Today's sessions were interesting. The first one was a Chinese researcher (Sun Bing) who has found some vulnerabilities in VMWare and he was discussing them. I sat in the front row, right in front of the speaker, and his soft voice and minimal English vocabulary prevented me from grokking most of what was presented. From what I gathered his vulns were all concerned with local EoP from user to admin (or system) on Windows boxes running VMWare (i.e. not breaking out of the guest but rather using VMWare flaws to elevate privs on the host OS from standard user to higher). The first one he talked about was basically an .INI file that VMWare uses to figure out where some high-privilege EXE is that it should run (I think it's an extensions process). He showed that basically the ACLs on the .INI were such that standard users could edit it and so replace the path to the VMWare exe with the path to their own EXE. All you had to do was edit the INI and then wait for an admin to start a VM and it would then run the extensions process. This was a recently patched vuln. Then it got harder to understand / follow, but it appeared to me that he was able to write an EXE that could talk to the VMWare 'authd' services running at high privilege and get that to write to kernel memory via some interesting IOCTLs? It was hard to follow, but he showed his console app running as a standard user being elevated to SYSTEM and he mentioned (again I think) modifying the EPROCESS blocks in memory. I can't remember if this one was patched yet or not.
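The .INI bug above is the classic "privileged process trusts a world-writable config file" pattern, so here is an added defender-side check (my own example, not from the talk or from VMWare) that audits a config file, the executable path it names and that executable's directory for write access granted to low-privilege principals. The file path and the INI key name are placeholders, not VMWare's real ones.

```powershell
# Added example: audit a config file a privileged service reads, plus the EXE it
# points at, for ACEs that let low-privilege users modify them.
param(
    [string]$IniPath = 'C:\ProgramData\Example\config.ini',  # placeholder path (assumption)
    [string]$ExeKey  = 'ExePath'                             # placeholder INI key (assumption)
)

# Principals that should never hold write-type rights on anything a privileged process trusts.
$LowPrivPrincipals = @('Everyone', 'BUILTIN\Users',
                       'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Any of these rights lets the holder swap the file contents or replace the file outright.
$R = [System.Security.AccessControl.FileSystemRights]
$WriteRights = $R::Write -bor $R::WriteData -bor $R::AppendData -bor $R::Modify -bor
               $R::FullControl -bor $R::Delete -bor $R::TakeOwnership -bor $R::ChangePermissions

function Get-WeakWriteAces {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    $acl = Get-Acl -LiteralPath $Path
    # Inherited ACEs count too: a weak ACE on the parent directory is inherited by the file.
    @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $LowPrivPrincipals -contains $_.IdentityReference.Value -and
        ([int]($_.FileSystemRights -band $WriteRights)) -ne 0
    })
}

$findings = @()
foreach ($ace in Get-WeakWriteAces -Path $IniPath) {
    $findings += "$IniPath writable by $($ace.IdentityReference): $($ace.FileSystemRights)"
}

# Pull the executable path out of the INI (simple key=value parse) and audit it and its folder.
$exePath = $null
foreach ($line in (Get-Content -LiteralPath $IniPath -ErrorAction SilentlyContinue)) {
    if ($line -match "^\s*$ExeKey\s*=\s*(.+?)\s*$") { $exePath = $Matches[1].Trim('"'); break }
}
if ($exePath) {
    foreach ($target in @($exePath, (Split-Path -Parent $exePath))) {
        foreach ($ace in Get-WeakWriteAces -Path $target) {
            $findings += "$target writable by $($ace.IdentityReference): $($ace.FileSystemRights)"
        }
    }
}

if ($findings.Count -gt 0) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output "No low-privilege write access to $IniPath or the executable it names." }
```

Run it as an ordinary user against any config file a service or scheduled task consults; a warning means the fix is to tighten the ACL (admin/SYSTEM only), not just to patch the one product.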
EDITED 3/27/2008: I had a chance to talk with Oded from VMWare and clear up my confusion about how the VMSafe security agent technology works, so read my Day 2 post if you're interested in more accurate reporting. :) Oded took some blame for the confusion because during some of his demos he was running compiled code on the host OS that was talking to the hypervisor and it wasn't clear that it was compiled (vs. a script) etc. He talks pretty fast. :) Anyhoo - the demos were using compiled code - and it was using the VMSafe APIs not VProbes, and eventually that code will run in just another VM alongside the VM that it's protecting / monitoring.
During Oded's presentation a local news crew was there and Dragos interrupted him to announce the rules of the PWN2OWN contest. Here's the breakdown:
Day 1: $20k in reward money (via ZDI) for any remote pre-auth type vuln against a bare OS (so basically wifi driver sploits or network based attacks against a service).
Day 2: Attack vector / scope will be increased to local client side apps and the reward goes down to $10k for those.
Day 3: They pile on some prevalent 3rd party apps and / or will install apps upon request (but they can't be lame apps etc.).
I checked after the nearly-last presentation and I think they'd only had a sign-up for Day 2's festivities, so it doesn't look like any OSes are getting popped for the $20k reward.
After Oded's talk we had Rich Cannings from Google give one of the better talks of the day. He gave us some insight into Flash based XSS attacks and how he ventured into this area. Basically Flash and the underlying ActionScript 2.0 language is full of XSS opportunities - many of which are considered by Adobe to be 'programming errors' by the developers . . . but in some cases the 'developers' are templated code that is spit out by various Flash authoring tools. Someone asked about Silverlight and whether it was vulnerable and Rich said he hadn't tested it. :)
After Rich, Sergio Alvarez from nRuns was up to talk about pwning AV software. His talk was like 80% trying to convince an already very convinced audience about why AV software is actually increasingly a liability vs. an asset. He talked about some flaws he's discovered in, for example, eTrust with CAB file parsing that allowed code execution. He showed some vendor communications he's had with various vendors that were mostly hilarious (one vendor responded that an EIP set to 0x41414141 was 'just a crash' referencing invalid memory or something to that effect and they didn't see how that was exploitable!). He unfortunately didn't get to any cool demos until the very, very end of his talk and he tried using Metasploit on his notebook and didn't seem to have rehearsed things because the audience had to help him through getting remote shells on his victim VPCs using the framework. Great - I just cursed myself - my demos will probably suck.
Well, that was my Day 1 - so far I really like the con . . . it's smaller than Blackhat and the audience is pretty cozy and not afraid to shout out questions . . .