I spent the last week at the “Hacker Summer Camp” of Black Hat and DEFCON. Besides meeting people and enjoying the dual craziness of the DEFCON crowd and the Black Hat business hall, we also gave a well-received lecture: Escalating Insider Threats Using VMware’s API. Ofri Ziv, Head of GuardiCore Labs, presented a backdoor we discovered in VMware’s remote administration API, enabling vSphere users to quickly and easily take over guest machines without providing guest credentials (check out our slides).
I had time to go to quite a few talks. As usual, some were good, some had an interesting subject but would have been more appropriate as a blog post, and some were just great. I thought I’d share some of my favorites:
1. “Attacking Battle Hardened Windows Servers”. At DEFCON, Lee Holmes, security architect at Microsoft, reviewed the Just Enough Administration feature in PowerShell. Using a combination of roles and virtual accounts, administrators can utilize one-time, locked-down credentials per task. In this situation, compromised credentials don’t matter, since they are heavily limited and automatically disabled within a short timeframe. Amazingly, he covered that in 10 minutes.
In the next nine minutes, Lee covered a series of code injection vulnerabilities that enable attackers to bypass these protections. He concluded by explaining how Microsoft methodically closed these vulnerabilities and released the tool used for that purpose.
2. Embedded research is back. Both Christopher Domas and Nitay Artenstein presented high-quality embedded research: undocumented CPU features and bugs in Wi-Fi firmware, respectively.
3. Domas gave a great lecture on undocumented instructions in x86 CPUs. The trick to finding these instructions involves a subtle edge case in the x86 specification that creates a difference between unknown and incorrect instructions. Using this trick he discovered a multitude of undocumented instructions and at least one hardware security bug. Unfortunately, details on these unknown opcodes were not available, but hopefully we’ll see someone continue his research online.
4. Attacking developer machines with Docker. Sagie Dulce presented how to take a series of classic attacks and adapt them to attacking Docker engines. A malicious website can send a blind HTTP request that starts up a new Docker instance. From there, using LLMNR network poisoning, the attacker escalates her privileges until she can persistently run code on the developer’s machine. While no single part of the attack is new, tying these together to attack a Docker engine is novel. Thankfully, the attack relies on a setting that will be off by default in newer versions of Docker.
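To make the “roles plus virtual accounts” model from item 1 concrete, here is an added example of a minimal JEA endpoint. It is not code from Lee’s talk or from this post; the endpoint name (JeaDemo), the group (CONTOSO\DnsOperators), the user (CONTOSO\alice) and the paths are assumptions chosen for illustration. It also shows, side by side, the injection pattern the talk warned about (input re-parsed as code with Invoke-Expression) and the safe form (input passed as a validated argument). Run it in an elevated PowerShell 5.1 or later session on a Windows host with PowerShell Remoting enabled.

```powershell
# Added example: a minimal JEA endpoint. All names and paths are assumptions.
$moduleRoot = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\JeaDemo'
$rcDir      = Join-Path $moduleRoot 'RoleCapabilities'
New-Item -ItemType Directory -Path $rcDir -Force | Out-Null

# 1. Module holding the functions a role may expose.
#    Restart-DnsUnsafe is the injection class from the talk: $Name is spliced into a
#    string and re-parsed as code, so a value like 'Dns; <anything>' runs <anything>
#    as the virtual account (a local administrator). It is deliberately NOT exported
#    below; it is here only for contrast.
#    Restart-DnsSafe passes $Name as an argument and restricts it with ValidateSet,
#    so it is only ever data.
@'
function Restart-DnsUnsafe {
    param([string]$Name)
    Invoke-Expression "Restart-Service -Name $Name"   # never do this inside JEA
}
function Restart-DnsSafe {
    param([ValidateSet('Dns')][string]$Name)
    Restart-Service -Name $Name
}
'@ | Set-Content -Path (Join-Path $moduleRoot 'JeaDemo.psm1')
New-ModuleManifest -Path (Join-Path $moduleRoot 'JeaDemo.psd1') -RootModule 'JeaDemo.psm1'

# 2. Role capability: the whitelist of commands a DnsOperator may run, with
#    parameter values pinned where the cmdlet is general-purpose.
New-PSRoleCapabilityFile -Path (Join-Path $rcDir 'DnsOperator.psrc') `
    -ModulesToImport 'JeaDemo' `
    -VisibleFunctions 'Restart-DnsSafe' `
    -VisibleCmdlets @(
        @{ Name = 'Get-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Dns' } }
    )

# 3. Session configuration: map an AD group to the role, run every session as a
#    transient virtual account instead of the caller's own credentials, and
#    transcript everything that happens in the session.
$pssc = Join-Path $env:TEMP 'JeaDemo.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\ProgramData\JeaTranscripts' `
    -RoleDefinitions @{ 'CONTOSO\DnsOperators' = @{ RoleCapabilities = 'DnsOperator' } }
Register-PSSessionConfiguration -Name 'JeaDemo' -Path $pssc -Force | Out-Null

# 4. Preview exactly what a given user would be able to run, without connecting.
#    Expect Restart-DnsSafe, Get-Service and the handful of built-in JEA commands,
#    and nothing else.
Get-PSSessionCapability -ConfigurationName JeaDemo -Username 'CONTOSO\alice' |
    Select-Object Name, CommandType
```

A member of CONTOSO\DnsOperators connects with `Enter-PSSession -ComputerName <host> -ConfigurationName JeaDemo`; the transcript written to the configured directory records the "WinRM Virtual Users\WinRM VA_..." identity the session ran as, which is what makes the credential useless to an attacker once the session ends. The point of the unsafe/safe pair is the talk’s: the sandbox is only as strong as the exposed functions, and any of them that turns caller input back into code hands the virtual account’s administrator rights to the caller.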
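As a check to go with item 4, here is an added example (not from Sagie’s talk or this post) that a developer can run to see whether their own workstation is exposed. It assumes that the opt-in setting in question is the Docker for Windows option to expose the daemon on tcp://localhost:2375 without TLS; the function name Test-DockerDaemonExposed, the host and the port are illustrative defaults. It only probes the daemon’s `/version` endpoint and changes nothing.

```powershell
# Added example: is the local Docker Engine API reachable over plain, unauthenticated
# TCP? Assumes the Docker for Windows "expose daemon on tcp://localhost:2375 without
# TLS" setting is what the attack depends on; host/port are illustrative defaults.
function Test-DockerDaemonExposed {
    param(
        [string]$DockerHost = 'localhost',
        [int]$Port = 2375
    )

    # Step 1: is anything listening at all? Test-NetConnection is built into Windows.
    $tcp = Test-NetConnection -ComputerName $DockerHost -Port $Port -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) {
        return [pscustomobject]@{ Exposed = $false; Reason = "nothing listening on ${DockerHost}:${Port}" }
    }

    # Step 2: does it answer the Engine API without any credentials? /version is a
    # read-only endpoint, so the probe is harmless.
    try {
        $v = Invoke-RestMethod -Uri "http://${DockerHost}:${Port}/version" -TimeoutSec 3
        [pscustomobject]@{
            Exposed = $true
            Reason  = "unauthenticated Engine API, Docker $($v.Version) (API $($v.ApiVersion))"
        }
    } catch {
        [pscustomobject]@{
            Exposed = $false
            Reason  = "port open but not an unauthenticated Engine API: $($_.Exception.Message)"
        }
    }
}

Test-DockerDaemonExposed
```

If `Exposed` comes back `$true`, anything on the machine that can issue an HTTP request to localhost (including a web page you happen to have open) can create containers on your behalf; the fix is to turn the TCP exposure off, or, if a remote client genuinely needs it, front the daemon with TLS client authentication rather than leaving it on an unauthenticated port.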
As usual, Black Hat and DEFCON were both fun and educational. This year I didn’t have time for any contests but I’m looking forward to next year’s Web CTF and lockpicking village!