
Adventures in SoCal (when it's not on fire)

Ah, just back from Toorcon in San Diego. I’ve been doing Toorcon for years; it’s one of my favorites just from the perspective of everyone being able to hang out freely with no distance between “speakers” and “attendees”. Lots of smart people up to great stuff. Nate McFeters actually told me of a brilliant and obvious (in retrospect) attack against the JVM’s 11-year-old DNS rebinding defenses:

1) Tell the JVM to load your code from http://www.attacker.com (resolving to the attacker’s IP)
2) Crash the JVM
3) Rebind http://www.attacker.com to the target IP
4) Tell the JVM to load your code from http://www.attacker.com again. It won’t fetch from the target IP: it has a local code cache keyed on hostname only, so it runs the cached attacker code while the hostname now resolves to the target.

Yes, they reimplemented the 11-year-old DNS rebinding bug. *sighs* Apparently it’s fixed, or is about to be anyway.
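The four steps as a runnable toy model, added here as an example and not JVM code: the hostname, addresses and class names are assumptions, and the model only captures the two behaviours the post describes (a per-process DNS pin that dies with the crash, and a code cache that survives it and is keyed on hostname only). The hardened variant, which refuses cached bytes when the name no longer resolves to the IP they came from, is one plausible fix I picked for contrast; the post does not say how Sun actually fixed it.

```python
"""Toy model of the JVM DNS rebinding attack described above.

Constructed example, not JVM source: the hostname, addresses and class
names are assumptions chosen to make the four steps runnable. Modelled
from the post: the JVM pins the first resolution of a hostname for the
life of the process, and its code cache survives a crash and is keyed
on hostname only.
"""
from dataclasses import dataclass
from typing import Optional

HOST = "www.attacker.com"
ATTACKER_IP = "203.0.113.10"  # assumption: attacker's public web server
TARGET_IP = "10.0.0.5"        # assumption: internal host behind the victim's firewall
SERVERS = {ATTACKER_IP}       # only the attacker's server actually serves the applet bytes


class AttackerDNS:
    """Attacker's authoritative name server: answers with whatever it is set to right now."""

    def __init__(self) -> None:
        self.answer = {HOST: ATTACKER_IP}

    def lookup(self, host: str) -> str:
        return self.answer[host]


class PinnedResolver:
    """The JVM's rebinding defense: the first answer for a hostname is kept until the process dies."""

    def __init__(self, upstream: AttackerDNS) -> None:
        self.upstream = upstream
        self.pins: dict = {}

    def resolve(self, host: str) -> str:
        if host not in self.pins:
            self.pins[host] = self.upstream.lookup(host)
        return self.pins[host]


@dataclass(frozen=True)
class Applet:
    origin_host: str      # host the applet is allowed to connect back to
    fetched_from_ip: str  # IP the bytes were actually downloaded from


def fetch(host: str, ip: str) -> Applet:
    """Download the applet for `host` from `ip`; fails if that IP does not serve it."""
    if ip not in SERVERS:
        raise ConnectionError(f"{ip} does not serve an applet for {host}")
    return Applet(host, ip)


class JVM:
    def __init__(self, dns: AttackerDNS, code_cache: dict, verify_cached_origin: bool = False) -> None:
        self.resolver = PinnedResolver(dns)   # pins die with the process
        self.code_cache = code_cache          # shared across processes, keyed on hostname only
        self.verify_cached_origin = verify_cached_origin
        self.applet: Optional[Applet] = None

    def load_applet(self, host: str) -> Applet:
        ip = self.resolver.resolve(host)
        applet = self.code_cache.get(host)
        if applet is not None and self.verify_cached_origin and applet.fetched_from_ip != ip:
            # Hardened variant (my assumption, not the vendor's fix): the cached bytes came
            # from a different IP than the name now resolves to, so refetch instead of reusing.
            del self.code_cache[host]
            applet = None
        if applet is None:
            applet = fetch(host, ip)
            self.code_cache[host] = applet
        self.applet = applet
        return applet

    def connect_back(self) -> str:
        """Same-origin rule: the applet may open a socket to its origin host. Where does it land?"""
        assert self.applet is not None
        return self.resolver.resolve(self.applet.origin_host)


def run(verify_cached_origin: bool = False) -> Optional[str]:
    """Play the four steps; return the IP the applet's connect-back reaches, or None if refused."""
    dns = AttackerDNS()
    code_cache: dict = {}
    jvm = JVM(dns, code_cache, verify_cached_origin)
    jvm.load_applet(HOST)                              # 1) fetched from, and pinned to, attacker IP
    jvm = JVM(dns, code_cache, verify_cached_origin)   # 2) crash: new process, pins gone, cache kept
    dns.answer[HOST] = TARGET_IP                       # 3) rebind the name to the target
    try:
        jvm.load_applet(HOST)                          # 4) served from cache; name now pins to target
    except ConnectionError:
        return None
    return jvm.connect_back()


if __name__ == "__main__":
    print("vulnerable JVM: applet connects back to", run())
    print("hardened JVM:   applet connects back to", run(verify_cached_origin=True))
```

In the vulnerable run the cached attacker applet comes back with the hostname freshly pinned to the target, so its "same origin" socket lands on 10.0.0.5; the hardened run notices the cache entry was fetched from a different IP, tries to refetch from the target, and refuses when the target does not serve it. The real fix can differ; the point is that a cache keyed on hostname alone silently outlives the pin it was supposed to be protected by.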

So one of the really cool things about giving these talks is seeing how people process the information and go off in a hundred different directions. Check this line of thinking out: apparently, the entire plugin API never anticipated that hosts or IPs would ever matter, and people have been hacking that information out of the DOM ever since. Every once in a while, as a security auditor, you see a system that is clearly designed in such a way that it implies its own exploit. This is a good example.

It’s wandering season! I don’t get to do nearly as many new cons as I’d like (and people have no idea how much it kills me not to be able to accept every invitation), but this month I’m actually hitting not one but two new events. First, I’m flying out for Bar Camp LA this weekend, November 3rd and 4th. Bar Camp is interesting: it’s a sort of “pattern” for a semi-self-organizing weekend con that’s gotten syndicated out worldwide. Check out the main Bar Camp Wiki; there are something like 29 of these coming up in the next few months. I have a lot of fun every time I stop by Los Angeles (understatement), and Bar Camp should be especially interesting as I get to hang out with a whole new crew of smart people, not all of whom are even hackers.

(Side note: Spent some time hanging out with some guys from the Golem Group at Caltech, who were all too happy to show me running simulation code from their entry into the 2007 DARPA Urban Grand Challenge. I got to watch a live recording of the real world as a series of OpenGL particles. LIDAR is officially awesome. This alone made that day grand; the bouncy castle, the Mexican wrestling masks, the lecture on biological logic, and the feather boa put it into an entire new class of awesome.)

Categories: Security
  1. paul
    July 8, 2008 at 5:43 pm

    I am vulnerable to hacking, according to your site. How do I fix this?

  2. Dan
    July 26, 2008 at 10:19 am

    Have you downloaded the latest patches from Microsoft using Windows Update and please tell us what Windows version you are using. Fortunately, I am using Windows 98 Second Edition and am not vulnerable. I await your reply with interest.

    —————————————— break-

    Your ISP’s name server,, has other protections above and beyond port randomization against the recently discovered DNS flaws. There is no reason to be concerned about the results seen below.
    Requests seen for 8f63238a336e.toorrr.com: TXID=12982 TXID=3941 TXID=7778 TXID=50436 TXID=35677

  3. July 26, 2008 at 1:23 pm

    I have seen this on one machine: no matter what you type in, it always goes to one site. I cleared the cache a couple of times and rebooted the machine, and this seemed to solve the problem. Great work guys.

