile of money sitting unattended and easily accessible on a desk? How many people in your company have a key or combination to a safe with money inside and can open that safe without any controls? Do you leave money in a non-secure place that everyone knows about and can freely access?

Your probable answer to all these questions is NO, which makes sense—what doesn’t make sense is how so many companies don’t think the same way about data. I think data is worth a lot of money if you consider how important it is in terms of cost to the company: cost when it’s stolen, cost when it’s not available, et cetera. Data deserves to be protected as if it were money, but most of it is freely available by way of corporate databases; once you access the database you can play with the data at will, bypassing only modest controls or restrictions.

Of course you need a username and password to make the initial connection or exploit a SQL injection vulnerability (for example), but we all know it’s not that difficult to get access, as shown by recent events. A lot of user passwords have been leaked, obtained from successfully-hacked companies that apparently didn’t protect their data properly and, as a result, put their business at serious risk.

The main cause of data breaches is an improperly-secured database. Unfortunately, when it comes to database security, most companies are ages away from doing it properly.

For example, if the statement used to access a table is always:

    Select * from user_accounts where user_email = X

why would you let anyone execute the next SQL statement:

    Select * from user_accounts

Why not use stored procedures exclusively and remove all direct access to tables? Why not set alerts to trigger when common SQL injection-related errors occur? Why not monitor the database in real time to detect suspicious activities? Why not create a table named “important_data_is_here” and fire all the alarms when someone tries to access it?

Database servers don’t have advanced security features, but there are numerous third-party solutions that do—Database Activity Monitoring (DAM: a kind of database IPS) being one example—and a very small percentage of companies are using them. This isn’t just about using a DAM product (which won’t solve all your problems anyway), but it does provide a good start, allowing you to know in “real time” whether someone is digging around and playing with your databases.

If you don’t want to spend money on third-party solutions, there are ways to do customized DAM builds using database-provided functionality that involves creating alerts on specific actions, setting custom permissions on different database objects, monitoring and analyzing logs, creating a database honeypot and querying and analyzing system tables; however, when you have dozens (or hundreds) of databases, the difficulty level increases quickly and you’ll need to have database security-wise personnel in place.
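
A small constructed example of the do-it-yourself approach (added here; it is not a product and not code from the post): three rules run over a few made-up database audit log lines, flagging the injection-style error messages, the access to a honeypot table, and the statement shapes that the application account never runs in normal operation, which are the three checks the questions above ask for. The log format, the baseline statement shape, the account name and the error strings are all assumptions.

```python
"""Constructed 'do-it-yourself DAM' detector: rules over database audit log lines.
The log format, baseline, account name and error strings are assumptions."""
import re
from typing import List, Tuple

HONEYPOT_TABLES = {"important_data_is_here"}   # nobody legitimate should ever touch this
# Error texts that commonly appear in the log when a SQL injection is being probed for.
INJECTION_ERROR_PATTERNS = [
    re.compile(p, re.I) for p in (
        r"unclosed quotation mark", r"incorrect syntax near",
        r"syntax error", r"unterminated quoted string",
    )
]
# Baseline: the statement shapes the application account is expected to run (constructed).
BASELINE = {"webapp": {"SELECT * FROM USER_ACCOUNTS WHERE USER_EMAIL = ?"}}

LINE_RE = re.compile(r'^(?P<ts>\S+) user=(?P<user>\S+) db=(?P<db>\S+) (?P<kind>stmt|err)="(?P<text>.*)"$')
TABLE_RE = re.compile(r"\b(?:FROM|JOIN|INTO|UPDATE)\s+([A-Za-z_][A-Za-z0-9_.]*)", re.I)

# Constructed sample log: a normal day for the application account, then trouble.
SAMPLE_LOG = """\
2012-07-16T09:58:01 user=webapp db=crm stmt="SELECT * FROM user_accounts WHERE user_email = 'ann@example.org'"
2012-07-16T09:58:07 user=webapp db=crm stmt="SELECT * FROM user_accounts WHERE user_email = 'bob@example.org'"
2012-07-16T10:02:11 user=webapp db=crm err="Unclosed quotation mark after the character string ''"
2012-07-16T10:03:40 user=webapp db=crm stmt="SELECT * FROM user_accounts"
2012-07-16T10:04:02 user=webapp db=crm stmt="SELECT * FROM important_data_is_here"
"""


def normalize(stmt: str) -> str:
    """Replace literals with '?' and collapse whitespace so statements compare by shape."""
    shape = re.sub(r"'(?:[^']|'')*'", "?", stmt)          # string literals
    shape = re.sub(r"\b\d+(?:\.\d+)?\b", "?", shape)       # numeric literals
    return " ".join(shape.split()).upper()


def detect(log: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, rule, detail) for every line that trips a rule."""
    alerts = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                                       # unknown line format: skip
        ts, user, kind, text = m["ts"], m["user"], m["kind"], m["text"]
        if kind == "err":
            if any(p.search(text) for p in INJECTION_ERROR_PATTERNS):
                alerts.append((ts, "sqli-error", text))
            continue
        tables = {t.lower() for t in TABLE_RE.findall(text)}
        if tables & HONEYPOT_TABLES:                       # the tripwire table was touched
            alerts.append((ts, "honeypot", text))
            continue
        shape = normalize(text)
        if shape not in BASELINE.get(user, set()):         # a shape this account never runs
            alerts.append((ts, "unexpected-statement", shape))
    return alerts


def run_example() -> List[Tuple[str, str, str]]:
    return detect(SAMPLE_LOG)


if __name__ == "__main__":
    for ts, rule, detail in run_example():
        print(ts, rule, detail)
```

Comparing statements by shape rather than by text is what makes the baseline rule workable: the two legitimate lookups differ only in the e-mail literal and collapse to one allowed shape, while the unfiltered `SELECT * FROM user_accounts` is a different shape and is flagged even though it touches the same table. In practice the baseline would be learned from a known-good period per account, and the honeypot and error rules would page someone rather than print.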
I’ve researched database security for more than 10 years and have seen database software vendors seriously improve the security of their products, but I have yet to see noticeable improvements at the company level—as indicated by all the breaches we know and don’t know about—corporations still don’t seem to get that data is money.

INSIGHTS | April 4, 2012

Hackito Ergo Sum: Not Just Another Conference

My name is Jonathan Brossard, but you may know me under the nic Endrazine. Or maybe as the CEO of Toucan System. Never mind: I’m a hacker. Probably like yourself, if you’re reading this blog post. Along with my friends Matthieu Suiche and Philippe Langlois—with the invaluable help of a large community worldwide—we’re trying to build a conference like no other: Hackito Ergo Sum.
First, a bit of background on conferences as I have discovered them:
I remember really well the first conference I attended almost a decade ago: it was PH-Neutral in Berlin. The first talk I’d ever seen was from Raoul Chiesa on attacking legacy X25 networks, specifically how to root satellites. (For those unfamiliar with X25, it was the global standard for networking before the internet existed. Clearly, if you sent a satellite to space in the 1980s, you weren’t going to get it back on earth so that you could patch it and upgrade its network stack, so it would remain in space, vulnerable for ages, until its owner eventually decided to change its orbit and destroy it).
The audience comprised some of the best hackers in the world and I got to meet them. People like Dragos Ruiu, FX, Julien Tinnes, and various members of the underground security industry were asking questions or completing what the presenter was saying in a relaxed, respectful, and intelligent atmosphere. It was a revelation. That’s when I think I decided I’d spend the rest of my life learning from those guys, switch my career plans to focus on security full time, and eventually become one of them: an elite hacker.
Back in those days, PH-Neutral was a really small conference (maybe 50 or 100 people, invitation only). Even though I had many years of assembly development and reverse engineering behind me, I realized those guys were way ahead in terms of skills and experience. There were exactly zero journalists and no posers. The conference was put together with very little money and it was free; anyone could pay for their travel expenses and accommodations, and, as a result, all the people present were truly passionate about their work.
Since then I’ve traveled the world, gained some skills and experience, and eventually was able to present my own research at different security conferences. I have probably given talks or trainings at all the top technical security conferences in the world today, including CCC, HITB, BlackHat U.S., and Defcon. I couldn’t have done half of it without the continuous technical and moral help and support of an amazing group of individuals who helped me daily on IRC.

Building the Team
I remember the first talk I ever gave myself: it was at Defcon Las Vegas in 2008. Back in those days, I was working in India for a small security startup and was quite broke (imagine the salary of an engineer in India compared to the cost of living in the U.S.). I was presenting an attack, working against all the BIOS passwords ever made, as well as most disk encryption tools (Bitlocker, Truecrypt, McAfee). I remember Matthieu knocking at my door after his own BlackHat talk on RAM acquisition and forensics: he was only 18 and had no place to stay!

 

We slept in the same bed (no romantic stuff involved here). To me, that’s really what hacking was all about: sharing, making things happen in spite of hardcore constraints, friendship, knowledge. I also started to realize that those big conferences had nothing to do with the small elite conferences I had in mind. A lot of the talks were really bad. And it seemed to me that attitude, going to as many parties as possible, and posing for journalists was what attendees and most speakers really expected from those conferences.

 

In 2008 during PH-Neutral (once again), I met Philippe Langlois. For those of you who don’t know him by any of his numerous IRC nics, you might know him as the founder and former CTO of Qualys. An old-school guy. Definitely passionate about what he was doing. Phil was feeling equally unsatisfied with most conferences: too big, too commercial, too much posing, and very little actual content. At that time in France the only security conference was organized by the army and the top French weapons sellers. To make it even worse, all the content was in French (resulting in zero international speakers, which is ridiculous given that we collaborate daily with hackers literally from around the globe, even when coding in our bedrooms, at our desks, or in a squat).
So, we decided to make our own conference with Matt.

 

Breaking the Rules and Setting Our Own
We agreed immediately that the biggest problem with modern conferences was that they had turned into businesses. You can’t prioritize quality if your budget dictates you have famous, big-name speakers. So we decided that Hackito would be a spin-off from the /tmp/lab, the first French hackerspace, which was a 100% non-profit organization housed in a stinky basement of an industrially-zoned Paris suburb. At first we squatted until we reached an agreement with the landlord, who agreed to let us squat and eventually pay for both our electricity (which is great for running a cluster of fuzzing machines) and water. It was humid, the air was polluted by a neighboring toxic chemical plant, and trains passed by every 10 minutes right outside the window. But it didn’t matter because this spot was one of the most important hacker headquarters in France.

 

One thing that played a major role in creating the spirit of Hackito was the profile of the people who joined this hackerspace: sure there were software programmers, but also hardware hackers, biologists, artists, graphic designers, and general experimenters who wanted to change the world from a dank, humid garage. This was a major inspiration to us because (just like the internet) anyone was welcome to the space, without discrimination. Hackerspaces by nature are open and exchange a lot of information by having joint events such as the HackerSpace Festival or hosting members from other hackerspaces for extended periods of time. We modeled this by wanting to share with other conferences instead of competing, which led to the Security Vacation Club (it started as a joke, but today allows us to share good speakers, good spirit, and mutual friendship with other hacking conferences we respect).

 

We then called our irc friends for help. Some could make it and others couldn’t, but all of them contributed in one way or another, even if it was only with moral support.

 

Early Days
Building your own conference out of thin air is more challenging than you might expect and, of course, we wanted to do it with minimal sponsorship. We agreed straight away with sponsors that they’d get nothing in exchange for their support (no anticipated disclosure, no right to vote on what talks would be presented, no paid talk or keynote). We requested help from friends to help us select solid technical talks and to come speak. You’d be surprised how the hackers you respect most (and are seriously busy) are willing to help when they share the spirit of what you’re doing.

 

So, we ended up with the scariest Programming Committee on earth, for free—I don’t think there’s a company in existence with a security team half as talented. I can’t express here how much we value the time and effort that they, and our speakers, spend helping us. Why would they do this? Because a lot of people are unsatisfied with the current conference offerings. Now don’t get me wrong, commercial and local conferences do offer value, if only to gather disparate communities, foster exchange of ideas, and sometimes even introduce business opportunities. If you’re looking for your first job in the security industry, there’s no better choice than attending security conferences and meeting those who share the same taste for security.


Hackers Prize Quality—Not Open Bars, Big Names, or Bullshit
To give you some perspective: two of the talks nominated at last year’s Pwnie Awards at BlackHat were given first at Hackito: Tarjei Mandt with his 40 Windows kernel exploits (winner of the Pwnie Award for best local exploit), and Dan Rosenberg and Jon Oberheide with their exploit against grsecurity. That’s what Hackito is all about: giving an opportunity to both known and unknown speakers, judging them based solely on their work—not their stardom or their capacity to attract journalists, or money.


I think it’s important to make clear that most Hackito speakers have paid for their own plane tickets and accommodations to come and present their work in Paris. I can’t thank them enough for this; they are true hackers. It is common practice for so-called security rock stars to not only pay for nothing, but to ask for a four-digit check to present at any conference. In contrast, we believe our hacking research is priceless and that sharing it for free (or even at your own cost) with your peers is what makes you a hacker. That’s the spirit of Hackito.
Without any rock stars, Hackito can feature what we believe represents some of the most innovative security researchers worldwide. The content is 100% in English and must be hardcore technical—if you can’t code, you can’t talk, for the most part. If it’s not new or offensive, we don’t care. If you’re asking yourself why anyone would present years of hard research for free at Hackito instead of selling it to the highest bidder, the answer is simple: respect from your peers. That’s what hackers do: distribute software, share knowledge, collaborate. Period.


Hackito is More Than Just Talks
I’ve used the words quality and best a lot in this post; to be honest, I believe competition is a bad thing in general and for hacking in particular. Hacking is not about being better than others. It’s about being better than the machine and getting better yourself. It has everything to do with sharing and being patient, polite, passionate, respectful, innovative…that is, being an accomplished human being.


If you remember only one thing from this post, make it that message.


In the same vein, I don’t see Hackito as directly competing with other conferences. We actually speak at other conferences of similar quality and I strongly believe that any conference that promotes hacking is a good thing. We need diverse offerings to match all skills and expectations. Hackito focuses on the hardcore top end of security research, but that doesn’t mean newbies shouldn’t be allowed to progress in other cons.
The Hackito framework allows us to offer more than just talks, which are important, but as FX repeatedly told me in the PH-Neutral days: the conference is the people. Therefore, we try to keep the conference as open as possible. Anyone with a cool security-related project is welcome to submit it to us, making it part of Hackito and labeling it as such. For example, Steven van Acker from the overthewire.org community has written a special war game for attendees every year.


Our presenter line-up seriously rocks! This year, Matias Brutti from IOActive will offer a free workshop on Social Engineering, and Walter Belgers from the highly respected Toool group will do the same with a Lockpicking workshop. Eloi just published a cryptographic challenge, open to anyone on the internet, with the valuable help of Steven Van Acker (who is hosting the challenge on the overthewire.org community servers). Other featured additions include an FPGA reverse engineering challenge by the incredible hardware hacker LeKernel.


We Still Party Hard
Hackito unites hackers from across the globe—Korea, Brazil, Israel, Australia, Argentina, Germany, Sweden, U.S., Portugal, Switzerland, Russia, Egypt, Romania, Chile, Singapore, Vietnam, New Zealand—so of course we have to party a bit. I remember the first Hackito party in our /tmp/lab garage space; imagine the anti-Vegas party: no sponsors, live hardtek music, artists spanking each other in a crazy performance, raw concrete walls, bad cheap beer, virtually no females, zero arrogance, zero drama, zero violence—just 300 people going nuts together. That was one of the best parties of my entire life.
Have a look at our website.
Greetings


Thanks heaps to (in no particular order): itzik, Kugg, redsand, Carlito, nono, Raoul, BSdeamon, Sergey, Mayhem, Cesar Cerrudo, Tarjei, rebel, #busticati, baboon, all those I can’t possibly exhaustively name here, plus the Hackito team of Matt and Phil.
I also must thank:
  • All of our speakers.
  • All of our sponsors (who help us and don’t ask much in exchange).
  • The incredible team behind Hackito that spends countless hours in conference calls on their weekends to make things happen during an entire year so that others can present or party.
  • Our respected Programming Committee of Death (you guys have our highest respect; thank you for allowing us to steal some of your time in return).
  • Every single hacker who comes to Hackito, often from very far, to contribute and be part of the Hackito experience. FX was right: the conference is the people!!
RESEARCH | March 16, 2012

Atmel AT90SC3232CS Smartcard Destruction

Having heard that Atmel actually produced three variants of the AT90SC3232 device, we did some digging and found some of this previously never-seen-by-Flylogic AT90SC3232CS. We already had several AT90SC3232 and AT90SC3232C. We assumed that the CS was just a 3232C with an extra IO pad. Well, one should never ass-u-me anything! The AT90SC3232CS is a completely new design based on the larger AT90SC6464C device.

Decapsulation revealed that Atmel actually did place an active shielding over the surface of the device.  A 350nm, 4 metal process was used on the AT90SC3232CS where the AT90SC6464C was a 350nm, 3 metal.

A quick polishing session removes that residue you saw in the previous photo.  Now the device looks very similar to the AT90SC6464C.

Given that the whole AT90SC family runs encrypted code (code for which even Atmel claims not to know the key), it is mandatory to polish down the device and image the areas of interest at each level in order to trace through the logic.

With the chip at Metal 2, it was time to go to Metal 1.  This is where the actual transistor is put together to become something such as AND, OR, INVert, …

While not strictly required, it is always desirable to remove Metal 1, which leaves the poly/diffusion areas visible. This is always helpful for identifying P/N FETs for our purposes.

Given the feedback received from the recent 3 Metal display, we thought we would do it again. This time, however, we imaged it at 1000x over a span of 25,000 pixels across by 2413 down (25,000 is the maximum a JPEG will allow).

Having no knowledge of how the Atmel AVR smart card family works means we have to tear it down and trace out the databus paths.  The next 4 images are just a sample of the real image we created.  The real image is so huge, it would take days to download.

The next four images can be clicked on to open up the full 25,000 pixel JPEG. Metal 4 was not imaged because it was the active shield. The active shield is an obstacle that can be ignored until the signals determined to be important are identified.


This is definitely the memory encrypt-decrypt block (MED) or at least the entry of it ;).


INSIGHTS | January 17, 2012

A free Windows Vulnerability for the NSA

Some months ago at Black Hat USA 2011 I presented this interesting issue in the workshop “Easy and Quick Vulnerability Hunting in Windows,” and now I’m sharing a more detailed explanation with everyone in this blog post.

In Windows 7 or Windows 2008, the folder C:\Windows\Installer contains many installer files (from already installed applications) with what appear to be random names. When run, some of these installer files (like Microsoft Office Publisher MUI (English) 2007) will automatically elevate privileges and try to install when any Windows user executes them. Since the applications are already installed, there’s no problem, at least in theory.


However, an interesting issue arises during the installation process when running this kind of installer: a temporary file is created in C:\Users\username\AppData\Local\Temp, which is the temporary folder for the current user. The created file is named Hx????.tmp (where ???? seem to be random hex digits), and it appears to be a COM DLL from the Microsoft Help Data Services Module, whose original name is HXDS.dll. This DLL is later loaded by the msiexec.exe process running under the System account, which is launched by the Windows Installer service during the installation process.


When the DLL file is loaded, the code in the DLL file runs as the System user with full privileges. At first sight this seems to be an elevation of privileges vulnerability since the folder where the DLL file is created is controlled by the current user, and the DLL is then loaded and run under the System account, meaning any user could run code as the System user by replacing the DLL file with a specially-crafted one before the DLL is loaded and executed.


Analysis reveals that the issue is not easily exploitable, since the msiexec.exe process generates an MD5 hash of the DLL file and compares it with a known-good MD5 hash value that is read from a file located in C:\Windows\Installer, which is readable and writable only by the System and Administrators accounts.


In order to exploit this issue, an attacker needs to replace the DLL file with a modified DLL file that contains exploit code and still matches the valid MD5 hash. The attacker’s DLL would then run under the System account, allowing privilege elevation and operating system compromise. The problem is that this is not a simple attack—it requires an attack on the MD5 hashing algorithm known as a second-preimage attack, for which there are no practical attacks that I know of, so it’s impossible for a regular attacker to generate a file with the same MD5 hash as the existing DLL file.


The reason for the title of this post comes from the fact that intelligence agencies, which are known for their cracking technologies and power, probably could perform this attack and build a local elevation of privileges 0day exploit for Windows.


I don’t know why Microsoft continues using MD5; it has been banned by Microsoft SDL since 2005 and it seems there has been some component oversight or these components have been built without following SDL guidance. Who knows on what other functionality MD5 continues to be used by Microsoft, allowing abuse by intelligence agencies.
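To make the design point concrete, here is an added example (not code from the original post and not Microsoft’s implementation) of the “verify a helper file, then load it” pattern described above, written the way a defender would want it: the loader accepts only modern digests (MD5 is refused outright), compares in constant time, and copies the verified bytes into a protected staging folder so that what gets loaded is never read again from the user-writable temp folder. Everything in it is constructed: the temp directories stand in for the user’s AppData\Local\Temp and the System-only C:\Windows\Installer folder, and the “DLL” is just a byte string.

```python
"""Added example: hash-verify-then-load, done safely (not the original post's code)."""
import hashlib
import hmac
import os
import tempfile
from pathlib import Path

# Digest algorithms this loader will accept. MD5 is deliberately absent.
ACCEPTED_ALGORITHMS = ("sha256", "sha384", "sha512")


def digest(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of data, refusing weak or unknown algorithms."""
    if algorithm not in ACCEPTED_ALGORITHMS:
        raise ValueError(f"refusing weak or unknown digest algorithm: {algorithm}")
    return hashlib.new(algorithm, data).hexdigest()


def weak_verify_then_load(untrusted_path: Path, expected_md5: str) -> bytes:
    """The pattern the post describes, kept here for contrast: an MD5 check of a
    file that lives in a folder the current user controls, then loading it
    from that same folder. Its only protection is MD5 second-preimage resistance."""
    data = untrusted_path.read_bytes()
    if hashlib.md5(data).hexdigest() != expected_md5:
        raise PermissionError("MD5 mismatch")
    return data


def verify_and_stage(untrusted_path: Path, expected_digest: str,
                     staging_dir: Path, algorithm: str = "sha256") -> Path:
    """Read the candidate once, verify those exact bytes with a strong digest,
    and write only verified bytes into a protected directory (assumed writable
    by privileged accounts only). The caller loads from the returned path."""
    data = untrusted_path.read_bytes()
    if not hmac.compare_digest(digest(data, algorithm), expected_digest):
        raise PermissionError(f"{algorithm} mismatch for {untrusted_path.name}; refusing to stage")
    staged = staging_dir / untrusted_path.name
    # Owner-only permissions; the staging dir itself is assumed non-user-writable.
    fd = os.open(staged, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as out:
        out.write(data)
    return staged


def run_demo() -> dict:
    """Constructed scenario: a genuine helper, then a tampered one, in a user temp dir."""
    root = Path(tempfile.mkdtemp(prefix="hxds-demo-"))
    user_temp = root / "AppData" / "Local" / "Temp"   # stands in for the user's temp folder
    protected = root / "Installer"                     # stands in for a System-only folder
    user_temp.mkdir(parents=True)
    protected.mkdir()

    genuine = b"MZ constructed stand-in for HXDS.dll"  # constructed, not a real DLL
    helper = user_temp / "Hx1234.tmp"
    helper.write_bytes(genuine)
    expected = digest(genuine)  # recorded when the genuine file was produced

    weak_accepts = weak_verify_then_load(helper, hashlib.md5(genuine).hexdigest()) == genuine
    staged = verify_and_stage(helper, expected, protected)

    # A user replaces the file in their own temp folder after the genuine copy was staged.
    helper.write_bytes(b"MZ constructed tampered file")
    try:
        verify_and_stage(helper, expected, protected)
        tamper_refused = False
    except PermissionError:
        tamper_refused = True  # and the staged copy still holds the genuine bytes

    try:
        digest(genuine, "md5")
        md5_refused = False
    except ValueError:
        md5_refused = True

    return {
        "weak_loader_accepts_genuine": weak_accepts,
        "staged_matches_genuine": staged.read_bytes() == genuine,
        "tamper_refused": tamper_refused,
        "md5_refused": md5_refused,
    }


if __name__ == "__main__":
    print(run_demo())
```

The important line is the one that writes `data`, the bytes that were actually hashed, into the protected folder: verification and loading then refer to the same bytes, and the user-writable folder is never consulted again. Swapping MD5 for SHA-256 alone would not remove the dependence on a user-controlled location.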


Note: When installing some Windows updates, the Windows Installer service also creates the same DLL file in the C:\Windows\Temp folder, possibly allowing the same attack.


The following YouTube links provide more technical details and video demonstrations about this vulnerability.


INSIGHTS | October 3, 2011

Windows Vulnerability Paradox

For those who read just the first few lines, this is not a critical vulnerability. It is low impact but interesting, so keep reading.


This post describes the Windows vulnerability I showed during my Black Hat USA 2011 workshop “Easy and Quick Vulnerability Hunting in Windows”.


The Windows security update for the Visual C++ 2005 SP1 Redistributable Package (MS11-025) is a security patch for a binary planting vulnerability. This kind of vulnerability occurs when someone opens or executes a file and this file (or the application used to open the file) has dependencies (like DLL files) that will be loaded and executed from the current folder or from other folders that can be attacker controlled. This particular vulnerability allows an attacker to execute arbitrary code by tricking a victim user into opening a file from a network share. When the victim user opens the file, the application associated with the file is executed, and an attacker-crafted DLL file is loaded and executed by the application.


It’s either funny or scary (you choose) that the Windows security update meant to fix the above-described vulnerability is also vulnerable to the same kind of vulnerability it fixes, and it can be exploited to elevate privileges.


When installing the security update on 64-bit Windows 7, the file vcredist_x64.exe is downloaded and then executed under the System account (the most powerful Windows account, it has full privileges) with some command line options:


"C:\Windows\SoftwareDistribution\Download\Install\vcredist_x64.exe" /q:a /c:"msiexec /i vcredist.msi /qn"

After being run, vcredist_x64.exe tries to launch the msiexec.exe process from the C:\Windows\Temp\IXP000.TMP temporary folder, which is where the vcredist.msi used in the command line option is located, but because msiexec.exe doesn’t exist there, vcredist_x64.exe will fail to run it. Then vcredist_x64.exe launches msiexec.exe from C:\Windows\SysWOW64, where msiexec.exe is located by default on 64-bit Windows 7.


There is an obvious vulnerability here, and it can be exploited by low-privilege Windows users: the DACL of the C:\Windows\Temp\IXP000.TMP temporary folder grants write permission to the Users group, so any Windows user can place a file named msiexec.exe in that folder and execute arbitrary code under the System account when the vulnerable security update is installed.
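The root cause above is a lookup order: the launcher tries a Users-writable temporary folder before the real system folder. The following is an added example (not code from the original post and not Microsoft’s) that puts that naive lookup beside a hardened one which only resolves helper executables from an explicit list of trusted system directories, checks that the directory found is not writable by unprivileged users, and never falls back to a temporary or current directory. The directories are constructed under a temp root, and POSIX permission bits stand in for the Windows DACL (on a real Windows system the ACL would have to be inspected instead); the file contents are placeholder bytes.

```python
"""Added example: naive vs hardened helper-executable resolution (not the post's code)."""
import os
import stat
import tempfile
from pathlib import Path
from typing import Iterable, Optional


def dir_writable_by_unprivileged(directory: Path) -> bool:
    """Model of 'the Users group can write here': group- or world-writable bits.
    Assumption: POSIX mode bits stand in for the Windows DACL in this demo."""
    mode = directory.stat().st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def naive_resolve(name: str, search_order: Iterable[Path]) -> Optional[Path]:
    """First match wins, which is what lets a planted binary run when a
    user-writable folder precedes the system folder in the search order."""
    for directory in search_order:
        candidate = directory / name
        if candidate.is_file():
            return candidate
    return None


def hardened_resolve(name: str, trusted_dirs: Iterable[Path]) -> Optional[Path]:
    """Resolve a bare helper name only from trusted directories. A trusted
    directory that turns out to be writable by unprivileged users is an error,
    not a fallback, and a missing helper yields None rather than a guess."""
    if os.sep in name or (os.altsep and os.altsep in name):
        raise ValueError("helper name must be a bare file name, not a path")
    for directory in trusted_dirs:
        candidate = directory / name
        if not candidate.is_file():
            continue
        if dir_writable_by_unprivileged(directory):
            raise PermissionError(f"{directory} is writable by unprivileged users; refusing to launch from it")
        return candidate.resolve()
    return None


def run_demo() -> dict:
    """Constructed scenario mirroring the post: a planted msiexec.exe in a
    world-writable temp folder and the genuine one in a protected folder."""
    root = Path(tempfile.mkdtemp(prefix="planting-demo-"))
    tmp_ixp = root / "Temp" / "IXP000.TMP"   # stands in for C:\Windows\Temp\IXP000.TMP
    syswow = root / "SysWOW64"               # stands in for C:\Windows\SysWOW64
    tmp_ixp.mkdir(parents=True)
    syswow.mkdir()
    os.chmod(tmp_ixp, 0o777)  # writable by everyone, like the Users-writable DACL
    os.chmod(syswow, 0o755)   # writable by its owner only
    (tmp_ixp / "msiexec.exe").write_bytes(b"constructed planted binary")
    (syswow / "msiexec.exe").write_bytes(b"constructed genuine binary")

    results = {
        "naive_picked_planted":
            naive_resolve("msiexec.exe", [tmp_ixp, syswow]) == tmp_ixp / "msiexec.exe",
        "hardened_picked_genuine":
            hardened_resolve("msiexec.exe", [syswow]) == (syswow / "msiexec.exe").resolve(),
        "temp_dir_flagged": dir_writable_by_unprivileged(tmp_ixp),
        "missing_helper_is_none": hardened_resolve("nothere.exe", [syswow]) is None,
    }
    # Even if someone lists the temp folder as "trusted", the writability check stops it.
    try:
        hardened_resolve("msiexec.exe", [tmp_ixp, syswow])
        results["refuses_writable_dir"] = False
    except PermissionError:
        results["refuses_writable_dir"] = True
    # Helper names carrying path components are rejected before any lookup.
    try:
        hardened_resolve("../msiexec.exe", [syswow])
        results["refuses_path_in_name"] = False
    except ValueError:
        results["refuses_path_in_name"] = True
    return results


if __name__ == "__main__":
    print(run_demo())
```

Note the two behaviours that differ from the launcher described in the post: there is no ordered search that silently moves on when a candidate is absent, and a hit inside a user-writable directory is treated as a failure rather than a success.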


While this is an interesting vulnerability, it’s not critical at all. First, to be vulnerable you have to have the vulnerable package installed and without the security update applied. Second, for an attacker to exploit this vulnerability and elevate privileges, the option “Allow all users to install updates on this computer” must be enabled. This option is enabled on some systems, depending on configuration settings about how Windows updates are installed.


This presents an interesting paradox in that you’re vulnerable if you haven’t applied the vulnerable patch and you’re not vulnerable if you have applied the vulnerable patch. This means that the patch for the vulnerable patch is the vulnerable patch itself.


The following links provide some more technical details and video demonstrations about this vulnerability and how it can be exploited:
INSIGHTS |

Easy and Quick Vulnerability Hunting in Windows

I’m glad to start this new blog for IOA Labs by publishing the video demonstrations and updated slides of my Black Hat USA 2011 workshop. I hope you like it; please send me your feedback, questions, etc. We will continue posting cool materials from our researchers very soon, so stay tuned!