
Back from Black Hat March 18, 2012

Posted by michelemanzotti in manzotti.eu, Security.

I’m just back from Black Hat Europe 2012. It was a great experience in a beautiful atmosphere. All the talks were interesting for one reason or another; however, I found the presentations below (in no specific order) really exciting.

CANAPE: Bytes Your Bits
Michael Jordon – James Forshaw

Testing and exploiting binary network protocols can be both complex and time consuming. More often than not, custom software needs to be developed to proxy, parse and manipulate the traffic. CANAPE is a new Windows tool we are releasing at Blackhat which takes the existing paradigm of Web Application testing tools (such as CAT, Burp or Fiddler) and applies that to any network protocol. CANAPE provides a user interface that facilitates the capture and replaying of binary network traffic, whilst providing a framework to develop parsers and fuzzers.

This presentation will follow a worked example of using CANAPE to analyse the Citrix ICA binary protocol, allowing the discovery of a heap corruption bug that can be used to gain remote code execution on Citrix clients.

Ling Chuan Lee – Chan Lee Yee

There are different types of font available within Windows, falling into two categories: GDI fonts and device fonts. This talk covers only GDI TrueType and GDI bitmap fonts on the Windows platform.

In GDI, the typical way to create a font is to fill in a LOGFONT structure and call CreateFontIndirect, which returns a font handle. As the name suggests, a LOGFONT describes a logical font: when the user draws text with that font handle, GDI looks for a matching physical font to draw the text, and if no font with a matching name is found, it uses some other font.

The consequence is that the font fuzzer works at the lower level, through the physical-font APIs provided by GDI itself, for instance GetFontData, GetGlyphIndices and even ExtTextOut when used with the ETO_GLYPH_INDEX flag. The font fuzzer in this talk aims to trigger the font vulnerabilities published on the Internet; two Windows kernel vulnerabilities in the handling of crafted fonts, MS11-077 and MS11-087, will be discussed.
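The abstract above describes feeding crafted fonts to GDI's physical-font APIs. The part a fuzzer has to get right before any loader sees the file is the file-format mutation itself: a TrueType (sfnt) container is a table directory followed by tables, each record carrying a checksum, so a naive byte flip can produce a file that is rejected before the interesting parser code ever runs. The example below is added here and is not code from the talk or from the original post. It builds a minimal, constructed sfnt container (not a loadable font), parses the directory with bounds checks, mutates bytes inside one chosen table and rewrites that table's checksum. Python is used so it runs offline; a Windows harness would instead hand each mutated blob to a loader such as AddFontMemResourceEx and watch for a crash, and it would also have to recompute head.checkSumAdjustment, which this synthetic container does not carry.

```python
import random
import struct

SFNT_HEADER = struct.Struct(">IHHHH")    # sfntVersion, numTables, searchRange, entrySelector, rangeShift
TABLE_RECORD = struct.Struct(">4sIII")   # tag, checkSum, offset, length


def table_checksum(data):
    """TrueType table checksum: sum of big-endian uint32 words over the table padded to 4 bytes."""
    padded = data + b"\x00" * (-len(data) % 4)
    words = struct.unpack(">%dI" % (len(padded) // 4), padded)
    return sum(words) & 0xFFFFFFFF


def build_sfnt(tables):
    """Serialise {tag: bytes} into an sfnt container with a consistent table directory."""
    num = len(tables)
    entry_selector = max(num.bit_length() - 1, 0)      # floor(log2(numTables))
    search_range = (1 << entry_selector) * 16
    header = SFNT_HEADER.pack(0x00010000, num, search_range, entry_selector, num * 16 - search_range)
    data_start = SFNT_HEADER.size + TABLE_RECORD.size * num
    directory, body = b"", b""
    for tag in sorted(tables):                          # directory records are sorted by tag
        data = tables[tag]
        directory += TABLE_RECORD.pack(tag, table_checksum(data), data_start + len(body), len(data))
        body += data + b"\x00" * (-len(data) % 4)       # tables start on 4-byte boundaries
    return header + directory + body


def parse_sfnt(font):
    """Return (sfntVersion, {tag: (record_index, checkSum, offset, length)}), bounds-checking each record."""
    version, num, _sr, _es, _rs = SFNT_HEADER.unpack_from(font, 0)
    records = {}
    for i in range(num):
        tag, csum, off, length = TABLE_RECORD.unpack_from(font, SFNT_HEADER.size + i * TABLE_RECORD.size)
        if off + length > len(font):
            raise ValueError("table %r runs past end of file" % tag)
        records[tag] = (i, csum, off, length)
    return version, records


def verify_checksums(font):
    """Map each table tag to whether its directory checksum matches the table bytes."""
    _, records = parse_sfnt(font)
    return {tag: table_checksum(font[off:off + length]) == csum
            for tag, (_i, csum, off, length) in records.items()}


def mutate_table(font, tag, n_bytes, seed):
    """XOR n_bytes random bytes inside one table, then rewrite that table's directory
    checksum so the mutated file stays self-consistent.  Real fonts additionally carry
    head.checkSumAdjustment (a whole-file checksum) that a full harness must recompute."""
    _, records = parse_sfnt(font)
    idx, _csum, off, length = records[tag]
    rng = random.Random(seed)
    buf = bytearray(font)
    for pos in rng.sample(range(off, off + length), min(n_bytes, length)):
        buf[pos] ^= rng.randrange(1, 256)               # non-zero mask guarantees a change
    rec_off = SFNT_HEADER.size + idx * TABLE_RECORD.size
    buf[rec_off + 4:rec_off + 8] = struct.pack(">I", table_checksum(bytes(buf[off:off + length])))
    return bytes(buf)


# Constructed sample, not a real font: a 6-byte 'maxp' version-0.5 table and a filler 'name' table.
SAMPLE_TABLES = {
    b"maxp": struct.pack(">IH", 0x00005000, 4),
    b"name": b"constructed name table, not a real one",
}

if __name__ == "__main__":
    base = build_sfnt(SAMPLE_TABLES)
    for seed in range(3):
        case = mutate_table(base, b"maxp", 2, seed)
        # A real harness would now pass `case` to the loader under test
        # (e.g. AddFontMemResourceEx on Windows) and watch for a crash.
        print(seed, case[44:52].hex(), verify_checksums(case))
```

The bounds check in parse_sfnt is the same check a font loader must perform on every directory record; a mutated offset or length that points past the end of the file is exactly the kind of input a fuzzer targeting the parser wants to generate, so a harness would typically mutate the directory as well as the table bodies.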

Alexey Sintsov

This talk presents an overview of some ways to break Lotus through the Domino Controller (including a 0-day bug).

Mariano Nunez Di Croce

Global Fortune 1000 companies, large governmental organizations and defense entities have something in common: they rely on SAP platforms to run their business-critical processes and information. In this scenario, cyber-criminals looking to perform espionage, sabotage or financial fraud attacks know that these systems are keeping the business crown jewels.

But how difficult is it for them to break into an SAP system today? Are we properly protecting the business information, or are we exposed?

Five years ago, we were invited to hold the first public presentation on real-world cyber-threats to SAP systems at BlackHat Europe 2007. Since then, we have performed specialized Penetration Tests against the SAP platforms of several of the largest organizations of the world, enabling us to get an educated answer to those questions.

Join us in this new presentation to learn:

How a cyber-attacker may break into an SAP system, completely anonymously.
The top 10 technical vulnerabilities found in real-world SAP implementations.
How protected SAP systems are from attacks over the Internet and internal networks.
How feasible real-time attack detection and forensic investigation are.
The most effective measures to secure this business-critical platform.

This presentation will feature live demonstrations of attacks, war stories and statistics from real-world assessments.

Ben Williams

After a thorough examination of a number of common Security Gateway products over the past few months I have determined that Security Gateway Web User Interfaces are often vulnerable to security flaws, which could enable an attacker to gain control of the UI, bypass controls within the application, and in many cases control the underlying operating system.

Based on this research I have reported over 30 vulnerabilities, complete with proof-of-concept exploits, to the vendors of these products.

This presentation will discuss vulnerabilities common across these products, weaknesses in product design, and some interesting attack vectors where external attackers can exploit Security Gateways via the UI, even where the attacker has no direct access to the UI.

Enno Rey – Daniel Mende

Modern “Enterprise” VoIP solutions are complex beasts. They usually encompass application servers (e.g. for mailboxes and to provide CTI functions), “infrastructure systems” for authentication or crypto stuff and “intelligent” phones.

At the end of the day the inherent complexity means that, while “traditional” VoIP attacks (like re-directing, sniffing and reconstructing calls) might no longer work, we’ve been able to severely compromise every enterprise VoIP environment we’ve pentested in the last twelve months. Based on a number of war stories, in this talk we’ll first lay out the relevant attack vectors and the protocol- or device-level vulnerabilities enabling them.

We will then focus on Cisco’s Unified Communications solution, which seemingly comes with a mature, certificate-based crypto framework protecting both the signaling and the media transport. Well, seemingly. When closely inspecting the relevant parts and messages, it turns out that at some point all the key material can be replaced by attacker-chosen keys. Which effectively means that we’re down to cleartext-like attacks again…

For the first time we’ll publicly provide a detailed technical explanation of the underlying vulnerabilities, show a live demo sniffing calls in a presumably fully encrypted environment and – of course 😉 – release a tool automating a number of steps of the complex overall attack. A discussion of potential mitigating controls, both on a technical and on the provisioning process level, completes the talk.

Sumit Siddharth – Tom Forbes

The presentation will discuss the vulnerability XPath Injection in depth and cover advanced exploitation techniques. We will talk about XPath 2.0 and how an attacker can obtain not just the XML document but also files outside the current document. We will discuss how to exploit the vulnerability blindly, including the case where the application does not reveal anything (i.e. comparable to time-based SQL injection). Exfiltrating data over out-of-band channels such as HTTP and DNS will also be discussed, followed by some real-life examples of the vulnerability found in the wild. Finally, we will release an open-source tool to automate exploitation of this vulnerability with all the advanced exploitation features built in.

Antonios Atlasis

IP fragmentation attacks are not a new issue. There are many publications regarding their exploitation for various purposes, including, but not limited to, OS fingerprinting, IDS/IPS insertion/evasion, firewall evasion and even remote code execution. The adoption of the new IP version, IPv6, has opened new potential exploitation fields to attackers and pen testers. This paper examines whether fragmentation issues still remain in the IPv6 implementations of some of the most popular operating systems and whether they can also be used for the aforementioned purposes. To this end, several fragmentation attacks will be presented and their impact examined. As will be shown, most popular OSes, such as Windows, Linux and OpenBSD, are susceptible to such attacks. In each case, the corresponding proof-of-concept code is provided. As will be explained, such attacks can, under specific circumstances, lead to OS fingerprinting, IDS insertion/evasion and firewall evasion. Finally, these tests will also show which OS appears to be the most immune to IPv6 fragmentation attacks.
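The mechanism behind the IDS insertion/evasion and OS-fingerprinting uses mentioned in the abstract is that different reassemblers resolve overlapping fragments differently: one keeps the bytes that arrived first, another lets later bytes overwrite, and RFC 5722 requires an IPv6 host to discard the whole datagram on any overlap. The example below is added here and is not code from the talk or from the original post. It builds IPv6 Fragment extension headers (RFC 2460, 8 bytes: next header, reserved, 13-bit offset in 8-octet units plus the M flag, identification), reassembles a constructed overlapping fragment set under the three policies, and shows that a "first wins" monitor and a "last wins" host see two different requests. The sample fragments and the three policy names are constructed for the example; which real OS applies which policy is not claimed here.

```python
import struct

FRAG_HDR = struct.Struct("!BBHI")   # Next Header, Reserved, Offset(13)|Res(2)|M(1), Identification
NH_TCP = 6


def build_fragment(offset, more, ident, payload, next_header=NH_TCP):
    """Build an IPv6 Fragment extension header followed by the fragment payload.
    `offset` is in bytes and must be a multiple of 8; every fragment except the
    final one must carry a payload that is a multiple of 8 bytes."""
    if offset % 8 or offset // 8 > 0x1FFF:
        raise ValueError("fragment offset must be a multiple of 8 and fit in 13 bits")
    if more and len(payload) % 8:
        raise ValueError("non-final fragment payload must be a multiple of 8 bytes")
    field = ((offset // 8) << 3) | (1 if more else 0)
    return FRAG_HDR.pack(next_header, 0, field, ident) + payload


def parse_fragment(data):
    """Decode a Fragment header; offset is returned in bytes."""
    nh, _res, field, ident = FRAG_HDR.unpack_from(data, 0)
    return {"next_header": nh, "offset": (field >> 3) * 8, "more": bool(field & 1),
            "id": ident, "payload": data[FRAG_HDR.size:]}


def reassemble(fragments, policy="strict"):
    """Reassemble one datagram's fragments under an overlap policy:
    'first'  - bytes already received are kept, later overlapping bytes ignored;
    'last'   - later overlapping bytes overwrite earlier ones;
    'strict' - any overlap discards the datagram (RFC 5722 behaviour).
    Returns the reassembled payload, or None if a fragment is missing."""
    if policy not in ("first", "last", "strict"):
        raise ValueError("unknown policy %r" % policy)
    buf, filled, total, ident = bytearray(), set(), None, None
    for raw in fragments:
        frag = parse_fragment(raw)
        if ident is None:
            ident = frag["id"]
        elif frag["id"] != ident:
            raise ValueError("fragment belongs to a different datagram")
        start = frag["offset"]
        end = start + len(frag["payload"])
        if end > len(buf):
            buf.extend(b"\x00" * (end - len(buf)))
        for i, byte in enumerate(frag["payload"]):
            pos = start + i
            if pos in filled:
                if policy == "strict":
                    raise ValueError("overlapping fragment at offset %d" % pos)
                if policy == "first":
                    continue
            buf[pos] = byte
            filled.add(pos)
        if not frag["more"]:
            total = end                                 # final fragment fixes the length
    if total is None or not all(p in filled for p in range(total)):
        return None                                     # hole, or final fragment never seen
    return bytes(buf[:total])


def compare_policies(fragments):
    """Reassemble the same fragments under every policy; 'dropped' marks an RFC 5722 discard."""
    out = {}
    for policy in ("first", "last", "strict"):
        try:
            out[policy] = reassemble(fragments, policy)
        except ValueError:
            out[policy] = "dropped"
    return out


# Constructed evasion sequence (not captured traffic): fragment 3 re-sends offset 8-16
# with different bytes, so the request body depends on the reassembler's overlap policy.
IDENT = 0x1234
EVASION_FRAGMENTS = [
    build_fragment(0,  True,  IDENT, b"GET /pub"),
    build_fragment(8,  True,  IDENT, b"/a.txt  "),
    build_fragment(8,  True,  IDENT, b"/passwd "),   # overlaps the previous fragment
    build_fragment(16, False, IDENT, b"HTTP/1.0"),
]

if __name__ == "__main__":
    for policy, result in compare_policies(EVASION_FRAGMENTS).items():
        print("%-6s %r" % (policy, result))
```

Run stand-alone it prints the benign request for the "first" policy, the other request for "last", and "dropped" for the RFC 5722 reassembler. A monitoring device and the end host only agree on what was sent when they implement the same policy, which is why a network IDS that cannot mirror each protected host's reassembly behaviour can be made to miss traffic, and why probing a host's choice of policy doubles as a fingerprinting primitive.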

All talks are here.