This week in Infosec - 2008-08-10

A brief, somewhat-weekly post for non-security people who want to know what’s going on in the security space.

Black Hat / Defcon
Lots of goodness coming out of Las Vegas.

I. Owning the Virtual Infrastructure
Joanna Rutkowska and Rafal Wojtczuk of Invisible Things Labs gave a series of talks about owning virtual infrastructures.

Joanna builds on techniques she used in the Blue Pill Project to install a rootkit on a running machine with zero user assistance.  The rootkit essentially virtualizes the host OS, sliding the Blue Pill between the hardware and the host OS.  Scary stuff.

Please, for the love of god and all that is holy, don’t assume that because you went virtual, you are safe.

If you can own the hypervisor, you can own the hardware, and all the virtual machines.

Joanna and Rafal show how to do it.  Though they talk about Xen, assume their research applies to any virtualization platform.

Good stuff.

Posts with more details:
Owning Xen in Vegas!
Our Xen 0wning Trilogy Highlights
Presentations

II. GIFAR
Combining a GIF image and Java JAR applet into a single attack package.

Rich Mogull of Securosis explains it best in his blog post, “The Risks of Trusting Content”:

GIFs (and most image file formats) include their header information (the part that helps your system know how to render them) at the beginning of the file, and JARs (java applets, really ZIP files) include their header information at the end. A GIFAR is simultaneously a valid GIF and a valid JAR (albeit with extra bits), meaning that when the file is loaded, it will look like an image (because it is), but as it’s rendered at the end it will run as an applet. Thus you think you’re looking at a pretty picture, since you are, but you’re also running an application.

Note that the application runs in the context of the logged-in user, and in the security domain of the website serving the picture.

What happens if one of these is uploaded to your bank’s website?

No reports of this in the wild, but neat stuff.
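A defensive check for the format trick described above, as an added example (not code from the original post or from Securosis): an upload filter that flags a file carrying a GIF header at the front and a ZIP central directory at the back. The sample file is constructed inline, with a plain ZIP standing in for a JAR, and all function names are my own.

```python
import io
import struct
import zipfile

GIF_MAGICS = (b"GIF87a", b"GIF89a")
ZIP_EOCD_SIG = b"PK\x05\x06"      # end-of-central-directory record, read from the tail
ZIP_CDIR_SIG = b"PK\x01\x02"      # central-directory file header

# Constructed 1x1 GIF89a (no colour table), used only as a test fixture.
TINY_GIF = (b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0, 0, 0)
            + b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)
            + b"\x02\x02\x44\x01\x00\x3b")

def looks_like_gif(data: bytes) -> bool:
    # Image readers key off the header at the START of the file.
    return data[:6] in GIF_MAGICS

def looks_like_zip(data: bytes) -> bool:
    # ZIP/JAR readers key off the end-of-central-directory record at the END
    # of the file, so an archive stays valid behind an unrelated prefix.
    # The EOCD is 22 bytes plus an optional comment of up to 65535 bytes.
    tail_start = max(0, len(data) - (22 + 65535))
    pos = data.rfind(ZIP_EOCD_SIG, tail_start)
    if pos < 0 or pos + 22 > len(data):
        return False
    cd_size, cd_offset = struct.unpack_from("<II", data, pos + 12)
    # Offsets are relative to the archive start, which readers recover as
    # EOCD position minus central-directory size minus central-directory offset.
    archive_start = pos - cd_size - cd_offset
    if archive_start < 0:
        return False
    cd = archive_start + cd_offset
    return data[cd:cd + 4] == ZIP_CDIR_SIG

def classify_upload(data: bytes) -> str:
    # What an upload filter should decide before serving a "picture" back.
    gif, zp = looks_like_gif(data), looks_like_zip(data)
    if gif and zp:
        return "gif+zip polyglot"
    return "gif" if gif else "zip" if zp else "other"

def zip_entries(data: bytes) -> list:
    # Shows that the "extra bits" in front do not stop a ZIP reader opening it.
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()

def build_sample_polyglot() -> bytes:
    # Constructed fixture: GIF in front, plain ZIP (standing in for a JAR) behind.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "constructed sample, not an applet")
    return TINY_GIF + buf.getvalue()
```

Checking only the leading magic bytes, as many upload filters do, accepts this file as a plain image; the tail check is what catches it.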

I’ll likely have more next week, after I get through all the material coming out of Vegas.

New Tools
Karmetasploit

A combination of two awesome tools, Karma and Metasploit.

Karma is a wireless penetration testing tool, and Metasploit is a penetration testing tool that automates exploit payload delivery.

Together these two tools can do tremendous things.

The basics are, you set up a laptop running Karmetasploit.  Then, let the owning begin.  The box can act like any requested access point, and all traffic will be routed through the laptop…  All your bits are belong to us!

Here’s a quick list of fun things you can do with Karmetasploit from Metasploit creator HD Moore on the Metasploit blog:

  • Capture POP3 and IMAP4 passwords (clear-text and SSL)
  • Accept outbound email sent over SMTP
  • Parse out FTP and HTTP login information
  • Steal cookies from large lists of popular web sites
  • Steal saved form fields from the same web sites
  • Use SMB relay attacks to load the Meterpreter payload
  • Automatically exploit a wide range of browser flaws

That’s it for now.

Bill
