This post is about padding oracle vulnerabilities and the tool for attacking them, “Poracle”, which I’m officially releasing right now. You can grab the Poracle tool on Github!
At my previous job — Tenable Network Security — one of the first tasks I ever had was to write a vulnerability check for MS10-070 — a padding oracle vulnerability in ASP.NET. It’s an interesting use of a padding oracle vulnerability, since it leads to code execution, but this blog is going to be a more general overview of padding oracles. When I needed to test this vuln, I couldn’t find a good writeup on how they work. The descriptions I did find were very technical and academic, which I’m no good at. In fact, when it comes to reading academic papers, I’m clueless and easily frightened. But I struggled through them, and now I’m gonna give you a writeup that even I’d be able to understand!
By the way, the Wikipedia page for this attack isn’t very good. If somebody wants to summarize my blog and make it into a Wikipedia page, there’s now a source you can reference. :)
On a related note, I’m gonna be speaking at Shmoocon in February: “Crypto: You’re doing it wrong”. Among other things, I plan to talk about padding oracles and hash extension attacks — I’m really getting into this crypto thing!
Ethics of password cracking/dissemination
It’s rare these days for me to write blogs that I have to put a lot of thought into. Most of my writing is technical, which comes pretty naturally, but I haven’t written an argument since I minored in philosophy. So, if my old Ethics or Philosophy profs are reading this, I’m sorry!
Faking demos for fun and profit
Earlier this month
Last year (if this intro doesn’t work, I give up trying to post this :) ), I presented at B-Sides Ottawa, which was put on by Andrew Hay and others (and sorry I waited so long before posting this… I kept revising it and not publishing). I got to give a well-received talk, meet a lot of great folks, see Ottawa for the first time, and learn that I am a good, solid Security D-lister. w00t!
Before I talk about the fun part, where I completely faked out my demo, if you want the slides you can grab them here:
http://svn.skullsecurity.org:81/ron/security/2010-11-bsides-ottawa/. You can find more info about the conference and people’s slides at the official site. And finally, here’s a picture of me trying to look casual.
B-Sides conferences, for those of you who don’t know, are awesome little conferences that often (but not always) piggyback on other conferences. They are free (or cheap), run by volunteers, and have raw and technical talks. B-Sides Ottawa was no exception, and I’m thrilled I had the chance to not only see it, but take part in it. I really hope to run our own B-Sides Winnipeg next year!
Update on my life, conferences, career, etc
It’s been a while since I’ve written on my blog, and I apologize. I’m at a job now where I actually spend my day working instead of pondering, so it’s hard to find time! :)
So, what’s new with me?
I’m working on some cool new Nmap stuff right now, so I’m hoping to write about that in the next couple months. Web application fingerprinting isn’t something I’ve seen done much, but I’m hoping Nmap can make some good progress on it with the help of Yokoso, Nikto, and some other resources.
Who’s going to Shmoocon?
I’m heading to Shmoocon on Feb 4 - 8, so two things:
a) Who wants to meet up? I have plans on the Saturday, but not much else yet.
b) Please don’t hack me while I’m gone. ;)
Thanks to everybody who came out to my Toorcon talk! I had a great weekend, even the part where I got stuck in San Francisco and spent two full days getting home. Oops :)
A couple people asked me if I’d put up my slides, so here you go:
(If you want the original OpenOffice format, directory listings are enabled on that server)
Thanks once again, and it was great to meet all of you!