Fragmentation (overlapping) attacks in IPv6. Have we learned our lesson, yet?

This is a guest post from Antonios Atlasis

It has been a year since fragmentation attacks in IPv6 were last examined publicly (in Black Hat Europe 2012). Issues well known from the IPv4 era appeared again in IPv6. Surprisingly enough, some of the most popular Operating Systems (OS), included ones considered “secure”, were proven to be vulnerable to such attacks, although fragmentation overlapping is strictly forbidden in IPv6 since 2009 (RFC5722). Some other OS, although in a better shape, still appeared to have some issues in specific cases.

But a year has already passed since then and the vendors should have fixed these issues now; or not? Definitely, a significant progress (in some cases) has been made but, is this enough? In the IPv6 Security Summit that will take place during Troopers13, in the “Fragmentation Overlapping Attacks Against IPv6: One Year Later” presentation, various fragmentation overlapping scenarios will be tested to examine if such attacks can still be successful or not. Detailed results of extensive tests will be presented and any non-compliant behaviors will be further discussed regarding the potential security implications.

Continue reading “Fragmentation (overlapping) attacks in IPv6. Have we learned our lesson, yet?”

Continue reading

Troopers 2013 – Third Round of Talks Selected

We’re very happy to announce the third round of Troopers 2013 talks today (first round here, second here).

So much quality stuff… it seems to get (ever) better every year ;-).

Here we go:


Michael Ossmann & Dominic Spill: Introducing Daisho – monitoring multiple communication technologies at the physical layer.

Synopsis: Most communications media can be monitored and debugged at various levels of the stack, but we believe that it is most important to examine them at the physical layer. From there, the security of every level can be investigated and tested. The task of monitoring physical layer communications has become increasingly difficult as we try to squeeze more and more bandwidth out of our links. A passive tapping circuit can be used to monitor a 100BASE-TX connections, but no such circuit exists for 1000BASE-T networks.

Our solution to this problem is Project Daisho; an open source hardware and software project to build a device that can monitor high speed communication links and pass all of the data back to a host system for analysis. Daisho will include a modular, high bandwidth design that can be extended to monitor future technologies. The project will also produce the first open source USB 3.0 FPGA core, bringing high speed data transfer to any projects that build on the open platform.
As a proof of concept at this early stage, we will demonstrate monitoring of a low bandwidth RS-232 connection using our first round of hardware and discuss the challenges involved with the high speed targets such as 1000BASE-T and USB 3.0 that we will take on later this year.

Bios: Michael Ossmann is known for his experience with radio communications technology and open source hardware design, having produced both the Ubertooth and HackRF as well as regularly teaching workshops on software defined radio. He has spoken about his work with software defined radio and Bluetooth at Troopers, Black Hat, DEF CON, ToorCon, ShmooCon and more.

Dominic Spill has been building a Bluetooth packet sniffer since 2007; last year he took over as lead developer for the Ubertooth and has recently begun working with Michael on Daisho. He has previously presented his Bluetooth work at DEF CON, ShmooCon, USENIX WOOT, and Kiwicon.

Both speakers have a passion for building open source tools to allow curious people to examine the technologies and protocols that we use to communicate.

Continue reading “Troopers 2013 – Third Round of Talks Selected”

Continue reading

Troopers 2013 – Second Round of Talks Selected

We’re very happy to announce the second round of Troopers 2013 talks today (first round here).
Some (well, actually most ;-)) of these talks haven’t been presented before, at any other occasion, so this is exciting fresh material which was/is prepared especially for Troopers.

Here we go:


Andreas Wiegenstein & Xu Jia: Ghost in the Shell. FIRST TIME MATERIAL

Synopsis: Security conferences in the past years have made it clear, that common security vulnerabilities such as SQL Injection, XSS, CSRF, HTTP verb tampering and many others also exist in SAP software. This talk covers several vulnerabilities that are unique to SAP systems and shows how these can be used in order to bypass crucial security mechanisms and at the same time operate completely below the (forensic) Radar. We uncovered undocumented mechanisms in the SAP kernel, that allow launching attacks that cannot be traced back to the attacker by forensic means. These mechanisms allow to *actively* inject commands at any time into the running backend-session of an arbitrary logged on user, chosen by the attacker. We named this attack mechanism “Ghost in the Shell”. We will also demo how to use this attack vector to distribute malware to the attacked user’s client machine despite mechanisms in the SAP standard that are designed to prevent this.

