Posted by Virus Bulletin on Oct 20, 2014
IPv6 versus IDPS, XSS in WYSIWYG editors, and reflected file downloads.
After a busy first day, I was somewhat glad that the talks on the second day of Black Hat Europe appealed slightly less to my personal tastes and interests, as this gave me a chance to meet some old and new friends, and to have those conversations that perhaps form the heart of a security conference.
I did attend three talks though, each of which was very interesting.
Early in the morning, Antonios Atlasis, Enno Rey and Rafael Schaefer gave a presentation on IPv6. A few years ago, I wrote an article about the security implications of the switch to IPv6, the most important takeaway from which was that IPv6 isn't just IPv4 with longer addresses - it is a new protocol, in which many things work rather differently, and this has implications for security.
One thing that distinguishes IPv6 from IPv4 is the ability to use 'extension headers'. These make the protocol rather flexible and allow for future extensions that we haven't even though of. But, as Antonios, Enno and Rafael showed, combined with packet fragmentation, these extension headers tend to confuse intrusion detection and prevention systems (IDPS).
The researchers were able to evade many such a system this way - which they showed in a number of live demos. They had, of course, contacted the vendors, but a lack of response had encouraged their decision to go full disclosure.
Ashar Javed is writing a Ph.D. thesis at the University of Bochum, while earning money on the side from bug bounties paid to him for finding cross-side scripting (XSS) vulnerabilities in web-based WYSIWYG editors.
In his presentation, Ashar not only showed that all such editors are vulnerable, he also explained in great detail how one goes about finding such vulnerabilities. Finally (and, judging by the questions as well as this blog post, most controversially), Ashar shared a simple trick with the audience for blocking XSS attacks. He offered a bounty to anyone who could find a vulnerability in an editor set up this way. Despite more than 82k attempts — he keeps track of attacks through his web server logs — it has yet to be broken.
The final talk of the conference was one which had received some attention beforehand: Trustwave SpiderLabs researcher Oren Hafif speaking about reflected file downloads (RFD). I had been slightly sceptical about the seriousness of the issue, but Oren quickly convinced me that the issue he addressed is one to take seriously.
Using a surprisingly simple trick that reminded me both of XSS and of the incorrect parsing that is the basis of the Shellshock exploit, Oren was able to create URLs on popular domains such as google.com or bing.com that downloaded malware onto the machine of anyone accessing such links.
Fixing RFDs is not going to be easy, given the large number of websites that reflect user input, typically via a JSON response. Google and Microsoft, both of whom had been informed about RFD vulnerabilities in their sites in May, have now fixed this issue and one would hope for other vulnerable sites to follow quickly. At the same time, it wouldn't hurt for client-side security software to be aware of RFD attacks.
With four parallel streams and an 'Arsenal session', I only attended about one fifth of the presentations. Among those that I missed was that of Xeno Kovah (The MITRE Project), whose presentation on BIOS-level attacks was well received at VB2014. Those that I did see, though, were all well presented and interesting.