Rigorous and sometimes raw disclosure of network vulnerabilities will all be part of the action at next week’s back-to-back hackfests, Black Hat and Defcon in Las Vegas.
Exploits that can lure wireless LAN users into phony access points, plus discussions of how to break into computers by manipulating coding errors, will be hot topics. At one session, AirTight Networks will demonstrate how phony WLAN access points can be set up to trick a WLAN user into using them -- an attack AirTight says neither its intrusion-prevention system (IPS) nor anyone else’s can stop.
“We call it ‘multipot,’ and we accidentally stumbled upon this observation in our own testing,” says Pravin Bhagwat, CTO at AirTight, about its planned demo at Defcon.
The ‘multipot’ attack, according to Bhagwat, is a variation on the Evil Twin ploy, in which a single WLAN access point is given a spoofed Service Set Identifier based on the SSID of a legitimate wireless access point, something done through WLAN sniffing.
“With Evil Twin, the attacker sits in the path of the network, monitoring the user with the purpose of stealing log-in credentials and observing other traffic,” says Bhagwat. Today’s IPS can thwart this by breaking the connection by keeping track of authorized access points, he says.
But to his dismay, Bhagwat says, AirTight has found that if the attacker has set up two or more controlled Evil Twin access points to lure in a single WLAN user, the IPS is ineffective at repelling the attack.
“You kill one connection but the new one is enabled,” says Bhagwat. “Why can’t you knock both off at the same time? Because you need a sensor to transmit and it can only transmit one at a time. It’s a cat-and-mouse game.”
Bhagwat says AirTight will be doing the Multipot demonstration at Defcon because “there’s a need in this industry to become aware of this so new technologies can be developed.” AirTight says it’s experimenting with a new defense but doesn’t expect to be able to publicly reveal it until later in October.
A session at Black Hat that could provoke discussion will show how it’s possible to remotely compromise servers by exploiting a class of coding error known as dangling pointers that developers might leave in C or C++ applications.
Danny Allen, director of security research at Watchfire, which will be demonstrating the attack, describes a dangling pointer as a software error in which a pointer that’s supposed to indicate a specific address in memory holding a particular software object is actually pointing to an address in memory that doesn’t hold anything.
“Dangling pointers were never deemed to be a security risk, but we’ll show a way to automate remote command execution to alter the pointer to look at the place where we have the ability to write code,” says Allen. “You can automate where you want malicious code to be. We’re not trying to find your dangling pointers for you, but we’ll show how they can be exploited to take root control of the machine.”
Microsoft earlier this month released a patch for Microsoft Internet Information Server after Watchfire recently showed Microsoft how a dangling-pointer code flaw it had left unfixed for two years could be manipulated, says Allen.
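As an added illustration (not Watchfire's demonstration or any code from the article), here is the dangling-pointer pattern Allen describes beside the defensive habit that removes it, in C. The `struct session` record, `dispatch()` and the handler names are constructed for this example.

```c
#include <stdlib.h>

/* Constructed example (not Watchfire's or Microsoft's code): a session record
 * that a server frees when the client disconnects. */
struct session {
    int id;
    int (*on_request)(struct session *);   /* handler called for each request */
};

static int default_handler(struct session *s) { return s->id; }

/* Buggy pattern: free() the object but leave the caller's pointer untouched.
 * Any later dispatch() through that pointer reads a function pointer out of
 * freed memory; once the allocator has handed the block to another allocation,
 * the value it reads is whatever now occupies it. Not exercised below. */
void close_session_buggy(struct session *s) {
    free(s);
    /* the caller's copy of s still holds the old address: a dangling pointer */
}

/* Hardened pattern: free through the owning slot and null it, so the
 * dangling reference cannot survive the free. */
void close_session_safe(struct session **slot) {
    free(*slot);
    *slot = NULL;
}

/* Every use checks the pointer first and fails closed (-1) instead of
 * calling through an object that no longer exists. */
int dispatch(struct session *s) {
    if (s == NULL || s->on_request == NULL)
        return -1;
    return s->on_request(s);
}

/* Returns 0 when the safe lifecycle behaves as expected. */
int demo_safe(void) {
    struct session *s = malloc(sizeof *s);
    if (s == NULL)
        return -2;
    s->id = 42;
    s->on_request = default_handler;
    int before = dispatch(s);    /* 42: live object */
    close_session_safe(&s);      /* s is now NULL, not dangling */
    int after = dispatch(s);     /* -1: rejected, no freed memory touched */
    return (before == 42 && after == -1) ? 0 : 1;
}
```

Building the buggy path with `-fsanitize=address` (the GCC/Clang AddressSanitizer) and calling `dispatch()` after `close_session_buggy()` is the simplest way to have a use-after-free reported during testing rather than discovered in production.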
Comments (2)

The Black Hat/Defcon hackfests
By meatpieandtatters on July 25, 2007, 8:25 pm
Re: Black Hat/Defcon hackfests next week promise rollicking action.
bah ... wish I could go .... -meatpieandtatters
bit of a typo, it seems...
By Glenn Charles on August 1, 2007, 12:32 pm
'Some controversy already has swirled around the Black Hat conference as last moth...' Probably a month rather than a moth; sort of the ESP kinda thing... --Glenn