Black Hat 2009: Drive-by Improvements
Some of my colleagues from Symantec and I attended Black Hat in Las Vegas this past week. Wednesday was the first day of talks, and there were some very interesting topics discussed. For me, the highlights were the following talks:
• “Stoned Boot Kit,” by Peter Kleissner
• “Using Guided Missiles in Drive-Bys: Automatic browser fingerprinting and exploitation with Metasploit,” by Egypt
• “Attacking Interoperability,” by Mark Dowd, Ryan Smith, and David Dewey
The papers for these presentations are available on the Black Hat website, but I did manage to talk to most of the presenters and get their views on various topics. In this post I’ll talk about the “Using Guided Missiles in Drive-Bys” talk and follow up with information on the other talks in later posts.
In his presentation “Using Guided Missiles in Drive-Bys,” James Lee (a.k.a. “Egypt”) outlined a new way of detecting which browser a visitor to a website is using without relying on the User Agent string, which can be easily forged. He has added this functionality to the Metasploit framework, along with code that chooses the most appropriate exploit for the detected browser version and tries the most stable exploits first and the least stable exploits last.
Of course, detecting a visitor’s browser version is not a new idea, and most Web exploit packs already contain this functionality to some degree. James mentioned Mpack, Firepack, Neosploit, and Luckysploit as examples of packs that already detect the visitor’s browser version—some more crudely than others. One of the most comprehensive detection algorithms I have seen used is in the Traffic Directing System “Kallisto TDS” shown below. However, Kallisto relies solely on the User Agent string, which, as already mentioned, can be easily changed (plug-ins are available for various browsers to change your User Agent). So, although Kallisto’s code shown below is very comprehensive, the solution that James presented takes this idea one step further.
James’ code uses features of the DOM that are only available in certain browsers; for example, he showed that the window.opera object is only available in the Opera browser. Not only that, but a call to window.opera.version() returns the browser version, and a call to window.opera.buildNumber() returns even more specific information. Using techniques such as these for each browser and OS, he is able to identify the software used by visitors to a website more accurately than by relying solely on the User Agent string.
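To make the point concrete, here is an added example (not James’ code and not from the Metasploit framework) showing how DOM-feature probes identify the engine and how a site operator can flag visitors whose User Agent disagrees with what the DOM proves. Only the window.opera.version()/buildNumber() probe comes from the talk; the other probes, the sample window object and the User Agent strings are assumptions constructed for this example.

```javascript
// Added example: engine detection from DOM features, plus a consistency check
// against the User-Agent string. Only window.opera.version()/buildNumber()
// is from the post; the other probes and all sample data are constructed.
const PROBES = [
  // Opera exposes window.opera, with version() and buildNumber() methods
  { engine: "opera",
    test: w => typeof w.opera === "object" && w.opera !== null,
    version: w => typeof w.opera.version === "function" ? w.opera.version() : null },
  // Internet Explorer exposes the ActiveXObject constructor
  { engine: "msie",
    test: w => typeof w.ActiveXObject !== "undefined",
    version: () => null },
  // Older Gecko builds exposed window.netscape (assumed probe for this example)
  { engine: "gecko",
    test: w => typeof w.netscape !== "undefined",
    version: () => null },
];

// Walk the probe table; the first DOM feature that is present wins.
function detectEngine(win) {
  for (const p of PROBES) {
    if (p.test(win)) return { engine: p.engine, version: p.version(win) };
  }
  return { engine: "unknown", version: null };
}

// Engine claimed by the User-Agent string. Opera is checked first because
// its UA can also contain "MSIE" or "Gecko" when masquerading.
function engineFromUserAgent(ua) {
  if (/\bOpera\b/.test(ua)) return "opera";
  if (/\bMSIE\b/.test(ua)) return "msie";
  if (/\bGecko\//.test(ua)) return "gecko";
  return "unknown";
}

// Defender-side check: false when the UA claims one engine while the DOM
// proves another, i.e. a forged or plug-in-altered User Agent.
function uaConsistent(win, ua) {
  const dom = detectEngine(win).engine;
  return dom === "unknown" || dom === engineFromUserAgent(ua);
}

// Constructed sample: a window that is really Opera 9.64 but whose UA
// string has been changed to claim Firefox.
const sampleWindow = { opera: { version: () => "9.64", buildNumber: () => "10487" } };
const spoofedUA = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.12) " +
                  "Gecko/2009070611 Firefox/3.0.12";
console.log(detectEngine(sampleWindow));            // { engine: 'opera', version: '9.64' }
console.log(uaConsistent(sampleWindow, spoofedUA)); // false
```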
This is a nice feature to have in the Metasploit framework, but I am certain that the creators of Web exploit packs will pick up this code and use it to their own advantage as well. In fact, James mentioned to me that he has already seen exploits used outside of Metasploit that had literally copied and pasted previous code he had developed for Metasploit into the malicious Web page, which unfortunately is not a good sign. For further details about the techniques used, check out James’ paper on the Black Hat website.
Now that the conference has wrapped up, I’ll follow up with information on the other talks shortly.