Tuesday, August 7th, 2007

I Survived BLACKHAT and DEFCON (Barely…)

Blackhat and Defcon are now officially in history books!  Nate and I had the opportunity to catch up with lots of old friends, as well as make a few new friends in the security world.  Nate and I were lucky enough to get a speaking spot at DEFCON (which was AWESOME) and I’ll be posting the slides and demos on the site within the next few days.

     

I had a lot of questions about the specifics of the Flash demo I finished with during my DEFCON talk.  I’ll be putting up some PoCs on how to force well known web mail servers to take ownership of a custom Crossdomain.xml file, which could allow for crossdomain requests through flash applets (as demonstrated in the DEFCON demo).

     

We also had a lot of questions about URI exploitation.  Nate and I should have some more examples coming soon…  but in the meantime, any questions we didn’t get a chance to answer in Vegas can be sent to our email accounts. 

I’ll be in and out for the next few days as I wrap up some forensics training, so my response may be a little slow.  If anyone is interested in talking about forensics, shoot me an email.

     

Next up on the list for me is HITB Malaysia!  It should be interesting as I’ll be showing how to pull off Anti-DNS Pinning in full blown Java Applets (JVM, not LiveConnect).  It works with IE and no proxy is required!

Posted by xssniper | Filed in Uncategorized

  • http://kuza55.blogspot.com kuza55

    Is the custom crossdomain.xml file issue you demoed by any chance similar to: http://www.hardened-php.net/library/poking_new_holes_with_flash_crossdomain_policy_files.html

    If not, I eagerly await seeing the info, :D

  • rcarter

    it was great to see you man. had a blast on wednesday and thursday night. i’m looking forward to seeing the video of you and nate’s presentation. kick ass at hitb.

  • http://xs-sniper.com BK

    @kuza55 – GREAT article about crossdomain.xml issues. This was probably one of the first papers I read about crossdomain issues in the flash player. I”m sure loadPolicyFile() is RIPE for all sorts of abuse. Any time you put the words “Security” and “Arbitrary” in the same paragraph (as it is in the Flash Player Security document), its usually a bad thing.

    My issue is different, but I would highly recommend that article to anyone looking into the (in)security of the flash player!

  • http://xs-sniper.com/ Nate McFeters (McNasty)

    I just got back to Houston… Vegas will kill a man, I swear to God. Every year I go there I worry more about not making it back.

  • http://kuza55.blogspot.com kuza55

    @BK:
    Heh, I think any time you mention “Flash” and “Security” in the same paragraph its a bad thing, :)

    But that’s cool, /me looks forward to seeing the info, :)

  • http://takyseo.com blackhat

    lol ugh, i spilt my coffee during reading this, good post though

free themes for a free world by tequilo.de and wp.org