<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:georss="http://www.georss.org/georss" xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" xmlns:media="http://search.yahoo.com/mrss/"
	>

<channel>
	<title>...And You Will Know me by the Trail of Bits</title>
	<atom:link href="http://trailofbits.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://trailofbits.com</link>
	<description>4888 C3C4 099A 4240 9648  719B 84E0 A6FE 32AE 38F6</description>
	<lastBuildDate>Wed, 30 Nov 2011 14:12:43 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.com/</generator>
<cloud domain='trailofbits.com' port='80' path='/?rsscloud=notify' registerProcedure='' protocol='http-post' />
<image>
		<url>http://s2.wp.com/i/buttonw-com.png</url>
		<title>...And You Will Know me by the Trail of Bits</title>
		<link>http://trailofbits.com</link>
	</image>
	<atom:link rel="search" type="application/opensearchdescription+xml" href="http://trailofbits.com/osd.xml" title="...And You Will Know me by the Trail of Bits" />
	<atom:link rel='hub' href='http://trailofbits.com/?pushpress=hub'/>
		<item>
		<title>Pwn2Own Pre-Game</title>
		<link>http://trailofbits.com/2011/11/29/pwn2own-pre-game/</link>
		<comments>http://trailofbits.com/2011/11/29/pwn2own-pre-game/#comments</comments>
		<pubDate>Tue, 29 Nov 2011 21:40:59 +0000</pubDate>
		<dc:creator>Dino Dai Zovi</dc:creator>
				<category><![CDATA[Exploits]]></category>
		<category><![CDATA[Vulnerabilities]]></category>

		<guid isPermaLink="false">http://trailofbits.com/?p=1094</guid>
		<description><![CDATA[Just in time to get warmed up for Pwn2Own, we are delivering a joint offering of the training courses “Bug Hunting and Analysis 0x65” by Aaron Portnoy and Zef Cekaj as well as “Assured Exploitation” by Dino Dai Zovi and Alex Sotirov in New York City on January 31 &#8211; February 3. Students may take [...] ]]></description>
			<content:encoded><![CDATA[<p>Just in time to get warmed up for Pwn2Own, we are delivering a joint offering of the training courses “Bug Hunting and Analysis 0x65” by <a href="http://twitter.com/#!/aaronportnoy">Aaron Portnoy</a> and Zef Cekaj as well as “Assured Exploitation” by <a href="http://twitter.com/#!/dinodaizovi">Dino Dai Zovi</a> and <a href="http://twitter.com/#!/alexsotirov">Alex Sotirov</a> in New York City on January 31 &#8211; February 3. Students may take either course or both classes for a $1000 discount. Full course information is available in the <a href="http://trailofbits.files.wordpress.com/2011/11/pwn2own-pregame.pdf">Pwn2Own PreGame PDF</a> or the full blog post after the jump.</p>
<p><span id="more-1094"></span></p>
<p>The two-day “Bug Hunting and Analysis 0x65” training (1/31 &#8211; 2/1) will take students through a crash course in reverse engineering, vulnerability discovery, and vulnerability analysis with a focus on server-side software vulnerabilities. The two-day “Assured Exploitation” course immediately follows (2/2 &#8211; 2/3) and guides students through vulnerability analysis of browser-based memory corruption vulnerabilities and hands-on development of reliable exploits against Microsoft’s Internet Explorer 8 on Windows 7. Taken together, these two complementary classes will give students the knowledge and hands-on experience they need to discover, analyze, and exploit memory corruption vulnerabilities in major server-side and client-side Windows software.</p>
<p>Both courses will be delivered in the same professional training facility with pre-configured machines running VMware Player and custom training VM images. The training facility is located in Manhattan’s financial district, easily accessible by NYC subways, waterways, and helicopter.</p>
<h2>Bug Hunting and Analysis 0x65</h2>
<p>This two-day course teaches students to use debuggers, disassemblers, and other tools effectively to discover vulnerabilities in binary code. The curriculum begins by introducing the tools and generic techniques that will enable students to actively participate in reversing applications during the rest of the course.</p>
<p>After gaining a basic understanding of the tools involved, the instructors will spend time walking students through case studies from patched vulnerabilities. That is, we will be choosing specific vulnerabilities and walking the students through the methodology used to verify them (debugging) and how the discoverer likely found them (fuzzing, static reverse engineering, dynamic instrumentation, etc). As each flaw is dissected, we will focus on how the student&#8217;s arsenal of techniques can be extended to more easily debug applications and eventually discover similar bugs going forward.</p>
<p>We will then begin focusing on automating our tools to build a checklist that we can use to more efficiently reverse engineer a binary code base. We will walk through a complete audit of a default installation (latest version) of a popular enterprise server application culminating in the discovery of over 20 remote pre-authentication 0day vulnerabilities.</p>
<h3>Prerequisites</h3>
<p>Prospective students should have basic x86 assembly fluency. Previous debugging experience is also required; our debugger of choice for this class will be WinDBG. Programming experience is required, preferably in Python, as the class will be developing IDAPython scripts to aid in RE. Our target platform will be Windows 2003, so students should be comfortable operating in that environment.</p>
<h3>Trainers</h3>
<h4>Aaron Portnoy</h4>
<p>Aaron Portnoy is the Manager of the Security Research Team at TippingPoint Technologies. His group is responsible for reverse engineering vulnerability submissions to the Zero Day Initiative program, discovering new 0day vulnerabilities in enterprise software, developing tools to aid in these processes, and architecting competitions such as Pwn2Own. Aaron has discovered critical exploitable vulnerabilities affecting a wide range of vendors including, but not limited to: Microsoft, Adobe, RSA, Novell, Symantec, HP, IBM, SAP, and VMware. He has presented original research in the areas of reverse engineering and vulnerability discovery at conferences such as BlackHat, CanSecWest, BlueHat, RSA, and RECon. Additionally, Aaron has been an invited speaker at the National Security Agency, has been referenced in several published books, and guest lectures on reverse engineering at the Polytechnic Institute of NYU each fall.</p>
<h4>Zef Cekaj</h4>
<p>Zef Cekaj is a security researcher specializing in vulnerability reversing and discovery. He has reversed and documented hundreds of vulnerabilities and has a history of vehemently arguing with vendors over email regarding exploitability of bugs in their products. Consequently, he enjoys winning such arguments by demonstrating exploits on live systems. His primary interests are in the exploitation of server side vulnerabilities and mitigation circumvention. He is currently researching identified vulnerabilities in popular sandboxing implementations so that he may contribute to The Movement to Liberate Shellcodes (freetheshellcodes.net), of which he is a founder.</p>
<h2>Assured Exploitation</h2>
<p>Many security professionals have mastered stack overflows and heap spraying, but these techniques are rarely sufficient when developing modern real-world exploits. Reliable exploitation on Vista and Windows 7 systems requires advanced techniques such as heap layout manipulation, return oriented programming and ASLR information leaks. This course focuses on teaching the principles behind these advanced techniques and will give the students hands-on experience developing real-world exploits.</p>
<p>The course will start off with an in-depth review of the exploitation mitigations introduced in modern operating systems. The instructors will demonstrate their limitations through simple examples and gradually develop the basic exploitation techniques into more complicated methods applicable to real-world exploitation. Unlike most other exploitation courses, we will focus on approaching exploitation as a creative problem-solving process rather than an exercise of applying cookbook techniques to common types of vulnerabilities. Most of the course will focus on the hands-on application of the material through exercises and leading the students through the development of reliable exploits for recently patched vulnerabilities in widely used software. Each student will finish the class with their own personally developed exploit for the Aurora vulnerability in Internet Explorer that evades ASLR and DEP and reliably exploits Windows 7.</p>
<p>This training will cover:</p>
<ul>
<li>In-depth review of GS, ASLR, DEP, SafeSEH and SEHOP exploitation mitigations</li>
<li>Heap implementation details and manipulation of the heap state (including the Windows 7 heap)</li>
<li>Building primitives for heap layout control in new applications</li>
<li>Return oriented programming and shellcode development</li>
<li>Implementing a universal bypass of DEP and ASLR in Internet Explorer 8</li>
<li>Multistage stack pivots</li>
</ul>
<div>
<h3>Prerequisites</h3>
<p>Students are expected to be familiar with the basic exploitation techniques for stack and heap overflows on Windows, as described in the Shellcoder’s Handbook and similar books. They should be comfortable using assembly level debuggers and have basic familiarity with reverse engineering. The material in this course is designed to be challenging, but we believe that with the help of our expert instructors any dedicated student will be able to master it.</p>
<h3>Trainers</h3>
<h4>Dino Dai Zovi</h4>
<p>Dino Dai Zovi, currently an independent security consultant and researcher, has been working in information security for over 9 years with experience in red teaming, penetration testing, software security, information security management, and cybersecurity R&amp;D. Mr. Dai Zovi is also a regular speaker at information security conferences having presented his independent research on memory corruption exploitation techniques, 802.11 wireless client attacks, and Intel VT-x virtualization rootkits over the last 10 years at conferences around the world including DEFCON, BlackHat, and CanSecWest. He is a co-author of the books &#8220;The Mac Hacker&#8217;s Handbook&#8221; (Wiley, 2009) and “The Art of Software Security Testing” (Addison-Wesley, 2006). In 2008, eWEEK named him one of the 15 Most Influential People in Security. He is perhaps best known in the information security and Mac communities for winning the first PWN2OWN contest at CanSecWest 2007.</p>
<h4>Alexander Sotirov</h4>
<p>Alexander Sotirov is an independent security researcher with more than ten years of experience with vulnerability research, reverse engineering and advanced exploitation techniques. His recent work includes exploiting MD5 collisions to create a rogue Certificate Authority, bypassing the exploitation mitigations on Windows Vista and developing the Heap Feng Shui browser exploitation technique. His professional experience includes positions as a security researcher at Determina and VMware. Currently he is working as an independent security consultant in New York. He is a regular speaker at security conferences around the world, including CanSecWest, BlackHat and Recon. Alexander served as a program chair of the USENIX Workshop on Offensive Technologies and is one of the founders of the Pwnie Awards.</p>
</div>
<h2>Registration</h2>
<p>Each class is $2500 per student if payment is received by January 6<sup>th</sup>, or $3000 after. Sign up for both classes and save $1000! Early registration is recommended because class size is limited and the courses may sell out. Fill out the registration form on the blog post or email <a href="mailto:ddz@theta44.org">ddz@theta44.org</a> to register for one or both trainings or if you have any questions. We accept payment through both PayPal and Google Checkout and we&#8217;ll send you an invoice through whichever one you prefer.</p>
]]></content:encoded>
			<wfw:commentRss>http://trailofbits.com/2011/11/29/pwn2own-pre-game/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/90cc53ff03e4ef0cbd7cbfcb834492c6?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">ddz</media:title>
		</media:content>
	</item>
		<item>
		<title>iOS 4 Security Evaluation</title>
		<link>http://trailofbits.com/2011/08/10/ios-4-security-evaluation/</link>
		<comments>http://trailofbits.com/2011/08/10/ios-4-security-evaluation/#comments</comments>
		<pubDate>Wed, 10 Aug 2011 15:18:08 +0000</pubDate>
		<dc:creator>Dino Dai Zovi</dc:creator>
				<category><![CDATA[Apple]]></category>
		<category><![CDATA[Conferences]]></category>

		<guid isPermaLink="false">http://trailofbits.com/?p=329</guid>
		<description><![CDATA[This year&#8217;s BlackHat USA was the 12th year in a row that I&#8217;ve attended and the 6th year in a row that I&#8217;ve participated in as a presenter, trainer, and/or co-organizer/host of the Pwnie Awards. And I made this year my busiest yet by delivering four days of training, a presentation, the Pwnie Awards, and [...] ]]></description>
			<content:encoded><![CDATA[<p>This year&#8217;s BlackHat USA was the 12th year in a row that I&#8217;ve attended and the 6th year in a row that I&#8217;ve participated in as a presenter, trainer, and/or co-organizer/host of the <a href="http://pwnies.com" title="The Pwnie Awards">Pwnie Awards</a>. And I made this year my busiest yet by delivering four days of <a href="https://www.blackhat.com/html/bh-us-11/training/bh-us-11-training_vi-mac.html">training</a>, a <a href="https://www.blackhat.com/html/bh-us-11/bh-us-11-briefings.html#Zovi">presentation</a>, the <a href="http://pwnies.com/">Pwnie Awards</a>, and participating on a <a href="https://www.blackhat.com/html/bh-us-11/bh-us-11-briefings.html#Shields">panel</a>. Not only does that mean that I slip into a coma after BlackHat, it also means that I win at conference bingo.</p>
<p>Reading my excuses for the delay in posting my slides and whitepaper, however, is not why you are reading this blog post. It is to find the link to download said slides and whitepaper:</p>
<ul>
<li>Apple iOS 4 Security Evaluation: [<a href='http://trailofbits.files.wordpress.com/2011/08/ios-security-evaluation.pdf'>Slides</a> ] [ <a href='http://trailofbits.files.wordpress.com/2011/08/apple-ios-4-security-evaluation-whitepaper.pdf'>Whitepaper</a> ] [ <a href='http://static.trailofbits.com/bhusa2011/iOS4_SecEval_BHUSA2011.zip'>Code</a> ]</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://trailofbits.com/2011/08/10/ios-4-security-evaluation/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/90cc53ff03e4ef0cbd7cbfcb834492c6?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">ddz</media:title>
		</media:content>
	</item>
		<item>
		<title>Attacker Math 101</title>
		<link>http://trailofbits.com/2011/08/09/attacker-math-101/</link>
		<comments>http://trailofbits.com/2011/08/09/attacker-math-101/#comments</comments>
		<pubDate>Tue, 09 Aug 2011 04:27:03 +0000</pubDate>
		<dc:creator>Dino Dai Zovi</dc:creator>
				<category><![CDATA[Conferences]]></category>

		<guid isPermaLink="false">http://trailofbits.com/?p=323</guid>
		<description><![CDATA[At SOURCE Boston this year, I gave my first conference keynote presentation. I really appreciate the opportunity that Stacy Thayer and the rest of the SOURCE crew gave me. The presentation was filmed by AT&#38;T and you can watch it on the AT&#38;T Tech Channel. Another thanks goes out to Ryan Naraine for inviting me [...] ]]></description>
			<content:encoded><![CDATA[<p>At SOURCE Boston this year, I gave my first conference keynote presentation. I really appreciate the opportunity that Stacy Thayer and the rest of the SOURCE crew gave me. The presentation was filmed by AT&amp;T and you can <a href="http://techchannel.att.com/play-video.cfm/2011/7/14/Conference-TV-SOURCE-Boston:-Attacker-Math-101" title="Attacker Math 101">watch it</a> on the AT&amp;T Tech Channel. Another thanks goes out to Ryan Naraine for inviting me to give an encore presentation of it for Kaspersky&#8217;s SAS conference in Malaga, Spain.</p>
<p>If slides are more your style, you can check out the more recent version from Kaspersky&#8217;s SAS 2011: <a href='http://trailofbits.files.wordpress.com/2011/08/attacker-math.pdf'>Attacker Math 101</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://trailofbits.com/2011/08/09/attacker-math-101/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/90cc53ff03e4ef0cbd7cbfcb834492c6?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">ddz</media:title>
		</media:content>
	</item>
		<item>
		<title>NYC Assured Exploitation Training</title>
		<link>http://trailofbits.com/2011/05/03/nyc-assured-exploitation-training/</link>
		<comments>http://trailofbits.com/2011/05/03/nyc-assured-exploitation-training/#comments</comments>
		<pubDate>Tue, 03 May 2011 21:35:24 +0000</pubDate>
		<dc:creator>Dino Dai Zovi</dc:creator>
				<category><![CDATA[Exploits]]></category>
		<category><![CDATA[Vulnerabilities]]></category>

		<guid isPermaLink="false">http://trailofbits.com/?p=247</guid>
		<description><![CDATA[On June 8-9, right before SummerC0n, Alex Sotirov and I will be giving a special New York City edition of our Assured Exploitation training class. This is a great opportunity for anyone who was unable to take our class at CanSecWest this year. The two-day class costs $2500 per student for registrations received before May [...] ]]></description>
			<content:encoded><![CDATA[<p>On June 8-9, right before <a title="SummerC0n" href="http://www.summercon.org/">SummerC0n</a>, Alex Sotirov and I will be giving a special New York City edition of our Assured Exploitation training class. This is a great opportunity for anyone who was unable to take our class at CanSecWest this year. The two-day class costs $2500 per student for registrations received before May 25 and $3000 per student for registrations received afterwards.  We accept payment via Purchase Order, major credit cards, and PayPal.  Group discounts are also available (contact us for a price quote).  To register, e-mail me (ddz at theta44 dot org) or fill out the form below.  For full details, see below or download the full <a href="http://trailofbits.files.wordpress.com/2011/05/assured-exploitation-nyc2.pdf">course description</a>.</p>
<p><strong>UPDATE:</strong> A <a href="http://trailofbits.files.wordpress.com/2011/05/assuredexploitationnycmed.jpg">location</a> has been selected for the training (<a href="http://maps.google.com/maps?f=q&amp;source=s_q&amp;hl=en&amp;geocode=&amp;q=1+New+York+Plaza,+nyc&amp;aq=&amp;sll=40.67524,-73.971125&amp;sspn=0.008544,0.014613&amp;ie=UTF8&amp;hq=&amp;hnear=1+New+York+Plaza,+New+York,+10004&amp;ll=40.702667,-74.012232&amp;spn=0.00854,0.014613&amp;z=16&amp;iwloc=A">1 New York Plaza</a> in lower Manhattan).</p>
<p><span id="more-247"></span></p>
<p>Many security professionals have mastered stack overflows and heap spraying, but these techniques are rarely sufficient when developing modern real-world exploits. Reliable exploitation on Vista and Windows 7 systems requires advanced techniques such as heap layout manipulation, return oriented programming and ASLR information leaks.  This course focuses on teaching the principles behind these advanced techniques and will give the students hands-on experience developing real-world exploits.  Each student will finish the class with their own personally-developed exploit for the &#8220;Aurora&#8221; use-after-free vulnerability in Internet Explorer that evades ASLR and DEP and reliably exploits Windows 7.</p>
<p>The class curriculum also includes:</p>
<ul>
<li>In-depth review of GS, ASLR, DEP, SafeSEH and SEHOP exploitation mitigations</li>
<li>Heap implementation details and manipulation of the heap state (including Windows 7 heap)</li>
<li>Building primitives for heap layout control in new applications</li>
<li>Bypassing DEP and ASLR</li>
<li>Return oriented programming and shellcode development</li>
<li>Implementing a universal bypass of DEP and ASLR in Internet Explorer 8</li>
<li>Multistage stack pivots</li>
</ul>
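<p>Both the Pwn2Own Pre-Game post and this one list return oriented programming, bypassing DEP and ASLR, and multistage stack pivots in the Assured Exploitation curriculum. What follows is an added example, not course material or code from the trainers: a small x86 (32-bit) gadget scanner that walks a byte buffer for short instruction sequences ending in RET and flags the ones that rewrite ESP, which is what a stack pivot needs once EIP is controlled and the fake stack lives in attacker-controlled memory. The decoder covers only the handful of opcodes short gadgets are usually built from (push/pop, xchg eax,reg, register-to-register mov, add/sub reg,imm8, leave, ret), which is a deliberate simplification, and the SAMPLE byte string is constructed for the example rather than taken from any real module.</p>

```python
"""Toy x86 (32-bit) ROP gadget and stack-pivot scanner.

Added example, not code from the training course. The decoder knows only the
handful of opcodes that short gadgets are usually built from; any other byte
ends a candidate sequence. SAMPLE is a constructed buffer, not bytes from a
real module.
"""

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def decode_one(buf, off):
    """Decode one instruction at buf[off]; return (text, length) or None if unknown."""
    op = buf[off]
    if op == 0xC3:
        return "ret", 1
    if op == 0xC2 and off + 2 < len(buf):            # ret imm16 (callee pops args)
        return "ret 0x%x" % (buf[off + 1] | (buf[off + 2] << 8)), 3
    if op == 0xC9:
        return "leave", 1                             # mov esp, ebp ; pop ebp
    if op == 0x90:
        return "nop", 1
    if 0x91 <= op <= 0x97:
        return "xchg eax, %s" % REGS[op - 0x90], 1    # 0x94 is xchg eax, esp
    if 0x50 <= op <= 0x57:
        return "push %s" % REGS[op - 0x50], 1
    if 0x58 <= op <= 0x5F:
        return "pop %s" % REGS[op - 0x58], 1
    if op in (0x89, 0x8B) and off + 1 < len(buf):    # mov r/m32,r32 and mov r32,r/m32
        modrm = buf[off + 1]
        if modrm >> 6 != 3:                           # only the register-direct form
            return None
        reg, rm = REGS[(modrm >> 3) & 7], REGS[modrm & 7]
        dst, src = (rm, reg) if op == 0x89 else (reg, rm)
        return "mov %s, %s" % (dst, src), 2
    if op == 0x83 and off + 2 < len(buf):            # add/sub r32, imm8
        modrm = buf[off + 1]
        ext = (modrm >> 3) & 7
        if modrm >> 6 == 3 and ext in (0, 5):
            name = "add" if ext == 0 else "sub"
            return "%s %s, 0x%x" % (name, REGS[modrm & 7], buf[off + 2]), 3
        return None
    return None


def find_gadgets(buf, max_insns=3):
    """Map start offset -> gadget text for every run of 1..max_insns decodable
    instructions that lands exactly on a ret."""
    gadgets = {}
    for ret_off, op in enumerate(buf):
        if op not in (0xC2, 0xC3):
            continue
        ret = decode_one(buf, ret_off)
        if ret is None:                               # truncated ret imm16 at buffer end
            continue
        # Try progressively earlier start offsets; keep those whose decoding
        # reaches the ret without hitting an unknown byte or an earlier ret.
        for start in range(ret_off - 1, max(-1, ret_off - 16), -1):
            insns, off = [], start
            while off < ret_off:
                d = decode_one(buf, off)
                if d is None or d[0].startswith("ret"):
                    break
                insns.append(d[0])
                off += d[1]
            if off == ret_off and 0 < len(insns) <= max_insns:
                gadgets[start] = " ; ".join(insns + [ret[0]])
    return gadgets


# Instruction texts that rewrite ESP; a gadget containing one is a pivot candidate.
# add/sub esp, imm8 only shifts the stack a short distance, which is the kind of
# hop a multistage pivot chains together.
PIVOT_MARKERS = ("xchg eax, esp", "mov esp,", "pop esp", "leave", "add esp,", "sub esp,")


def find_pivots(buf, max_insns=3):
    """Subset of find_gadgets whose instructions move ESP (stack pivot candidates)."""
    return {off: g for off, g in find_gadgets(buf, max_insns).items()
            if any(m in g for m in PIVOT_MARKERS)}


# Constructed sample: a prologue that never reaches a ret, then several gadgets
# separated by 0xCC, which this toy decoder does not know and so treats as a wall.
SAMPLE = bytes([
    0x55, 0x8B, 0xEC,                     # 0:  push ebp ; mov ebp, esp
    0x83, 0xEC, 0x10,                     # 3:  sub esp, 0x10
    0xCC,                                 # 6:  barrier
    0x5D, 0xC3,                           # 7:  pop ebp ; ret
    0xCC,                                 # 9
    0x94, 0xC3,                           # 10: xchg eax, esp ; ret   (classic pivot)
    0xCC,                                 # 12
    0x58, 0x5A, 0xC3,                     # 13: pop eax ; pop edx ; ret
    0xCC,                                 # 16
    0x89, 0xEC, 0xC9, 0xC3,               # 17: mov esp, ebp ; leave ; ret
    0xCC,                                 # 21
    0x83, 0xC4, 0x0C, 0xC2, 0x08, 0x00,   # 22: add esp, 0xc ; ret 0x8
])

if __name__ == "__main__":
    pivots = find_pivots(SAMPLE)
    for off, text in sorted(find_gadgets(SAMPLE).items()):
        print("%#06x: %-30s %s" % (off, text, "PIVOT" if off in pivots else ""))
```

<p>Run it directly to list the gadgets found in SAMPLE with the pivot candidates marked. The realistic input is the executable section of a module that is loaded at a fixed address, and a real disassembler library handles the full instruction set that this table deliberately leaves out.</p>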
<p>Students are expected to be familiar with the basic exploitation techniques for stack and heap overflows on Windows, as described in the Shellcoder&#8217;s Handbook and similar books. They should be comfortable using assembly level debuggers and have basic familiarity with reverse engineering. The material in this course is designed to be challenging, but we believe that with the help of our expert instructors any dedicated student will be able to master it.</p>
<p>All hands-on exercises in the course will be performed in virtual machines provided by the trainers. You will need a laptop with VMware Workstation 6 or later, or VMware Fusion 2 or later if using a Mac. The minimum hardware requirements for the laptop are 2GB of memory (3GB or more recommended) and a processor equivalent to a 2.4GHz Core2 Duo.</p>
<p>To register, e-mail me (ddz at theta44 dot org) or fill out the contact form on the blog post.</p>
]]></content:encoded>
			<wfw:commentRss>http://trailofbits.com/2011/05/03/nyc-assured-exploitation-training/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/90cc53ff03e4ef0cbd7cbfcb834492c6?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">ddz</media:title>
		</media:content>
	</item>
		<item>
		<title>Upcoming Events in 2011</title>
		<link>http://trailofbits.com/2011/01/11/upcoming-events-in-2011/</link>
		<comments>http://trailofbits.com/2011/01/11/upcoming-events-in-2011/#comments</comments>
		<pubDate>Tue, 11 Jan 2011 19:35:14 +0000</pubDate>
		<dc:creator>Dino Dai Zovi</dc:creator>
				<category><![CDATA[Conferences]]></category>

		<guid isPermaLink="false">http://trailofbits.com/?p=239</guid>
		<description><![CDATA[I&#8217;m going to start out 2011 pretty busy on the information security events circuit.  Here are some of the events that I&#8217;ll be participating in over the first few months in 2011: &#8220;The Mac Exploit Kitchen&#8221; (Workshop w/ Vincenzo Iozzo) at BlackHat DC &#8220;Mac Hackin&#8217; 2: Snow Leopard Boogaloo&#8221; Presentation w/ Charlie Miller) at IT-Defense [...] ]]></description>
			<content:encoded><![CDATA[<p>I&#8217;m going to start out 2011 pretty busy on the information security events circuit.  Here are some of the events that I&#8217;ll be participating in over the first few months in 2011:</p>
<ul>
<li><a title="The Mac Exploit Kitchen" href="http://www.blackhat.com/html/bh-dc-11/bh-dc-11-briefings.html#Zovi">&#8220;The Mac Exploit Kitchen&#8221;</a> (Workshop w/ Vincenzo Iozzo) at <a href="http://www.blackhat.com/html/bh-dc-11/bh-dc-11-home.html">BlackHat DC</a></li>
<li><a title="Mac Hackin' 2: Snow Leopard Bugaloo" href="https://www.it-defense.de/en/it-defense-2011/program/presentations.html#c598">&#8220;Mac Hackin&#8217; 2: Snow Leopard Boogaloo&#8221;</a> (Presentation w/ Charlie Miller) at <a href="https://www.it-defense.de/en/it-defense-2011/program.html">IT-Defense</a></li>
<li><a title="iOS Security in the Enterprise" href="https://www.it-defense.de/en/it-defense-2011/program/presentations.html#c639">&#8220;iOS Security in the Enterprise&#8221;</a> Round-Table at <a href="https://www.it-defense.de/en/it-defense-2011/program.html">IT-Defense</a></li>
<li><a href="https://cm.rsaconference.com/US11/catalog/modifySession.do?SESSION_ID=2811">&#8220;The Vulnerability Disclosure Debate Continues&#8221;</a> Panel at <a href="http://www.rsaconference.com/2011/usa/">RSA</a></li>
<li>&#8220;Assured Exploitation&#8221; Training w/ Alex Sotirov at <a href="http://cansecwest.com/">CanSecWest</a></li>
<li>Keynote at <a href="http://www.sourceconference.com/boston/">SOURCE Boston</a></li>
</ul>
<p>So there you have it: a workshop, a presentation, a round-table, a panel, a training, and a keynote on both coasts of North America and both sides of the Atlantic.  I win at conference bingo!  I&#8217;m pretty excited about giving my first ever conference keynote presentation at SOURCE.  I&#8217;ll be giving a food-for-thought type of presentation, not the technical sort that I&#8217;m used to.  However, just to keep things interesting, I might randomly drop some 0day in the middle of the presentation anyway.</p>
]]></content:encoded>
			<wfw:commentRss>http://trailofbits.com/2011/01/11/upcoming-events-in-2011/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/90cc53ff03e4ef0cbd7cbfcb834492c6?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">ddz</media:title>
		</media:content>
	</item>
		<item>
		<title>Hacking at Mach 2!</title>
		<link>http://trailofbits.com/2011/01/11/hacking-at-mach-2/</link>
		<comments>http://trailofbits.com/2011/01/11/hacking-at-mach-2/#comments</comments>
		<pubDate>Tue, 11 Jan 2011 19:27:51 +0000</pubDate>
		<dc:creator>Dino Dai Zovi</dc:creator>
				<category><![CDATA[Apple]]></category>
		<category><![CDATA[Conferences]]></category>
		<category><![CDATA[Exploits]]></category>
		<category><![CDATA[Vulnerabilities]]></category>

		<guid isPermaLink="false">http://trailofbits.com/?p=241</guid>
		<description><![CDATA[At BayThreat last month, I gave an updated (and much more sober) version of my &#8220;Hacking at Mach Speed&#8221; presentation from SummerC0n.  Now, since the 0day Mach RPC privilege de-escalation vulnerability has been fixed, I can include full details on it.  The presentation is meant to give a walkthrough on how to identify and enumerate [...]]]></description>
			<content:encoded><![CDATA[<p>At BayThreat last month, I gave an updated (and much more sober) version of my &#8220;Hacking at Mach Speed&#8221; presentation from SummerC0n.  Now, since the 0day Mach RPC privilege <em>de</em>-escalation vulnerability has been fixed, I can include full details on it.  The presentation is meant to give a walkthrough on how to identify and enumerate Mach RPC interfaces in bootstrap servers on Mac OS X.  Why would you want to do this?  Hint: there are other uses for these types of vulnerabilities besides gaining increased privileges on single-user Mac desktops.  Enjoy!</p>
<ul>
<li>&#8220;Hacking at Mach 2!&#8221; (<a href="http://trailofbits.files.wordpress.com/2011/01/hackingatmach2.pdf">PDF</a>)</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://trailofbits.com/2011/01/11/hacking-at-mach-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/90cc53ff03e4ef0cbd7cbfcb834492c6?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">ddz</media:title>
		</media:content>
	</item>
		<item>
		<title>Memory Corruption, Exploitation, and You</title>
		<link>http://trailofbits.com/2010/11/10/memory-corruption-exploitation-and-you/</link>
		<comments>http://trailofbits.com/2010/11/10/memory-corruption-exploitation-and-you/#comments</comments>
		<pubDate>Wed, 10 Nov 2010 17:50:26 +0000</pubDate>
		<dc:creator>Dino Dai Zovi</dc:creator>
				<category><![CDATA[Exploits]]></category>
		<category><![CDATA[Vulnerabilities]]></category>

		<guid isPermaLink="false">http://trailofbits.com/?p=233</guid>
		<description><![CDATA[At the NY/NJ OWASP meeting last week, I gave an experimental high-level (i.e. not really technical) talk that I call &#8220;Memory Corruption, Exploitation, and You.&#8221; The talk is essentially a few rants stapled together, all relating to exploits, but also trying to predict where attackers in the wild will be headed in the next couple [...]]]></description>
			<content:encoded><![CDATA[<p>At the NY/NJ OWASP meeting last week, I gave an experimental high-level (i.e. not really technical) talk that I call &#8220;Memory Corruption, Exploitation, and You.&#8221;  The talk is essentially a few rants stapled together, all relating to exploits, but also trying to predict where attackers in the wild will be headed in the next couple of years.  One of the points that I tried to make (and will be trying to make in upcoming talks as well) is that the threat environment has changed from what I call &#8220;getting hacked by accident&#8221; (non-targeted mass malware attacks) to an increased prevalence and awareness of targeted attacks in the wild, often using 0day vulns/exploits and custom malware.  Responding to this requires changing several aspects of our mindset about network defense and vulnerability handling.</p>
<p>I gave an earlier version of the talk at BSidesSF (<a href="http://www.ustream.tv/recorded/5167328">video here</a>) and here are the <a href='http://trailofbits.files.wordpress.com/2010/11/owasp_201011.pdf'>updated slides</a> that I gave at OWASP.</p>
]]></content:encoded>
			<wfw:commentRss>http://trailofbits.com/2010/11/10/memory-corruption-exploitation-and-you/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/90cc53ff03e4ef0cbd7cbfcb834492c6?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">ddz</media:title>
		</media:content>
	</item>
		<item>
		<title>KARMA Demo on the CBS Early Show</title>
		<link>http://trailofbits.com/2010/07/21/karma-demo-on-the-cbs-early-show/</link>
		<comments>http://trailofbits.com/2010/07/21/karma-demo-on-the-cbs-early-show/#comments</comments>
		<pubDate>Wed, 21 Jul 2010 17:03:45 +0000</pubDate>
		<dc:creator>Dino Dai Zovi</dc:creator>
				<category><![CDATA[Apple]]></category>
		<category><![CDATA[Vulnerabilities]]></category>

		<guid isPermaLink="false">http://trailofbits.com/?p=228</guid>
		<description><![CDATA[Although I haven&#8217;t done any development on KARMA for a little over 5 years at this point, many of the weaknesses that it demonstrates are still very present, especially with the proliferation of open 802.11 Hotspots in public places. A few weeks ago, I was invited to help prepare a demo of KARMA for CBS [...]]]></description>
			<content:encoded><![CDATA[<p>Although I haven&#8217;t done any development on <a href="http://trailofbits.com/karma/">KARMA</a> for a little over 5 years at this point, many of the weaknesses that it demonstrates are still very present, especially with the proliferation of open 802.11 Hotspots in public places.  A few weeks ago, I was invited to help prepare a demo of KARMA for CBS News and the segment actually aired a few weeks ago.  If you&#8217;re like me and don&#8217;t have one of those old-fashioned tele-ma-vision boxes, you can check out the segment <a href="http://bit.ly/cFJbex">here</a>.</p>
<p>Unfortunately, they weren&#8217;t able to use the full demo that I prepared.  The full demo used a KARMA promiscuous access point to lure clients onto my rogue wireless network, whose gateway routed outbound HTTP traffic through a transparent proxy that injected IFRAMEs into each HTML page.  The IFRAMEs loaded my own custom &#8220;Aurora&#8221; exploit, which injected Metasploit&#8217;s Meterpreter into the running web browser.  From there, I could use the Meterpreter to sniff keystrokes as they logged into their SSL-protected bank/e-mail/whatever.  The point was that even if a victim only uses the open Wi-Fi network to log into the captive portal webpage, that&#8217;s enough for a nearby attacker to exploit their web browser and maintain control over their system going forward.  Perhaps that was a little too complicated for a news segment that the average American watches over breakfast.</p>
<p>As it has been quite a while since I have talked about KARMA, here are a few updates on the weaknesses that it demonstrated:</p>
<ul>
<li>Windows XP SP2 systems with 802.11b-only wireless cards would &#8220;park&#8221; the cards when the user is not associated to a wireless network by assigning them a 32-character random <em>desired SSID</em>.  Even if the user had no networks in their Preferred Networks List, the laptop would associate to a KARMA Promiscuous Access Point and activate the network stack while the GUI would still show the user as not currently associated to any network.  This issue was an artifact of 802.11b-only card firmwares (PrismII and Orinoco were affected) and is not present on most 802.11g cards, which is what everyone has these days anyway.</li>
<li>Even with a newer card, Windows XP SP2 will broadcast the contents of its Preferred Networks List in Probe Request frames every 60 seconds until it joins a network.  Revealing the contents of the PNL allows an attacker to create a network with that name or use a promiscuous access point to lure the client onto their rogue network.  Windows Vista and XP SP3 fixed this behavior.</li>
<li>Mac OS X had the same two behaviors, except that Apple&#8217;s AirPort driver would enable WEP on the wireless card when it had &#8220;parked&#8221; it.  However, the WEP key was a static 40-bit key (0x0102030405 if I recall).  Apple issued a <a href="http://support.apple.com/kb/TA23400?viewlocale=en_US">security update</a> in July 2005 and credited me for reporting the issue.</li>
<li>On 10/17/2006, Microsoft released a <a href="http://support.microsoft.com/kb/917021">hotfix</a> to fix both of the previous issues on Windows XP SP2 systems that Shane Macaulay and I had discovered and presented at various security conferences over the previous two years.</li>
<li>Newer versions of Windows (XP SP3, Vista, 7) are only affected if the user manually selects to join the rogue wireless network or the rogue network beacons an SSID in the user&#8217;s Preferred Networks List.</li>
</ul>
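<p>As an added example (not part of the original post and not KARMA's own code), here is a small Python parser that shows what the Probe Request behaviour listed above hands to anyone listening: it pulls the SSID element out of raw 802.11 probe requests, separates wildcard probes from Preferred Networks List entries, and flags the 32-byte random "parked" SSID. The frames it runs on are constructed inline. The rule used to recognise a parked SSID (exactly 32 bytes containing non-printable characters) is a heuristic assumed here, and real monitor-mode captures would carry radiotap headers and an FCS that this parser does not strip.</p>

```python
import struct

# 802.11 frame control byte 0 for a probe request: protocol version 0,
# type 0 (management), subtype 4.
FC_PROBE_REQ = 0x40
BROADCAST = b"\xff" * 6
IE_SSID, IE_SUPPORTED_RATES = 0, 1
PARKED_SSID_LEN = 32   # length of the random "desired SSID" described above


def mac_str(mac):
    return ":".join("%02x" % b for b in mac)


def build_probe_request(src, ssid):
    """Construct a minimal raw probe request (no radiotap header, no FCS)
    from client `src` asking for `ssid` (b"" is the wildcard probe)."""
    header = (struct.pack("<BBH", FC_PROBE_REQ, 0, 0)   # frame control, duration
              + BROADCAST + src + BROADCAST           # addr1 (DA), addr2 (SA), addr3 (BSSID)
              + struct.pack("<H", 0))                 # sequence control
    body = bytes([IE_SSID, len(ssid)]) + ssid
    body += bytes([IE_SUPPORTED_RATES, 4, 0x82, 0x84, 0x8B, 0x96])  # 1/2/5.5/11 Mbps
    return header + body


def parse_probe_request(frame):
    """Return (source MAC, SSID bytes) for a well-formed probe request,
    None for any other or truncated frame."""
    if len(frame) < 24 or (frame[0] & 0xFC) != FC_PROBE_REQ:
        return None
    src, body, pos = frame[10:16], frame[24:], 0
    while pos + 2 <= len(body):               # walk the information elements
        tag, length = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + length]
        if len(value) < length:
            return None                       # truncated element
        if tag == IE_SSID:
            return src, value
        pos += 2 + length
    return None                               # no SSID element at all


def classify_ssid(ssid):
    """wildcard: broadcast probe, reveals nothing.
    parked: assumed heuristic for the XP SP2 / 802.11b parking signature,
            exactly 32 bytes with non-printable content.
    pnl: a named network from the client's Preferred Networks List."""
    if not ssid:
        return "wildcard"
    if len(ssid) == PARKED_SSID_LEN and any(b < 0x20 or b > 0x7E for b in ssid):
        return "parked"
    return "pnl"


def leaked_networks(frames):
    """Summarise what a passive listener (or a KARMA access point) learns:
    {client MAC: sorted SSIDs from its PNL} plus the set of parked clients,
    which would join a promiscuous AP without the user doing anything."""
    leaks, parked = {}, set()
    for frame in frames:
        parsed = parse_probe_request(frame)
        if parsed is None:
            continue
        src, ssid = parsed
        kind = classify_ssid(ssid)
        if kind == "pnl":
            leaks.setdefault(mac_str(src), set()).add(ssid.decode("utf-8", "replace"))
        elif kind == "parked":
            parked.add(mac_str(src))
    return {mac: sorted(s) for mac, s in leaks.items()}, parked


# Constructed sample capture (not real traffic).
CLIENT_A = bytes.fromhex("001122334455")
CLIENT_B = bytes.fromhex("66778899aabb")
SAMPLE_FRAMES = [
    build_probe_request(CLIENT_A, b""),                  # wildcard probe
    build_probe_request(CLIENT_A, b"HomeWiFi"),          # PNL entry
    build_probe_request(CLIENT_A, b"Coffee Shop"),       # PNL entry
    build_probe_request(CLIENT_A, b"HomeWiFi"),          # repeated 60 s later
    build_probe_request(CLIENT_B, bytes(range(1, 33))),  # parked card: 32 random-looking bytes
    b"\x80\x00" + b"\x00" * 22,                          # a beacon, ignored
]

if __name__ == "__main__":
    leaks, parked = leaked_networks(SAMPLE_FRAMES)
    for mac, ssids in leaks.items():
        print("%s probes for: %s" % (mac, ", ".join(ssids)))
    for mac in sorted(parked):
        print("%s looks parked and will associate to any responding AP" % mac)
```

<p>Every name in the returned map is a network a rogue AP can simply beacon, which is the attack described in the second bullet; the parked client in the second set needs no name at all, which is the first bullet. The same parser, fed a real capture, is also a cheap way to check whether a fleet's clients still leak their PNL after the updates listed above.</p>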
<p>Although the leading desktop operating systems found on most laptops have addressed the issue, most mobile phones now support 802.11 Wi-Fi, which may give KARMA a chance to <a href="http://www.metasploit.com/redmine/projects/framework/wiki/Karmetasploit">live again</a>!</p>
]]></content:encoded>
			<wfw:commentRss>http://trailofbits.com/2010/07/21/karma-demo-on-the-cbs-early-show/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/90cc53ff03e4ef0cbd7cbfcb834492c6?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">ddz</media:title>
		</media:content>
	</item>
		<item>
		<title>BlackHat USA 2010</title>
		<link>http://trailofbits.com/2010/07/21/blackhat-usa-2010/</link>
		<comments>http://trailofbits.com/2010/07/21/blackhat-usa-2010/#comments</comments>
		<pubDate>Wed, 21 Jul 2010 16:03:56 +0000</pubDate>
		<dc:creator>Dino Dai Zovi</dc:creator>
				<category><![CDATA[Conferences]]></category>

		<guid isPermaLink="false">http://trailofbits.com/?p=225</guid>
		<description><![CDATA[BlackHat is going to be a busy one for me this year because I am still trying to quit my nasty over-committing habit. But hopefully, I should have something that interests just about everybody. If you love/hate Macs and like hacking, you should check out the Mac Hacking Class training that I am giving with [...]]]></description>
			<content:encoded><![CDATA[<p>BlackHat is going to be a busy one for me this year because I am still trying to quit my nasty over-committing habit.  But hopefully, I should have something that interests just about everybody.</p>
<p>If you love/hate Macs and like hacking, you should check out the <a href="https://www.blackhat.com/html/bh-us-10/training/bh-us-10-training_vi-mac.html">Mac Hacking Class</a> training that I am giving with <a href="http://twitter.com/_snagg">Vincenzo Iozzo</a>.  We&#8217;ll be covering a lot of material including discovering and exploiting vulnerabilities, Mac OS X and Mach internals, and writing exploit payloads.</p>
<p>If Windows is more your style, you should check out my presentation, <a href="https://www.blackhat.com/html/bh-us-10/bh-us-10-briefings.html#Daizovi">Return-Oriented Exploitation</a>.  I&#8217;ll be talking about using a variety of return-oriented techniques to bypass DEP/NX and ASLR on modern Windows operating systems, using my exploit for the &#8220;Operation Aurora&#8221; Internet Explorer vulnerability as an example and live demo.  My presentation will be on Thursday at 1:45pm in the Exploitation Track (Augustus 1-2).</p>
<p>Finally, if you don&#8217;t really care about Macs or Windows, but do love security vulnerabilities and/or the infosec drama circus (b/c who really cares about the actual work we do?), you should check out the <a href="http://www.pwnies.com">Pwnie Awards</a>.  For the 4th year in a row, <a href="http://twitter.com/alexsotirov">Alex Sotirov</a> and I have organized the Pwnie Awards to celebrate the achievements and failures of the information security industry.  Along with our fellow esteemed judges (Dave Aitel, Mark Dowd, Halvar Flake, Dave Goldsmith, and HD Moore), we will be hosting the Pwnie Awards at 6:00pm on Wednesday, July 28th or July 29th (there seems to be some confusion on exactly which day it&#8217;ll be on and where currently).  Follow the <a href="http://twitter.com/PwnieAwards">Pwnie Awards on Twitter</a> for late-breaking updates.</p>
]]></content:encoded>
			<wfw:commentRss>http://trailofbits.com/2010/07/21/blackhat-usa-2010/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/90cc53ff03e4ef0cbd7cbfcb834492c6?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">ddz</media:title>
		</media:content>
	</item>
		<item>
		<title>Mac OS X Return-Oriented Exploitation</title>
		<link>http://trailofbits.com/2010/07/21/mac-os-x-return-oriented-exploitation/</link>
		<comments>http://trailofbits.com/2010/07/21/mac-os-x-return-oriented-exploitation/#comments</comments>
		<pubDate>Wed, 21 Jul 2010 15:31:02 +0000</pubDate>
		<dc:creator>Dino Dai Zovi</dc:creator>
				<category><![CDATA[Conferences]]></category>
		<category><![CDATA[Exploits]]></category>

		<guid isPermaLink="false">http://trailofbits.com/?p=221</guid>
		<description><![CDATA[In The Mac Hacker&#8217;s Handbook and a few Mac-related presentations last year, I described my return-oriented exploitation technique for Mac OS X Leopard (10.5) for x86. This technique involved returning into the setjmp() function within dyld (the Mac OS X dynamic linker, which is loaded at a static location) to write out the values of [...]]]></description>
			<content:encoded><![CDATA[<p>In <em><a href="http://tinyurl.com/machacker">The Mac Hacker&#8217;s Handbook</a></em> and a few Mac-related presentations last year, I described my return-oriented exploitation technique for Mac OS X Leopard (10.5) for x86.  This technique involved returning into the setjmp() function within dyld (the Mac OS X dynamic linker, which is loaded at a static location) to write out the values of controlled registers to a chosen location in writable and executable memory.  By subsequently returning into that location, a few bytes of chosen x86 instructions could be executed.  Performing this sequence twice will allow the attacker to execute enough chosen instructions to copy their traditional machine code payload into executable memory and execute it.  In Snow Leopard (10.6), Apple has removed setjmp() from dyld, so I had to go back to the drawing board.</p>
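<p>To make the register-to-memory step concrete, the following Python model is added here; it is not code from the book, the slides or this post. It assumes that the registers an attacker can load with pop gadgets (ebx, esi, edi and ebp here) are stored by setjmp() as consecutive 4-byte slots in the jmp_buf; the real slot order and offsets must be read from the target libc's setjmp layout before any of this is used. Given the instruction bytes that should appear at the jmp_buf, plan_stage() computes the register values to load, simulate_setjmp() models the write, and plan_payload() packs a short copy stub into as many setjmp() rounds as it needs without splitting an instruction, ending each round with a ret so the chain regains control (an assumption about the chain, not something the post states). The stub's source and destination constants are placeholders.</p>

```python
import struct

# Assumption (not from the post): the attacker-loadable registers that
# setjmp() saves, in the order of their contiguous 4-byte slots in the
# jmp_buf. Check the target libc's setjmp header before relying on it.
SAVED_REGS = ("ebx", "esi", "edi", "ebp")
STAGE_BYTES = 4 * len(SAVED_REGS)   # instruction bytes one setjmp() round can write
NOP, RET = 0x90, 0xC3


def plan_stage(stub):
    """Register values to load (e.g. with pop-reg-ret gadgets) before
    returning into setjmp() so that the saved registers spell out `stub`,
    NOP-padded, at the start of the jmp_buf."""
    if len(stub) > STAGE_BYTES:
        raise ValueError("stub of %d bytes exceeds one stage (%d bytes)"
                         % (len(stub), STAGE_BYTES))
    padded = stub + bytes([NOP]) * (STAGE_BYTES - len(stub))
    return {reg: struct.unpack_from("<I", padded, 4 * i)[0]
            for i, reg in enumerate(SAVED_REGS)}


def simulate_setjmp(regs):
    """Model of setjmp()'s side effect under the layout assumed above:
    each saved register is stored little-endian in its own slot."""
    buf = bytearray(STAGE_BYTES)
    for i, reg in enumerate(SAVED_REGS):
        struct.pack_into("<I", buf, 4 * i, regs[reg])
    return bytes(buf)


def plan_payload(instructions):
    """Pack whole x86 instructions into setjmp() rounds. Each round ends in
    a ret (assumed here as the way control gets back to the chain), so at
    most STAGE_BYTES - 1 bytes of real instructions fit per round, and no
    instruction is ever split across two rounds."""
    limit = STAGE_BYTES - 1
    stages, current = [], b""
    for ins in instructions:
        if len(ins) > limit:
            raise ValueError("instruction longer than one stage")
        if len(current) + len(ins) > limit:
            stages.append(current + bytes([RET]))
            current = b""
        current += ins
    stages.append(current + bytes([RET]))
    return [plan_stage(s) for s in stages]


def written_stages(instructions):
    """What the scratch memory holds after each round, for inspection."""
    return [simulate_setjmp(p) for p in plan_payload(instructions)]


# Constructed illustrative stub (placeholder addresses): copy 0x20 bytes from
# SRC to DST and return. It is 19 bytes, so it needs two setjmp() rounds,
# matching the "performing this sequence twice" in the text.
COPY_STUB = [
    bytes.fromhex("b920000000"),  # mov ecx, 0x20
    bytes.fromhex("be00104000"),  # mov esi, 0x00401000   (SRC, placeholder)
    bytes.fromhex("bf00204000"),  # mov edi, 0x00402000   (DST, placeholder)
    bytes.fromhex("f3a4"),        # rep movsb
    bytes.fromhex("c3"),          # ret
]

if __name__ == "__main__":
    rounds = zip(plan_payload(COPY_STUB), written_stages(COPY_STUB))
    for n, (plan, mem) in enumerate(rounds, 1):
        print("round %d: load %s" % (n, {r: "0x%08x" % v for r, v in plan.items()}))
        print("         jmp_buf bytes: %s" % mem.hex())
```

<p>The model makes the cost of the technique visible: with four controllable registers each setjmp() round yields at most 15 bytes of instructions plus a ret, so even a trivial copy stub needs two rounds of pop gadgets, setjmp() and a return into the written bytes. It also shows why removing setjmp() from dyld in 10.6, as the paragraph above notes, broke the approach: the static write primitive disappears, not the gadgets.</p>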
<p>For my talk at REcon this year, <em>Mac OS X Return-Oriented Exploitation</em>, I applied my recent research in return-oriented programming and exploitation to Mac OS X to develop a few techniques against Snow Leopard x86 (32-bit) processes.  I also talk about why attackers don&#8217;t really have to care about 64-bit x86_64 processes on Snow Leopard just yet.  If you missed REcon this year (and why would you ever allow that to happen?!), you can download my slides here: <a href='http://trailofbits.files.wordpress.com/2010/07/mac-os-x_roe.pdf'>Mac OS X Return-Oriented Exploitation</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://trailofbits.com/2010/07/21/mac-os-x-return-oriented-exploitation/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://1.gravatar.com/avatar/90cc53ff03e4ef0cbd7cbfcb834492c6?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">ddz</media:title>
		</media:content>
	</item>
	</channel>
</rss>
