
When your firewall turns against you

Speech transcript
Hi everybody, my name is René Freingruber, I'm working at SEC Consult, and today I will talk a little bit about Kerio Control. So this is a firewall, or a UTM as they refer to it: Kerio Control is a device containing stuff like a firewall, IPS, antivirus and so on. Before I was doing this research I didn't really know this company, but since then we have seen it in many SEC Consult customer projects, so it is used very often, and you can also do a quick search to see which companies are using it. So you can really attack many companies with the attack I present here today.

Basically I found two different attack vectors. The first one is just about web stuff: cross-site scripting, which you can use to bypass the CSRF protection, and then a file upload to get command injection. But that is a bit boring, so I will just talk about the second attack vector, which is more about memory corruption and exploitation. For the second attack vector I'm going to exploit PHP to execute my own shellcode on this device.

The first attack vector was just the possibility to upload some shell script, which then just gets executed on the device. Of course there were also lots of cross-site scripting vulnerabilities, and they always fixed just the one we reported; they didn't fix the remote code execution, just the cross-site scripting stuff, so we looked again and found seven new cross-site scripting vulnerabilities.

There is no portal reachable from the outside, so you cannot directly attack this firewall; instead you have to attack some victim. The victim goes to my website, so the attacker sends malicious HTML or JavaScript code which forces the victim's browser to send my malicious attack payload to this firewall. For this I had some problems which I had to solve. First of all I have to know the internal IP address of the firewall. The second problem is that I cannot read the response because of the same-origin policy; that means I have to write my exploit completely blind. And another problem is what to do if the victim is currently not logged in. The first attack vector, the web stuff, was just working against administrators, and for the second technique I wanted to make it work against every user, because it's not so common that someone is logged in to a firewall. And of course the firewall has cross-site scripting filters and CSRF protection.

To solve the first problem we can use some kind of trick, a very well-known trick: you just try to load an image from all possible IP addresses, iterating over all possible addresses in the internal network. Because of the same-origin policy I cannot read the response, but I can install an onload and onerror handler on the image, so I can detect if the load was successful, and that way I can detect whether Kerio Control is running on this IP address. This way I can identify Kerio Control in your internal network.

I can use the same trick to determine if I am currently logged in as a user, because I can just try to load an image that only loads when you are logged in; if you're not logged in, the image doesn't load. And if I'm not logged in, I can just log you in via cross-site request forgery, because the login is not protected against CSRF; only as soon as you are logged in are the requests protected. So this way, even if you're not logged in, I can start the attack against the internal system from the internet.

The last problem is the cross-site scripting and CSRF protections. For the first attack vector I was using the cross-site scripting to bypass the CSRF protection, and in that case we were lucky because of the way they handle base64-encoded data, and using this we could bypass the firewall's protections. For the second attack vector I wanted to directly bypass this CSRF protection.

So the second attack vector is using two PHP scripts. With the first PHP script you can set some data, and with the second PHP script you can do some stuff with this data. And there is a really funny thing here: there are two flaws in this code. What they were doing is trying to get the CSRF token from the user, so they get it either from GET or from POST. This would work, but the way the code is written, the result of this OR is a boolean; that means the result is not the GET or POST parameter but just 0 or 1. And now they make a loose comparison between this and the hash, that is between an integer and a string. Because they don't do type checking, the string gets converted to an integer, so they always compare 1 against 1, and that means you can always bypass this check. That was the first CSRF bypass.

The second script contained a different bypass. Here they're doing this stuff correctly, they just get the token from GET or POST. But the problem is the first check: they check that both the hash and the token are set, together with some conditions, and then make the same comparison, and if that value in the session is set to any value we can again bypass this CSRF protection. That means this allows me to execute any action in these PHP scripts, and these scripts contain everything you need as an attacker: you have remote code execution via unserialize, you have the possibility to do heap spraying on your target, and so on.

For the remote code execution I'm using the fact that they're using a very old PHP binary, more than six years old, and that they call unserialize on user-supplied input. I hope everyone knows that unserialize is a very bad function: it was used many times for PHP exploitation, there were many bugs in it, and some guys gave a talk at Black Hat about PHP 7 unserialize exploitation. So I can very easily exploit this stuff here. This is the script which I tried to attack: you can set a variable name and a value, and this sets any session variable to any value, which is very powerful. After that, the second script just takes this session variable and calls unserialize on it. So what I'm doing is: I call the first script to set the session variable to some malicious input, and then call the second script which unserializes it. That's the exploit.

I started by analyzing unserialize on my own system. This is how it works. For example, if you have an integer 123 and you serialize it, you get i:123; so 'i' for the data type integer and then the value. If you have a string, for example "abcd", you get s:4:"abcd"; so 's' for string, then the length 4, then the string. You can also make more complex stuff like arrays: a:3:{...} means 'a' for array and 3 because there are three elements stored in this array, and inside it's always first the key, so the index 0, then the value, the integer 123, and so on.

If you have a look at the source code of unserialize you see that you can also add references. What PHP is doing is it keeps a reference table: the first entry points to the array, the next one to the first element, and so on, until we come to a reference entry R:n; which means: go to the reference table, take the pointer at index n and replace this reference with that value. So if you execute this it will just print 456, because it is referenced.

Another very important concept is how variables are stored in PHP. This is the old PHP 5 structure; in PHP 7 it changed a little bit, but the important fact here is that it stores the value and the type. Depending on the type, for example string, integer or object, the value is interpreted differently, because this is a union: for a string it is interpreted as a string pointer and a length, for example. You can also see that this data structure contains the reference count, which counts the references to this value: for example, if I have three pointers to this value, the reference count is 3, and as soon as the reference count becomes 0 the memory is freed.

Nearly all of the unserialize bugs work like this: you have something that holds a reference to the data, then you add some strange encoding so that the data gets freed, but you still have the reference. The main problem here is that this reference is not counted in the reference count; it has no influence on the reference count. So if you can find some code which frees the data, you can use the reference to access the freed data, like in every simple use-after-free bug.

The bug I'm using here is in SplObjectStorage. As the name says, SplObjectStorage is used to store objects; for example you have a file object and another object. To store them it calculates the hash of the object; let's say the hash is 1234, so the file object is stored inside the hash table at index 1234. The reference count of the file object is incremented because the hash table entry points to it, and the same for the second object. The problem occurs as soon as we find two objects which have the same hash: if the second object has the same hash as the first, the pointer in the table is overwritten, so there is no pointer anymore to the first object and it is freed from memory. But we still have a reference to it from the reference table, because this reference is not counted in the reference count, which is the main problem. All of the unserialize bugs work like this, and if they had just implemented a reference count for that table it would have prevented many, many unserialize vulnerabilities.

So the question was: can we find two objects which have the same hash? The first answer is no, you cannot, because the input for the hash is the object handle, the object number, and two objects, object number 1 and object number 2, always result in different hashes. But you can abuse another problem here, a type confusion. An example of that is an old bug: if a function is called with an integer variable, and the macro it uses always dumps the value as a string without checking the type, that is a type confusion; they completely ignore the type and just take the value. If you set the integer to a chosen value it is interpreted as a string pointer, and you can read from any memory location. That attack doesn't help in our case, because we cannot change the PHP code, but we can use the same idea. The input for the hash calculation is using a macro which just takes the object, because you should only store objects in SplObjectStorage, and always interprets it as an object; it does not verify that this value is really an object. So what I can do is store inside the object storage something which is not an object, an integer or a string, and its value is then used as the input for the hash calculation. So the second entry is not a real object, but its first fields, which are the ones used as input for the hash calculation, are chosen so that the hash is exactly the same as for the first, real object. That means the second entry removes the first object from the hash table, its reference count drops to 0, and the object is freed from memory.

Then I just use a string of length 15: the freed data structure has a size of 16 bytes, and a string gets one extra byte for the null termination, so with a string of length 15 I get this memory back and therefore full control over it. Now the reference from the reference table points to this freed memory which I control, and when PHP looks at it, I can just read from memory, or I can set the function pointers of the object to any address, which means I get code execution.

There are just two problems. The first one is address space layout randomization: the heap is at a random location. I searched quite a long time to find a good trick to get around this. One possibility would be to use a PHP script here which leaks information, but because of the same-origin policy you cannot read it. So I decided on a very dumb idea: heap spraying. As I showed you already, I can set any session variable to any value, so I just set a session variable to a one-megabyte value and send that many times to the firewall until the heap spray is completed and my data is everywhere. This takes about 24 seconds, and after that I have full control over the target location in memory; in this case I was just using one fixed address, but you can use any location which is reliably covered by the spray.

The second problem is that the data is marked non-executable (NX), so I'm just doing the standard technique, return-oriented programming. The main binary is 26 megabytes big and not position independent, so we can take the address of a known libc function from it, calculate the address of mprotect from that, and just call mprotect. This is the ROP chain which I'm using here to obtain the address of mprotect and then call mprotect to make my own code executable. Now I'm just showing the demo.

You go to the website and download all the stuff; it's a virtual machine, and it's running with an internal IP address. Then the victim goes to my website. In this case I'm adding some debug output, but typically the victim would not see that anything is going on; this output can be disabled so that nothing is seen, but here I'm adding it so that you can see what's going on. So now I'm trying to identify Kerio Control in the internal network, trying to load the image from different IP addresses: from this IP address it was not possible to load it, but from this IP address I was able to load the Kerio Control image, so this way I know at which IP address Kerio Control is running. Here it's the same, from this IP address it was not possible to load the image. The next step is to identify if the victim is currently logged in: this is the image which I tried to load, and since it is not loaded, this user is not logged in. So I log the victim in via CSRF from the victim's browser. Now I was able to log in, so the next step is the heap spray: I'm allocating lots of stuff in memory to defeat address space layout randomization. Now the spray has finished; the next step is to set the session variable and then call unserialize, using the CSRF bypass. And then this just gives me a shell on my system, and of course the web server was running as root. Now you can fully attack the network, you can sniff the VPN because everything goes through the firewall, you can dump the passwords or whatever you like. You see here that I'm running as root.

And the vendor's response: they just said that running as root is not considered a vulnerability, and the code execution from the first attack vector is not considered a vulnerability. They fixed the cross-site scripting, and for the second vulnerability they didn't update the PHP binary, they just removed the unserialize call from the two scripts which I was using; it was not referenced by any other script, and they don't really have any idea where else it may be used, maybe someone placed one somewhere else. So it's still the old PHP 5 binary, and you just have to find another bug in PHP and you can still exploit it; you can just run any PHP exploit that works against a six-year-old version. Thanks.
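As an added example, not part of the talk and not Kerio Control's or PHP's own code, here is a small Python parser for the serialize() format the speaker walks through (i:, s:, a:, O: and the R:/r: back-references), with the reference table exposed so you can see which slot an R:n; resolves to. The PhpUnserializer and PhpObject names are my own; the slot numbering (every value except keys and back-references gets a slot when its parsing starts, numbered from 1) follows the var_hash table in PHP's php_var_unserialize() as I understand it; the sample payloads are constructed for the example.

```python
"""Parser for PHP's serialize() format, including the R:/r: back-references."""
from dataclasses import dataclass, field


@dataclass
class PhpObject:              # my stand-in for a deserialized PHP object
    class_name: str
    props: dict = field(default_factory=dict)


class PhpUnserializer:
    """Handles i: s: a: O: and R:/r: (booleans, NULL and floats omitted).

    `vars` mirrors the table php_var_unserialize() calls var_hash: every value
    except keys and back-references gets a slot when its parsing starts, so a
    container occupies its slot before its elements do.  R:n; / r:n; resolve to
    the n-th (1-based) slot; R: makes a PHP reference and r: a copy, which makes
    no difference for the parsed values here.
    """

    def __init__(self, data):
        self.data = data.encode() if isinstance(data, str) else data
        self.pos = 0
        self.vars = []

    def parse(self):
        value = self._value(register=True)
        if self.pos != len(self.data):
            raise ValueError(f"trailing data at offset {self.pos}")
        return value

    def _expect(self, token):
        if not self.data.startswith(token, self.pos):
            raise ValueError(f"expected {token!r} at offset {self.pos}")
        self.pos += len(token)

    def _read_until(self, delim):
        end = self.data.find(delim, self.pos)
        if end < 0:
            raise ValueError(f"unterminated token at offset {self.pos}")
        out, self.pos = self.data[self.pos:end], end + len(delim)
        return out

    def _string(self):
        length = int(self._read_until(b":"))   # byte length, as in PHP
        self._expect(b'"')
        raw = self.data[self.pos:self.pos + length]
        if len(raw) != length:
            raise ValueError("string shorter than its declared length")
        self.pos += length
        self._expect(b'"')
        return raw.decode("utf-8", "surrogateescape")

    def _members(self, target, count):
        for _ in range(count):
            key = self._value(register=False)   # keys never enter the var table
            if not isinstance(key, (int, str)):
                raise ValueError("array key must be int or string")
            target[key] = self._value(register=True)

    def _value(self, register):
        tag = self.data[self.pos:self.pos + 1]
        self.pos += 1
        if tag in (b"R", b"r"):                 # back-reference: no new slot
            self._expect(b":")
            n = int(self._read_until(b";"))
            if not 1 <= n <= len(self.vars):
                raise ValueError(f"back-reference {n} out of range")
            return self.vars[n - 1]
        slot = None
        if register:
            slot = len(self.vars)
            self.vars.append(None)              # reserve the slot up front
        if tag == b"i":
            self._expect(b":")
            value = int(self._read_until(b";"))
        elif tag == b"s":
            self._expect(b":")
            value = self._string()
            self._expect(b";")
        elif tag in (b"a", b"O"):
            self._expect(b":")
            if tag == b"O":
                value = PhpObject(self._string())
                self._expect(b":")
                target = value.props
            else:
                value = target = {}
            if slot is not None:
                self.vars[slot] = value         # lets R:n; point at the container itself
            count = int(self._read_until(b":"))
            self._expect(b"{")
            self._members(target, count)
            self._expect(b"}")
        else:
            raise ValueError(f"unknown tag {tag!r} at offset {self.pos - 1}")
        if slot is not None:
            self.vars[slot] = value
        return value


def php_unserialize(data):
    return PhpUnserializer(data).parse()
```

php_unserialize("a:2:{i:0;i:456;i:1;R:2;}") gives {0: 456, 1: 456}: slot 1 is the array, slot 2 is the integer 456, and the R:2; entry is replaced by whatever slot 2 points at. That table is the "reference table" of the talk, and nothing in it touches a reference count.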
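The reference-count argument from the talk (the reference table holds an uncounted pointer, so a hash collision in SplObjectStorage frees an object that is still referenced, and a type-confused hash input is what makes the collision possible), replayed as an added toy model in Python. This is my own simplification and not PHP's source: Zval, ObjectStorage, VarTable, the handle numbers and the hash_of callbacks are constructed for the example, and the `freed` flag stands in for the allocator handing the chunk out again.

```python
"""Toy model (not PHP source) of why an uncounted reference table turns a
SplObjectStorage hash collision into a use-after-free."""


class Zval:
    """Refcounted value slot.  For an object `value` is the object handle; for an
    integer it is the integer itself, in the same union field (as in PHP 5)."""

    def __init__(self, kind, value):
        self.kind = kind            # "object" or "int"
        self.value = value
        self.refcount = 0
        self.freed = False

    def addref(self):
        if self.freed:
            raise RuntimeError("use after free: addref on a freed zval")
        self.refcount += 1

    def delref(self):
        self.refcount -= 1
        if self.refcount == 0:
            self.freed = True       # allocator may now reuse the chunk


def confused_hash(z):
    """Models a macro that reads the handle field without checking the type."""
    return z.value


def checked_hash(z):
    """Same key derivation, but refuses anything that is not an object."""
    if z.kind != "object":
        raise TypeError("SplObjectStorage can only hold objects")
    return z.value


class ObjectStorage:
    """Hash table keyed by hash_of(entry), holding one counted pointer per key."""

    def __init__(self, hash_of):
        self.hash_of = hash_of
        self.table = {}

    def attach(self, z):
        key = self.hash_of(z)
        displaced = self.table.get(key)
        z.addref()                  # the table now references z
        self.table[key] = z
        if displaced is not None and displaced is not z:
            displaced.delref()      # the old entry loses its table reference
        return key


class VarTable:
    """unserialize()'s table of parsed values that R:n; resolves against."""

    def __init__(self, counted):
        self.counted = counted      # True models the fix the talk asks for
        self.slots = []

    def push(self, z):
        if self.counted:
            z.addref()
        self.slots.append(z)
        return len(self.slots)      # 1-based index used by R:n;


def collision_scenario(counted_var_table=False, hash_of=confused_hash):
    """Replays the talk's sequence: a real object is parsed and attached, then a
    forged non-object whose value equals the object's handle is attached under
    the same key.  Returns the victim zval and the var table for inspection."""
    var_table = VarTable(counted=counted_var_table)
    storage = ObjectStorage(hash_of)
    victim = Zval("object", 1)      # constructed: object with handle 1
    var_table.push(victim)          # R:1; now points here, counted or not
    storage.attach(victim)
    forged = Zval("int", 1)         # constructed: integer 1, read as handle 1
    var_table.push(forged)
    storage.attach(forged)          # same key, displaces the victim
    return victim, var_table


def dangling_reference(counted_var_table=False):
    """True when slot 1 of the var table still points at a freed zval."""
    victim, var_table = collision_scenario(counted_var_table)
    return var_table.slots[0] is victim and victim.freed


if __name__ == "__main__":
    print("uncounted var table -> dangling:", dangling_reference(False))   # True
    print("counted var table   -> dangling:", dangling_reference(True))    # False
```

With the uncounted table the victim's only counted reference is the storage entry, so the collision drops it to zero and slot 1 dangles; counting the var table entry keeps it alive, and checked_hash rejects the forged entry before any collision can happen.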

Metadata

Formal metadata

Title When your firewall turns against you
Subtitle Lightning Talks
Series title REcon 2017 Brussels Hacking Conference
Part 02
Number of parts 20
Author Freingruber, René
License CC Attribution 4.0 International:
You may use, modify, reproduce, distribute and make publicly available the work or its content, in unchanged or changed form, for any legal purpose, provided you credit the author/rights holder in the manner they specify.
DOI 10.5446/32398
Publisher REcon
Year of publication 2017
Language English
Production place Brussels

Content metadata

Subject area Computer science
