Portcullis Labs » OMC
https://labs.portcullis.co.uk
Research and Development

Graham “@gsuberland” Sutherland’s 44CON presentation
https://labs.portcullis.co.uk/blog/graham-gsuberland-sutherlands-44con-presentation/
Fri, 11 Sep 2015 13:16:32 +0000

Graham recently gave a presentation at 44CON’s community night entitled “GET IN THE RING0” on the subject of Windows kernel drivers.

His talk covered:

  • Same basic concepts as writing usermode apps
  • Some additional bits
    • Talking between usermode / kernelmode
    • Major functions, IRPs, IOCTLs
    • Special concepts like IRQLs
  • (mostly) officially documented on MSDN!
  • (most of) the rest is reverse engineered

You can find the slides here.

The post Graham “@gsuberland” Sutherland’s 44CON presentation appeared first on Portcullis Labs.

Burp Extension
https://labs.portcullis.co.uk/blog/burp-extension/
Wed, 26 Aug 2015 12:09:36 +0000

At Portcullis, one of the more frequent assessments we perform is the web application assessment. One of the main challenges we face during these assessments is looking for information that can either help escalate our privileges or allow us to gain access to different functionalities of the web application. Unauthorised access to functionality can often be considered an issue; however, testing for this can also lead to information about the type of web server an application is running on, the underlying host and its version.

To check whether an application is out-of-date, or if there are any known vulnerabilities associated with said version, we must first obtain the server and version information. This can often prove time consuming and can be subject to human error. To improve effectiveness and reduce the occurrence of human error, we developed a BurpSuite extension that checks whether the server discloses any information within the response headers and automatically adds the issue to an issues list.

In addition to checking for disclosed information, the extension will also make a request to the web server’s main page for the latest version and compare this to the version in use by the application in question, to confirm that it is the most up to date available. The most common web servers, and some others, are already bundled with the extension. However, the extension also provides a configuration tab in which the headers that are checked for information disclosure can be modified, removed or added. This also applies to the software, URLs and regular expressions used to obtain the latest versions.

[Image: BURPEXTENSION]

In the above image, you will see that there are two other pieces of functionality bundled with the extension. The first follows the same line of enquiry as the previous one (checking the server’s response headers): the extension is also able to check for missing security headers. As before, whilst most of the security headers are already bundled with the extension, it is possible to add more/alternative headers to be checked for. Additionally, there is an option to add an informational issue if any of the security headers are found.

The second piece of functionality is a default Burp state restorer. Following good practice, a new assessment would start with a clean Burp state. To improve efficiency, instead of repeatedly loading the same state, you can use the extension to load a state file from any chosen path. This will save you at least 4 clicks and you won’t forget to configure anything when starting Burp.

Finally, the last piece of functionality provided by the extension is a new tab on the request and response editor window that parses a JSON object and prints it with indentation, making it easier to read. This will prove useful when dealing with web services or AJAX requests with JSON responses.

It should be noted that when reporting the information disclosure and the missing headers issues, only one issue is reported per host. In cases where different findings appear in later responses, further issues will be added with the new findings.
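The checks described above (version disclosure in response headers, comparison against the latest release, missing security headers, and reporting only new findings per host) can be sketched as follows. This is an added example, not the extension's own code; the header lists, the regular expression and the constructed LATEST table, which stands in for the lookup against each vendor's page, are assumptions.

```python
import re

# Assumed defaults for this sketch; the extension ships its own configurable lists.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
SECURITY_HEADERS = ("strict-transport-security", "x-frame-options",
                    "x-content-type-options", "content-security-policy")
# Constructed "latest release" table, kept offline in place of a live lookup.
LATEST = {"apache": "2.4.16", "nginx": "1.9.4"}
# Matches product/version tokens such as "Apache/2.4.7".
PRODUCT_RE = re.compile(r"([A-Za-z][\w.-]*)/(\d+(?:\.\d+)*)")


def version_tuple(version):
    """Compare versions numerically: as strings, "2.4.7" sorts after "2.4.16"."""
    return tuple(int(part) for part in version.split("."))


class HeaderChecker:
    def __init__(self):
        self.seen = {}  # host -> findings already reported for that host

    def check(self, host, headers):
        """Return only the findings not yet reported for this host."""
        hdrs = {k.lower(): v for k, v in headers.items()}
        findings = set()
        for name in DISCLOSURE_HEADERS:
            value = hdrs.get(name)
            if not value:
                continue
            findings.add(("disclosure", name, value))
            for product, version in PRODUCT_RE.findall(value):
                latest = LATEST.get(product.lower())
                if latest and version_tuple(version) < version_tuple(latest):
                    findings.add(("outdated", product.lower(),
                                  f"{version} < {latest}"))
        for name in SECURITY_HEADERS:
            if name not in hdrs:
                findings.add(("missing", name, ""))
        new = findings - self.seen.setdefault(host, set())
        self.seen[host] |= new
        return sorted(new)


if __name__ == "__main__":
    checker = HeaderChecker()
    # Constructed response headers for a hypothetical host.
    sample = {"Server": "Apache/2.4.7 (Ubuntu)", "X-Frame-Options": "DENY"}
    for finding in checker.check("app.example", sample):
        print(finding)
```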

The source code of the application can be found at: https://github.com/eonlight/BurpExtenderHeaderChecks

This blog post was written by Ruben

The post Burp Extension appeared first on Portcullis Labs.

EMF Camp 2014 talk
https://labs.portcullis.co.uk/blog/emf-camp-2014-talk/
Thu, 28 Aug 2014 17:15:14 +0000

We recently announced our sponsorship of EMF Camp 2014. We’re ready to go, Portcullis flags in tow, and will be heading on over to Milton Keynes to help get EMF ready.

While there, we will not only be sponsoring the Lounge, where people can come and enjoy a space to relax and drink beer, and setting up Portcullis Village, where people can visit us and exchange ideas, but will also have members of Portcullis hosting talks throughout the weekend.

How Many Bugs Can A Time Server Have? Friday 29th @ 14:00PM Stage B

Portcullis members Tim Brown and Mike Emery will be talking about a number of new advisories to be released by Portcullis during the event including remote root in a network device. The attack surface area will be broken down, with the bugs in each area exposed. The impact of the finding as a whole will then be discussed, with the consequences potentially reaching far beyond the compromised device itself!

Minimal Effort Web Application Security (a.k.a. how to make my job harder) Sunday 31st @ 12:00 Stage C

Portcullis member Graham Sutherland will be presenting his quick tips on making your web applications more resistant to common attack vectors, without putting a lot of effort in. Graham says “In some cases, simply adding a line to a configuration file can completely prevent entire classes of attack from being viable”. Graham will take a look at hardening against XSS, SQL injection, clickjacking, password cracking, and a few other bits if there’s time. “With any luck, you’ll make my job a lot harder!”

For those spoilt for choice, both talks will be featured in our EMF blog, to be posted after the event.

The post EMF Camp 2014 talk appeared first on Portcullis Labs.
