Day 1 of the EUSecWest/core06 security conference in London...

by Justin Clarke

Related link: http://eusecwest.com



Here are my notes from day one of the first annual EUSecWest/core06
security conference in London:



van Hauser
from The Hacker's Choice
talked about IPv6 vulnerabilities, including the
differences, and similarities of performing certain types of exploits
in IPv4 and IPv6, and some of the new issues raised by the introduction
of IPv6. The
presentation can be downloaded from here
.



Some of the interesting highlights from my point of view were:


  • IPv6 is not in widespread use right now in Europe or
    the US
    (it is in Japan and South Korea).  A lot of the people using
    IPv6 (especially over IPv4) at the moment are Blackhats

  • A lot of the IPv4 reconnaissance techniques (such as
    ping
    sweeping) are not possible on IPv6 due to the number of IP's in
    the space - DNS is going to become key in identifying systems


    • Once we can compromise a "public" server (i.e. one
      we can
      find through DNS) we can use IPv6 multicast to find systems on that
      subnet

    • OSPFv3 relies on IPSec.... so we'd better be
      running it,
      or use another routing protocol


  • vh has written a toolset (library?) for testing IPv6,
    and
    created a whole host of tools as part of the IPv6 attack suite:


    • alive6 - for "alive" checking of hosts.
       If you
      are on the
      local subnet.  Ping sweeping the Internet for live hosts is
      not
      going to be feasible in an IPv6 world

    • parasite6 - for Man-in-the-middle attacks,
      leveraging
      weaknesses in Neighbour Discovery protocol (the IPv6 replacement for
      ARP)

    • dos-new-ipv6 - for preventing people from joining
      the
      network by claiming all IPs are already taken

    • fake_router6 - for Man-in-the-middle attacks using
      Router
      Advertisements

    • smurf6 - local subnet DoS using multicast

    • rsmurf6 - remote DoS for broken Linux IPv6 implementation

    • redir6 - route implanting using "secure" ICMPv6 redirects

    • toobig6 - reduce client's MTU


  • vh tested various IPv6 implementations (Windows XP
    SP2, Linux 2.6,
    OpenBSD, FreeBSD 5.3), and found that all of the implementations were
    vulnerable to one or more issues

  • Source routing may make a
    comeback, as all of the OS's tested passed on source routed packets,
    and these can be disguised by putting a fragmentation header in front
    of the routing packet, hence passing routers.



The next talk was by Barnaby
Jack
(from eEye
Digital Security
)
about exploiting embedded
systems.  This one was pretty interesting, and he was using a
standard D-Link DI-604 broadband router as the exploit target.
 Here are some notes:


  • A lot of embedded systems use ARM architectures, and
    real time OS's such as ThreadX

  • By using a JTAG emulator, and with some soldering,
    you can
    hook up a debugger to the device and start debugging the firmware as it
    runs


    • Because of the watchdog timer, the device may need
      a patch to prevent the watchdog from resetting the device

    • Modifying firmware involves figuring out how it is
      encoded and checksummed by the vendor - from debugging the web server
      code


  • The demo was pretty impressive


    • It used a LAN-side 0day bug in a function
      in
      the uPnP code for the router - the exploit removed the admin password,
      and enabled the external WAN side admin port

    • Uploaded modified firmware with a "payload" that
      modified
      every .exe file downloaded through the router (popped up a command
      prompt with "OWNED" on it)





Javier
Burroni
and Carlos
Sarraute
from CORE
Security
gave a quite interesting talk on using
statistical methods and neural networks to more accurately determine
operating system versions from the network.  They talked about
a couple of
different tools:


  • An improved DCE-RPC endpoint mapper, which much more
    reliably determined what Windows version and service pack was running

  • An OS detection tool using the nmap OS signature
    database,
    designed to reduce false positives, and "improbable" results that you
    can get with nmap


    • first neural network to determine whether it is a
      "relevant" OS or not (i.e. one we have exploits for)



    • second neural network to determine what
      OS family the system is - i.e. Linux, Windows, OpenBSD, FreeBSD,
      NetBSD, Solaris

    • neural networks for each OS family to determine
      what version is running.





Nguyen
Anh Quynh
from Keio
University
in Japan (he is involved
with
development of Xen) gave a talk on next generation honeypot technology
using Xen.



He talked about the weaknesses with Sebek in a honeynet environment -
specifically that there are several ways to detect that you are in a
honeypot, from detecting the presence of Sebek, to detecting the
traffic that it sends on the network.



He then talked about "Xebek", which uses Xen to run honeypot systems as
virtual machines ("user domains") within Xen, with the Xebek server
running on the "Domain 0" (host/first VM) on the machine.
 Apparently this, patching the system calls in the kernel, and
using shared memory to share data with the server will fix most of the
weaknesses with Sebek.



There was a spirited discussion in the Q&A about how detectable
this approach will be versus the approach of Sebek.  Quynh did
note that they are not attempting to hide the fact that the
system
in running in Xen, on the assumption that enough production systems
will be running Xen that it will not be suspicious.



Frederick
Raynal
from the EADS
Corporate Research Centre

talked about the (ab)use of crypto.  This included discussion
of a
number of scenarios where crypto, humans, and trust could be
abused, such as:


  • breaking the crypto (mis)used in the SuckIt rootkit
    versions 1 and 2 to take over a network of systems with SuckIt installed

  • using the trust relations, and information stored in
    a
    user's directory to theorise the possibility of a SSH worm.
     This
    included noting the use of existing sessions and other methods of
    capturing or leveraging existing access

  • looked at methods/possibilities for preventing the
    analysis
    of a binary through the use of crypto, including differing situations
    over keys and decryption

  • looked at scenarios for performing Man-in-the-Middle
    attacks against Skype.



Cesar
Cerrudo
from Argeniss
talked about Windows local shellcode injection.  The technique
he
was demonstrating was based on the use of LPC named ports.
 You
can see these things using Process Explorer from href="http://www.sysinternals.com">SysInternals.
 He went through the process of connecting to a process's LPC
port
(including some of the problems, like how to find the name of the
port), create a shared memory section, and use the shared section to
put shellcode into the process's memory space.  This also
returns
you a pointer to where the shellcode resides, making exploit even
easier, more portable, and Windows version independant.



Cesar then went through and demonstrated his exploits for MS05-12 and
MS05-40 that leverage this approach.  



Andrew
Cushman
from href="http://www.microsoft.com/security">Microsoft
came and talked about the work that MS is putting in on the security
front over their products.  Andrew went through a lot of the
efforts that are going into Vista, as well as an interesting talk about
the Microsoft response to the WMF bug.