Black Hat Las Vegas Day 1

Well, this is well late, but here’s my recap of Black Hat Day 1. Sorry for the delay, but I’ve been terribly busy finishing up preparations for my Day 2 talk.

The first talk I went to see, “Pointers and Handles, A Story of Unchecked Assumptions in the Windows Kernel”, by Apple’s Alex Ionescu, discussed a number of vulnerabilities in the Windows kernel-mode library responsible for the Windows GUI subsystem. Most of this talk centered around attacking code where bad assumptions were made regarding the validity of pointers before they are dereferenced, and abusing the kernel mechanism of “protect from close” handles.

As Alex mentioned, these attacks have largely been overlooked in the past, due to the fact that most simply result in Denial of Service conditions. Alex mentioned how these flaws can no longer be overlooked as we have so many users working in Terminal Services emulated environments. I don’t know if Alex mentioned it, but a Denial of Service condition of this fashion could obviously also have lasting effects if used against a “cloud computing” or virtual server environment, where numerous systems could depend upon the up time of a singular machine.

About 3/4 of the way through Alex’s talk, I made my way over to Nitesh Dhanjani and Billy Rios’s talk on identity theft, “Bad Sushi”. I’ve seen and blogged about this presentation numerous times now, but there was some new tricks the pair pulled together. Dhanjani and Rios have talked at a few Black Hat conferences on this, and covered the ecosystem that is identity theft and how phishing, ATM skimming, etc. fill the demand for this market. So, I mentioned they had some new stuff, and it pretty much went like this:

  1. Rios shows a picture of a terrorist with an AK-47 spraying bullets into a crowd, comparing this to the current state of mass phishing attacks.
  2. He says, “Most people will turn and run, or get mowed down, but I will not go quietly into the night… I’m fighting back!”.
  3. Rios now shows a slide of Rambo with a automatic weapon that seems unlikely to be wielded by a single individual, which is to represent Rios and his attack back on the phishers.
  4. Rios sends out numerous word document files with embedded Rick-rolls to the phishers, claiming it is his account information and he’s looking to buy some of their phishing kits.
  5. Said phisher gets Rick-rolled. Awesome!

I next made my way to the “DNS Goodness” talk by Dan Kaminsky. What a circus! By the time I got their, the largest room for Black Hat was full, people were standing room only, spilling out into the hallway for several feet. The heavily air-conditioned room couldn’t keep the temperature down with this many people in the room. Dan’s talk did not let down, despite all of the hype and leakage of information from the attack. The highlight for me was the visualization of vulnerable DNS servers turning into patched DNS servers on a global scale. All said and done, kudos to Dan, he found a serious bug and handled it as best he could to try to protect as many people as possible in my opinion.

The next talk I watched was “Return-Oriented Programming: Exploits Without Code Injection”, by Hovav Shacham. The idea with this talk is that you didn’t need to inject your own shellcode and jump to it, and you don’t need to do a return-to-libc into system, etc. The technique takes what already exists in the program to create shellcode. The method for doing this involves linking code snippets together that achieve the intended purpose, which end in ret instructions which will allow the attacker to control the stack to chain together instructions resulting in shellcode, etc.

Because the executed code is stored in memory marked executable, common protections like DEP and W^X are bypassed. Unfortunately, we’re still left to potentially deal with ASLR, but a very interesting talk and possibly useful technique.

After the “Return Oriented Programming” talk I went to watch my good friend Kevin Stadmeyer talk with co-worker Jacob Carlson on FLEX, AMF 3, and BlazeDS. The talk was interesting, and a bit different then a lot of the talks you see at Black Hat. The talk didn’t focus on any one specific vulnerability, it talked more about how you tackle the challenge of assessing FLEX, AMF 3, and BlazeDS. It also provided perspective for developers on what to keep in mind as potential security issues during design and development. Very interesting perspective, something I think the audience in attendance saw as very useful, especially considering the decent amount of questions that came up.

Finally, and most entertaining for the day, was the Pwnie Awards. The ZDNet blog had two Pwnie Award winners this year, myself (along with Rob Carter and Billy Rios) for best client-side bug, and Ryan Naraine, accepting the award on behalf of Kaspersky for best song. This was my first time attending the show, and it was a ton of fun. Judges Mark Dowd, Alex Sotirov, Dave Aitel, Dino Dai Zovi, and Halvar Flake gave Rob Carter, Billy Rios, and I the nod for best client-side bug, although I will say this for the record, it’s likely we got it as a default since Mark was one of the judges. He certainly deserved it for the amazing amount of hoops he jumped through to pull of his exploit.

Look for Day 2 later today, followed by coverage of DEFCON!

[Source: zdnet]