Aieee! Demons! (or: our Black Hat Talks)
Thomas Ptacek | June 27th, 2006 | Filed Under: Disclosure, Malware, Matasano, New Findings
There’s a quick piece on our work in Dark Reading:
Tom Ptacek, a researcher for Matasano, a security consulting firm, says during the past few months he and his colleagues discovered disturbing vulnerabilities in systems management software while testing out their thesis that non-Internet applications are ripe for attack. Ptacek wouldn’t name any specific management products that fell prey to his firm’s staged attacks, but he says they included major systems management vendors that handle things like patch management. This represents a $2 billion to $3 billion market, he says.
This is as good an opportunity as any to announce our three Black Hat talks:
Do Enterprise Management Applications Dream of Electric Sheep?, with Dave, the topic of the article cited above.
PDB: The Protocol Debugger, Jeremy’s talk, which presents “gdb for network protocols”; set breakpoints on protocol fields, single-step protocols. Cool.
Hardware Virtualization Based Rootkits, Dino’s talk, on how rootkit authors can leverage Intel VT-x to hide rootkits beneath the OS, and techniques to detect it.
I’ll let Jeremy and Dino talk more about their respective talks. Meanwhile, back to me and Dave’s.
Matasano has a thesis. It’s pretty straightforward: if your application hasn’t been sitting in front of firewalls for the past 10 years, exposed to Internet attackers, it probably has not been adequately tested. “It’s 1997 back there”.
Unsurprisingly, it’s looking like our (no-brainer) prediction is panning out. We did SAN last year. Over the past several months, we’ve taken an increasingly deep look at management apps. These are the products that install tiny(-looking) bits of code on your servers and desktops, and communicate with them from a central management server. Yep. They have problems.
We’re not in a position to pre-announce vulnerabilities. We have lots of them. But they follow a pattern:
Agent-Based Management Systems Create A Single Point Of Failure, which is kind of their whole point. But the same forces that allow an admin to verify the configurations of 1000 machines with a single button click also allow attackers to, well, I’ll refer you back to Dino’s talk.
Agent-Based Management Systems Flip The Client/Server Relationship, which is to say, in both the “agent” and the “server”, both clientside and serverside attacks are relevant. That’s because breaking any of the 1000+ agent deployments on your network gives you a vantage point to talk to the management server, when it inevitably calls you up and asks your status.
These issues, plus a general pattern of 1990s-era C programming in the software itself, add up to the potential for mass-casualty attacks. Some of the vulnerabilities we found are not only blind, remote, serverside, and agent-facing, but also cross-platform, not requiring customized shellcode to launch.
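To make the “flipped relationship” concrete, here is an added example (not code from the post or from any management product) of how a management server should treat the status reply it gets back from an agent: as hostile input, since any one compromised agent may be answering. The wire format, field names and sample replies are hypothetical and constructed for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical agent status reply, constructed for this example:
 *   [u8 version][u8 host_len][host_len bytes of hostname][u16 big-endian patch_count]
 * The 1997-style server-side handler copies host_len bytes straight into a
 * fixed buffer, trusting a length the agent chose. The parser below does not. */
#define MAX_HOST 64

struct agent_status {
    uint8_t  version;
    char     host[MAX_HOST + 1];
    uint16_t patch_count;
};

/* Defensive server-side parser. Returns 0 on success, -1 on any malformed
 * reply, and never writes to *out unless the whole message checked out. */
int parse_agent_status(const uint8_t *buf, size_t len, struct agent_status *out)
{
    if (len < 2) return -1;                                /* header incomplete   */
    uint8_t host_len = buf[1];
    if (host_len == 0 || host_len > MAX_HOST) return -1;   /* cap agent length    */
    if (len != (size_t)2 + host_len + 2) return -1;        /* declared == actual  */
    for (size_t i = 0; i < host_len; i++) {
        unsigned char c = buf[2 + i];
        if (c < 0x21 || c > 0x7e) return -1;               /* printable ASCII only */
    }
    out->version = buf[0];
    memcpy(out->host, buf + 2, host_len);
    out->host[host_len] = '\0';
    out->patch_count = (uint16_t)((buf[2 + host_len] << 8) | buf[3 + host_len]);
    return 0;
}

/* Constructed sample replies: a well-formed one, and one whose agent-supplied
 * host_len (200) exceeds both the cap and the bytes actually present. */
static const uint8_t good_reply[] = {1, 6,   'w','e','b','0','0','1', 0x00, 0x2a};
static const uint8_t bad_reply[]  = {1, 200, 'w','e','b','0','0','1', 0x00, 0x2a};

/* Runs both samples; returns 1 if the parser accepted the good reply and
 * rejected the bad one, 0 otherwise. */
int demo(void)
{
    struct agent_status s;
    int ok  = parse_agent_status(good_reply, sizeof good_reply, &s) == 0
              && strcmp(s.host, "web001") == 0 && s.patch_count == 42;
    int bad = parse_agent_status(bad_reply, sizeof bad_reply, &s) == -1;
    return ok && bad;
}
```

The same discipline applies in the other direction: the agent must validate what the server sends, because the server is the single point that reaches every host.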
So, I guess what I’m saying is, you should care about this.
Are you running agent-based management apps? We’d love to talk more to you about them. Dave and I are going to be spending some time in July rounding out the menagerie of weirdness we’ve uncovered to date with whatever new programs we can get our hands on.