Sensepost released their JSP/PHP/ASP pivot/covert channel named reDuh :










Basic concept :
  • Glenn has the ability to upload / create a JSP page on the remote server
  • Glenn wishes to make an RDP connection to the server term-serv.victim.com (visible to the web-server behind the firewall)
  • The firewall permits HTTP traffic to the webserver but denies everything else
http://www.sensepost.com/research/reDuh/

Skape released whentrust as opensource :
http://www.codeplex.com/wehntrust

Thanks skape and good luck at MS

PS. Don't underestimate Whentrust, even with Windows2003 and Hardware NX it still increases protection (nx pages)

There are quite a few sql injection tools around, Pangolin is one of the most sophisticated blind SQL injetion tool I have come across, you can find it here :Pangolin Enjoy

For those into RCE, you surely came across Themida and know it can be a bitch.
Here is the PEB hooking loader from ARteam :

  1. you will need to build fake_kernel32.dll and fake_advapi32.dllsolutions, and 2 dlls will be created in ..\..\fake\ folder.
  2. in ..\..\fake\ folder you have adjust_fake.exe which you MUST use onnewly created dlls to get valid import table for kernel32/advapid32.dll
  3. rebuild themida loader project, as fake_kernel32.dll and fake_advapi32.dllare stored in resources of themidaloader.exe
Another nice ARTeam release : http://arteam.accessroot.com/releases.html

Addendum :in other news ARTeam is hooking Services .exe To Hide Softice


Here is an old but still relevant and nice description on how to analyse a session ID (cookie, session value) from scusi , includes all required code.



@scusi

http://www.nullcode.com.ar/ncs/crash/nsloo.htm

What was theoretically feasible has been practically tested : "BIND used fully randomized source port range, i.e. around 64000 ports. Two attacking servers, connected to the attacked one via GigE link, were used, each one attacked 1-2 ports with full ID range. Usually attacking server is able to send about 40-50 thousands fake replies before remote server returns the correct one, so if port was matched probability of the successful poisoning is more than 60%. Attack took about half of the day, i.e. a bit less than 10 hours."

More Info :
http://tservice.net.ru/~s0mbre/blog/devel/networking/dns/2008_08_08.html

Here is an interesting flaw called "Surfjacking"

Pre-requisites :

  • Take a MitM situation
  • Take a site that uses Cookies for Session handling
  • Take a site that does not set the "secure" cookie flag.
Result :
  • Victim logs into https://www.somebank.com/
  • Session cookie is generated and set on the client
  • Victim visits another website (http://www.example.com)
  • The MitM attacker sees clea text traffic to www.example.org
  • Attacker sends a 302, or "301 Moved Permanently" to “Location: http://www.somesecurebank.com/”, . Note the HTTP (not HTTPS).
  • Victim browser follows the redirect and sends session cookie to http://www.somesecurebank.com in clear text.

Recommendation:
Set-Cookie: NAME=VALUE; expires=DATE; path=PATH;
domain=DOMAIN_NAME; secure
as such the cookie will not be sent to the HTTP site - simple fix, pay attention to this during your next pentest.

Whitepaper :
Surf Jacking.pdf

Video :

Sandro Gauci

Here is the white paper and the slides to Mark Dowd & Alexander Sotirov Talk "How to Impress Girls with Browser Memory Protection Bypasses" - a must read :

Especially the whitepaper has some interesting details.

Whitepaper :
http://taossa.com/archive/bh08sotirovdowd.pdf

Slides :
http://taossa.com/archive/bh08sotirovdowdslides.pdf



Who am I to disagree : I think the lack of quality only partially has to be accounted to the prices being paid for 0day, 0day in terms of bugs are rarely being presented at conferences. I think the security market has become crowded and noisy, press is jumping more and more on it security over the last 5 years and have not been helping to increase quality but sensationalism. See DNS bug vs. SNMPv3 bug. I also think that time is increasingly getting spare to prepare for such conferences (this implies research) for every researcher there are 5+n consultants. Anyways that's the reason I have not been at BH or Defcon this year - last year really sucked.

PS. The 100k price tag for an SSH 0day is too low by the way.


After the dns + evilgrade fiasco I hope that insecure auto update functions are taken as serious as they should always have been Back in 2006 I warned about it when reporting that Zango Adware was downloading and executing udaptes without checking for authenticity. Zango fixed it eventually, my scenario I illustrated back then however was seen as unlikely event. Fast Forward 2 years - oops.

What is of more concern is that adware update process seems to be more "secure" in 2006 than adobe acrobat is in 2008. ouch.

Here are the slides and the code from the Blackhat USRP talk :
http://ossmann.com/bh-usa-08/