Another day has passed here at CanSecWest with a mixed bag of results. Overall the content was, again, quite good, PWN2OWN shows us the future, HallCon and BarCon were all kinds of awesome, and I had two distinct “a ha!” moments.
My first “a ha!” came during DongJoo Ha and KiChan Ahn’s “Is Your Gaming Console Safe?: Embedded Devices, an AntiVirus-free Safe Hideout for Malware.” You might ask “Marcus, what is so compelling here? They’re just gaming consoles,” and that’s true. You know what they also are? Embedded devices with distinctly powerful CPUs. With the growth of home-brew builds (customized operating systems) available for many gaming consoles, more and more these are being looked at as attack and attacker platforms.
One example I found particularly powerful was a Nintendo DS running metasploit to compromise Windows devices. Clearly, a gaming console is just like any other device on the network. The second demo (and the actual “a ha!” moment) was when the presenters actually injected code into the gaming files themselves. Yes, boys and girls, you read that right. It is possible to inject code into games just as you would inject code into any DLL or application. They showed this on both installed games and games downloading from the Internet. I was left a bit unclear as to the limitation on an unbroken gaming console, but the implications are far reaching–a networked device is a networked device. They can all be 0wned. When you combine this with the fact that there is no awareness that malware or attacks can happen on these types of embedded devices along with the fact that people will download and install almost anything without a second thought, the potential for abuse is clear.
The Adobe sessions at CanSecWest this year were one of the main reasons I attended. Adobe is a huge target for cybercriminals and malware writers lately as client-side exploits are quite the trend. While attending Haifei Li’s “Understanding and Exploiting Flash ActionScript Vulnerabilities,” I was very disappointed–mainly because I could not understand the speaker. Later in the day, however, I reviewed the slides and enjoyed my second “a ha!” moment.
The slides are remarkably clear in explaining the essence of ActionScript vulnerabilities. They are due, according to Li, to various program flow-calculating errors in the Verification/Generation Process, and that the Verification Flow and the Execution Flow are not the same. This is a very big deal because code can pass verification mode but during execution mode can still trigger a vulnerability. Byte-code blocks make it difficult for the verification process to recognize the correct flow, which can then result in many ActionScript vulnerabilities. Clearly, ActionScript vulnerabilities and exploits will be with us for quite some time.
The final session that struck home for me was “Welcome To Rootkit Country,” from Graeme Neilso. His targets were atypical of traditional rootkit targets as he focused on firewalls and routers. Neilso’s question “Can the integrity of the OS be trusted?” had many heads nodding in agreement. (I was one of them.) Even I was surprised by the amount of firmware that still uses hardcoded passwords and no integrity checking. Let’s be honest: You are just asking for trouble here. Neilso walked us through rolling your own rooted firmware as well as methods of installing both remotely and locally across a wide variety of firewalls. Again, I walked away believing this more firmly than ever–any device, any OS, any application can be broken or 0wned. At this point I was roped into hallway discussions on the future of embedded-device security, rootkits, and what PWN2OWN really means for the future of the security industry.
When you consider how much infrastructure runs on embedded devices and how enterprises are more and more rapidly adopting mobile technologies, these types of conferences are becoming more relevant than ever.
Although it was really no surprise, the iPhone 0wnage by Charlie Miller during PWN2OWN was a portent of the near future of iPhone exploits and attacks. Miller used a drive-by download attack to 0wn the phone. Like many attacks, the phone user is simply required to surf to a rigged website. This caused a browser crash, but once it was relaunched Miller was able to hijack the entire address book. Pay attention to this type of attack, as it has far-reaching implications. Far more impressive to me was the BlackBerry attack by Vincenzo Iozzo, Willem Pinckaers, and Ralf Philipp Weinmann. By using vulnerabilities in WebKit, an open-source browser recently added to Blackberry, they were able to steal the device’s contact list, image database, and even write a file into it by chaining together a series of bugs. What makes this so impressive? The fact that BlackBerry is an almost unknown system. The attackers had to rely on assumptions on Java Virtual Machine and browser functionality. RIM is said to be planning to add ASLR and DEP in the future; however, because there are established evasions for these defenses, we shall see where this goes.
Today holds one more Adobe session for me, stale pointer theory, and some cool fuzzing.