Infosec 2002 UniNet

viZard We start the conference in a few minutes
georgi shall we start?
viZard Fine
viZard Our next guest is Georgi Guninski
viZard an independent security consultant and author of many bug discoveries
georgi hi people :)
georgi the document is available online at:
georgi http://www.guninski.com/umeet.txt
georgi i am just pasting from it
georgi the pronunciation of my name is available at:
georgi http://www.guninski.com/bgname.html
georgi it sounds strange on some computers
georgi so i have prepared a little chat about client side security
georgi Contents:
georgi *) Disclaimer
georgi *) Importance of client side security
georgi *) Interactions between components/applications on the clients computer
georgi *) Cross application scripting
georgi *) Mixing code and data leads to interesting results
georgi *) Hacking XML
georgi *) Disclaimer
georgi Georgi Guninski bears no responsibility for content or misuse of this 
georgi stuff or any derivatives thereof.
georgi *) Importance of client side security
georgi When it comes to (in)security most people associate it with defacing
georgi websites, breaking into databases and similar stuff and client side
georgi security is in second place. Server side security and client side are connected
georgi - if one compromises a server he may easily attack a lot of clients
georgi (especially if the server hosts applications which users download) and on
georgi the other hand if one compromises a client this may greatly help him attack
georgi servers on the internal network. Some real world examples come from the
georgi comments of the defaced sites available at http://www.alldas.de
georgi *) Interactions between components/applications on the clients computer
georgi Some of the vulnerabilities on the client side come from the fact that
georgi applications on the client computer (programmatically) communicate between
georgi themselves. This is especially noticeable in the windoze world where
georgi activex makes hell. I personally am old-school and strongly prefer pasting
georgi text between terminals instead of some application communicate with other.
georgi The problem is one application may be safe when used alone but when another
georgi application scripts it, it is quite dangerous. Good examples in the windoze
georgi world are vulnerabilities involving IE, Windows Media Player and Office
georgi applications.
georgi *) Mixing code and data leads to interesting results
georgi Another thing that leads to client side vulnerabilities is mixing code and
georgi data. This is kind of similar as in buffer overflows where a simple strcpy()
georgi may change program flow. In client side attacks usually code and data are
georgi mixed in some file format, probably the most notable being HTML. AFAIK HTML
georgi was designed to allow hypertext linking but nowadays it allows embedding of
georgi ECMAScript and java. In the windows world activex makes things worse but allowing
georgi sorry i mean *BY* allowing
georgi native code to run thru the browser. So the browser turns into kind of virtual
georgi machine executing remote code - attempts are made to sandbox the virtual
georgi machine but that is not always the case. 
georgi Office applications also mix code (macros) and content. So it is no
georgi surprise there are so many macro viruses.
georgi Another mixing of code and data is the so called "cross site scripting" -
georgi it allows injecting html and javascript in the response returned by a
georgi trusted web server and basically allows stealing cookies and affects web
-sarnold- i'm going for food, hope to be back shortly ...
georgi services. Currently the solution to this is escaping user input, but I
georgi personally strongly doubt that a *complete* solution may be achieved until
georgi some change in browsers is implemented which stops all scripts after a given
georgi tag or point. 
georgi *) Cross application scripting
georgi Here is an example of how programmable communications between applications lead
georgi to a vulnerability:
georgi http://www.guninski.com/m$oxp-2.html
georgi So we have a word document which contains activex object - ms spreadsheet
georgi component. We can't embed macros or scripts because they don't get executed
georgi for security reasons. But the ms spreadsheet component is something like
georgi miniexcel which allows embedding of formulas which are also kind of code.
georgi Since in the unix world off by one exploits and double free()s are
georgi exploitable, there is some chance this also may be exploitable. Here comes
georgi the "=Host()" function. According to the help file that is sold with Office
georgi XP it "Returns the container object that is hosting the Spreadsheet
georgi component". So RTFM often helps. In this case we do something like the ".."
georgi trick. After the Word document object is gotten, it is possible to invoke
georgi its SaveAs() method and specify filename in the windows startup folder
georgi which gets invoked on login.
georgi *) Hacking XML
georgi XML is gaining more and more popularity, so probably it may be target of
georgi security attacks. XML also kind of mixes code and data thru xml stylesheet,
georgi which may turn profitable for attacks. Attacks based on xml stylesheets are
georgi available at: 
georgi http://www.guninski.com/oraxsql.html (Oracle)
georgi http://www.guninski.com/iexslt.html (IE) 
georgi that's all folks :)
cronos georgi thnx : )
Session Start: Mon Apr 15 15:37:36 2002
viZard uff
tomac plas plas
viZard PLAS PLAS PLAS PLAS PLAS 
walterla Clack clack clack..
robotito everybody to the coffee shop
cronos georgi a bit of a slow response here, there are quite a few things happening at the same time
viZard Thanks Georgi
sarnold georgi: thank you for your presentation :)
sarnold georgi: all too often, the client is overlooked
Stash just a question... Don't you think that this kind of risks you've just explained, compromises all internal security, even more than external security?
georgi np :)
MJesus clap clap clap clap clap clap clap clap clap clap
MJesus thanks !!
sarnold georgi: I've even seen bug reports in mail clients ignored completely, because it would require a corrupt server to exploit the problems ...
