How We’ll Miss You So, Black Hat ’06…

Las Vegas was an absolute blast! Not just because Arbor had an awesome turn-out for its annual poker tournament (nice job, Lisa and Robin!), but also because the Black Hat sessions that we attended were amazingly strong. Having attended the conference for a number of years now, I was glad to see that CMP Media’s acquisition of Black Hat hadn’t adversely impacted the content that Jeff Moss is renowned for pulling together. A sincere thanks for what was truly a great con!

Each of us from ASERT who attended this year had various thoughts on the sessions we saw. So, instead of a stream of overlapping blog posts, I compiled our thoughts into what you see below. We encourage you to follow the links and learn as much as you can about the research these folks are doing…you can be certain we’ll be doing the same.

Device Drivers
Jon Ellch aka johnny cache & David Maynor

These two scared everyone who brought their laptop to the conference in the hope of using the wireless network. In the first half of their talk, they described the process of enumerating wireless drivers. Driver enumeration is interesting, but innocuous, and they both must have known that starting with such an innocuous topic would calm the audience before the storm. In the second half of their talk, Maynor proved that enumeration was very helpful when you’ve already done vulnerability analysis of several wireless drivers. To avoid disclosing the actual shellcode used in their exploit, Maynor showed a video in which a Dell laptop attacked an old PPC-based Mac laptop to install a rootkit. Then, Maynor simply connected to the backdoor (a bound shell listening on a socket) and had a root shell (albeit without any line buffering or shell prompts) on the Mac. Needless to say, none of us used our laptops for wireless Internet access anywhere near the conference.

PDB: The Protocol DeBugger
Jeremy Rauch & Dino Dai Zovi

Jeremy glued together some disparate pieces of code (including libevent) to create a gdb-style protocol debugger written in C, with a modular interface that lets it load modules written in Ruby (of which they have two). The demonstration was interesting, but not without issues, as the debugger does not currently handle TCP re-transmits. Definitely an interesting concept, regardless. The proof-of-concept revealed that Python would have been a much more natural choice for developing the system. Sure, there’s a divide between the Python and Ruby camps; however, in our collective opinion, Python is the “lingua franca” of high-level languages in security. Given that libdnet has a built-in Python extension, and that Dug’s pyevent and dpkt modules already provide Python bindings for libevent and protocol decoding/composing respectively, the work spent developing the underlying glue could instead have been spent improving the debugger itself. Not trying to be too hard on Jeremy, though. He’s a sharp dude with some interesting ideas.

Punk Ode—Hiding Shellcode in Plain Sight
Michael Sutton & Greg MacManus

An excellent talk all-around. They clearly explained and demonstrated how simple it is for anybody to hide exploits in plain sight for specific kinds of attacks. Their method simply disguises the malicious data as legitimate data inside images, and presumably video, so any attacker could use it to bypass many network security products that inspect packets looking for specific attacks. While this kind of attack is very interesting, there are also many other ways of achieving the same result. More information available here.

Hacking World of Warcraft: An Exercise in Advanced Rootkit Design
Greg Hoglund

This was one of the best talks at the conference. Very entertaining, and it definitely had something for everybody. Hoglund described “The Supervisor,” a kernel-level rootkit made specifically to bypass “The Warden,” Blizzard Entertainment’s anti-cheating technology. This effectively allows anyone running “The Supervisor” to cheat and get away with it. The Supervisor allows Hoglund to inject his own instructions into the World of Warcraft client, letting him or others take control of the client while also cloaking the injected instructions: the page tables corresponding to the modified memory are replaced with another page table filled with A’s. When The Warden next scanned the system’s memory for any signs of cheating, it would only come across a bunch of A’s rather than the actual instructions. Brilliant…and Hoglund’s presentation was flawless and entertaining as ever.

Subverting Vista Kernel For Fun And Profit
Joanna Rutkowska

Joanna’s presentation on exploiting the 64-bit version of Microsoft’s Windows Vista operating system was, without question, our favorite talk of the conference. She skipped the introductory section found in many technical talks and jumped right into a very straightforward method of exploitation: consuming enough system resources to force the OS to page non-wired memory to disk, thereby allowing her to modify the on-disk representation of this memory, and finally releasing those system resources, allowing the modified memory to be paged back in to the system. She then described how to exploit the virtualization features found in AMD’s newest dual-core processors to inject a hardware virtualized rootkit while seamlessly world switching a non-virtualized and running Vista platform into a hardware virtualized context. If Paris Hilton had been in the audience, she’d have agreed that this portion of the talk was “hot”. The first half of the talk, and even more so the second half, seemed to be a bit technical for some members of the audience, judging by the questions asked. That said, most people we spoke with afterwards agreed that it was the best session of all of Black Hat 2006.

4 Responses to “How We’ll Miss You So, Black Hat ’06…”

August 10, 2006 at 7:09 am, Domber said:

Thx for the hint about the WoW Rootkit … pretty interesting stuff.

August 10, 2006 at 1:29 pm, Dino Dai Zovi said:

[…] I’m taking the bait. I am somewhat of a programming language geek and actually love debating the pros/cons of various languages and whether some of them (i.e. bourne shell) are well suited to certain tasks (i.e. fuzzing). However, claiming that a specific language is the best tool for any job is the silly sort of argument that someone who knows *one* high-level language tends to make. Sometimes the right language for the job in the hands of good programmers lets you make a cool few million bucks in one summer. Sometimes, your exploits must be written in OCaml (if you haven’t already tried it, pattern matching is *phenomenal* for writing network protocol stacks). Try and reverse that binary! […]

August 17, 2006 at 5:23 pm, Haroon Meer said:

We did a pdb little brother as part of our “tale of two proxies” talk at the same show. I used Python (but mainly so that I could steal Scapy’s packet structures/code :>

We bumped into the TCP re-transmit issue too, but I suspect it can be fixed relatively easily by faking window updates (size 0) to both client and server (effectively becoming a pdb style int3)

My code is far messier, but I’ll throw it up soonishly..

August 19, 2006 at 12:30 pm, Steo said:

Nice article. Thanks.
