On day two HD Moore demonstrated a new feature of his tool, Metasploit, to take complete control over every vulnerable computer on the network in one quick command. Not to be outdone, Mark Russinovich showed off the many security features of UAC in Microsoft Vista and how they might protect an unknowing user from some of these attacks. Russinovich also showed off a piece of payload-less malware that he wrote that may trick some users into allowing a piece of malicious code to run in an elevated privilege mode.

HD Moore on Metasploit 3

Moore talked a lot about Metasploit 3, which has just been released in its final version. Metasploit is an exploitation framework that allows the user to simply select an attack, a victim and a payload to attack the chosen system. This tool is amazingly powerful and shows us just how important it is to get good testing before we ship. He talked about the ANI vulnerability that allowed for remote code execution on the Vista OS. The Metasploit team was able to get a working plugin for the framework just 3 days after the exploit was known, which was at least one day before the Microsoft Security Response Team could release a patch. This type of vulnerability is simply unacceptable; there needs to be a better mechanism in place for finding these types of problems before they make it into the hands of HD and his team of uber-hackers.

Mark Russinovich on UAC and Vista

Russinovich demonstrated many of the new features of Windows Vista that can help protect a user from attacks. The security benefit of these features is significantly increased if developers and testers know how these features work. Not using these features breaks the UAC model in two ways. First, it causes too many “accept/deny” dialog boxes, lessening the influence of that dialog box: if the general user gets too used to granting high privileges to processes, they won’t recognize when to deny it when that day comes. Second, if a process running with a high privilege has a vulnerability in it, then the UAC control will provide no security benefit and the attacker will claim all privileges that the process was using. We’ve seen this kind of high privilege vulnerability being extremely devastating to the user.

After HD Moore’s talk I really started to think about what I thought about a tool like Metasploit that makes it so easy to attack unpatched systems. Is it that Moore is simply acting as a necessary part of the natural security ecosystem, or is he building the digital equivalent to the Tommy Gun, which has no benign, legitimate purpose? Is it moral to use such a tool? Is it necessary to use a tool while doing a penetration test, or would discovery of such vulnerabilities without exploitation be enough?

For more information on HD Moore’s tool, Metasploit, see the Metasploit webpage at: www.metasploit.org. When Russinovich posts his whitepaper on the new UAC controls in Microsoft Vista I will post the link here, please check back soon.

–Joe Basirico
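To make the UAC point concrete for developers, here is an added illustration that is not part of the post or of Russinovich's talk: the requestedExecutionLevel element of a Windows application manifest, which is where an application declares what token it wants to run with. The application name and version are placeholders; the weak setting is shown commented out beside the corrected one.

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- Added example manifest for a hypothetical program "ExampleTool".
     The assemblyIdentity values are placeholders, not a real product. -->
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" processorArchitecture="*"
                    name="Example.ExampleTool" type="win32" />
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <!-- Weak setting: demanding a full administrator token for a program
             that only reads files and writes to the user's own profile.
             Every launch raises a UAC consent prompt (dialog fatigue), and
             any bug in the process now runs with the elevated token, so UAC
             gives no benefit if the process is compromised. -->
        <!-- <requestedExecutionLevel level="requireAdministrator" uiAccess="false" /> -->

        <!-- Corrected setting: run with the launching user's standard token.
             No prompt is shown, and a vulnerability in the process yields only
             the standard user's privileges, leaving the UAC boundary intact. -->
        <requestedExecutionLevel level="asInvoker" uiAccess="false" />
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
```

A program that genuinely needs administrative rights for one operation is better split so that only that operation runs in a separate elevated process while the rest stays at asInvoker; the consent dialog then appears only at the moment privileges are actually about to change, which is exactly when the user should be paying attention to it. Testing the application under a standard-user account, rather than an administrator account, is the quickest way to find the places where it silently assumed elevation.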