Tuesday, April 13, 2010

Hackito Ergo Sum, Day 2

The first speaker of the second day was Jorge Luis Alvarez Medina from Core Security. His talk was named "Internet Explorer turns your personal computer into a public file server" and it was the same theme that he has presented at the Black Hat DC 2010 (February 2-3th 2010). His talk explained how it is possible to blindly read every files (navigation history, cookies ...) on the victim's hard drive.

He has begun by presenting security implementations of IE : security zones, zone elevation attack (a web page in a given security zone loads a page from a less restrictive zone) and MIME type detection. The simplest scenario he has described is the following :
1- The attacker put a specific HTML file in the victim's shared folders
2- The attacker send a link to a malicious site to the victim
3- The malicious webpage redirects the navigation flow towards the uploaded file
4- HTML/script code runs in the context of 127.0.0.1

He has continued with a demo with a BeEf module specially developed for this vulnerability. So if you want to protect your computer about this vulnerability, you can for example :
- Set to high the security level of Internet and Intranet zones
- Use Internet Explorer in Protected Mode
- Disable administrative shares
- Change your browser :)

Jonathan Brossard @ HES2010 on TwitpicThe last talk of the morning was presented by Jonathan Brossard from P1 Security and was entitled "Breaking Virtualization by switching to Virtual 8086 mode". He has begun his talk by the definition of virtualization and the presentation of the different kinds of it (full virtualization, paravirtualization). Then he has presented an overview of the different kinds of virtualization vulnerabilities like :
- privilege escalation in a virtual machine
- from one VM, attack an other VM
- do a DOS attack on the host to disrupt VMs
- inside a VM to access the host
During his researchs, Jonathan has fuzzed Virtual Box in which he has found 2 bugs in the hypervisor and a bug concerning the guest machine in Virtual PC. He ended his presentation with a demonstration in which the exploitation of a bug he has found in vserver crash the host machine (his laptop in this case). [Slides]


During the lunch time, I've assisted to the lockpicking workshop which was mainly based on practice. I've learned how to build lockpicks and I've successfully lockpicked one lock.


The afternoon has begun with a conference of Matthieu Suiche from MoonSols about Mac OS X Physical Memory Analysis. He was talking about physical memory analysis on x86/x64 Intel processors macintosh (not PowerPC) running Mac OS 10.5 (Leopard) or 10.6 (Snow Leopard). Lots of informations can be found during analysis of memory like syscalls, processes, machine informations (minor & major OS version, kernel version) ... He is also able to found the password of an user account (used to log on his mac) just in analysing the memory. [Slides]


The next talk was presented by Sandro Gauci and was named "Attacking VoIP – attacks and the attackers".  He has introduced the SIP, SIP scanning and tools like SIPVicious and VoiPPack for CANVAS. [Slides]


Then Laurent Gaffié has started his "Fuzzing the SMB case" conference by the presentation of this old protocol. His approach for his research was the following :
- RFC, books and Microsoft documentation reading
- Set a lab representing a company network with Windows 3.1 to Windows 7
- Fuzz the different implementations of SMB
During his demonstration, the bug discovered has permitted to him to cause a bluescreen from a remote pc in few seconds on a victim Windows 7 machine. At this moment, he's working with Microsoft teams to resolve this bug and it should be patched next Tuesday (MS10-020). He has also discovered lots of other bugs in Vista, XP, 7, 2008 Server, Samba and Netware 6.5 SP8. Because packets are very small, all these bugs have taken less than 2 minutes to be found by Laurent's tools. [Slides]


Lutz Böhne has presented the last talk of the second day which was entitled "Peeking into Pandora’s Bochs: instrumenting a full system emulator to analyse malicious software".  Pandora’s Bochs is an automated unpacker written in python. [Slides]


No comments:

Post a Comment