Joshua Smith

https://bsidesaustin2018.sched.com/event/DuGQ/how-not-to-patch-command-injection-bugs

In 2014 ZDI received a report of a command injection vulnerability in Dell's Sonicwall GMS Virtual Appliance. Normally this type of analysis is relatively simple. However, this analysis took a windy path from the JSP web interface through two XMLRPC sockets, to a binary, which delegated to shell scripts, which sourced yet another shell script that actually parsed attacker-supplied input. All this, just… Show more

https://bsidesaustin2018.sched.com/event/DuGQ/how-not-to-patch-command-injection-bugs

In 2014 ZDI received a report of a command injection vulnerability in Dell's Sonicwall GMS Virtual Appliance. Normally this type of analysis is relatively simple. However, this analysis took a windy path from the JSP web interface through two XMLRPC sockets, to a binary, which delegated to shell scripts, which sourced yet another shell script that actually parsed attacker-supplied input. All this, just to make simple host modifications. Presumably, the code complexity drove the developers to patch this bug at the webapp level, instead of closer to the root cause. The resultant patch was immediately bypassed and the subsequent patch was also flawed.

A few months later, other researchers reported an additional attack vector involving direct communication with one of the XMLRPC sockets to trigger the same underlying vulnerability outlined in the very first ZDI report.

Ultimately, it appears the soft chewy center remains, but the crunchy outer shell has been significantly hardened, and thus, the hunt continues. This talk will detail the various patch attempts, how they failed or succeeded, and how they were analyzed, bypassed, and exploited with a Metasploit module we are releasing. We'll also discuss the much more comprehensive defense measures currently implemented by the developers. Show less

The HDMI (High Definition Multimedia Interface) standard has gained extensive
market penetration. Nearly every piece of modern home theater equipment has
HDMI support and most modern mobile devices actually have HDMI-capable outputs,
though it may not be obvious. Lurking inside most modern HDMI-compatible
devices is something called HDMI-CEC, or Consumer Electronics Control. This is
the functionality that allows a media device to, for example, turn on your TV
and change the… Show more

The HDMI (High Definition Multimedia Interface) standard has gained extensive
market penetration. Nearly every piece of modern home theater equipment has
HDMI support and most modern mobile devices actually have HDMI-capable outputs,
though it may not be obvious. Lurking inside most modern HDMI-compatible
devices is something called HDMI-CEC, or Consumer Electronics Control. This is
the functionality that allows a media device to, for example, turn on your TV
and change the TV’s input. That doesn’t sound interesting, but as we'll see in
this presentation, there are some very surprising things an attacker can do by
exploiting CEC software implementations. Then there's something called HEC or
HDMI Ethernet Connection, which allows devices to establish an Ethernet
connection of up to 100Mbit/s over their HDMI connections (newer HDMI standards
raise the speed to 1Gbit/s).

Don't think your mobile phone implements CEC? You might be wrong. Most modern
Android-based phones and tablets have a Slimport(r) connection that supports
HDMI-CEC. Ever heard of MHL (Mobile High-Definition Link)? Think Samsung and
HTC (among other) mobile devices, and many JVC, Kenwood, Panasonic, and Sony car
stereos – as many as 750 million devices in the world so far. Guess what? MHL
supports HDMI-CEC as well. Let's explore, and own, this attack space. Show less

CVE-2014-8361 (ZDI-15-155, Realtek rtl81xx chipset SDK miniigd vulnerability), recently disclosed by the Zero Day Initiative, provides a depressing example of why near-intractable vulnerabilities will continue to plague the tech industry - and will only get worse as we fully embrace the Internet of Things.

One characteristic of the so-called Internet of Things (IoT) is short development and deployment cycles. The typical IoT device competes in a market where short time-to-market is as… Show more

CVE-2014-8361 (ZDI-15-155, Realtek rtl81xx chipset SDK miniigd vulnerability), recently disclosed by the Zero Day Initiative, provides a depressing example of why near-intractable vulnerabilities will continue to plague the tech industry - and will only get worse as we fully embrace the Internet of Things.

