
Sensepost released their JSP/PHP/ASP pivot/covert channel named reDuh:

Basic concept:
  • Glenn has the ability to upload / create a JSP page on the remote server
  • Glenn wishes to make an RDP connection to the server term-serv.victim.com (visible to the web server behind the firewall)
  • The firewall permits HTTP traffic to the web server but denies everything else
http://www.sensepost.com/research/reDuh/


Skape released WehnTrust as open source:
http://www.codeplex.com/wehntrust

Thanks skape and good luck at MS

PS. Don't underestimate WehnTrust: even with Windows 2003 and hardware NX it still increases protection (NX pages).


There are quite a few SQL injection tools around; Pangolin is one of the most sophisticated blind SQL injection tools I have come across. You can find it here: Pangolin. Enjoy.


For those into RCE, you surely came across Themida and know it can be a bitch.
Here is the PEB hooking loader from ARTeam:

  1. You will need to build the fake_kernel32.dll and fake_advapi32.dll solutions; the two DLLs will be created in the ..\..\fake\ folder.
  2. In the ..\..\fake\ folder you have adjust_fake.exe, which you MUST run on the newly created DLLs to get a valid import table for kernel32.dll/advapi32.dll.
  3. Rebuild the Themida loader project, as fake_kernel32.dll and fake_advapi32.dll are stored in the resources of themidaloader.exe.
Another nice ARTeam release: http://arteam.accessroot.com/releases.html

Addendum: in other news, ARTeam is hooking services.exe to hide SoftICE.



Here is an old but still relevant and nice description from scusi on how to analyse a session ID (cookie, session value); it includes all the required code.



@scusi


http://www.nullcode.com.ar/ncs/crash/nsloo.htm


What was theoretically feasible has been practically tested: "BIND used a fully randomized source port range, i.e. around 64000 ports. Two attacking servers, connected to the attacked one via a GigE link, were used; each one attacked 1-2 ports with the full ID range. Usually the attacking server is able to send about 40-50 thousand fake replies before the remote server returns the correct one, so if the port was matched the probability of successful poisoning is more than 60%. The attack took about half a day, i.e. a bit less than 10 hours."

More info:
http://tservice.net.ru/~s0mbre/blog/devel/networking/dns/2008_08_08.html


Here is an interesting flaw called "Surfjacking".

Pre-requisites:

  • Take a MitM situation
  • Take a site that uses cookies for session handling
  • Take a site that does not set the "secure" cookie flag
Result:
  • Victim logs into https://www.somebank.com/
  • Session cookie is generated and set on the client
  • Victim visits another website (http://www.example.com)
  • The MitM attacker sees clear text traffic to www.example.com
  • Attacker answers with a 302, or "301 Moved Permanently", to "Location: http://www.somebank.com/". Note the HTTP (not HTTPS).
  • Victim's browser follows the redirect and sends the session cookie to http://www.somebank.com in clear text.

Recommendation:
Set-Cookie: NAME=VALUE; expires=DATE; path=PATH; domain=DOMAIN_NAME; secure
With the "secure" flag the cookie will not be sent to the HTTP site. Simple fix; pay attention to this during your next pentest.
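To make the recommendation concrete, here is an added example (not code from the original post or from the whitepaper) that replays the surf-jacking sequence in a minimal cookie jar: the session cookie is set during the HTTPS login, the browser follows a redirect to the HTTP URL of the same host, and we check whether the cookie goes out in clear text. The Set-Cookie headers, the host name www.somebank.com and the cookie name SESSIONID are constructed sample values; the cookie matching rules are a simplified version of the usual browser behaviour. The last function is the check a pentester would run over a site's Set-Cookie headers.

```python
from urllib.parse import urlsplit

# Constructed sample headers (not from the original post): the same session
# cookie once without and once with the "secure" attribute recommended above.
VULNERABLE_HEADER = ("SESSIONID=a1b2c3; expires=Fri, 01 Jan 2010 00:00:00 GMT; "
                     "path=/; domain=www.somebank.com")
FIXED_HEADER = VULNERABLE_HEADER + "; secure"


def parse_set_cookie(header):
    """Split a Set-Cookie header value into (name, value, {attribute: value}).

    Flag attributes such as "secure" carry no value and are stored as True;
    attribute names are lower-cased because they are case-insensitive.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def _domain_matches(host, cookie_domain):
    """Domain matching: exact host or a sub-domain of the cookie domain."""
    cookie_domain = cookie_domain.lstrip(".").lower()
    host = host.lower()
    return host == cookie_domain or host.endswith("." + cookie_domain)


def cookies_for_request(jar, url):
    """Names of the cookies a browser would attach to a request for url.

    jar holds (origin_host, name, value, attrs) tuples. Domain and path
    matching are simplified; the rule that matters here is that a cookie
    marked "secure" is only ever sent over https.
    """
    u = urlsplit(url)
    host, path = u.hostname or "", u.path or "/"
    sent = []
    for origin_host, name, _value, attrs in jar:
        if attrs.get("secure") is True and u.scheme != "https":
            continue  # the fix from the post: never leaves the browser in clear text
        domain = attrs.get("domain")
        if not isinstance(domain, str):
            domain = origin_host  # host-only cookie
        if not _domain_matches(host, domain):
            continue
        cookie_path = attrs.get("path")
        if not isinstance(cookie_path, str):
            cookie_path = "/"
        if not path.startswith(cookie_path):
            continue
        sent.append(name)
    return sent


def session_cookie_leaks(set_cookie_header,
                         login_url="https://www.somebank.com/",
                         redirect_target="http://www.somebank.com/"):
    """Replay the surf-jacking sequence for one Set-Cookie header.

    The cookie is set by the HTTPS login page, then the browser follows an
    injected redirect to the plain-HTTP URL of the same host. Returns True
    when the session cookie would be sent in clear text.
    """
    origin_host = urlsplit(login_url).hostname
    name, value, attrs = parse_set_cookie(set_cookie_header)
    jar = [(origin_host, name, value, attrs)]
    return name in cookies_for_request(jar, redirect_target)


def cookies_missing_secure(headers):
    """Pentest check: names of cookies set without the "secure" attribute."""
    missing = []
    for header in headers:
        name, _value, attrs = parse_set_cookie(header)
        if attrs.get("secure") is not True:
            missing.append(name)
    return missing


if __name__ == "__main__":
    print("vulnerable header leaks:", session_cookie_leaks(VULNERABLE_HEADER))
    print("fixed header leaks:", session_cookie_leaks(FIXED_HEADER))
    print("cookies without secure:", cookies_missing_secure([VULNERABLE_HEADER, FIXED_HEADER]))
```

Running it reports that the vulnerable header leaks the cookie and the fixed one does not; cookies_missing_secure is the part worth dropping into a response-header check during an assessment.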

Whitepaper:
Surf Jacking.pdf

Video:

Sandro Gauci


Here are the white paper and the slides for Mark Dowd & Alexander Sotirov's talk "How to Impress Girls with Browser Memory Protection Bypasses", a must read:

The whitepaper in particular has some interesting details.

Whitepaper:
http://taossa.com/archive/bh08sotirovdowd.pdf

Slides:
http://taossa.com/archive/bh08sotirovdowdslides.pdf




Who am I to disagree: I think the lack of quality can only partially be attributed to the prices being paid for 0day; 0days in terms of bugs are rarely presented at conferences. I think the security market has become crowded and noisy; the press has been jumping more and more on IT security over the last 5 years and has not been helping to increase quality, only sensationalism. See the DNS bug vs. the SNMPv3 bug. I also think that time to prepare for such conferences (which implies research) is increasingly scarce: for every researcher there are 5+n consultants. Anyways, that's the reason I have not been at BH or Defcon this year; last year really sucked.

PS. The 100k price tag for an SSH 0day is too low, by the way.



After the DNS + evilgrade fiasco I hope that insecure auto-update functions are taken as seriously as they should always have been. Back in 2006 I warned about it when reporting that Zango Adware was downloading and executing updates without checking their authenticity. Zango fixed it eventually; the scenario I illustrated back then, however, was seen as an unlikely event. Fast forward 2 years: oops.

What is of more concern is that the adware's update process seems to have been more "secure" in 2006 than Adobe Acrobat's is in 2008. Ouch.


Here are the slides and the code from the Black Hat USRP talk:
http://ossmann.com/bh-usa-08/