Cupfighter.net

The Key to My Mind (11/12) a CC image from Tony the Misfit's Flickr stream

The private key is supposed to be private. It is what proves that the services and the certificate belong to each other. As an attacker you want to obtain this key in order to spoof the identity of the service.

When you import a certificate with private key or generate a private key via the Microsoft Crypto API (CAPI) you can mark it as non-exportable. But are these keys really non-exportable or is this just a GUI option to give administrators a false sense of security?

In order to find out how an attacker can export a non-exportable key RSA key, we need to dive into the CAPI calls.

Disassembling the CAPI functions shows that there are flags in memory that specify that the key is not exportable. It appears that these flags are stored on the same memory location and user the same function. And you can actually temper with this information and set these flags back to being exportable.

The situation is a bit different in the CAPI: Next generation (CNG). Again a disassembly of these functions shows that the CliCryptExportKey() via the c_SrvRpcCryptExportKey function get the private key from the KeyISO or KeyIsolation RPC service that is meant to isolate the RSA keys from the client memory.

Read more…

Wrong Way ... Way Wrong a CC NC SA image from Bob.Fornal's Flickr stream

Virtualization aims to save money, make things simple and quick to deploy. Saving money and quick deployment are arch enemies of security

Virtualization products require security on the hypervisor level. Being able to hop from one virtual machine to another is not acceptable. Also there are a lot of products that focus on the security in the virtual machines, but virtualized infrastructure are complex by nature.

Relative lame bugs like XSS can be a big deal in virtualization infrastructures

Claudio demonstrates that live on stage, by exploiting a XSS bug in VMWare vCenter which took 1.5 years to patch.

Claudio showed us how an unprivileged user on the vCenter machine able to read a logfile contain the administrator SOAP session ID. Using this ID and Vasto administrator privileges where obtained. Until the last patch read-only access to vCenter meant that the user could take over the virtual infrastructure using standard tools.

Next attack demonstrated is against an Oracle virtual machine. Using standard “lame” exploits Claudio was able to hope from the application level administrator to the system root account.

So there are still some very simple vulnerabilities in this software.

Virtualization software is broken today, and we have to treat it accordingly. We have to make people aware that it is broken.

Virtualization infrastructures should be setup in such a way that a XSS in the management layer cannot lead to a disaster.

Read more…

Ghosts of Lake Sutherland a CC NC SA image from Wyrmworld's Flickr stream

DoS, making resources unavailable to others. Common motives are hacktivism, extortion and rivalry. Most big attacks are successful.

So what are the risks of being under DoS attack? Downtime, lost revenue, large bills from the cloud service providers.

What kinds of DoS attacks are there?

• Layer 3 – Muscle-based attacks, generating too much packets for the equipment or saturating the pipe.
• Layer 4 – Consumes more resources on the device., e.g. SYN flood, connection flood, concurrent connection exhaustion, garbage data.
• Layer 7 – Attacking the application. Trying to consume as much resources as possible. E.g. HTTP page flood, HTTP bandwidth consumption, DNS query flood, SIP INVITE flood. There attacks are low rate, high impact

So how do you mitigate DoS attacks?

Static thresholds work and put the operation team in control, however they require constant tuning and restrict the detection phase to a single-dimension (rate only).

Adaptive threshold, attempting the learn real traffic characteristics, which improves accuracy, however, natural traffic peaks like e.g. a Christmas peak may be blocked too.

Read more…

Wim Remes starts of his tool as giving us an overview of the lack of visualizati

Miniature Dotted Hot Pink Cake a CC NC ND image from - Stephanie Kilgast's Flicker account

on in security tools. There are some tools that have some visualization, but it is limited and lacks features.

He then takes us through the hall of fail of visualizations and gives us some tips on visualization.

Thinks as a designer, be aware of who you are visualizing for. Each group has different demands for visualization and want to take different things out of it.

He then proceeds to give us some tips and tricks. He recommends to follow the work of Edward Tufte and Stephen Few who have both done excellent work on data visualization.

If you do data visualization you may want to get data from external reports like osvdb.org datalossdb.org and other industry vendors.

Common problems of data visualization are redundant elements like 3D and color. This is expressed in the ink-to-info ratio. You may want to reduce the bell and whistles you use.

Dashboards are often messy, they should really be aware of their screen real estate. Most important places on the screen are top left and the center of the screen. In order to squeze as much info as possible into a dashboard dashboard often get messy.

Read more…

Cycle Garage a CC NC ND image from Ezu's Flickr stream

This talk focuses on ABAP, Advance Business Application Programming language from SAP.

