Black Hat Europe - day 2

Posted by   Virus Bulletin on   Oct 20, 2014

IPv6 versus IDPS, XSS in WYSIWYG editors, and reflected file downloads.

After a busy first day, I was somewhat glad that the talks on the second day of Black Hat Europe appealed slightly less to my personal tastes and interests, as this gave me a chance to meet some old and new friends, and to have those conversations that perhaps form the heart of a security conference.

I did attend three talks though, each of which was very interesting.

Early in the morning, Antonios Atlasis, Enno Rey and Rafael Schaefer gave a presentation on IPv6. A few years ago, I wrote an article about the security implications of the switch to IPv6, the most important takeaway from which was that IPv6 isn't just IPv4 with longer addresses - it is a new protocol, in which many things work rather differently, and this has implications for security.

One thing that distinguishes IPv6 from IPv4 is the ability to use 'extension headers'. These make the protocol rather flexible and allow for future extensions that we haven't even though of. But, as Antonios, Enno and Rafael showed, combined with packet fragmentation, these extension headers tend to confuse intrusion detection and prevention systems (IDPS).

The researchers were able to evade many such a system this way - which they showed in a number of live demos. They had, of course, contacted the vendors, but a lack of response had encouraged their decision to go full disclosure.

Ashar Javed is writing a Ph.D. thesis at the University of Bochum, while earning money on the side from bug bounties paid to him for finding cross-side scripting (XSS) vulnerabilities in web-based WYSIWYG editors.

In his presentation, Ashar not only showed that all such editors are vulnerable, he also explained in great detail how one goes about finding such vulnerabilities. Finally (and, judging by the questions as well as this blog post, most controversially), Ashar shared a simple trick with the audience for blocking XSS attacks. He offered a bounty to anyone who could find a vulnerability in an editor set up this way. Despite more than 82k attempts — he keeps track of attacks through his web server logs — it has yet to be broken.

The final talk of the conference was one which had received some attention beforehand: Trustwave SpiderLabs researcher Oren Hafif speaking about reflected file downloads (RFD). I had been slightly sceptical about the seriousness of the issue, but Oren quickly convinced me that the issue he addressed is one to take seriously.

Using a surprisingly simple trick that reminded me both of XSS and of the incorrect parsing that is the basis of the Shellshock exploit, Oren was able to create URLs on popular domains such as or that downloaded malware onto the machine of anyone accessing such links.

Fixing RFDs is not going to be easy, given the large number of websites that reflect user input, typically via a JSON response. Google and Microsoft, both of whom had been informed about RFD vulnerabilities in their sites in May, have now fixed this issue and one would hope for other vulnerable sites to follow quickly. At the same time, it wouldn't hurt for client-side security software to be aware of RFD attacks.

With four parallel streams and an 'Arsenal session', I only attended about one fifth of the presentations. Among those that I missed was that of Xeno Kovah (The MITRE Project), whose presentation on BIOS-level attacks was well received at VB2014. Those that I did see, though, were all well presented and interesting.

Thanks to Xavier Mertens, whose blogs (day 1, day 2) helped me refresh my memory on the talks I attended.

Posted on 20 October 2014 by Martijn Grooten



Latest posts:

New paper: Collector-stealer: a Russian origin credential and information extractor

In a new paper, F5 researchers Aditya K Sood and Rohit Chaturvedi present a 360 analysis of Collector-stealer, a Russian-origin credential and information extractor.

VB2021 localhost videos available on YouTube

VB has made all VB2021 localhost presentations available on the VB YouTube channel, so you can now watch - and share - any part of the conference freely and without registration.

VB2021 localhost is over, but the content is still available to view!

VB2021 localhost - VB's second virtual conference - took place last week, but you can still watch all the presentations.

VB2021 localhost call for last-minute papers

The call for last-minute papers for VB2021 localhost is now open. Submit before 20 August to have your paper considered for one of the slots reserved for 'hot' research!

New article: Run your malicious VBA macros anywhere!

Kurt Natvig explains how he recompiled malicious VBA macro code to valid harmless Python 3.x code.

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.