CanSecWest Day 1

Random thoughts:

  1. Haven't seen the sun since like . . . Monday morning.

  2. Driving to Canada sucks in the rain.  Multiple accidents inside the 12 or so miles I had to drive in Canada made the Canadian part of the trip about as long as the U.S. part of the trip, resulting in about a 4-hour trip that should have been 2.5 hours.  Driving to Canada from Seattle seemed like a good idea at the time . . .

  3. CanSec is awesome because I got a fairly nice, free SWAG jacket (which was awesome because I didn't bring anything water proof to wear in the rain).

  4. CanSec is awesome because they provide alcoholic beverages during breaks (well, you have to pay - but at least they are offered).  The Google presenter had a beer during his session to calm him down.  Nice touch - I may do the same. 🙂

  5. CanSec is awesome because there is only one track - you get to see ALL the sessions, which is nice since I usually end up having to choose between multiple sessions I want to see.

  6. The Vista SP1 pwn2own device is a miniature tablet PC thing with like an 800 MHz 32-bit processor - so it couldn't run 64-bit Vista (I wanted to load 64-bit to mess with hax0rs who probably only have x86 shellcode. :))

  7. Apparently the only thing worth eating here is Sushi because that's all anyone I talk to wants to eat!

Today's sessions were interesting.  The first one was a Chinese researcher (Sun Bing) who has found some vulnerabilities in VMWare and he was discussing them.  I sat in the front row, right in front of a speaker, and his soft voice and minimal English vocabulary prevented me from grokking most of what was presented.  From what I gathered his vulns were all concerned with local EoP from user to admin (or SYSTEM) on Windows boxes running VMWare (i.e. not breaking out of the guest but rather using VMWare flaws to elevate privs on the host OS from standard user to higher).  The first one he talked about was basically an .INI file that VMWare uses to figure out where some high-privilege EXE is that it should run (I think it's an extensions process).  He showed that basically the ACLs on the .INI were such that standard users could edit it and so replace the path to the VMWare EXE with the path to their own EXE.  All you had to do was edit the INI and then wait for an admin to start a VM and it would then run the extensions process.  This was a recently patched vuln.  Then it got harder to understand / follow, but it appeared to me that he was able to write an EXE that could talk to the VMWare 'authd' service running at high privilege and get that to write to kernel memory via some interesting IOCTLs?  It was hard to follow, but he showed his console app running as a standard user being elevated to SYSTEM and he mentioned (again, I think) modifying the EPROCESS blocks in memory.  I can't remember if this one was patched yet or not.
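The .INI bug above is a generic pattern: a privileged process reads a config file to find an executable, and a standard user can rewrite that file (or delete and recreate it via a writable parent directory). The following is an added example, not code from Sun Bing's talk or from VMWare, for auditing that pattern on your own host. It takes a list of config file paths and reports any Allow ACE that grants write, delete or permission-change rights to Everyone, Authenticated Users, BUILTIN\Users or Interactive, checking both the file and its parent directory. The path in the usage line at the bottom is a placeholder; substitute the real file(s) you want to check.

```powershell
# Added example (not from the talk or from VMWare): find config files that a
# low-privilege user could rewrite, which is the precondition for the
# "edit the INI, point it at your own EXE, wait for an admin" style of EoP.

# Principals every standard user is a member of, by well-known SID so the
# check does not depend on the OS language.
$LowPrivSids = @(
    'S-1-1-0',      # Everyone
    'S-1-5-11',     # Authenticated Users
    'S-1-5-32-545', # BUILTIN\Users
    'S-1-5-4'       # Interactive
)

# Specific rights that let the holder change the file's contents, replace it,
# or rewrite its ACL (Modify and FullControl include these bits).
$WriteMask = [int]([System.Security.AccessControl.FileSystemRights]`
    'WriteData,AppendData,Delete,ChangePermissions,TakeOwnership')

# Generic rights sometimes appear in ACEs instead of specific bits.
$GenericWriteMask = 0x40000000 -bor 0x10000000   # GENERIC_WRITE | GENERIC_ALL

function Find-WeakConfigAcl {
    param([Parameter(Mandatory)][string[]]$Path)

    foreach ($p in $Path) {
        # Check the file and its parent directory: delete-and-recreate on the
        # directory is as good as writing the file.
        $targets = @($p)
        $parent = Split-Path -Path $p -Parent
        if ($parent) { $targets += $parent }

        foreach ($t in $targets) {
            if (-not (Test-Path -LiteralPath $t)) { continue }
            $acl = Get-Acl -LiteralPath $t

            # A low-privilege owner can always grant itself write access.
            try {
                $ownerSid = (New-Object System.Security.Principal.NTAccount($acl.Owner)).
                    Translate([System.Security.Principal.SecurityIdentifier]).Value
                if ($LowPrivSids -contains $ownerSid) {
                    [pscustomobject]@{ Target = $t; Principal = $acl.Owner; Rights = 'Owner'; Inherited = $false }
                }
            } catch { }

            foreach ($rule in $acl.Access) {
                if ($rule.AccessControlType -ne 'Allow') { continue }
                try {
                    $sid = $rule.IdentityReference.Translate(
                        [System.Security.Principal.SecurityIdentifier]).Value
                } catch { continue }
                if ($LowPrivSids -notcontains $sid) { continue }

                $mask = [int]$rule.FileSystemRights
                if ((($mask -band $WriteMask) -ne 0) -or (($mask -band $GenericWriteMask) -ne 0)) {
                    [pscustomobject]@{
                        Target    = $t
                        Principal = $rule.IdentityReference.Value
                        Rights    = $rule.FileSystemRights
                        Inherited = $rule.IsInherited
                    }
                }
            }
        }
    }
}

# Placeholder path (assumption for illustration); replace with the real config file(s).
Find-WeakConfigAcl -Path 'C:\ProgramData\ExampleVendor\config.ini' | Format-Table -AutoSize
```

An empty result means no standard-user principal can rewrite the file or its directory; any row is worth looking at, and an inherited row usually means the parent directory's ACL is the real problem rather than the file itself.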

EDITED 3/27/2008:  I had a chance to talk with Oded from VMWare and clear up my confusion about how the VMSafe security agent technology works, so read my Day 2 post if you're interested in more accurate reporting.  🙂 Oded took some blame for the confusion because during some of his demos he was running compiled code on the host OS that was talking to the hypervisor and it wasn't clear that it was compiled (vs. a script) etc.  He talks pretty fast. 🙂  Anyhoo - the demos were using compiled code - and it was using the VMSafe APIs, not VProbes, and eventually that code will run in just another VM alongside the VM that it's protecting / monitoring.

What was interesting was that the next speaker was a dude from VMWare! 🙂  Oded (the speaker) is a researcher at VMWare and he was here to show off the new VMSafe technology that they are soon to be releasing.  Basically from what I gathered in his talk - they are going to allow their VMM / Hypervisor to run an interpreted language (he didn't say if it was C- or Javascript-based or some proprietary language).  With your script running inside the hypervisor - you'll be able to make various API calls to find out the state of 'things' in a Virtual Machine the hypervisor is . . . hypervisoring.  Did I mention that your code or other 3rd-party code will be running inside the hypervisor?  🙂  It was funny (to me) because he had just gotten done talking about TPMs as the root of trust and their limitations (the limitations being that the TPM stores measurements of the boot process and then it's done - it doesn't do anything post OS boot etc.) and then he says in the new VMWare model the hypervisor can be thought of as the root of trust . . . like right after he got done telling us that he's gonna let 3rd-party code party in it.  Should be interesting. 🙂  I'd love to see their threat models. 🙂  Anyhoo - the new VMSafe model seems to basically be some 'security agents' tasked with monitoring / protecting the guest OSs and they run (I think) on the host OS - (I need to take better notes) and they talk to the hypervisor to find out stuff about what's happening inside a given guest OS / VM.  He mentioned a minimal 3% perf hit at one point.  What sort of things can these agents do?  Well I'll admit - some pretty cool stuff!  These agents can for example examine the pages of virtual memory inside of the guest OS . . . so one of the demos he showed was packed malware evading an AV package inside the guest OS (because it was unpacking in memory) - but then outside the guest OS, after the malware was unpacked in memory, the pages of memory were scanned from this 'agent' which is querying the hypervisor to get at pages of executable memory it's interested in.  He also did a demo where he 'recorded' a VM session (really cool technology that I wish we had in VPC) . . . so he took a VM - ran some malware in it while he was recording and then when he played that back - his agent was able to detect the malware on playback.  So think about it from an intrusion / incident response standpoint.  Maybe you have terabytes and terabytes of storage and you can set an important VM to record in some sort of circular log format (not sure if they can do THAT yet) . . . if you find out about a compromise or intrusion you can maybe create an agent to talk to the hypervisor and when you play back that recorded session you may be able to pinpoint when it happened etc.  It was all pretty interesting stuff IMHO.  For me I couldn't really get past the (presumed) increase in attack surface they are exposing in the hypervisor by allowing these 3rd parties to write code (even if they are just calling APIs to query the hypervisor or poll it).  On the other hand - if you can run an agent on the host OS - you can probably own any of the guest OSs, so this may not really matter in the greater scheme.  I have to do more sustained thinking on whether I think this is all a good idea or not.  Basically the demos seemed to be geared towards host based IPS / IDS but at the hypervisor level outside of the guest OS . . .

During Oded's presentation a local news crew was there and Dragos interrupted him to announce the rules of the PWN2OWN contest.  Here's the breakdown:

Day 1: $20k in reward money (via ZDI) for any remote pre-auth type vuln against a bare OS (so basically wifi driver sploits or network based attacks against a service).
Day 2: Attack vector / scope will be increased to local client-side apps and the reward goes down to $10k for those.
Day 3: They pile on some prevalent 3rd-party apps and / or will install apps upon request (but they can't be lame apps etc.).

I checked after nearly the last presentation and I think they'd only had a sign-up for Day 2's festivities, so it doesn't look like any OSs are getting popped for the $20k reward.

After Oded's talk we had Rich Cannings from Google give one of the better talks of the day.  He gave us some insight into Flash based XSS attacks and how he ventured into this area.  Basically Flash and the underlying ActionScript 2.0 language are full of XSS opportunities - many of which are considered by Adobe to be 'programming errors' by the developers . . . but in some cases the 'developers' are templated code that is spit out by various Flash authoring tools.  Someone asked about Silverlight and whether it was vulnerable and Rich said he hadn't tested it. 🙂

After Rich, Sergio Alvarez from nRuns was up to talk about pwning AV software.  His talk was like 80% trying to convince an already very convinced audience about why AV software is actually increasingly a liability vs. an asset.  He talked about some flaws he's discovered in, for example, eTrust with CAB file parsing that allowed code execution.  He showed some vendor communications he's had with various vendors that were mostly hilarious (one vendor responding that an EIP set to 0x41414141 was 'just a crash' referencing invalid memory or something to that effect and they didn't see how that was exploitable!).  He unfortunately didn't get to any cool demos until the very very end of his talk and he tried using Metasploit on his notebook and didn't seem to have rehearsed things because the audience had to help him through getting remote shells on his victim VPCs using the framework.  Great - I just cursed myself - my demos will probably suck.

Well that was my Day 1 - so far I really like the con . . . it's smaller than Blackhat and the audience is pretty cozy and not afraid to shout out questions . . .