ABAP:

• A proprietary language of which the exact specification is not freely available.
• It has platform independent code
• It has client separation built-in
• It has integrated auditing capabilities
• System-to-system calls via SAP RFC standard
• Built-in transportation system and version control
• Integrated platform-independent SQL Standard: Open SQL
• Built-in authentication, roles and (explicit) authorization model
• Thousands of well-known standard programs and database tables
• 150+ Million Line of Code in an ECC6.0 System

So what are the ABAP security risks?

• Back doors can be introduced, e.g. by a malicious developer.
• The program can have undesired side effect (e.g. SQL injection)
• Sub standard authentication used

Read more…

gluey harmony a CC NC ND image from giveawayboy's Flickr stream

SAP: Session (Fixation) Attacks and Protections (in Web Applications)

Raul Siles is @taddong on Twitter

Why do we need session management in Web Applications. HTTP is a stateless protocol so the application need to handle ourselves.

Sesion Fixations if different then session hijacking. In hijacking you will use somebody else’s session ID to become them. In session fixation the attacker fixes the session ID before he logins into the target application.

So what is the state of the art of session fixation 9 years after its discovery in 2002?

Like HTTP parameter pollution session IDs can also be accepted from multiple sources, even tough the application only uses a single method. E.g. the application may user GET parameters, but still accept session ID cookies.

So how does session fixation work? An attacker sets up a session with a website, but does not log on. He then tricks a user into log in using the same session ID. As the session gets elevated, both the attacker and victim get the authenticated state.

Session fixation does not require solcial engineering, but can also be obtained by e.g. Cross Site Scripting (XSS) or SQL injection.

In order to demonstrate the problem Raul shows the vulnerability as it existed in Joomla 1.5.x-1.5.15

HTTPS does not protect against session fixation vulnerabilities, neither does using MD5 values for the cookie ID or values.

Read more…

This

photo Eurofighter Typhoon Payload - A CC NC ND image from Stuart R Brown's Flickr stream

talk focuses on the w3af project, which has been Andres project for a long time, but is an open source project. It can be found at http://w3af.sourceforge.net/

Andres starts by giving an overview of w3af.

He then goes into a scenario which is common for a pentest. It starts with a pentester discovering a arbitrary file read vulnerability in a PHP application, but how to proceed to getting root? There appears to a shocking lack of post exploitation tools that can be applied to web application vulnerabilities.

Why is there such a lack of post exploitation tools for web applications?

• Buffer overflows used to be more common then web application flaws
• Web applications only allow you to interact with the system in a specific (restircted) manner

Post exploitation of web applications requires a new mindset, because you are often restricted to one or a few functions, e.g. read files with restricted privileges or write files to specific areas.

Read more…

Fog | Power Plant - A CC NC SA image from fxp's Flickr stream

Marco’s (embyte@iseclab.org) research focuses on the first automated approach to detect PHP parameter pollution.

(Slide deck)

What is parameter pollution?

In http it is allow to provide a parameter via GET and via POST. You can also provide a parameter twice. Some application do not handle this very well and interpret both, the first or the second.

E.g. will the url http://somesite.com/vote.jpt?pool_id=4568&candidate=green&candidate=white vote for Mr. Green or Mr. White? Since PHP always opts for the first parameter the vote will go to Mr. Green.

Since parameters in a get request overwrite the parameters in the post request, An attacker can pollute http parameters without manipulating the page itself.

Marco has built a system that can automatically test HTTP parameter pollution for both problems:

P-Scan scans for Parameter precedence.

It performs three tests:

• Error Test – Test if the application crashes if a parameter is repeated twice
• Identity test – Is a second parameter considered by the application
• Base test – Assume that pre-filtering works

V-Scan tests for actual http parameter pollution vulnerabilities. When it is determined that pages reactive differently when parameter pollution is applied. V-Scan eliminates those cases where these differences are not a vulnerability.

These tests are implemented in a tool called PAPAS.

Marco proceeds to present the results of deploying PAPAS against about 5,000 popular websites. The sites that appeared to vulnerable in more vulnerable where inspected in more detail.

Read more…

WhiteRabbits - A CC NC SA Image from Halans Photo Stream

Subtitle: Theory, Design and Implementation of Complex Systems for Testing Application Logic

Rafal works at HP (blog).

The talk is step up as a three act play.

Act 1 – Definition

What is “application logic”?. Rafal is trying to discover the definition to “application logic”, via and interactive process with the audience.

He starts of by showing a business flow for ordering items online as well as adding loyalty points. If the business flow is not implemented correctly, loyalty points get added without the transaction being completed. This means you can get hacked without your infrastructure being compromised.

The difference between flaw in the business logic instead of a flaw in the application logic, is that the latter can be patched, while the first requires a redesign of the program.

How is this different then e.g. the OWASP top 10? The closest match we have is the MITRE CWE Top 25.

Act 2 – Types of defects

There are basically two types of these attacks:

• Privilege manipulation
• Transaction control manipulation

Read more…