Recently, I had the pleasure of attending the ZeroNights 2012 security conference. ZeroNights 2012 is an international conference that covers the technical side of information security. The main scope of the conference is to distribute information about new attack methods, threats and defense tools.
This year’s conference took place last November 19-20 in Moscow, right in the middle of the city with both the Kremlin and the Moscow River nearby. I had some problems finding the venue as it was a bit hidden and it was rush hour, but I was (almost) on time and only missed the welcome coffee and the keynote.
The conference itself had four tracks, and I have to admit that I was lost at times due to the choices available and had to cast lots to decide which track to go for. I would like to highlight the three presentations that impressed me the most.
“No locked doors, no windows barred: hacking OpenAM infrastructure” by Andrey Petukhov and Georgy Noseyevich
One of the main functional components of enterprise applications and Internet portals is an authentication and access control system (AuthC/Z). This presentation described a popular access control system called ForgeRock OpenAM.
During the presentation, Andrey and his assistant Georgy showed how it is possible to exploit Server Side Request Forgery and Local File Inclusion vulnerabilities in this access control system. Combining these two vulnerabilities with an XML external entity vulnerability, they were able to read files and folders on the server side. Using the three techniques together, they wrote a simple FUSE module to read files remotely. The FUSE module cached files, and then with bash commands it is easy to “ls” or “cat” or even “find” everything you need on the server side.