Bios: Andreas Wiegenstein has been working as a professional SAP security consultant since 2003. He performed countless SAP code audits and has been researching security defects specific to SAP / ABAP applications. As CTO, he leads the CodeProfiler Research Labs at Virtual Forge, a team focusing on SAP/ABAP specific vulnerabilities and countermeasures. At the CodeProfiler Labs, he works on ABAP security guidelines, ABAP security trainings, an ABAP security scanner as well as white papers and publications. Andreas has trained large companies and defense organizations on ABAP security and has spoken at SAP TechEd on several occasions as well as at security conferences such as Troopers, BlackHat, HITB, RSA as well as many smaller SAP specific conferences. He is co-author of the first book on ABAP security (SAP Press 2009). He is also member of [LINK], the Business Security Community.

Xu Jia is researching SAP security topics since 2006. His focus is on static code nalysis for ABAP and he is the lead architect for a commercial SCA tool. Working in the CodeProfiler Research Labs at Virtual Forge, he also analyzes (ABAP) security defects in SAP standard software. Xu has submitted a significant number of 0-days to SAP, including multiple new forms of attack that are specific to SAP software. He already presented some of his research at the 16th IBS security conference, 2012 in Hamburg.

Continue reading “Troopers 2013 – Second Round of Talks Selected”

Continue reading

Analysis of Rails XML Parameter Parsing Vulnerability

This post tries to give an overview about the background and impact of the new Rails XML parameter parsing vulnerability patched today.

The bug

The root cause of the vulnerability is Rails handling of formatted parameters. In addition to standard GET and POST parameter formats, Rails can handle multiple different data encodings inside the body of POST requests. By default JSON and XML are supported. While support for JSON is widely used in production, the XML functionality does not seem to be known by many Rails developers.

XML parameter parsing

The code responsible for parsing these different data types is shown below:

# actionpack/lib/action_dispatch/middleware/params_parser.rb 
      Mime::XML => : xml_simple,
      Mime::JSON => :json
def parse_formatted_parameters(env)
        when Proc

        when : xml_simple, : xml_node
          data = Hash.from_xml(request.raw_post) || {}
        when :yaml
        when :json
          data = ActiveSupport::JSON.decode(request.raw_post)
          data = {:_json => data} unless data.is_a?(Hash)

Continue reading “Analysis of Rails XML Parameter Parsing Vulnerability”

Continue reading

Insider Threats in the Cloud

at first a happy new year to all our readers!
And, of course, to everybody else, too ;-). May 2013 bring good things for you all, in particular (but not only) in the infosec space.

At the recent ATSAC 2012 conference a guy from the CERT Insider Threat Center gave a talk on the exact topic. Given that the ENISA Cloud Computing Risk Assessment lists “Cloud Provider Malicious Insider” as one of the top eight risks (out of overall 35 risks evaluated) and we just had some discussion about this in a customer environment, this might be of interest for some readers.

The slides of the talk can be found here.



Continue reading

All Your Calls Are Still Belong to Us – continued

Hi again and a happy new year 2013!

Lets continue were I left you the last time.


The CTL is basically a binary TLV file with 1 byte type, followed by 2 bytes length and finally the data. But as this is far to easy, some special fields omit the length field and just place the data after the type (I guess those are fields with a fixed length). Here is an example CTL file:

Red fields are the types (counting up), green fields are the length (note the missing length on some fileds) and the purple field contains the data (in this case data with a length of 8 bytes and a type 0x05, which is the signing cert serial number btw. [and yes, this is a real example; Cisco signs phone loads with this ‘random’ cert]).

The CTL contains a header with types from 0x01 to 0x0f which is padded with 0x0d. The same header is used for the signed files .sgn from the TFTP server later on. The header describes the file version, the header length, the certificate the file is signed by (further called Signing Cert), the corresponding Certificate Authority, the file name, the files time stamp and finally the signature. The header is followed by multiple cert entries, which again use types 0x01 to 0x0f.  The cert entry contains a role field 0x04 which describes the use of the cert. We are interested in the CAPF cert (0x04) and the Call Manager cert (0x02).
Continue reading “All Your Calls Are Still Belong to Us – continued”

Continue reading