Archive for the 'Uncategorized' Category
Tuesday, October 30th, 2007
XS-Snipers at ToorCon 9 and Black Hat Japan
Hey all, Nate here…
In the last two weeks we got the opportunity to speak at both ToorCon and Black Hat Japan. What an awesome experience! Rob Carter and I spoke about our URI Use and Abuse research, including video demonstrations of all of our exploits. Unfortunately, Billy couldn’t join us for the talks due to some other commitments, but he did manage to come out to Japan and hang out with us in Tokyo. Rob and I also discussed the future of URI use and abuse and where it is going next… *Nix… and Mac! Just wait till I buy my MacBook and iPhone!
At ToorCon, Rob and I got to catch up with former co-worker Brett Hardin and had a great time hanging out with him in the Gaslamp district. We also met Dan Kaminsky and had a chance to talk with him about research and share some Jager Bombs. The weather was amazing, and we were fortunate enough to fly out of San Diego right before the fires started coming. If you saw us present, I recommend you check out our Black Hat presentation below, which is the full version of our research. A lot of things had to be cut for the 20 minute time slot we were allotted for speaking at ToorCon.
At Black Hat, Billy, Rob, and I hung out all week with Jeff Moss, Dominic, and the Black Hat Crew who treated us like kings, and got a chance to meet such industry renowned researchers as Billy Hoffman, Halvar Flake, and Kanatoko-san just to name a few. Tokyo was a stunning city, I’ve never seen anything quite like it, just skyscrapers for as far as the eye can see. We had a great time in Tokyo, and our presentation seemed to go very well. It was awesome trading war stories with Dom, Moss, Kanatoko-san, Hoffman, and all the speakers.
As promised to everyone who attended our talks, here is the source code to our DUH tools for both Windows and *Nix. To use these files, simply rename them to either .bat or .sh, then run them from the command line using either cscript.exe or /bin/sh. Thanks again, as always, to Erik Cabetas for the help with DUH 4 Windows! See the Black Hat page in the coming weeks for our video demos, as these are not likely to work from the PowerPoint slides. Our updated slides can be downloaded from here.
-Nate, Billy, Rob
Thursday, August 16th, 2007
Dude… where’s my passport?!?!
The XS-Snipers are ready to roll to Malaysia. We’ll be presenting at HITB 2007 on the 6th of September. Our talk will cover some new DNS Rebinding attacks that are pretty legit. It will be nice to finally meet Martin Johns (the guy who basically brought DNS Rebinding and pinning back from the dead). I’ll be sure to buy him a couple of beers and pick his brain! It would also be really cool if we could meet Mark Abene (Phiber Optik) and Emmanuel Goldstein; those two are larger than life in my book! We might also give a teaser or two about some new attacks we pulled off with URI abuse.
We’ve had an interesting couple of weeks recovering from DEFCON, including some discouraging feedback about our “disclosure policy”… perhaps we should actually get one of those someday. Surprisingly enough, it wasn’t from the folks at Mozilla, who were actually quite cool and just asked us to work with them in the future (which we will).
We’ve just been featured on /., which linked to an interview we did with Robert from IDG. The article was pretty nice; however, it received some /. criticism for lack of technical content… We also leaked a little pre-release information about a new piece of URI Use and Abuse we are playing with… this one allows us to steal data from a user’s computer through an XSS exposure and a URI abuse. Interestingly enough, we’ve been blasted a bit on /. because we haven’t released the details of the flaw. Sometimes you can’t win the disclosure game (as I’m sure other security researchers have found). We’ve gone through vendor disclosure, third party disclosure, and full disclosure, and we’ve been criticized each and every time…. We’ve got the FULL PoC ready and we’ll release it when we’re ready (shoutz to ROB CARTER for all his ActionScript and server side skillz!). I’m sure we’re not alone in our experiences; shoot me an email if you have an interesting disclosure story…
Finally….. I’m sad to say that Mark Hinge and Mark Anderson of Whitedust have hung their hats up! I’ve been a fan of Whitedust over the last few years….you’ll be missed…. If you’re ever in the Seattle area, look me up…
-BK and Nate
Tuesday, August 7th, 2007
I Survived BLACKHAT and DEFCON (Barely…)
Blackhat and Defcon are now officially in the history books! Nate and I had the opportunity to catch up with lots of old friends, as well as make a few new friends in the security world. Nate and I were lucky enough to get a speaking spot at DEFCON (which was AWESOME), and I’ll be posting the slides and demos on the site within the next few days.
I had a lot of questions about the specifics of the Flash demo I finished with during my DEFCON talk. I’ll be putting up some PoCs on how to force well known web mail servers to take ownership of a custom crossdomain.xml file, which could allow cross-domain requests through Flash applets (as demonstrated in the DEFCON demo).
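To make concrete what a crossdomain.xml file served from a webmail host actually grants, here is an added example (not the XS-Sniper PoC, and not Adobe’s own code) that evaluates a policy file the way the Flash player does, in simplified form: an `allow-access-from` entry of `*` admits every requesting domain, `*.example` admits that domain and its subdomains, anything else must match exactly. Both policy documents, the domain names, and the helper function names are constructed for the example. A policy with a single `*` entry is exactly what an attacker-controlled upload would contain, which is why getting the mail server to host one is enough to open the origin to any Flash applet on the web.

```python
"""Simplified Flash crossdomain.xml policy evaluation.
Added example: not the XS-Sniper PoC. Policies and names below are constructed."""
import xml.etree.ElementTree as ET

# A sane policy: only the site's own front end may make cross-domain requests.
RESTRICTIVE_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <allow-access-from domain="www.webmail.example"/>
</cross-domain-policy>
"""

# What an attacker would upload if the mail server can be made to serve it as its policy.
ATTACKER_UPLOADED_POLICY = """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>
"""


def allowed_domains(policy_xml):
    """Return the domain patterns listed in allow-access-from elements."""
    root = ET.fromstring(policy_xml)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain-policy document")
    return [el.get("domain", "") for el in root.findall("allow-access-from")]


def domain_matches(pattern, requesting_domain):
    """Flash-style matching (simplified): '*' matches anything, '*.base'
    matches base and every subdomain, otherwise case-insensitive exact match."""
    pattern = pattern.lower()
    requesting_domain = requesting_domain.lower()
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        base = pattern[2:]
        return requesting_domain == base or requesting_domain.endswith("." + base)
    return pattern == requesting_domain


def is_cross_domain_request_allowed(policy_xml, requesting_domain):
    """Would a SWF served from requesting_domain be allowed to read responses
    from the host that published this policy?"""
    return any(domain_matches(p, requesting_domain) for p in allowed_domains(policy_xml))


def over_permissive_entries(policy_xml):
    """Entries a reviewer should flag: bare '*' or any wildcard pattern."""
    return [p for p in allowed_domains(policy_xml) if p == "*" or p.startswith("*.")]


if __name__ == "__main__":
    for name, policy in (("restrictive", RESTRICTIVE_POLICY),
                         ("attacker-uploaded", ATTACKER_UPLOADED_POLICY)):
        print(name, "allows evil.example:",
              is_cross_domain_request_allowed(policy, "evil.example"),
              "flagged:", over_permissive_entries(policy))
```

The same check is useful defensively: run `over_permissive_entries` against the crossdomain.xml of any host that also serves user-supplied content, since a `*` there turns every file upload feature into a cross-domain read primitive for Flash.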
We also had a lot of questions about URI exploitation. Nate and I should have some more examples coming soon… but in the meantime, any questions we didn’t get a chance to answer in Vegas can be sent to our email accounts.
I’ll be in and out for the next few days as I wrap up some forensics training, so my response may be a little slow. If anyone is interested in talking about forensics, shoot me an email.
Next up on the list for me is HITB Malaysia! It should be interesting, as I’ll be showing how to pull off Anti-DNS Pinning in full-blown Java Applets (JVM, not LiveConnect). It works with IE, and no proxy is required!
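The DNS rebinding attacks teased for HITB above and the anti-DNS-pinning applet mentioned here rest on the same mechanism, so here is one added example (not the XS-Sniper HITB material) that simulates it end to end: an attacker-controlled resolver answers with the attacker’s server first and an intranet address afterwards, with a tiny TTL, and a client that honours the TTL ends up opening a “same-origin” socket to the intranet host. Setting `pin=True` models DNS pinning, where the first address seen for a host is kept for the whole session. The hostname, both addresses, the simulated clock, and the class names are constructed for the example; the applet case matters because the JVM does its own name resolution rather than reusing whatever the browser pinned.

```python
"""DNS rebinding versus DNS pinning, simulated with a fake resolver and clock.
Added example: not the XS-Sniper PoC. Names and addresses are constructed."""

ATTACKER_HOST = "attacker.example"
ATTACKER_IP = "203.0.113.7"   # constructed (TEST-NET-3): the attacker's web server
INTERNAL_IP = "10.0.0.5"      # constructed: an intranet host behind the victim's firewall


class RebindingResolver:
    """Attacker-controlled authoritative DNS for attacker.example.
    First answer: the attacker's server, so the page/applet loads.
    Every later answer: the internal target. The short TTL invites re-resolution."""

    def __init__(self, ttl=1):
        self.ttl = ttl
        self.queries = 0

    def resolve(self, name):
        if name != ATTACKER_HOST:
            raise LookupError(name)
        self.queries += 1
        return (ATTACKER_IP if self.queries == 1 else INTERNAL_IP), self.ttl


class Client:
    """A name cache in front of connect().
    pin=False: honour the TTL and re-resolve when it expires (rebinding works).
    pin=True : keep the first address for the session, ignore the TTL."""

    def __init__(self, resolver, pin):
        self.resolver = resolver
        self.pin = pin
        self.cache = {}  # name -> (ip, expires_at)

    def connect(self, name, now):
        entry = self.cache.get(name)
        if entry is None or (not self.pin and now >= entry[1]):
            ip, ttl = self.resolver.resolve(name)
            entry = (ip, now + ttl)
            self.cache[name] = entry
        return entry[0]


def run_session(pin):
    """t=0: the applet is fetched from attacker.example.
    t=5: the applet opens a socket back to attacker.example. The same-origin
    check compares hostnames, so it passes either way; what differs is the IP
    the socket actually reaches. Returns the list of IPs contacted."""
    client = Client(RebindingResolver(ttl=1), pin=pin)
    contacted = [client.connect(ATTACKER_HOST, now=0)]
    contacted.append(client.connect(ATTACKER_HOST, now=5))
    return contacted


if __name__ == "__main__":
    print("TTL honoured :", run_session(pin=False))  # second socket lands on 10.0.0.5
    print("pinned       :", run_session(pin=True))   # second socket stays on 203.0.113.7
```

Pinning in the browser does nothing for a socket the JVM opens with its own cache, which is the gap the applet variant uses; on the server side, checking that the HTTP `Host` header names a hostname you actually serve is the check that survives regardless of which resolver the client used.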