Day 2: A collection of #Blackhat articles: keeping remote track of the event

As a follow-up to my article of yesterday, "BlackHat slides available and first blogposts", the following is an additional collection of articles I kept track of by staying glued to TweetDeck all day.



Pictures: live pictures from the event (hat tip to mubix)

BlackHat slides available and first blogposts

Blackhat was really fast to upload some of their content. You can already get it at

I have already glanced at lockpick forensics, sniffing keyboards with lasers and Breaking the security myths of Extended Validation SSL Certificates. Some really interesting stuff in there!!

Here are some blogposts fresh off the shelf as well:

Speeding up MD5 collision hashing on GPUs, breaking EV SSL, or just breaking SSL all together, I see a trend that says that public PKI is completely broken. Oh, wasn't there a study today that said users ignore SSL warnings anyway?

Keep tuned, I'm seeing tweets that Dan Kaminsky is having a go at X.509 as well. #ssl #epicfail??



IE Killbits don't work, or why MS released an OOB Patch yesterday (updated)

Now we know why Microsoft rushed out an out-of-band patch. It seems that shutting down a defective component is not as effective as fixing it. During the upcoming Blackhat talk of Ryan Smith, Mark Dowd and David Dewey it will be demonstrated how to bypass the "kill-bit" mechanism, the measure Microsoft used to patch an ActiveX vulnerability on June 14th. So Microsoft rushed to release an out-of-band patch before the presentation.

Smith has posted a video that demonstrates how they were able to exploit a kill-bitted copy of IE.

Halvar Flake mentioned the following on his blog:

"The bug is actually much 'deeper' than most people realize, [and] the kill-bit fix is clearly insufficient, as there are bound to be many other ways of triggering the issue,"

So this is why Microsoft is patching the vulnerability within ATL (the msvidctl.dll issue). This has resulted in vulnerabilities in other crucial Windows files, and perhaps in third-party applications whose developers had also used ATL. The following post from the Adobe PSIRT blog confirms this:
We evaluated the impact of the vulnerable versions of the Microsoft Active Template Library (ATL) / CVE-2009-0901, CVE-2009-2395, CVE-2009-2493 / Microsoft Security Advisory (973882) on the Adobe product portfolio. We determined that Flash Player and Shockwave Player are the two products that leverage vulnerable versions of ATL. A Security Advisory for Flash Player and a Security Bulletin for Shockwave Player have been posted to our security bulletins and advisories page.
According to their bulletin, only Internet Explorer plug-ins are vulnerable. Firefox users as well as all other Windows-based browsers are not vulnerable. Macintosh, Linux and Solaris versions of Flash Player and Shockwave Player are not vulnerable.

So have a look at MS09-034 and MS09-035!! Until we have details on the Blackhat presentation, I wouldn't recommend using the killbit as the only countermeasure for vulnerabilities.

If you want to delve deeper into this matter, the following two articles from the Microsoft Security and Defense blog are worth a read!
Update: A Slashdot story was running on this with this remarkable quote: "What's really scary is that Microsoft has issued 175 killbits fixes so far."

According to this Heise online article, Cisco extensions are also vulnerable. Google hasn't released any details yet.

Last but not least, the verizon business security blog has a very good article on the entire issue, a risk summary and a tool for developers to check their code.



Microsoft July 2009 Out-of-Band Releases

If you haven't noticed it, Microsoft will release two out-of-band patches tomorrow, which usually means they have a good reason for doing this. Apply them ASAP.

From the MSRC blog:

We have just published our advance notification for an out-of-band security bulletin release, with a target of 10:00 AM Pacific Time next Tuesday, July 28, 2009.

While this release is to address a single, overall issue, in order to provide the broadest protections possible to customers, we’ll be releasing two separate security bulletins:

1. One Security Bulletin for Visual Studio

2. One Security Bulletin for Internet Explorer

How to follow Blackhat/Defcon without being there

Well, I'm one of the poor souls who couldn't make it to the Blackhat/Defcon fun. Although going to HAR2009 makes up for a lot of it, there are some ways to follow the events in Vegas (real time). ;-)

The first tool is to use twitter and follow the hashtags #defcon and #blackhat. If you have a twitter account, I would recommend installing tweetdeck and setting up two search columns. For those without a twitter account, you can use the Twitter search (and import it through RSS) or even better: which is more interactive.

Keep an eye on the Security Bloggers Network (RSS) and a Technorati search (RSS). A lot of security bloggers will be covering the event.

You can also monitor Flickr for the tag 'defcon17' (RSS) (couldn't find the one for Blackhat).

I think that's more than enough to follow the event, except for a live video stream. ;-)

If you have some tips of your own, please mention them below.



Preparing your laptop (or iPhone) for a security/hacker conference

With Blackhat and Defcon about to begin, I thought it might be a good idea to review an old article from last year: "Preparing your laptop for a security conference".

The 2 main resources from that article are still online:

The general advice I saw other bloggers give was:
  • Don't use the wireless, try to stick to 3G (and use tethering if possible)
  • Even if you use 3G, encrypt it (VPN, SSH-tunnel).... I read that an UMTS mitm was going to be demo'ed at Vegas next week.
  • Leave your data at home, backup the drive, reinstall a clean OS, reimage when you come back (also applies to iPhones)
Remember that even when using the wired access, there are risks (ARP poisoning). So be careful or you'll end up on the Wall of Sheep. I'll mention one last article:
But never never use a service that doesn't encrypt all the traffic. The safest still is to leave your gear at home. Have fun.

Now if you'll excuse me, I have some preparing to do for HAR2009!

Feel free to suggest additional tips below.

Update: Try to get a fixed IP. Running a DHCP client can get you in trouble. Two days ago, a vulnerability was found in dhclient. (hat tip to Jon). I'm guessing a lot of linux boxes will get owned in Las Vegas.



Remote root exploit in DD-WRT httpd daemon.

Due to a meta-character vulnerability in the httpd server, users that run DD-WRT on their routers are vulnerable to a remote root exploit.

More information can be found on the DD-WRT Forum at

Although this daemon usually listens on the internal interface only, there are still ways to exploit it:

Metasploit now has in the 3.3 Dev SVN an exploit for embedded device Linux distribution DD-WRT. This exploit module abuses a metacharacter injection vulnerability in the HTTP management server of wireless gateways running DD-WRT. This flaw allows an unauthenticated attacker to execute arbitrary commands as the root user account. It was argued that this exploit is of low impact by some since the distribution only listens for HTTP connections thru the internal interface. In this example of using the exploit the exploit will be used thru a pivot obtained thru a client side exploit from which we will pivot, do a discovery, finger print the device and exploit it. In the following example we will start by showing our IP of the attacker machine, receiving the Meterpreter shell and showing the target box IP thru a cmd shell (For details, see Pauldotcom)

DD-WRT developer Sebastian Gottschall says that firmware version "DD-WRT V24 preSP2", which fixes the bug, can already be downloaded.


0-Day in Adobe Flash, also executable from Acrobat Reader (updated)

SANS ISC is one of the first to report on this:

First, several AV companies reported that they detected this 0-day exploit in PDF files, so at first it looked like an Adobe Reader vulnerability. However, the vulnerable component is actually the Flash player or, better said, the code used by the Flash player which is obviously shared with Adobe Reader/Acrobat. This increases the number of vectors for this attack: the malicious Flash file can be embedded in PDF documents which will cause Adobe Reader to execute it OR it can be used to exploit the Flash player directly, making it a drive-by attack as well.

And indeed, when tested with Internet Explorer and the latest Flash player (version 10), the exploit silently drops a Trojan and works "as advertised". Another interesting thing I noticed is that the Trojan, which is downloaded in the second stage, is partially XOR-ed – the attackers probably did this to evade IDSes or AV programs scanning HTTP traffic. At the moment, the detection for both the exploit and the Trojan is pretty bad (only 7/41 for the Trojan, according to VirusTotal).

It appears that even when JavaScript support is disabled in Adobe Reader, the exploit still works, so at the moment there are no reliable protection mechanisms (except not using Adobe Reader?). Regarding Flash, NoScript is your best help here, of course.
An alternative FF plugin is Flashblock. For IE, you can deploy a killbit.

Applying the kill bit for the following CLSID will prevent the Flash plugin from running:


More information about how to set the kill bit is available in Microsoft Support Document 240797.

So be careful with handling pdf files for now. According to some tweets from AV experts, this exploit is being used in PDFs in targeted attacks.

Update: Adobe has a summary on their website about the issue, including a way to disable the SWF component in Acrobat Reader:
Deleting, renaming, or removing access to the authplay.dll file that ships with Adobe Reader and Acrobat v9.x mitigates the threat for those products, but users will experience a non-exploitable crash or error message when opening a PDF that contains SWF content. Depending on the product, the authplay.dll that ships with Adobe Reader and Acrobat 9.x for Windows is typically located at C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll or C:\Program Files\Adobe\Acrobat 9.0\Acrobat\authplay.dll. Windows Vista users should consider enabling UAC (User Access Control) to mitigate the impact of a potential exploit. Flash Player users should exercise caution in browsing untrusted websites. Adobe is in contact with Antivirus and Security vendors regarding the issue and recommend users keep their anti-virus definitions up to date. (Source: Adobe PSIRT)
Adobe hopes to release a patch for the issue by the 30th of July.



Nmap 5.00 Released with new additions: ndiff, ncat; nse and better performance!!!

This is awesome news. Nmap version 5.00 has been released. It is the first major release since 4.50 in 2007. Here is a more detailed overview of the changes.

To have a quick glance, here are the top 5 improvements in Nmap 5:

  1. The new Ncat tool. It will do data transfer, redirection, and debugging.
  2. Ndiff is a scan comparison tool. It will make it easy to automatically scan your network daily and report on any changes
  3. Nmap's 5.0 performance has improved dramatically.
  4. Nmap Network Scanning, the official Nmap guide to network discovery and security scanning.
  5. The Nmap Scripting Engine (NSE). It allows users to write (and share) simple scripts to automate a wide variety of networking tasks. New scripts include a whole bunch of MSRPC/NetBIOS attacks, queries, and vulnerability probes; open proxy detection; whois and AS number lookup queries; brute force attack scripts against the SNMP and POP3 protocols; and many more.
This just looks awesome. Playing with NMAP 5.0 goes on to my TODO list for the next month!



According to Child Support groups, Net filtering is a waste of money

Australia was one of the first countries to deploy massive Net filtering. The main reason was to fight online child pornography (the usual reason). Now the children's support groups are criticizing the measure.

In a joint statement with lobby group GetUp, both Save the Children Australia and the National Children's & Youth Law Centre believe the resources could be better spent on law enforcement agencies battling to eradicate child pornography on the internet. (from Australian IT)
So why have these Net filters at all? The following wikileaks article caught my eye: Australia secretly censors Wikileaks press release and Danish Internet censorship list, 16 Mar 2009

The first rule of censorship is that you cannot talk about censorship.

In late 2008, Wikileaks released the secret Internet censorship list for Denmark, together with a press release condemning the practice for lack of public or judicial oversight. Here's an extract from the press release:

The list is generated without judicial or public oversight and is kept secret by the ISPs using it. Unaccountability is intrinsic to such a secret censorship system.
Most sites on the list are still censored (i.e must be on the current list), even though many have clearly changed owners or were possibly even wrongly placed on the list, for example the Dutch transport company Vanbokhorst.
The list has been leaked because cases such as Thailand and Finland demonstrate that once a secret censorship system is established for pornographic content the same system can rapidly expand to cover other material, including political material, at the worst possible moment -- when government needs reform.
Two days ago Wikileaks released the secret Internet censorship list for Thailand. Of the 1,203 sites censored this year, all have the internally noted reason of "lese majeste" -- criticizing the Royal family. Like Denmark, the Thai censorship system was originally promoted as a mechanism to prevent the flow of child pornography. (Source: wikileaks)
Emphasis added by myself. So why do these lists need to be kept secret? When wikileaks released the secret Australian censorship list, it seemed that "half of the sites on the list are not related to child porn and include a slew of online poker sites, YouTube links, regular gay and straight porn sites, Wikipedia entries, euthanasia sites, websites of fringe religions such as satanic sites, fetish sites, Christian sites, the website of a tour operator and even a Queensland dentist." (source:

So who decides what gets on this list? If they have the possibility, they WILL use these systems as "they" see fit. So common sense hasn't set in yet. The next country to jump into the deep end is New Zealand.

If you thought that net filtering and grandiose firewalls were the exclusive preserve of West Island (or "Australia", as the locals like to call it), think again. New Zealand is showing that it, too, is ready to play its part in the great Antipodean censorship stakes.

Last week, the Department of Internal Affairs (DIA) announced it was setting up a filter system that will allow internet service providers to stop people accessing child pornography.

The filter system has already been trialled in hundreds of thousands of New Zealand households, and Internal Affairs deputy secretary Keith Manch confirmed that the voluntary system will block access to around 7000 websites carrying images of child sexual abuse. (Full story at The Register)

In the end, criminals will circumvent these filters and citizens will be limited by secret black lists in what they can view and what not. Money down the drain. And a step closer to totalitarian states.


Oracle & Microsoft Patch Tuesday and a Firefox 0-day

Yes, only a day after the discovery of an Internet Explorer ActiveX (Office) 0-day, it's time for black Tuesday with a surprise. (see previous post)

For the Microsoft patch overview, the one from Swa Frantzen over at SANS ISC is still advisable.

Then Oracle followed suit with their quarterly patch cycle:

And to finish, an exploit was posted to milw0rm (who came back) that affects Firefox 3.5 and possibly earlier versions. The mozilla blog above has a workaround: temporarily disabling the javascript.options.jit.content setting in about:config. Additionally, using NoScript stops it as well, successfully detecting the PoC's attempt to access file://.

Be safe.


Fake OpenSSH 0-day, don't run 0pen0wn.c

There were some rumors of a 0-day OpenSSH vulnerability doing the rounds. It seems this was just a hoax. Compromised systems were due to brute force attacks.

Damien Miller (OpenSSH) responded that he still has not gotten a single piece of evidence of a 0-day exploit. He summarizes some of the possible attacks and argues that it's very unlikely that OpenSSH can be compromised in those ways. It seems that the actual hacks were brute-force password attacks that actually succeeded. (Source: secgeeks)
Fueled by this hoax, the anti-sec group released some fake shellcode. As some victims who tried it quickly found out, it will trash your system. So don't run it. If you want a detailed analysis of the disassembled shellcode, Thierry Zoller posted a good analysis on his blog.

The anti-sec group is also known for the Astalavista and Imageshack incident. See also "Hacker group declares war on the security industry" (Heise)



Active exploitation of Office Web Component ActiveX vulnerability. ISC level raised to yellow.

A critical security vulnerability in an Office Web Component that allows attackers to gain control of a Windows PC has been identified (Microsoft Security Advisory 973472). When using Internet Explorer, code execution is remote and may not require any user intervention.

According to Microsoft and the SANS Internet Storm Center, this vulnerability is being exploited in the wild. SANS ISC Threat level has been raised to yellow to raise awareness of this issue.

Currently there is no update but Microsoft has released a Fix-it tool to disable the vulnerable control in Internet Explorer.

This tool probably sets the two CLSIDs you need to set the killbit:


The following twitter account is relaying up to date information:

The latest tweets reported millions of computers being infected in China. If you're not a twitter user, you can also monitor the Twitter account through this RSS feed.

Alternatively to setting killbits, you can switch to an alternative browser.
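The kill bit discussed in the Flash post above and the two Office Web Components CLSIDs here are the same registry setting (Microsoft Support Document 240797): bit 0x400 of the "Compatibility Flags" DWORD under the ActiveX Compatibility key. The following Python is an added example, not code from any of these posts: it builds a .reg file that sets that bit for a list of CLSIDs and audits an exported .reg file for which CLSIDs already carry it. The CLSIDs in it are constructed placeholders, since the real Flash and Office Web Components values are not on this page.

```python
"""Kill-bit helpers (added example, not from the original posts).

A kill bit is the 0x400 flag in the DWORD value "Compatibility Flags" under
HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\{CLSID}
(Microsoft KB 240797). On 64-bit Windows the 32-bit IE key also lives under
HKLM\\SOFTWARE\\Wow6432Node\\... ; audit both if you export from such a box.
The CLSIDs below are placeholders, not the real Flash / OWC control IDs.
"""
import re

KILL_BIT = 0x400
COMPAT_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
              r"\ActiveX Compatibility")
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})$', re.I)


def killbit_reg(clsids):
    """Return the text of a .reg file that sets the kill bit for each CLSID.

    Rejects anything that is not a well-formed {GUID}, so a typo cannot
    silently create a junk key instead of disabling the control.
    """
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in clsids:
        if not CLSID_RE.match(clsid):
            raise ValueError(f"not a CLSID: {clsid!r}")
        lines.append(f"[{COMPAT_KEY}\\{clsid.upper()}]")
        lines.append(f'"Compatibility Flags"=dword:{KILL_BIT:08x}')
        lines.append("")
    return "\r\n".join(lines)


def audit_killbits(reg_text, clsids):
    """Map each CLSID to True/False: is its kill bit set in this .reg export?

    A CLSID that has no key at all, or a flags value without bit 0x400,
    counts as not kill-bitted (other bits in the DWORD are ignored).
    """
    flags = {}
    current = None
    prefix = COMPAT_KEY.lower() + "\\"
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            # only track subkeys of the ActiveX Compatibility key
            current = key[len(prefix):].upper() if key.lower().startswith(prefix) else None
        elif current is not None:
            m = FLAGS_RE.match(line)
            if m:
                flags[current] = int(m.group(1), 16)
    return {c.upper(): bool(flags.get(c.upper(), 0) & KILL_BIT) for c in clsids}


# Constructed sample export: one control kill-bitted, one present but not.
SAMPLE_EXPORT = "\r\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    f"[{COMPAT_KEY}\\{{11111111-2222-3333-4444-555555555555}}]",
    '"Compatibility Flags"=dword:00000400',
    "",
    f"[{COMPAT_KEY}\\{{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}}]",
    '"Compatibility Flags"=dword:00000000',
    "",
])

if __name__ == "__main__":
    wanted = ["{11111111-2222-3333-4444-555555555555}",
              "{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}"]
    for clsid, ok in audit_killbits(SAMPLE_EXPORT, wanted).items():
        print(clsid, "kill bit set" if ok else "NOT kill-bitted")
    print(killbit_reg([c for c, ok in audit_killbits(SAMPLE_EXPORT, wanted).items() if not ok]))
```

To audit a live machine, export the key with `reg export` and pass the file's text (decoded as UTF-16) to audit_killbits; the .reg that killbit_reg returns can be imported with `reg import`.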

This advisory discusses the following software.

Affected Software

  • Microsoft Office XP Service Pack 3
  • Microsoft Office 2003 Service Pack 3
  • Microsoft Office XP Web Components Service Pack 3
  • Microsoft Office 2003 Web Components Service Pack 3
  • Microsoft Office 2003 Web Components for the 2007 Microsoft Office system Service Pack 1
  • Microsoft Internet Security and Acceleration Server 2004 Standard Edition Service Pack 3
  • Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition Service Pack 3
  • Microsoft Internet Security and Acceleration Server 2006
  • Internet Security and Acceleration Server 2006 Supportability Update
  • Microsoft Internet Security and Acceleration Server 2006 Service Pack 1
  • Microsoft Office Small Business Accounting 2006

Non-Affected Software
  • Microsoft Office 2000 Service Pack 3
  • 2007 Microsoft Office Suite Service Pack 1 and 2007 Microsoft Office Suite Service Pack 2
  • Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 1 and Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 2
  • Microsoft Forefront Threat Management Gateway, Medium Business Edition
  • Microsoft Internet Security and Acceleration Server 2000 Service Pack 2

HostileWRT: the misconceptions about the Hadopi Router

So the three-strikes law has been passed in France (slashdot). In my previous blogpost I mentioned an article about the Hadopi router: a firmware made to infect routers, reroute traffic through other routers and infect those as well, just to challenge the Hadopi law.

The whole story, first launched by a French newspaper, seems to have been one big misconception. The Hadopi router firmware is actually HostileWRT; it's based on OpenWRT and can automate the cracking of wireless security passwords. Its intention was to prove the insecurity of wireless networks and it has nothing to do with the Hadopi law. The law, by the way, has become worse: in this form, instead of getting disconnected from the net, it can lead to up to 3 years in jail.

For other sources, check Be carefull what you read about the Hadopi router (CrunchGear).



Big Brother 2009: Has the rebellion started?

A lot of legislation and surveillance measures have appeared these last years that endanger the civil rights and liberties of the people. Measures like the EU Data Retention directive, internet filtering or the three-strikes law (for example in France: HADOPI) are all measures that are starting to make me shiver.

Are we slowly evolving to a censorship system akin to the Chinese Great Firewall? A lot of these measures are implemented either to combat child pornography or terrorism. But is it the right way? What are we sacrificing?

More and more awareness about this issue is being raised and more projects have started to circumvent censorship of any kind. The CCC already had Tor on a stick called the Freedom stick for the people in China and other repressive states.

Some of the internet filters are based on DNS filters which can easily be bypassed by setting up your own DNS server or using OpenDNS, a freely available DNS service.

Two recent projects have arisen as a protest against Dataretention and the three strike law respectively: and the HADOPI router firmware (

Smallsister is aimed at anonymizing email:

At this point one issue has caught our immediate attention and that is data retention. This legal tool forces Telephony and Internet Service Providers to store information on their users. For instance who is behind an Internet-address or a telephone number. Not only that, it also requires to register who tried to call whom and who has been e-mailing whom. For users that would mean that certain things can't be secret anymore. For instance: a whistle blower should go through a great pain to reach a journalist to break a story that would correct wrong. Or what about a company that tries to do a deal and fears to be frustrated by a foreign government that would pass information on to a local, competing company (as happened with Airbus and Boeing for instance). We intend to do something about that. So we look at anonymizing e-mail. (source:
The HADOPI router is aimed at proving that an IP address is not a good identifier to link to people. Law cases of the RIAA suing people that didn't even own a computer proved that point quite well. Although I'm a bit divided about the method the HADOPI firmware uses (cracking wireless keys and re-routing packets through the routers of neighbours) (update here), it does prove a point that laws shouldn't be used to fix broken business models.

So are governments starting an uphill battle about control of the internet? I know only one thing, if kids can bypass school filters by using DNS VPNs and anonymous proxies, people will find a way to bypass this as well.

How can we educate governments that this is the wrong way?

(sarcasm) Yes, we are living in a world where people using Linux are found to be suspicious! (/sarcasm) Click the link, it's a real story!
