Nettitude Blog

Black Hat 2015 Wrap Up – Part I

Posted by Luis Gomes on Aug 24, 2015 12:00:27 PM

This year, Black Hat (BH) 2015 came, as it usually does, with major security flaws and a few “dojos”. Aside from the major Android vulnerabilities we were exposed to, there were other types of security issues that are much less talked about but still expose serious problems. Over the next couple of blog posts we’ll wrap up some of the vulnerabilities that fell under the shadow of Certifi-gate and the other headline vulnerabilities presented at the BH 2015 USA conference.

Abusing XSLT for Practical Attacks

Base Knowledge
Before the vulnerability itself is explained, some background: XSLT is a language for transforming XML documents into other XML documents, text documents or HTML documents. You might, for example, format a chapter of a book using XSL-FO, or take the result of a database query and format it as HTML.
XSLT can be processed either client side (e.g. by web browsers) or server side (by standalone parsers or by the XML libraries of programming languages).

Reference: http://www.w3.org/standards/xml/transformation

Summary
The flaw discussed in this quick review is mostly a technique that uses XSLT to produce documents that are vulnerable to new exploits. XSLT can be leveraged to affect the integrity of arithmetic operations, lead to code-logic failures, or cause random values to be generated from the same initialization vector. Error disclosure has always provided valuable information, but thanks to XSLT it is possible to partially read system files, which could disclose service or system passwords. Finally, XSLT can be used to compromise end-user confidentiality by abusing the same-origin policy enforced by web browsers. All the research and PoCs can be found in the official paper: https://www.blackhat.com/docs/us-15/materials/us-15-Arnaboldi-Abusing-XSLT-For-Practical-Attacks-wp.pdf.
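The file-read primitive above depends on the XSLT processor allowing the document() function to fetch arbitrary URIs. The following PowerShell script is an added example, not code from the talk or the paper: it drives the .NET XslCompiledTransform engine with a constructed stylesheet and a constructed "secret" XML file, and runs the same transform once under XsltSettings.TrustedXslt (document() and embedded script enabled) and once under XsltSettings.Default (both disabled), so a defender can see which setting to audit for. It assumes Windows PowerShell 5.1 on .NET Framework; the file name and the placeholder secret are invented for the demo.

```powershell
# Added example: the .NET control that governs XSLT's document() function.
# Assumes Windows PowerShell 5.1 / .NET Framework. Nothing here comes from the original paper.

# Constructed stand-in for a configuration file the stylesheet should never be able to read.
$secretPath = Join-Path $env:TEMP 'xslt-demo-secret.xml'
'<config><dbPassword>CONSTRUCTED-PLACEHOLDER</dbPassword></config>' |
    Set-Content -Path $secretPath -Encoding UTF8
$secretUri = ([System.Uri]$secretPath).AbsoluteUri   # file:///C:/.../xslt-demo-secret.xml

# Constructed untrusted stylesheet: the attack lives here, not in the input data.
$stylesheet = @"
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="text"/>
  <xsl:template match="/">
    <xsl:text>leaked: </xsl:text>
    <xsl:value-of select="document('$secretUri')/config/dbPassword"/>
  </xsl:template>
</xsl:stylesheet>
"@
$inputXml = '<root/>'   # constructed, harmless input document

function Invoke-Xslt {
    param(
        [string]$Xslt,
        [string]$Xml,
        [System.Xml.Xsl.XsltSettings]$Settings
    )
    $xform      = New-Object System.Xml.Xsl.XslCompiledTransform
    $xsltReader = [System.Xml.XmlReader]::Create((New-Object System.IO.StringReader $Xslt))
    # Third argument resolves xsl:import / xsl:include; $null refuses external stylesheet fetches.
    $xform.Load($xsltReader, $Settings, $null)
    $xmlReader  = [System.Xml.XmlReader]::Create((New-Object System.IO.StringReader $Xml))
    $out        = New-Object System.IO.StringWriter
    $xform.Transform($xmlReader, $null, $out)
    return $out.ToString()
}

Write-Output '--- Weak setting: XsltSettings.TrustedXslt (document() and script enabled)'
Invoke-Xslt -Xslt $stylesheet -Xml $inputXml -Settings ([System.Xml.Xsl.XsltSettings]::TrustedXslt)

Write-Output '--- Hardened setting: XsltSettings.Default (document() and script disabled)'
try {
    Invoke-Xslt -Xslt $stylesheet -Xml $inputXml -Settings ([System.Xml.Xsl.XsltSettings]::Default)
} catch {
    # The engine refuses to execute document(); the secret never reaches the output.
    Write-Output "Blocked: $($_.Exception.Message)"
}

Remove-Item -Path $secretPath -ErrorAction SilentlyContinue
```

When reviewing .NET code that transforms user-supplied stylesheets, the thing to grep for is a Load call that passes TrustedXslt or an XsltSettings constructed with EnableDocumentFunction or EnableScript set to true, and Transform overloads that hand the engine a permissive XmlResolver; the Default settings and a null resolver are the safe baseline.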

Abusing Windows Management Instrumentation (WMI)

Summary
As technology is introduced and subsequently deprecated over time in the Windows operating system, one powerful technology that has remained consistent since Windows NT 4.01 and Windows 95 is Windows Management Instrumentation (WMI). Present on all Windows operating systems, WMI comprises a powerful set of tools used to manage Windows systems both locally and remotely. As attackers increasingly utilize WMI, it is important for defenders, incident responders and forensic analysts to understand WMI and to know how they can wield it to their own advantage. The talk focused mostly on how WMI can be used as a rudimentary intrusion detection system (IDS), and on how to perform forensics on the WMI repository file format.

Figure 1 - WMI Architecture

Figure 2 - WMI Attack Example

Figure 3 - WMI Attack Example
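The "rudimentary IDS" idea rests on WMI's own eventing: permanent event subscriptions (an __EventFilter bound to an __EventConsumer) are both a persistence mechanism attackers use and a signal defenders can watch. The script below is an added example, not the talk's or the paper's code: it inventories the existing permanent subscriptions on the local host and registers a temporary, in-memory subscription that fires whenever a new permanent consumer is created. It assumes Windows PowerShell 5.1 or later with local administrator rights, and the source identifier name is invented for the demo.

```powershell
# Added example: inventory WMI persistence and watch for new permanent event consumers.
# Assumes Windows PowerShell 5.1+ and administrator rights; not from the original paper.

function Get-WmiPersistence {
    # Permanent subscriptions live in root/subscription and survive reboots.
    $ns        = 'root/subscription'
    $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
    $consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer   # returns all subclasses
    $bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

    foreach ($b in $bindings) {
        # Binding references are CimInstance objects carrying the key (Name) of each side.
        $filter   = $filters   | Where-Object { $_.Name -eq $b.Filter.Name }
        $consumer = $consumers | Where-Object { $_.Name -eq $b.Consumer.Name }

        # Payload is class-specific: command lines for CommandLineEventConsumer,
        # inline script for ActiveScriptEventConsumer, otherwise nothing interesting.
        $payload = switch ($consumer.CimClass.CimClassName) {
            'CommandLineEventConsumer'  { $consumer.CommandLineTemplate }
            'ActiveScriptEventConsumer' { $consumer.ScriptText }
            default                     { '' }
        }

        [pscustomobject]@{
            FilterName   = $filter.Name
            Query        = $filter.Query           # WQL trigger, e.g. a timer or process-start event
            ConsumerType = $consumer.CimClass.CimClassName
            ConsumerName = $consumer.Name
            Payload      = $payload
        }
    }
}

function Start-WmiConsumerWatch {
    # Temporary subscription: polls the namespace every 5 seconds for new __EventConsumer instances.
    $query = "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA '__EventConsumer'"
    Register-CimIndicationEvent -Namespace 'root/subscription' -Query $query `
        -SourceIdentifier 'WmiConsumerWatch' -Action {
            $ti = $Event.SourceEventArgs.NewEvent.TargetInstance
            Write-Host ('[{0}] New WMI event consumer created: {1} ({2})' -f `
                (Get-Date -Format s), $ti.Name, $ti.CimClass.CimClassName)
        }
}

function Stop-WmiConsumerWatch {
    Unregister-Event -SourceIdentifier 'WmiConsumerWatch' -ErrorAction SilentlyContinue
}

# Usage: baseline what is already there, then watch for changes.
Get-WmiPersistence | Format-Table -AutoSize
Start-WmiConsumerWatch
```

On a clean workstation the inventory is usually empty or contains only vendor entries, so anything with a CommandLineTemplate or ScriptText deserves a look. The watch is itself a temporary subscription and disappears when the PowerShell session ends; a production deployment would log the same event through the Windows event log or an agent rather than Write-Host.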

Server-Side Template Injection

Template Injection is only apparent to auditors who explicitly look for it, and may incorrectly appear to be of low severity until resources are invested in assessing the template engine's security posture. This explains why Template Injection has remained relatively unknown until now; its prevalence in the wild remains to be determined.

Full Article at: https://www.blackhat.com/docs/us-15/materials/us-15-Kettle-Server-Side-Template-Injection-RCE-For-The-Modern-Web-App-wp.pdf
