Toorcon is an annual computer security conference held in San Diego, California
at the San Diego Convention Center on the Bay waterfront.
I'm told it's a cross between Black Hat (expensive, formal) and Defcon (cheap, rowdy), on a smaller scale.
Toorcon is also cheap and in my backyard.
Toorcon has many out-of-town visitors, many from greater LA and even the SF Bay Area.
There were two track sessions, so I didn't catch everything, and I didn't take notes for all sessions.
These notes are mine, so I may have missed something or made mistakes.
In the past Toorcon presentations were posted online at the Toorcon website.
For last year's conference, videos are available at the website.
DVDs of this year's presentations were on sale onsite,
so they may be made available online sometime.
The web is intended for linking everything to everything. It doesn't work very well with mixed zones like Internet and Intranet, or with email on the web.
The exploit described here uses an old technique called "DNS rebinding". It was first found in 1996 (called the "Princeton Attack"), but has since been forgotten. DNS rebinding works by changing the IP address behind a web hostname, so the web client thinks it's still dealing with the same web server and drops its defense mechanisms.
The web works by embedding links from everywhere, not just one website ("late binding" when the webpage is rendered). Web security is based on a "look but don't touch" policy between objects from different web servers. If the IP address behind a web hostname changes, this is defeated. For example, www.foo.com has access to www.foo.com. With DNS rebinding you can change the IP address of www.foo.com, and the web client still acts as if it's the same site.
Webservers are now locked down pretty well with firewalls. But web clients (browsers) are still vulnerable. You can use a web client effectively as a router to bounce off traffic from an internal Intranet network. All you have to do is to lure someone to view a Flash video that has the malicious payload.
Dan's point is that since servers are locked down so much, the easiest targets are clients (usually web browsers).
Large websites typically have multiple IP addresses. This is for load balancing and for distributing webservers throughout the world. Web clients access web services with plugins. Plugins provide sockets. Flash plugins provide sockets to an Internal network. Java plugins provide sockets back to a webserver (which can be switched to a special proxy via DNS rebinding).
There are three ways to do it: Temporal, Spatial, and with a CNAME alias.
Dan wrote a proxy server in Perl called "Slirpie" to perform the proxy function above.
How can Slirpie be used?
One method: with this socket you can, say, open an ssh connection, or use a PPTP socket (as used with VPNs) to obtain general network access.
Other scenarios are possible.
No fixes? Here are some partial measures:
The real problem is stopping a web client from being used as a generic router.
The solution isn't in the Network layer (Layer 3) of the TCP/IP protocol, but higher up. So the fix is not, for example, IPsec or IPv6.
Using SSL (https) should help a lot and Dan predicts almost every website will be using SSL 10 years from now.
The real fix: examine public-to-private network connectivity.
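As an added illustration (not code from the talk or from Dan's Slirpie), here is a toy resolver wrapper showing two checks a web client could make so that the IP address behind a hostname cannot change under it: pin the first answer for the whole session, and refuse any answer that points a name at a non-public address. The hostname `attacker.example` and all addresses are constructed.

```python
import ipaddress

# Constructed DNS answers a short-TTL attacker zone might give for ONE name
# on successive lookups: first a public address, then a rebind.
REBIND_TO_INTRANET = ["1.2.3.4", "192.168.1.20"]   # public -> victim's intranet
REBIND_TO_OTHER_PUBLIC = ["1.2.3.4", "5.6.7.8"]    # public -> some other host


class PinningResolver:
    """Two client-side checks against DNS rebinding (added illustration):
    pin the first address a hostname resolves to for the session, and refuse
    answers that point a name at a non-public address (RFC 1918, loopback,
    link-local). Either way the page can never 'move' onto the intranet or
    onto another host while the client still treats it as the same origin."""

    def __init__(self, lookup):
        self._lookup = lookup   # injected; real code would ask the OS resolver
        self._pins = {}         # hostname -> first address seen this session

    def resolve(self, host):
        addr = ipaddress.ip_address(self._lookup(host))
        if not addr.is_global:
            raise PermissionError(f"{host} -> {addr}: non-public address refused")
        pinned = self._pins.setdefault(host, addr)
        if pinned != addr:
            raise PermissionError(f"{host} rebound {pinned} -> {addr}: keeping pin")
        return str(addr)


def replay_lookup(answers):
    """Fake resolver that hands out the constructed answers in order."""
    answers = iter(answers)
    return lambda host: next(answers)


def simulate(answers, host="attacker.example"):
    """Resolve the same name once per answer; return (accepted, refused)."""
    resolver = PinningResolver(replay_lookup(answers))
    accepted, refused = [], []
    for _ in range(len(answers)):
        try:
            accepted.append(resolver.resolve(host))
        except PermissionError as exc:
            refused.append(str(exc))
    return accepted, refused
```

Both checks only help if every component that opens sockets applies them, plugins included, which is why the talk puts the real fix above the network layer.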
Exploit with MS Internet Explorer Only
Dan briefly explained another attack using MSIE (the above only works with Firefox).
To take over and spoof a TCP/IP connection you need to know the next sequence number, otherwise the packet will be discarded.
An ActiveX control provides sequence numbers for packets and that can be sent to an external proxy.
The browser plugin can send a RST to the real server to halt the competing legitimate connection, then spoof the connection since it knows the next sequence number.
The external proxy can now send fake packets and spoof the original connection.
Scott Moulton of
This was a popular talk about disk drives (HDs) and solid state drives.
Richard Johnson, Microsoft Research, talked about the Phoenix Compiler Framework and its use in Data Flow Analysis for security tools.
Phoenix generates intermediate code, an Intermediate Representation (IR), for optimization, code coverage testing, and security analysis.
Multiple levels of IR, High-level (source-like) to Low-level (assembler-like).
Can retarget to different machine architectures.
Control flow graphs provide a visual representation of where code flows. Detects loops automatically (non-trivial).
For security, program analysis can be used: that is, model inference (data structures or program interaction) and vulnerability detection.
For static security analysis, use data flow analysis from outputs (instead of the more typical analysis from inputs).
More info: Phoenix SDK Software can be downloaded from
Good references for static analysis in general are
Dawson Engler (can download MIT classes), David Wagner, & Cousot.
Exposing Stormworm by
Brandon Enright, UCSD.
This presentation and data are at the bottom of his webpage.
Brandon specializes in large-scale network discovery and host tracking and contributes to Nmap software.
Stormworm is malware for use by mafia-style organized crime to make money (probably Russian).
Aka "Storm Worm" or "Storm."
Brandon calls it Storm as it's not really a worm.
Common estimates in the press are usually wrong.
Storm was first noticed January 2007 with spam about a storm in Europe.
Nearly unstoppable because it's distributed (no centralized C&C like earlier botnets).
Storm doesn't connect with a server, but a proxy (another zombie) that talks to a distributed server.
Usually used for:
Multiple attack vectors, such as PDF with embedded images.
Storm malware originally was MS Windows kernel drivers, with several generations of improvements.
Now a user-land program with more flexibility (no root kit needed).
Framework
Storm uses Overnet, a Distributed Hash Table (DHT) network protocol. It uses an OID (128 bits) to identify a node. The DHT computes the distance between two nodes by XORing their hashes. This quickly finds nearby peers. Then it does the same with adjacent peers. This finds a nearby copy of desired content.
Network is very dynamic with peers coming and going and changing OIDs all the time.
Peers must periodically search for themselves to find nearby peers.
This protocol can also be used to easily crawl the entire Storm network.
Can model the Storm network as a directed graph (digraph), even though Storm is a peer-to-peer hash network. The digraph is modeled on discovery rounds.
Message overhead is from connect, search, and publicize.
"Connect" includes advertising itself and receiving a peer list, "search" is finding nearby content, and "publicize" is advertising content (latter isn't really needed).
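An added example (not Brandon's code or Stormdrain) of the XOR-distance lookup described above: a constructed 32-peer network where each peer knows a few peers per distance bucket, and an iterative lookup that asks the nearest known peers for their nearest peers until nothing closer turns up. Peer IDs and the content hash are constructed from labels.

```python
import hashlib

def make_oid(label: str) -> int:
    """Constructed deterministic 128-bit OID from a label (real peers pick random ones)."""
    return int.from_bytes(hashlib.sha256(label.encode()).digest()[:16], "big")

def xor_distance(a: int, b: int) -> int:
    """Overnet/Kademlia metric: XOR the two IDs and compare the result as an integer."""
    return a ^ b

def closest(target: int, candidates, k: int):
    """The k candidate IDs nearest to target under the XOR metric."""
    return sorted(candidates, key=lambda oid: xor_distance(oid, target))[:k]

class ToyOvernet:
    """Constructed network. Each peer keeps up to k peers per distance bucket
    (bucket i holds peers whose XOR distance has its top bit at position i)
    and answers a search with the k peers it knows nearest the searched ID."""

    def __init__(self, oids, k=3):
        self.k, self.tables = k, {}
        for me in oids:
            buckets = {}
            for other in oids:
                if other != me:
                    i = xor_distance(me, other).bit_length() - 1
                    if len(buckets.setdefault(i, [])) < k:
                        buckets[i].append(other)
            self.tables[me] = {o for b in buckets.values() for o in b}

    def search(self, peer: int, target: int):
        return closest(target, self.tables[peer], self.k)

def iterative_lookup(net, start_peers, target):
    """Ask the nearest known, not-yet-asked peers for their nearest peers,
    round after round, until no closer peer turns up. Returns (oid, rounds)."""
    known, asked, rounds = set(start_peers), set(), 0
    while True:
        batch = [p for p in closest(target, known, net.k) if p not in asked]
        if not batch:
            return closest(target, known, 1)[0], rounds
        rounds += 1
        for p in batch:
            asked.add(p)
            known.update(net.search(p, target))

# Constructed network of 32 peers; the crawler starts knowing only three of them.
PEERS = [make_oid(f"peer-{n}") for n in range(32)]
NET = ToyOvernet(PEERS)
CONTENT = make_oid("content:example")     # constructed content hash to look up

def demo():
    """True if the lookup converges on the globally nearest peer, plus rounds used."""
    found, rounds = iterative_lookup(NET, PEERS[:3], CONTENT)
    return found == closest(CONTENT, PEERS, 1)[0], rounds
```

The same "ask each peer for its neighbours" loop, run against every peer rather than one target, is what makes the network crawlable.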
Stormdrain
Brandon built a crawler in Perl, Stormdrain, which needs only a small subset of Storm functionality.
Discussed Stormdrain optimizations, such as not using Java (wastes memory), handling dead host connections, etc.
Stormdrain uses a state machine (live, active, dead, removed, unknown) to figure out the network, which is very large. Active means node sent data to Stormdrain.
Showed graphs of nodes over time. Microsoft made a noticeable dent in Storm with its periodic update to MRT (Malicious Software Removal Tool)—the Storm (Nuwar) release.
Brandon estimates 15 million machines have been infected at some point (many are detected and removed, never become active, or held at bay with a firewall).
The number of nodes has declined recently.
Encryption is easy to figure out (done by another researcher): 40-bit key, and large parts of the plaintext are known (such as node ID and IP address).
Other researchers are analyzing in other ways, such as "Follow the money"—see who's buying and selling the stock that's being advertised.
Brandon is just doing a technical analysis.
BitBlender provides a privacy layer for BitTorrent, a peer to peer network
which provides large file downloads, such as iso images
(both legal and not legal).
BitBlender was written by
and Damon McCoy,
PhD candidates at University of Colorado at Boulder,
Computer and Communications Security Center.
A more-complete presentation is at Bit Blender.
Protects against MPAA and RIAA evidence gathering
(they are often confused about who to go after
and they often go after the BitTorrent exit node, not the entry node,
which requests the file.)
Hotspot Analysis by Richard Rushing,
analyses what services and sites are used at hotspots,
and password strength.
Stats: 1618 total clients
Live Memory Forensics by datagram.
Live forensics is examining a memory image, as opposed to "dead forensics," which looks at a HD image.
Live forensics can be done in software or hardware.
Live forensics gets missing information not available from just "dead forensics," but supplements, not replaces, "dead forensics."
As with dead forensics, live forensics analysis is done off-line.
Additional information gained by live forensics includes:
kernel/modules, running processes, net connections, user logins,
memory-mapped filesystems, and shell history.
First thing to do is take a memory snapshot image, then
analyze offline (can also dump HD image, "dead forensics",
which takes longer and can be also done if needed).
By Sam Bowne, Community College of San Francisco (CCSF).
Michael Lynn presented a Cisco vulnerability at Black Hat 2005, but lost his job and was sued. This got Sam interested in teaching a class on hacking.
has everything online there.
Class based on Hands-on Ethical Hacking and Network Defense textbook.
Projects in the book are dull, but provided cover to offer the class (CNIT 123).
Hands-on labs with man-in-the-middle attack, ARP poisoning, practice attack/defense. Useful even for professional netadmins.
The lab network is isolated, with an upstream connection throttled to 128Kb (it can be isolated totally, but that's such a drag to use).
Criminals don't take classes, but good guys need to know and it needs to be in the open.
Half of students are working professionals.
Colleges still scared-to-death of this.
The course has basic network and security prereqs; no programming or exploit creation knowledge is required. The course uses existing tools, like "script kiddies" do. Each project shows the vulnerability, the attack, and the defense.
Sam will be teaching a more-advanced class next semester.
Taught a summer class to a roomful of instructors after being invited by another college (but the host college refused to put "hacking tools" in labs).
Most encoders place the key in a stub as plaintext, or don't even use a key.
This makes it easier for security scanning software to view the payload in real time.
The problem is how to relay the key without it being discovered in real time.
The solution proposed here is
"Contextual keying"—generates a key from context information.
For proof of concept, Metasploit's Shikata Ga Nai was extended to optionally use contextual keying. Encoding is a simple XOR with the key. This is easily defeated later (even the key can be discovered later), but the goal is only to defeat decoding in real time—to provide a hurdle, not a total preventive.
By Brenda Larcom, Intel Corp. (day job),
founding member of
Trike Development Team.
The intent is to model security-intended behavior and problems with respect to privilege.
The model chains attacks with multiple vulnerabilities (links).
Each attack link requires some privileges (on left), then provides some privileges (on right)—a "requires/provides" relationship.
E.g. write to file —> view with PuTTY 0.53 —> execute arbitrary code.
Hooking up multiple attacks links (like this) into a chain can be automated.
Privileges come from a limited number of places and have to be derived from somewhere. These are the places you look.
Gather list of all components, with requires/provides relationships.
Also have a limited number of users with elevated privileges.
No code yet, but creating relationships has already been used to find design flaws.
Automatic generation of requires/provides relationships would be nice.
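An added example (not Trike code; Brenda said there is no code yet) of the chaining the talk says can be automated: attack links in requires/provides form are forward-chained from a starting privilege to a goal, and removing one link shows whether a mitigation breaks the chain. The PuTTY 0.53 link is the talk's own example; the other links and privilege names are constructed around it.

```python
# Constructed attack links in Trike's requires/provides form: each link needs
# the privileges on the left and, if it succeeds, grants the ones on the right.
# The PuTTY 0.53 link is the talk's example; the others are made up around it.
LINKS = [
    ("upload a file to the share", {"network access to host"}, {"write to file"}),
    ("victim views file with PuTTY 0.53", {"write to file"}, {"execute arbitrary code"}),
    ("read stored credentials", {"execute arbitrary code"}, {"stored credentials"}),
    ("log in with stored credentials", {"stored credentials", "network access to host"},
     {"admin on host"}),
]


def chain_attacks(links, start, goal):
    """Forward-chain every link whose requirements are already held; return the
    ordered list of link names leading from `start` to `goal`, or None."""
    have, fired, granted_by = set(start), [], {}
    progressed = True
    while progressed and goal not in have:
        progressed = False
        for name, requires, provides in links:
            gained = provides - have
            if gained and requires <= have:
                have |= gained
                fired.append(name)
                for priv in gained:
                    granted_by[priv] = (name, requires)   # remember who granted it
                progressed = True
    if goal not in have:
        return None
    # Walk back from the goal so only links the goal actually depends on remain.
    needed, todo = set(), [goal]
    while todo:
        priv = todo.pop()
        if priv in granted_by:
            name, requires = granted_by[priv]
            if name not in needed:
                needed.add(name)
                todo.extend(requires)
    return [name for name in fired if name in needed]


def without(links, link_name):
    """The same model with one link removed, i.e. after mitigating that link."""
    return [link for link in links if link[0] != link_name]
```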
Generic URIs include http://, ftp://, telnet://, etc.
However, there's new app-specific uris such as aim://, firefoxurl://, picasa://, etc, that are registered with MS Windows.
This new class of URI attacks is caused by access to application functionality from the web browser.
Cross-site scripting (XSS) can be used to perform the attack.
Attacks include stack overflows, command injection, automated file transfer, etc.
Nathan wrote a tool called "DUH" that looks for Microsoft Registry keys that map a URI to a program, to find what program it's tied to.
Trillian, a chat client, uses aim://
Data is input directly in the aim:// URI
A long string of anything will cause an overflow, and you can get a shell.
Cross Browser Scripting—IE pwn Firefox
Firefox has firefoxurl:// and navigatorurl:// registered—this was required to be MS Vista compliant, but these also make Firefox vulnerable to command injection when invoked from MS IE. So MS Vista compliance comes at the cost of making Firefox vulnerable!
Can pass Firefox command line arguments, such as -chrome
Another URI can execute an arbitrary MS Windows program
mailto:(some stuff)../../../../../../windows/system32/cmd".exe (anything).exe
Fix attempts: Firefox 220.127.116.11 (partial), 18.104.22.168 (still partial), 22.214.171.124 (fixed, sort of). MS updated ShellExecute. However, other instances, such as the stack overflow, are still not fixed.
The root cause of the problem is application developers are creating lots of 3rd-party URIs, all of which are attack vectors.
These apps can be invoked directly through the browser!
Proof of Concept Application:
Trust-based Applet Attack against Google's Picasa (affectionately known as "T-bAG")
This is a one-button click exploit (no patent).
(downloads a button, with malware payload that uploads all your image files to a remote directory)
Uses DNS rebind (explained above with Slirpie) and Flash.
Google's Picasa opens up its own instance of MSIE.
Picasa starts its own webserver on the client.
The Picasa webserver is only localhost accessible, but it can be circumvented with Flash (with DNS rebinding and ActionScript).
Firefox emulates the MS registry on *nix (Linux, Solaris, Mac OS X, UNIX), so *nix is not immune.
(Personally, I think it's a problem with *nix, but to a lesser degree—*nix doesn't have as many URIs registered, as Firefox is not the OS and it's not as mandatory as with MS Windows—DEA).
The earliest WEP attacks were in 2001. In 2004 they were made simpler (500,000 packets needed to analyze and automatically crack the key), and in 2005 simpler still. By 2007 only 60-90K packets are needed to break WEP.
These WEP attacks require being in RF range of the WEP network (i.e., they must be localized).
Remote WEP attacks:
attacks may be made away from the WEP network—you just need an isolated client that used to be in range of the WEP network.
MS Windows caches WEP key in its PNL (to save retyping).
A honey pot can be built without knowledge of the key.
Honey pot can answer probe requests, even though it
can't read received packets (until the key is known), but it can send and reply to packets.
The client might send a DHCP request, and the honey pot can connect, capture packets, disconnect and retry (to get more encrypted data packets).
Eventually, enough packets are gathered to crack the key.
However, this takes a long time (days).
A honeypot can spoof a WEP connection (even though the honeypot can't decrypt packets it receives), but DHCP from the client will repeat requests until it times out.
Next, the client sends Gratuitous ARP packets.
The honeypot can assume the IP address is in the range 169.254.0.0 - 169.254.255.255 (only ~65K numbers—a standard IP private address range). This small set of numbers can be brute forced.
Honeypot can send ARP requests for all 65K addresses.
Once we have about 80K ARP packets, we can crack the key.
We know large parts of the ARP request packet.
Because of WEP weaknesses, we can replay received ARP packets with flipped bits to find the WEP key.
Cracking the WEP key takes about 60K packets—takes only minutes.
"The Talk Talk" covers giving presentations, by Strom Carlson.
Strom is known for messing with a printing/shipping company smart cards that rhymes with Kedex/Finkos.
Strom will cover: planning, preparing, giving talks, and after-talk.
Must know the audience (three types: someone interested who doesn't understand, a geek who eats technical details, or a business person who only cares about the end result).
Will usually get a blend of these three.
Don't be afraid to start over if proposed topic doesn't work.
Narrow topic down.
Research (know topic thoroughly, take lots of notes, and document)
Select a "Thesis Statement" (a single specific claim to argue, that is narrowed and focused, and is not the topic).
Current practice is performing a "pen test" on a corporate network—that is, trying to penetrate an internal network from the outside.
Once inside "internal" Intranet, it's really all "cake."
The internal network is wide open, and most internal apps have never been audited and provide such things as file shares and credentials.
Now getting to the internal network is easier with client-side attacks on browsers, email clients, Acrobat, and MS Office.
Client-side attacks are made easier now with
Core IMPACT, Metasploit, or hostile attacker toolkits.
Compromising clients is so easy that attackers need botnets to organize the overwhelming number of compromised clients.
Even the largest organizations have no filters against botnets.
Social engineering is not the problem. Some exploits don't even require a click. Non-technical people shouldn't have to understand a vuln to read email. IT must train users, but also protect them from attack.
Over-focus on firewalls and servers.
Easy to attack clients, as there are so many and you only need to pwn one.
Patch management tools are not the solution—they don't cover all products, aren't always accurate, and not everyone has one.
Usually only MS software is patched by organizations.
Browser plugins added by users.
Acrobat, Flash have many vulnerabilities.
A Proposed Client-Based Solution
Non-network software clients have a lot of metadata (author, app version, OS, etc).
MS software has lots of metadata.
This can be used to our advantage.
Build a database of client software and versions with this metadata.
Open Source Vulnerability Database
A tool using this database, ClientVA (website www.clientva.org appears dead) shows vulnerable plugins for your client using this vuln db.
Building on this,
a simple client-side Intrusion Protection System (IPS)
should be possible on a web proxy (e.g., Squid).
Thin clients on corporate networks should help avoid the problem of many different configurations and outdated software.
Jay likes it, but IT doesn't usually go there—perhaps it's the complexity, the network load, or an unfamiliar concept.