Orange County Chapter

Program, December 2008

Discovering and exploiting 0-day vulnerabilities on Linux

Monday, December 8, 7-9 pm

Kristian has provided a copy of his slides and an archive of his examples. We also have an audio recording of his presentation.

Have you ever wondered how vulnerabilities are found by security researchers? Would you like to understand the process that a researcher goes through once a bug has been identified? At the UUASC OC December meeting, member Kristian Erik Hermansen will help us understand a bit more about these topics.

Kristian will take us on a journey through a few specific vulnerabilities and how he exploited them. One of the bugs is in a simple cross-platform C application with some protection mechanisms in place. The C source code will be provided to the audience for review. After mulling over the possible attack surfaces of this application, he will then walk through some example exploit scenarios. This will cover exactly each step along the way that may trip up the exploiter and how to circumvent each obstacle. This is not going to be a straight buffer overflow attack in a C application. The method of exploitation will be semi-advanced and will not include overwriting of stack/heap pointers.

The second vulnerability will be in a web application. Kristian will walk through how he discovered and exploited the Google cookie stealing issue published in June of 2008. He will give his thoughts on manual testing versus some of the free webapp security tools available for Linux. He will touch on well-known techniques like XSS, CSRF, and SQL injection.

Finally, Kristian will briefly discuss how he discovered and exploited a file format bug via fuzzing and was able to verify that Google's GMail attachment malware scanner was vulnerable to my crafted concoction.

Kristian is an occasional security dude aged 0x1A. He got into "hacking" in his early teen years by messing around with video game cheats. He extended that interest into software cracking on Windows and network security. Things just seemed to balloon out from there. He started work in the Fortune 500 at seventeen years old, right out of high school, and has since worked for IBM, Cisco Systems, EMC, and others. Now he enjoys riding bicycles long distances, hiking, and playing music. He also needs to fill his time outside of work with intellectual stimulation and gets that done by breaking systems. His day job involves playing defense. He says he is not as smart as most of the famous security guys you have heard about from Black Hat and other places, so you can just imagine what his skills indicate about what the people you don't hear about can do via the Internet :-)

Back to the UUASC Orange County overview