Cuqui plasplasplasplasplasplas
maximus hellooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
georgi Stash: sorry but what do you mean by "external"
Guadalupe good afternoon from PERU
georgi sarnold: bring em to bugtraq ;)
sarnold georgi: sadly, that _was_ on bugtraq :(
cronos please post the questions in #qc, we need to leave the channel on +m for a few minutes more
georgi sarnold: can't remember this at the moment but sounds serious
cronos questions are asked in the channel #qc, thanks
viZard georgi, join #qc to read the questions please
cronos viZard your irc client bailed out just before he finished
viZard just before? uff, what a relief
sarnold join us tomorrow
sarnold I expect milton amador to talk about transparent squid proxying/caching with cisco systems
cronos georgi a 100+ people read your conference here
cronos today
sarnold rik van riel will discuss intellectual property laws in the face of DMCA, SSSCA, and other legislation
sarnold and probably KF will discuss format string vulnerabilities
cronos thanks for taking the time to share with us
cronos this is the first time we do this, so we will have a few boo-boos on the way, but we hope to get better
cronos please post all questions on #qc, thanks
cronos questions go to the channel #qc, thanks
sarnold #redes is still doing the english translation from the first presentation ...
sarnold MJesus has mentioned that #fyq is also doing translations at the moment
cronos there is a small lag between the presentations in #infose and the trans. at #fyq
sarnold < vanguardi:#qc> georgi: how do you see C# and .net (and passport) in terms of their security features? and how do they differ in your view from java's security implementation?
sarnold < georgi:#qc> i have not played with them so i can't give opinion < georgi:#qc> but having in mind there are java holes
sarnold < georgi:#qc> and i have heard that C# allows something like pointers 
sarnold                     probably they are dangerous
sarnold < georgi:#qc> if i remember correctly i read something like microsoft has disallowed c# from the internet zone and allows it only from intranet - www.theregister.co.uk
sarnold < deneb:#qc> georgi: in your opinion, most flaws in common browsers are due to their design or implementation? Is possible a secure design for a browser?
sarnold < georgi:#qc> deneb: most of the bugs are by implementation, but activex is brain damaged by design
sarnold < VadER:#qc> so, georgi, what do you think is more important for client-side security, content filtering or users education?
sarnold < georgi:#qc> VadER: sure, you may be quite compromised by client side. more than hacking your web server
sarnold < vanguardi:#qc> georgi: how do you find bugs? do you run a test scripts and see what happens? do find most of them on purpose using known possible programming security exploits?
cronos I am going to remove the +m, but please, let's stay calm here so the speaker can talk. I will take the +m here, but please limit the msgs here to the topic just presented, thanks
sarnold < georgi:#qc> vanguardi: i just test non standard things. no special methodology
sarnold < VadER:#qc> Do you think personal firewalls are a tool that can help windoze users to keep safe from this kind of attacks? There are some versions with some actions/content filtering
sarnold < georgi:#qc> VadER: sure personal fwl is much better than nothing but it can't solve everything. it does not help much against unknown malware i think
georgi re
cronos we will take questions here, it might be better, please limit the msgs to the topic presented
cronos thanks
georgi sorry but i don't see the question
cronos georgi some of the questions are being posted in #qc
georgi cronos: i answered some and then i dropped
cronos i just took the +m here, so people can ask from this channel 
MJesus but let all of them be answered here, ok?
sarnold < robotito:#qc> is it possible, when somebody activates any kind of scripting in kmail/evolution, to have this kind of vulnerabilities?
sarnold < georgi:#qc> robotito: have not checked evolution yet
sarnold any more questions for georgi? 
*** Cielote has joined #infosec
cronos any other question for georgi?
sarnold georgi: I want to thank you for giving a lecture here at Uninet; hopefully, with what we learn from this lecture series, we will be able to run the next one more smoothly :)
cronos georgi i do not have any question, i hardly ever use MS, much less Explorer
sarnold georgi: and, hopefully, by then, companies will begin to take client-side security seriously.
kdev any other lecture today ???
cronos one more
deneb The major problem which we encounter is educating our users, who many times don't know how to turn on a PC-
cronos ohh, i did not know that borja suspended his
cronos deneb most of the windows users i have seen do not have a clue about security issues
georgi <MJesus> georgi, please could talk a little, about attacks for XML ? (at #infosec, if you like)
horacio system's message: "User Error. Replace user and hit any key"
georgi MJesus: do you expect me to disclose a 0day? :)
MJesus yes
MJesus :))
eid0 hehe
georgi MJesus: sorry but don't have a 0day at hand ;)
MJesus ok, thanks!
viZard Georgi, Thanks a lot for this talk
deneb XML attacks seem a promising way, is there a particular method for finding one again?
* cronos side note: if any one is interested, my presentation is on http://www.linux-tech.com/fswan.html , i offered my space so we could allow other people here, thanks
georgi deneb: look at the examples i gave
viZard Georgi, Thanks a lot for this talk, i personally enjoyed a lot :))
*** Anarion has quit IRC (leaving)
MJesus clap clap clap clap clap clap clap clap clap clap
horacio clap clap clap
viZard PLAS PLAS PLAS PLAS PLAS PLAS (virtual applause)
viZard PLAS PLAS PLAS PLAS PLAS PLAS (on feet)
jose_n clap*1000
deneb LEGENDARY!!!!! LEGENDARY!!!!
Linuxusr will Jaime Sanchez: Identificación TCP/IP be translated to english and posted some where?
kiel for(::) clap
viZard all logs will be posted at http://infosec.uninet.edu very soon
MJesus BRAVO BRAVO BRAVO 