0900 - 1000
While it's true that many exploits simply send a payload blindly and wait for a shell,
many exploits written today contain pre-checks to determine whether a host is vulnerable,
and only then send the payload. This pattern is often mirrored in malware, worms, and even
vulnerability assessment checks. This paper and talk will focus on educating attendees,
with detailed examples, on how to detect whether vulnerabilities are present without
triggering IPS signatures. It is important to note, however, that this is not a talk on
fragmentation or other ways to exploit a vulnerability while evading an IPS. This is a talk
on crafting the pre-checks in such a way that the vulnerability is never triggered or disclosed,
thus automatically bypassing IPS systems. This is particularly useful for security vendors to
ensure stability and cross-product compatibility, and it is useful from an attacker's perspective,
especially in the case of non-public vulnerabilities, where an attacker may want to build up a
list of vulnerable targets while at the same time not disclosing which vulnerability is actually
being tested for.
ANTHONY BETTINI
McAfee Labs (Senior Researcher)
1000 - 1015
Coffee Break (Beer Available)
1015 - 1115
If bugs are the raw ore of exploits - Rootite, if you like - then we're mining in areas where the
Rootite is rare and deeply buried. Industrial-scale bug mining starts with very, very fast fuzzing.
In contrast to the MS Fuzzing Botnet, we use a dedicated, single-purpose cluster of virtual machines
which is optimised for fuzzing. Last year we released some metrics, then MS released better ones.
So, we rebuilt the whole system and made it faster and more scalable - can we outperform the Redmond
Botnet in one small rack? After a fuzz run, we are left with massive piles of low-grade Rootite, full
of impurities such as Nullpointium, which need to be graded and enriched before they are valuable. After
grading, we "enrich" our highest-grade Rootite by using differential runtracing of crashes to assist
root cause analysis. The runtraces are tens of millions of lines long, but we postprocess them using
magic, funky graphs and compression before comparing them side by side with the clean run. Our diff
files are plaintext, small enough for us to eyeball them, and allow us to navigate to any point in the
trace using any debugger we choose. Feel free to drop by for a guided tour of the mine. Bring a beer.
BEN NAGY
COSEINC (Senior Researcher)
1115 - 1130
Coffee Break
1130 - 1230
Embedded devices are getting more and more pervasive, but not much material is
currently available regarding the exploitation of such devices, in particular
for Linux/MIPS.
Few vulnerabilities are published, and even fewer concern the possibility of
executing arbitrary code, while exploits and shellcodes are nearly absent.
Thorough security reviews are rarely performed, and the release of patches and fixes
usually lags behind.
Research has focused mostly on the security of wireless communications and the
related implementations, or on techniques for attacking devices with private
addressing, while not much has been published regarding the actual exploitation,
which may, in some cases, be non-trivial due to the specific challenges discussed in
the presentation.
In this talk, remote arbitrary code execution on Access Points, with specific
reference to the Linux/MIPS platform, will be demonstrated by leveraging
vulnerabilities discovered by the author.
Devices from major manufacturers, all loaded with their stock firmware, will be
targeted; multiple exploitation demos will be performed and a remote root shell
will be gained on each target.
Different kinds of flaws bring different opportunities, depending on the attack
range (e.g. whether it can be carried out over the Internet or only from the internal LAN) or the need for
authentication: the proposed vulnerabilities and demos have been chosen and
designed to provide samples of different attacks, scenarios and attack
opportunities.
A "no-auth remote blind" attack will also be demonstrated, providing the first
known example of an attacker gaining a remote root shell on an embedded device
by using a smartphone as a "reflector" and leveraging it for the actual
exploitation.
Outline:
- Overview of embedded networking devices
- Specific coverage of Access Points
- Security considerations on APs
- Overview of typical attacks
- Linux/MIPS specific works
- AP exploitation: advantages
- Exploitation goals set-up
- Challenges
- Attacks: different flavours
- Exploitation roundup: 3 APs from different manufacturers
  - For each target:
    - Vulnerabilities discussion
    - Exploitation strategy
    - Demo(s)
- Improvements
- Conclusions
CRISTOFARO MUNE
Specialist in mobile and embedded devices (Senior Researcher)
1230 - 1330
Lunch
1330 - 1430
While more and more new devices (routers, smartphones, etc.) are getting connected to our SOHO/enterprise
environments, hats of all colours are paying plenty of attention to their security: defending and hardening on one
side; exploiting and developing malware on the other.
However, a special class of network devices (specifically network printers/scanners/MFPs),
which have been networked for more than 15 years, constantly escapes the watchful eye of modern security.
And even though we entrust them with even the most confidential documents and the most sacred credentials (LDAP, RFID
badges, etc.), we don't fully realize how weak and unsecured they are, despite the few minor security bulletins
that have started to pop up here and there in recent months.
In this presentation, we will try to analyse the reasons why hacking network printers/MFPs is a reasonable and achievable
idea. Also, we will take a look at the current (weak) state of affairs in the available vulnerability and security research. Then
we will try to envision possible types of exploitation scenarios, backed up by a printer remote-exploit demo. We will conclude
the presentation with possible solutions and what can be done to protect ourselves as well as our network environments.
ANDREI COSTIN
(Senior Researcher)
1430 - 1445
Coffee Break (Beer Available)
1445 - 1545
In 2009 one of the hottest topics has been code reuse and return-oriented programming
as a means to bypass exploitation mitigation features in modern operating systems. We have
seen ROP being applied to x86, SPARC, ARM and even election machines. The time has come to take
ROP into the world of web application security.
This presentation consists of two parts that will apply code reuse and ROP techniques to modern PHP exploits. The
first part will show how ROP is applied entirely at the PHP level, reusing code parts of the already running PHP
application to eventually achieve arbitrary code execution. It will be detailed how different PHP vulnerability
classes can be used for these attacks, demonstrating some lesser-known facts and tricks in PHP exploitation along the way.
The second part of the presentation will go below the PHP level and feature a memory corruption
in PHP itself that is exposed to remote attackers through several widespread PHP applications. It will be demonstrated
step by step how it is possible to develop a remote exploit for this vulnerability, defeating ASLR and NX/DEP on the
way, by utilizing an information leak and returning into the PHP interpreter to execute arbitrary PHP code.
STEFAN ESSER
SektionEins (Senior Researcher)
1545 - 1600
Coffee Break
1600 - 1700
As the title suggests, we will be talking about genetics. Not human
genetics, but the gene concept applied to executable files. We will use
that concept to see what completely different executables have in
common and how we can use that knowledge to build a generic unpacker,
generic in the sense that we will not use any special case to handle
any particular packer. Running inside an x86 emulator like Bochs makes the tool
quite useful for automated malware unpacking.
TORA
Zynamics (Senior Researcher)
CTF'10 PRIZE PRESENTATION AND LUCKY DRAW
End of SyScan'10 Taipei