Well, I’m back in Seattle, having spent a fantastic weekend in Washington, D.C. for ShmooCon 2008 (http://www.shmoocon.org/). Continuing from my previous post about Day 1:
Day 2 had more great talks. First, John Kindervag and Jason Ostrom talked about “VoIP Penetration Testing: Lessons Learned”. Check out their VoIP Hopper tool at http://voiphopper.sourceforge.net/. They did some cool demos showing how a PC can make itself look like a VoIP phone and easily bypass an internal VoIP VLAN, thus placing itself on the internal data network. That’s particularly scary when you consider that VoIP phones are being installed in lobbies, conference rooms, and other semi-public areas. Anybody who has access to such an area can launch this attack. The moral of the story is that VLANs are not a security feature!
Then Shanit Gupta did a talk called “Got Citrix? Hack It!” Pretty cool, although he was relying on the availability of the conference WiFi network for many of his demos, and that network happened to be down at the time. Well, you probably shouldn’t rely on the wireless network at a hacker conference, right? Anyway, he was able to show some portions of his demo. The general theme was how to violate the application sandbox restrictions that are supposed to be enforced within a Citrix window. For example, if you can get a File Open window, then right-click on an application binary within it, you can probably run that app on the server. Ditto for navigation and printing tricks from within the browser.
Finally, there was a secret unannounced talk by Mati Aharoni (I think), one of the guys behind Backtrack (http://www.remote-exploit.org/backtrack.html). He showed two live demos. The first was how to modify a tool such as netcat in such a way that it’s no longer flagged as dangerous by anti-virus. This is done by creating a modified version of the tool that decodes itself at runtime. Pretty cool to see him put that all together live! Still, that hack requires that the tool have a writable .text section. I guess in response I’d want my AV to block all PEs with that characteristic, except for perhaps a white list. Plus, if certain encoded versions of a given tool proliferate, it’s just a matter of time before they end up getting flagged as well.
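As an added example (my own illustration, not code from the post or from the talk), here is the defensive check the last paragraph suggests: parse a PE file's section table and flag any section that is marked writable and also executable or code-bearing, which is the characteristic a self-decoding binary needs. The IMAGE_SCN_* flag values are the standard ones from the PE/COFF spec; the minimal PE builder and the section layouts fed to it are constructed purely for the demonstration and are not real binaries.

```python
import struct
import sys

# Standard PE/COFF section characteristic flags.
IMAGE_SCN_CNT_CODE    = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE   = 0x80000000


def parse_sections(data: bytes):
    """Return [(name, characteristics), ...] from a PE image's section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: NumberOfSections at +2, SizeOfOptionalHeader at +16, 20 bytes total.
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    sec_table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        off = sec_table + i * 40            # each section header is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        chars = struct.unpack_from("<I", data, off + 36)[0]  # Characteristics field
        sections.append((name, chars))
    return sections


def writable_code_sections(data: bytes):
    """Names of sections that are writable AND (executable or code): the
    self-modifying pattern the post says AV could simply refuse to run."""
    flagged = []
    for name, chars in parse_sections(data):
        is_write = bool(chars & IMAGE_SCN_MEM_WRITE)
        is_code = bool(chars & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE))
        if is_write and is_code:
            flagged.append(name)
    return flagged


def build_pe(section_flags):
    """Constructed minimal PE32 header (DOS stub + PE sig + COFF + empty optional
    header + section table) so the checker can run offline. Not a loadable binary."""
    e_lfanew = 0x40
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt = b"\0" * 224                                   # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_flags), 0, 0, 0, len(opt), 0x0102)
    secs = b"".join(
        name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", 0, 0, 0, 0, 0, 0, 0, 0, chars)
        for name, chars in section_flags
    )
    return dos + b"PE\0\0" + coff + opt + secs


# Constructed sample layouts: a normal build versus a self-decoding one.
NORMAL_PE = build_pe([(b".text", 0x60000020),   # code | execute | read
                      (b".data", 0xC0000040)])  # initialized data | read | write
SELF_DECODING_PE = build_pe([(b".text", 0xE0000020),   # code | execute | read | WRITE
                             (b".data", 0xC0000040)])


if __name__ == "__main__":
    # Usage: python pe_wx_check.py <file.exe>   (falls back to the constructed samples)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(writable_code_sections(fh.read()))
    else:
        print("normal:", writable_code_sections(NORMAL_PE))
        print("self-decoding:", writable_code_sections(SELF_DECODING_PE))
```

The check only looks at section flags, so a whitelist (as the post suggests) would sit in front of it; it also will not catch a packer that allocates RWX memory at runtime instead of marking .text writable, which is why this is a cheap triage signal rather than a complete answer.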