One characteristic of the so-called Internet of Things (IoT) is short development and deployment cycles. The typical IoT device competes in a market where short time-to-market is as important as the features the device provides. A key enabler of these rapid processes is utilization of commercial off-the-shelf (COTS) components. In order to take full advantage of COTS parts, IoT vendors are dependent on the Software Development Kits (SDKs) provided by the parts' suppliers. The SDKs reduce the complexity and duration of the IoT vendors' own software development effort. In some cases, the SDK may be minimal, consisting mainly of a few application programming interfaces (APIs). When hardware is involved, the SDK usually also includes a driver for the hardware.

Commonly, however, these SDKs consist of myriad pieces including debuggers, dedicated integrated development environments (IDEs), miscellaneous tools, documentation, and sample code. One could say they sometimes include everything but the kitchen sink. In some cases the SDK ships with production code that the IoT vendor may utilize directly and, knowingly or unknowingly, ship with the product without modification. The product may even be dependent on this code and unable to function properly without it. Therefore, a vulnerability in an SDK component can have far-reaching implications, especially if the component is widely used and the vulnerability is publicly reachable. Show less

This article was first published in PenTest Magazine, Vol.2 No.9 ISSN: 2084-116 Issue 09/2012(17) September.

Ever wanted a tour of the Metasploit Framework (MSF)? If you have basic command line skills, and a working knowledge of networking and how hosts are compromised, you can take a guided tour from someone who started as a tourist and ended up as a tour guide. You’ll see how you can use MSF for all sorts of tasks and learn to write your own magic for yourself or to share. The tour… Show more

This article was first published in PenTest Magazine, Vol.2 No.9 ISSN: 2084-116 Issue 09/2012(17) September.

Ever wanted a tour of the Metasploit Framework (MSF)? If you have basic command line skills, and a working knowledge of networking and how hosts are compromised, you can take a guided tour from someone who started as a tourist and ended up as a tour guide. You’ll see how you can use MSF for all sorts of tasks and learn to write your own magic for yourself or to share. The tour doesn’t make every possible stop, but you’ll be informed, entertained, and well on your way to mastering Metasploit. Show less

To see the video of the presentation: http://blip.tv/sourcebarcelona2011/metasploit-hacker-s-swiss-army-knife-5860160

Metasploit: Hacker's Swiss Army Knife
(Jonathan Cran, Rapid7 / Joshua Smith JHUAPL)

Metasploit is a well-known exploit development and pentesting framework, but its power is not limited to only those domains. Taking a shotgun approach to the presentation, the speakers will show attendees how to tap metasploit to automate and simulate attacker actions, create… Show more

To see the video of the presentation: http://blip.tv/sourcebarcelona2011/metasploit-hacker-s-swiss-army-knife-5860160

Metasploit: Hacker's Swiss Army Knife
(Jonathan Cran, Rapid7 / Joshua Smith JHUAPL)

Metasploit is a well-known exploit development and pentesting framework, but its power is not limited to only those domains. Taking a shotgun approach to the presentation, the speakers will show attendees how to tap metasploit to automate and simulate attacker actions, create and automate a test lab, perform network device (such as ips/ids) testing, schedule regular regression tests, train defenders, and generally how to bend Metasploit to your will. Attendees are encouraged to bring a helmet, this is a demo- and code-heavy presentation!

Jonathan Cran (jcran) is the Director of Quality Assurance and an engineer with the Rapid7 Metasploit team. He's consulted and performed technical security assessment for a wide range of verticals and maintains a blog at www.pentestify.com. Joshua Smith (kernelsmith) is a security engineer at the Johns Hopkins University Applied Physics Laboratory (JHUAPL) , performed penetration testing for the US military for 3 years, and is an active member of the Metasploit community. Show less