25th Chaos Communication Congress
Nothing to hide

Ben Kurtz
Day: Day 2 (2008-12-28)
Room: Saal 1
Start time: 18:30
Duration: 01:00
ID: 2734
Event type: lecture
Track: Hacking
Language used for presentation: en

Short Attention Span Security

A little of everything

Working as a security consultant means that you get to see everyone's dirty laundry. However, it also means a hectic schedule and restrictive confidentiality agreements. Without violating my NDA, here's a set of turbo-talks looking at some new tricks for some new technologies and a look at some lucrative new attack surfaces that will become much more prevalent in the coming year. Topics will include: Script Injection in Flex, EFI Rootkits, static analysis with Dehydra, and pattern-matching hex editors.

Things I want to talk about (details below):

  • EFI Rootkits
  • Bypassing MS anti-XSS libraries
  • Script injection in Flex
  • Pattern-matching hex editors
  • Static analysis with Dehydra
  • Auto-WEP key cracking with ITX
  • Porting Network Security Tools to the iPhone

Along with this, I can make some code available for the hex editor, a bunch of iPhone security apps as an Installer repository, some Dehydra stuff and the source for my little WEP-cracking ITX box.

I want to strip out all the usual introduction and fluff and do 5-7 turbo talks (with two of them being extremely short). Or one of these could be done as a separate turbo talk.

EFI Rootkits

In the next year, every major chip manufacturer will ship boards that use EFI. This brings new life to the old idea of PCI Option ROM rootkits, which can now easily access libraries that provide filesystem access as well as a full network stack. What features of EFI make this easy? What are the constraints on an EFI rootkit? How could this be mitigated as an attack vector?

Bypassing MS anti-XSS libraries

This is a quick one. There is a bug in the Microsoft implementation of libxml, such that the attributes of start and end tags are merged. This means that Internet Explorer respects XML attributes on end tags. There is a particular Microsoft anti-XSS library which looks for an "<" followed by any letter. It allows a "<" followed by a "/" however. To bypass this library, simply put your script in an end tag attribute, like so: </a style="background:expression(alert(document.cookie))">
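The filter weakness described above, as an added example that is not the talk's code nor Microsoft's library: a reconstruction of the described blacklist ("<" followed by a letter), the stricter variant that also covers "</", and the real fix, encoding on output so that untrusted text can never open or close a tag. The filter functions are reconstructions of the behaviour as described, not the library's implementation.

```javascript
// Added example (not the talk's or Microsoft's code): a reconstruction of
// the blacklist described above, a stricter check, and output encoding.

// Reconstruction of the described blacklist: "<" followed by a letter.
// A "</" start, as in the end-tag payload above, is not caught.
function weakLooksLikeTag(input) {
  return /<[A-Za-z]/.test(input);
}

// Stricter detector: an optional "/" may sit between "<" and the letter.
// Still a blacklist, so it is defence in depth, not the fix.
function strictLooksLikeTag(input) {
  return /<\/?[A-Za-z]/.test(input);
}

// The actual fix: encode on output, so no input can open or close a tag.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
};
function encodeHtml(s) {
  return String(s).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Render untrusted text into an HTML text-node position.
function renderComment(userText) {
  return `<p class="comment">${encodeHtml(userText)}</p>`;
}

// The end-tag payload from the talk description, used only to exercise the filters.
const END_TAG_PAYLOAD = '</a style="background:expression(alert(document.cookie))">';

// Run all three treatments over one input and report what each one does.
function check(input) {
  return {
    weakBlocks: weakLooksLikeTag(input),
    strictBlocks: strictLooksLikeTag(input),
    rendered: renderComment(input),
  };
}

console.log(check(END_TAG_PAYLOAD));
```

The detection regexes only show why the described bypass works; the property a reviewer should look for in an application is that every untrusted value reaches the page through `encodeHtml` (or the framework's equivalent), at which point no "<" survives, whatever follows it.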

Script injection in Flex

Since the provided user controls handle input encoding, injections are scarcer, but still available. One less conventional method I found relies on a bug in Internet Explorer. On a web application that allows file uploads, perhaps attachments, you can upload an HTML file containing the injection script.

When this attachment is viewed in Firefox, it will behave correctly and download the file first and then view it in a local file script context. In IE however, the downloaded HTML file is viewed with the script context of the site from which it was downloaded!
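The standard server-side defence against the attachment behaviour described above, as an added example that is not code from the talk or from Flex: stored uploads are served with a forced download disposition, a non-renderable content type for anything a browser would execute, and MIME sniffing disabled. The `store` interface and the upload records are assumptions constructed for the example.

```javascript
// Added example, not code from the talk or from Flex: serve stored uploads so
// that the browser treats them as downloads rather than as pages of this site.
// The store interface and records are hypothetical, constructed for the demo.

// Types a browser will render as a document with script or active content.
const ACTIVE_TYPES = new Set([
  'text/html', 'application/xhtml+xml', 'image/svg+xml',
  'text/xml', 'application/xml',
]);

// Response headers for one stored upload. The uploader-supplied type is
// never used for renderable content, and the name is reduced to a safe charset
// so it cannot break out of the header value.
function downloadHeaders(record) {
  const declared = String(record.contentType || '').toLowerCase().split(';')[0].trim();
  const type = !declared || ACTIVE_TYPES.has(declared) ? 'application/octet-stream' : declared;
  const name = String(record.filename || '').replace(/[^A-Za-z0-9._-]/g, '_') || 'download';
  return {
    'Content-Type': type,
    'Content-Disposition': `attachment; filename="${name}"`,
    'X-Content-Type-Options': 'nosniff',
    'Content-Security-Policy': "default-src 'none'; sandbox",
  };
}

// Minimal Node-style handler using the headers above. `store` is assumed to
// map an upload id to { filename, contentType, body }; `res` is an http.ServerResponse.
function serveUpload(store, id, res) {
  const record = store.get(id);
  if (!record) {
    res.writeHead(404, { 'Content-Type': 'text/plain' });
    res.end('not found');
    return 404;
  }
  res.writeHead(200, downloadHeaders(record));
  res.end(record.body);
  return 200;
}

// Stand-alone run against a constructed store and a stub response object.
const demoStore = new Map([
  ['1', { filename: 'notes.html', contentType: 'text/html; charset=utf-8', body: '<b>hi</b>' }],
]);
const stubRes = { writeHead: (s, h) => console.log(s, h), end: () => {} };
serveUpload(demoStore, '1', stubRes);
```

Serving uploads from a separate origin (a dedicated download host) is the companion measure: even if a browser does render a file despite these headers, it then runs with that host's cookies and origin, not the application's.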

So once you have a script injection, Flex can make life difficult with URL scrambling - kind of like ASLR for web apps. Your injected script has to make several requests via AJAX to retrieve and parse the URL mapping for the current session. I have an example script.

Static analysis with Dehydra

A new patch for GCC from Mozilla, Dehydra, allows the scripting of custom static analysis rules in JavaScript via the SpiderMonkey engine. How does this make your life easier on the first two days of a code audit? Interesting semantic searches to perform on C++ code bases, and the advantages and limitations of this approach.

Pattern-matching hex editors

Introducing my toy pattern-matching hex editor, haxedit, which can visually demonstrate the effectiveness of various pattern-matching algorithms on arbitrary binaries.
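The kind of comparison such an editor visualises, as an added example that is not haxedit's code: a byte signature with wildcard positions (the "4D 5A ?? ?? 50 45" notation used by signature scanners) searched for by a naive scan and by a Boyer-Moore-Horspool scan adapted for wildcards, each reporting how many byte comparisons it needed. The sample buffer and the signature are constructed for the example.

```javascript
// Added example, not haxedit's code: two ways of finding a byte signature with
// wildcards in a binary, reporting the work each one does. Sample data is constructed.

// Parse "4D 5A ?? ?? 50 45" into { bytes, mask }; mask[i] is false for "??".
function parseSignature(text) {
  const bytes = [];
  const mask = [];
  for (const tok of text.trim().split(/\s+/)) {
    if (tok === '??') {
      bytes.push(0);
      mask.push(false);
    } else {
      const v = parseInt(tok, 16);
      if (Number.isNaN(v) || v < 0 || v > 0xff) throw new Error('bad byte: ' + tok);
      bytes.push(v);
      mask.push(true);
    }
  }
  return { bytes, mask };
}

// Compare the window at `pos` against the signature, right to left, skipping
// wildcard positions. Returns [matched, comparisonsDone].
function windowMatches(data, pos, sig) {
  const { bytes, mask } = sig;
  let comparisons = 0;
  for (let j = bytes.length - 1; j >= 0; j--) {
    if (!mask[j]) continue;
    comparisons++;
    if (data[pos + j] !== bytes[j]) return [false, comparisons];
  }
  return [true, comparisons];
}

// Naive scan: test every offset.
function naiveSearch(data, sig) {
  const m = sig.bytes.length;
  const offsets = [];
  let comparisons = 0;
  for (let pos = 0; pos + m <= data.length; pos++) {
    const [ok, c] = windowMatches(data, pos, sig);
    comparisons += c;
    if (ok) offsets.push(pos);
  }
  return { offsets, comparisons };
}

// Horspool scan: after each window, skip ahead by a distance that depends on the
// byte under the window's last position. A wildcard can match any byte value, so
// it caps the shift for every value; wildcards near the end cost the most.
function horspoolSearch(data, sig) {
  const { bytes, mask } = sig;
  const m = bytes.length;
  const shift = new Array(256).fill(m);
  for (let i = 0; i < m - 1; i++) {
    if (mask[i]) shift[bytes[i]] = m - 1 - i;
    else shift.fill(m - 1 - i);
  }
  const offsets = [];
  let comparisons = 0;
  let pos = 0;
  while (pos + m <= data.length) {
    const [ok, c] = windowMatches(data, pos, sig);
    comparisons += c;
    if (ok) offsets.push(pos);
    pos += shift[data[pos + m - 1]];
  }
  return { offsets, comparisons };
}

// Constructed sample binary: filler bytes with the signature planted twice,
// the wildcard positions holding different values at each site.
const SAMPLE = new Uint8Array(64);
for (let i = 0; i < SAMPLE.length; i++) SAMPLE[i] = (i * 37) & 0xff;
SAMPLE.set([0x4d, 0x5a, 0x90, 0x00, 0x50, 0x45], 10);
SAMPLE.set([0x4d, 0x5a, 0x11, 0x22, 0x50, 0x45], 40);
const SIG = parseSignature('4D 5A ?? ?? 50 45');

// Run both searches over the sample and return offsets plus comparison counts.
function demo() {
  return { naive: naiveSearch(SAMPLE, SIG), horspool: horspoolSearch(SAMPLE, SIG) };
}

console.log(JSON.stringify(demo()));
```

Both searches must report the same offsets; the comparison counts are what an editor like the one described would colour in, and they show that the wildcard placement in a signature, not just its length, decides how much skipping the faster algorithm gets to do.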

Auto-WEP key cracking with ITX

This has become so trivial that people are playing for time, with average scores under 3 minutes. Tips and tricks for working around the idiosyncrasies of airtools in an embedded environment.

Porting Network Security Tools to the iPhone

Probably drop this, since it's all on the App Store now ...