Three New Classes of Vulnerabilities with No Cure Whatsoever
LAS VEGASI just sat down with Danny Allan, director of security researcher at Web application security company Watchfire, and he summed it up: For the first time in years, people are walking out of Black Hat presentations shaking their heads, having learned about new classes of vulnerabilities for which there's simply no solution.
No workaround, no nothing, nada, zip.
First, there's Joanna Rutkowska's always-a-packed-crowd-inducing Blue Pill virtualization rootkit, back again a year after its Black Hat debut, built from the ground up, new and improved and still as (nearly) impossible to detect as ever. Matasano's Tom Ptacek and Nate Lawson in a morning session did a valiant job attempting to prove that there's no such thing as 100 percent undetectable, in a session boldly titled "Don't Tell Joanna, The Virtualized Rootkit is Dead."
Um, no. Rutkowska basically took all of their proposed Blue Pill detections and proved that they haven't been tested, testing them herself and finding they fail, for various reasons. Not to say that Rutkowska would ever rub salt in a wound, but then she went and improved on Matasano's Blue Pill detection schemes. They still basically failed. Give me a few hours or a day and go check out eWEEK.com; I'm planning to write on that one in more detail.
At any rate, Blue Pill is one new class of attack for which there is no viable defense. No Blue Pill-derived attack has ever been detected in the wild, fortunately, but as Vista adoption picks up steam, nobody's expecting this rosy state of affairs to last. The more malevolent players online are already discussing Blue Pill; it's just a matter of time before it's put into play as a weapon.
Another no-solution attack, anti-DNS pinning, was presented by David Byrne, with IOActive Director of Penetration Testing Dan Kaminsky coming to the same conclusion from a different direction with his work on the revitalization of an old DNS rebinding bug that's been around since 1996. In a nutshell, from Kaminsky's side of the coin, all he needs to bypass firewalls, penetrate VPNs and remotely cherrypick any resource available on a vulnerable system is to bounce off a lured Web browser.
The DNS problems share a similarity with the problems that have been introduced by pairing XSTL (eXtensible Style Sheet Language Transformations) up with the ability to do arbitrary code execution (as described by Brad Hill, principal security consultant with iSec Partners, in a session called "Attacking Web Service Security: Message Oriented Madness, XML worms and Web Service Security Sanity"). The similarity is that both attack vectors are pure. They're not holes or mistakestheir status as attack vectors is introduced simply by their inherent design.
More on both of those to come, too; check eWEEK.com.
Without going into more details here about these attacks, the takeaway from the show today is that the only solution to many new classes of potential exploit is to build better software. Or, in the case of Blue Pill, to build a better kernel. "As a consumer, I have very little protection," Allan said.
For the first time in years, he said, Black Hat is like a Pandora's box. Do we really want to know about these attacks if there's nothing we can do about them? Well, yes. If the researchers don't release the details, and if they don't get together and talk about them in venues like this, the malicious types will find them first.
Indeed, Blue Pill is a good example of very good disclosure, Allan said. Rutkowska has delivered the details of an entirely futuristic rootkit, arguably far ahead of the time when it will be relevant (i.e., when Vista sees widespread adoption and exploitation makes fiscal sense). The far-sighted disclosure she pursues allows researchers to build defenses before seeing exploits in the wild.
Lord, but this is only Day 1.
OK, bring it on, Black Hat, bring it on.