July 2nd, 2008
Tiller Beauchamp on the Recon 2008 conference
Guest Editorial by Tiller Beauchamp
Earlier this month I had the opportunity to present RE:Trace at the Recon conference, a reverse engineering conference held every other year in Montreal, Canada. The conference consisted of three days of training and three days of talks in a single track. Topics included reversing polymorphic malware, overcoming code obfuscation and anti-debugging techniques, local privilege escalation through the ALPC kernel interface on Vista, and hacking OS X. The technical level of the conference was excellent, and everything was very well organized, from the nightly events to the downloadable presentation videos on the conference network.
There were so many interesting talks, but since I cannot cover them all, here are some highlights:
Gerardo Richarte presented two small tools to assist in reverse engineering code. One of these tools was more of a methodology, which he called iterative decompilation. The idea is to reverse parts of a program into high-level code one piece at a time. He would first examine a function’s behavior in assembly and then re-implement the function in C. By compiling this C into a DLL and patching it into the process at runtime, he could replace the original code with his own implementation and test that it had the same behavior. Following this process, he can reverse the important parts of an application progressively.
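As an added illustration (not code from Richarte's talk or tools), here is what the "test that it has the same behavior" step can look like in C: a constructed stand-in for a routine lifted from a disassembly, two hypothetical candidate reimplementations, and a differential harness that sweeps boundary values plus a deterministic pseudo-random range and reports the first input on which the candidate disagrees with the original. The function names, the assembly listing in the comments and the sample values are all assumptions made for this example.

```c
/* Added example, not from Richarte's talk: a differential harness for
 * the equivalence-testing step of iterative decompilation. Everything
 * below (listing, functions, seeds) is constructed for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t (*fn32)(uint32_t);

/* Constructed "original", transcribed instruction by instruction from a
 * hypothetical listing:
 *   mov ecx, eax
 *   sar ecx, 3            ; arithmetic shift: sign bit is replicated
 *   lea eax, [eax+eax*8]
 *   xor eax, ecx */
uint32_t original(uint32_t eax) {
    uint32_t ecx = eax;
    ecx = (ecx & 0x80000000u) ? ((ecx >> 3) | 0xE0000000u) : (ecx >> 3); /* sar */
    eax = eax + eax * 8;                                                  /* lea */
    return eax ^ ecx;                                                     /* xor */
}

/* First C attempt: reads naturally, but uses a logical shift, so it
 * differs from sar on every input with the top bit set. */
uint32_t reimpl_naive(uint32_t x) {
    return (x * 9) ^ (x >> 3);
}

/* Corrected attempt: replicate the sign bit as sar does (written portably;
 * on mainstream compilers `(int32_t)x >> 3` is the usual shorthand). */
uint32_t reimpl_fixed(uint32_t x) {
    uint32_t shifted = (x >> 3) | ((x & 0x80000000u) ? 0xE0000000u : 0u);
    return (x * 9) ^ shifted;
}

#define NO_MISMATCH (-1L)

/* Runs original and candidate over boundary values, then a pseudo-random
 * sweep (LCG with a constructed seed). Returns the index of the first
 * disagreeing sample and stores that input, or NO_MISMATCH. */
long first_mismatch(fn32 orig, fn32 candidate, uint32_t *bad_input) {
    static const uint32_t edges[] = {0, 1, 2, 7, 8, 9, 0x7FFFFFFFu, 0x80000000u, 0xFFFFFFFFu};
    size_t n_edges = sizeof edges / sizeof edges[0];
    uint32_t state = 0x12345678u;
    for (long i = 0; i < 100000; i++) {
        uint32_t in;
        if ((size_t)i < n_edges) {
            in = edges[i];
        } else {
            state = state * 1664525u + 1013904223u;
            in = state;
        }
        if (orig(in) != candidate(in)) {
            if (bad_input) *bad_input = in;
            return i;
        }
    }
    return NO_MISMATCH;
}

int main(void) {
    uint32_t bad = 0;
    long idx = first_mismatch(original, reimpl_naive, &bad);
    if (idx == NO_MISMATCH) printf("naive: equivalent on all samples\n");
    else printf("naive: mismatch at sample %ld, input %08x\n", idx, bad);
    idx = first_mismatch(original, reimpl_fixed, &bad);
    printf("fixed: %s\n", idx == NO_MISMATCH ? "equivalent on all samples" : "mismatch");
    return 0;
}
```

The boundary list deliberately brackets the sign bit (0x7FFFFFFF and 0x80000000) because sign handling is exactly the kind of detail that looks right in C and is wrong against the real instruction; in Richarte's workflow the same comparison would be made against the live function rather than a transcription of it.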
Craig Smith from Neohapsis presented on using virtual machines to implement code obfuscation. Don’t think VMware virtual machines here; think custom instruction sets and a runtime interpreter. He covered the basics of this technique, which was popularized by the Honeynet SOTM32 challenge. The idea is to create a custom instruction set and then use it to implement the logic you want obfuscated. You can apply this approach to hide system calls or important calculations. The bottom line is that a small effort on the developer’s part can create a lot more work for the reverser. More details and his sample code can be found on the Neohapsis blog.
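An added example, not code from the talk or from Neohapsis, to make the idea concrete: a tiny stack-based VM with a custom instruction set, and one calculation expressed as bytecode for that VM instead of as native code. The opcode values, the bytecode layout and the formula being hidden are all assumptions chosen for this illustration; the native version of the formula is included only so the bytecode can be checked against it.

```c
/* Added example (not Craig Smith's / Neohapsis code): VM-based obfuscation
 * of one calculation. Instruction set, opcodes, bytecode and constants are
 * all constructed for this illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Custom instruction set. Opcode numbering is arbitrary on purpose: nothing
 * in the native binary says what each byte means. */
enum {
    OP_HALT = 0x00, /* return top of stack */
    OP_PUSH = 0x11, /* push the 32-bit little-endian immediate that follows */
    OP_ARG  = 0x22, /* push the VM's input argument */
    OP_XOR  = 0x33, /* pop b, pop a, push a ^ b */
    OP_MUL  = 0x44, /* pop b, pop a, push a * b (mod 2^32) */
    OP_ADD  = 0x55, /* pop b, pop a, push a + b (mod 2^32) */
    OP_ROL  = 0x66  /* rotate top of stack left by the 8-bit immediate */
};

#define STACK_MAX 16

static uint32_t read_u32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Interpreter. Every fetch and stack access is bounds-checked so a
 * malformed program fails closed instead of reading outside its buffers. */
bool vm_run(const uint8_t *code, size_t len, uint32_t arg, uint32_t *out) {
    uint32_t stack[STACK_MAX];
    size_t sp = 0, pc = 0;
    while (pc < len) {
        uint8_t op = code[pc++];
        switch (op) {
        case OP_HALT:
            if (sp == 0) return false;
            *out = stack[sp - 1];
            return true;
        case OP_PUSH:
            if (pc + 4 > len || sp == STACK_MAX) return false;
            stack[sp++] = read_u32le(code + pc);
            pc += 4;
            break;
        case OP_ARG:
            if (sp == STACK_MAX) return false;
            stack[sp++] = arg;
            break;
        case OP_XOR: case OP_MUL: case OP_ADD: {
            if (sp < 2) return false;
            uint32_t b = stack[--sp], a = stack[sp - 1];
            stack[sp - 1] = (op == OP_XOR) ? (a ^ b) : (op == OP_MUL) ? (a * b) : (a + b);
            break;
        }
        case OP_ROL: {
            if (pc >= len || sp == 0) return false;
            unsigned r = code[pc++] & 31u;
            uint32_t v = stack[sp - 1];
            stack[sp - 1] = r ? ((v << r) | (v >> (32 - r))) : v;
            break;
        }
        default:
            return false; /* unknown opcode: refuse rather than guess */
        }
    }
    return false; /* ran off the end without OP_HALT */
}

/* Constructed bytecode for f(x) = rol((x ^ 0x5BD1E995) * 0x01000193, 13) + 0xDEADBEEF.
 * It lives in a data section; a disassembler shows only vm_run, not the formula. */
static const uint8_t OBFUSCATED_F[] = {
    OP_ARG,
    OP_PUSH, 0x95, 0xE9, 0xD1, 0x5B,
    OP_XOR,
    OP_PUSH, 0x93, 0x01, 0x00, 0x01,
    OP_MUL,
    OP_ROL, 13,
    OP_PUSH, 0xEF, 0xBE, 0xAD, 0xDE,
    OP_ADD,
    OP_HALT
};

/* What the shipped program exposes: a call into the interpreter. */
uint32_t f_obfuscated(uint32_t x) {
    uint32_t out = 0;
    return vm_run(OBFUSCATED_F, sizeof OBFUSCATED_F, x, &out) ? out : 0;
}

/* Native version of the same calculation, kept only to verify the bytecode;
 * in a protected build this is exactly what would be removed. */
uint32_t f_native(uint32_t x) {
    uint32_t v = (x ^ 0x5BD1E995u) * 0x01000193u;
    v = (v << 13) | (v >> 19);
    return v + 0xDEADBEEFu;
}

/* Edge case: a PUSH whose immediate is cut off must be rejected, not read past. */
bool rejects_truncated_push(void) {
    static const uint8_t truncated[] = { OP_ARG, OP_PUSH, 0x01, 0x02 };
    uint32_t out = 0;
    return !vm_run(truncated, sizeof truncated, 5, &out);
}

int main(void) {
    uint32_t samples[] = {0, 1, 0x12345678u, 0xFFFFFFFFu};
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%08x -> vm %08x native %08x\n", samples[i], f_obfuscated(samples[i]), f_native(samples[i]));
    printf("truncated program rejected: %s\n", rejects_truncated_push() ? "yes" : "no");
    return 0;
}
```

The trade-off Smith described is visible here: the developer writes a few dozen lines of interpreter once, while the reverser now has to recover the semantics of every opcode before the bytecode means anything, and a real deployment would go further (per-build opcode shuffling, several VMs, encoded immediates). The bounds checks are not optional decoration: a VM that reads bytecode at runtime is itself attack surface if the bytecode can ever come from untrusted input.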
Isn’t NetWare dead? Well, pretty much, but Nicolas Pouvesle ran into it enough times (twice) that he decided to explore it, and by explore it I mean serious kernel exploit fu. One of his biggest challenges was coming up with a payload that was generic enough to work across the many versions of NetWare. He could not do a simple connect-back shell, because in NetWare there is no system-level user, which means that there is no shell! There is a system console; however, interfacing with it involves converting between bitmaps and character buffers and injecting keystrokes. This approach still did not work on all NetWare versions, so Pouvesle found a way to create a user within the LDAP database that NetWare uses for administrative web interface access. Creating LDAP users could only be achieved with library calls and not kernel calls, so he jumped through more hoops to get visibility of those libraries from the kernel and resolve their encrypted symbols. His slides from SlideShare can be found here.
Overall this was an excellent conference and I recommend it for anyone involved in reverse engineering. For those of you interested, more information is posted on the Recon website.
* Tiller Beauchamp is an information security professional and noted researcher. He is perhaps best known in the security and Mac communities for creating the RE:Trace framework, a Ruby-based framework for interacting with the powerful DTRace tool for vulnerability research. He blogs with fellow researcher and co-creator of the RE:Trace framework at the POP/POP/RET blog and can also be seen at the upcoming Black Hat Las Vegas 2008 conference.

Nathan McFeters is a Senior Security Advisor for Ernst & Young's Advanced Security Center in Chicago. The views and opinions expressed in this article are his own and do not represent the views and opinions of Ernst & Young Advanced Security Center or Ernst & Young, LLP. Nathan has performed web application, deep source code, Internet, Intranet, wireless, dial-up, and social engineering engagements for numerous clients in the Fortune 500 during his career at Ernst & Young and has spoken at a number of prestigious conferences, including Black Hat, DEFCON, ToorCon, and Hack in the Box. He can be found at his Pwn* blog and XS-Sniper, a blog with Billy Rios. See his full profile and disclosure of his industry affiliations.