Slowly but surely, I'm catching up on my blogging backlog. As I posted before, Day 2 of CanSecWest was a long day, with presentations running from 9am to 9pm. Here are some of the highlights:
Barnaby Jack's talk, Exploiting Embedded Systems - The Sequel!, was mostly the same as last year's talk with a couple of notable exceptions. Last year, he exploited a UPnP stack overflow in the DI-524, while this year it was a 0day in the DI-604 on which he didn't provide further details, other than that it was a null pointer exception. This is significant because NPEs are often assumed to be unexploitable -- you get an access violation, and the program crashes because the null page isn't mapped. Ah, but what if 0 is a valid memory address? In the ARM9E processor, this happens to be where the exception vectors live. When certain events occur, the processor looks to these locations to determine where to jump. For example, when there's a software interrupt, it jumps to the address stored at 0x00000008. It's even better than a stack overflow! But for all those embedded systems programmers scrambling to review their code, don't worry: you can avoid this simply by configuring the ARM to store the exception vectors starting at 0xFFFF0000 instead. Problem solved. There were a few glitches getting the demo to work properly (people were flooding the wireless network), but overall the talk was well-received.
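To make the vector-table point concrete, here is a small C model, added here and not code from the talk or from the original post. It lays out the ARM exception vector table at a chosen base, then triages a handful of constructed crash addresses under both the default low-vector setting and the high-vector setting the paragraph recommends. The vector offsets and the CP15 control-register "V" bit (bit 13) that selects high vectors are standard ARM architecture facts; the crash addresses, the sample log, and every function name are assumptions made up for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* ARM exception vector layout, as offsets from the vector base (architectural
   fact for ARMv5 cores such as the ARM9E, not something taken from the post). */
static const char *const VECTOR_NAMES[8] = {
    "Reset", "Undefined instruction", "Software interrupt (SWI)",
    "Prefetch abort", "Data abort", "Reserved", "IRQ", "FIQ"
};
#define VECTOR_TABLE_BYTES 32u        /* 8 entries x 4 bytes */

/* Vector base selected by CP15 c1 bit 13 ("V"): clear = 0x00000000, set = 0xFFFF0000. */
#define VBASE_LOW  0x00000000u
#define VBASE_HIGH 0xFFFF0000u

/* Constructed crash-dump data: faulting data addresses from a hypothetical firmware. */
static const uint32_t SAMPLE_FAULTS[] = { 0x00000008u, 0x00000018u, 0x00000048u, 0x40001000u };
#define SAMPLE_FAULT_COUNT (sizeof SAMPLE_FAULTS / sizeof SAMPLE_FAULTS[0])

/* Index of the vector entry that a 4-byte write at fault_addr would overwrite,
   or -1 when the write does not touch the table at all. */
int vector_hit(uint32_t vbase, uint32_t fault_addr) {
    if (fault_addr < vbase || fault_addr >= vbase + VECTOR_TABLE_BYTES)
        return -1;
    return (int)((fault_addr - vbase) / 4u);
}

/* Triage verdict for one fault. With low vectors, a null-pointer write to a small
   offset lands on a vector entry; with high vectors the same access hits the
   unmapped null page and simply faults, which is the behaviour people expect. */
const char *triage(uint32_t vbase, uint32_t fault_addr) {
    if (vector_hit(vbase, fault_addr) >= 0)
        return "CRITICAL: write lands in the exception vector table";
    if (fault_addr < 0x1000u)
        return "null-page access outside the table: faults if the page is unmapped, check the memory map";
    return "fault outside the null page: ordinary crash, review separately";
}

/* Number of faults in a list that would corrupt a vector entry for a given base. */
size_t count_critical(uint32_t vbase, const uint32_t *faults, size_t n) {
    size_t critical = 0;
    for (size_t i = 0; i < n; i++)
        if (vector_hit(vbase, faults[i]) >= 0)
            critical++;
    return critical;
}

/* Stand-alone run: print the same crash list under both vector-base settings. */
int main(void) {
    const uint32_t bases[2] = { VBASE_LOW, VBASE_HIGH };
    for (int b = 0; b < 2; b++) {
        printf("vector base 0x%08X\n", bases[b]);
        for (size_t i = 0; i < SAMPLE_FAULT_COUNT; i++) {
            int idx = vector_hit(bases[b], SAMPLE_FAULTS[i]);
            printf("  fault at 0x%08X: %s", SAMPLE_FAULTS[i], triage(bases[b], SAMPLE_FAULTS[i]));
            if (idx >= 0)
                printf(" (%s entry)", VECTOR_NAMES[idx]);
            printf("\n");
        }
    }
    return 0;
}
```

Run as-is, the program shows the two faults at 0x08 and 0x18 flagged as vector-table overwrites (SWI and IRQ) when the base is 0, and none flagged once the base is 0xFFFF0000; the same NPE report therefore deserves a very different severity depending on how the part is configured, which is the check a firmware reviewer would add to crash triage.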
I also enjoyed Mark Russinovich's presentation on Vista Internals: User Account Control, Protected-Mode IE, and Bitlocker, in which he outlined many of the features implemented in Vista to solve the problem of running as an unprivileged user without sacrificing functionality that users expect (e.g. the ability to install programs). For anyone like myself who hasn't really paid much attention to Vista, it was a great primer; for anyone who has, it was probably boring. But come on, it's the SysInternals guy, can't go wrong with that. He even said "Process Explorer" a couple of times when he intended to say "Task Manager" -- old habits die hard.
HD Moore's Live Free or Hack Hard: Metasploit 2007 was impressive as always. Not much to say other than they've added a ton of new features and the interface is getting better all the time. What's really amazing is the tiny amount of code required to extend its functionality. Of course you have to learn Ruby first.
Marcel Holtmann from Red Hat presented Wii Control You, in which he demonstrated a Linux driver for the Nintendo Wii controller and his progress on reverse engineering the PS3 controller. Good stuff.
Finally, Luis Miras spoke on Other Wireless: New ways to get Pwned, in which he focused on wireless controllers using RF, specifically keyboards and mice. He simply tapped into the data path between the microcontroller (MCU) and the transmitter IC, then reversed the communication protocol by observing the patterns generated in response to certain keypresses. Once the protocol was deciphered he could attach his own MCU to generate any traffic pattern desired. Sadly, the demo was a bust because his trusty PICSTART microcontroller died in transit. You can always count on Luis for an interesting talk; however, the "oh crap" moment of this one had nothing to do with hijacking keyboards and mice, but rather the fact that the other published applications for the transmitter IC include car alarms and home security systems.
Lightning talks were the reason this day didn't end until after 9pm. There were about 15 of them, the best of which included:
Then everyone went out and knocked a few back on Microsoft's nickel. Not a bad way to end the day.