


Live from CanSecWest: Day 2

Apr 23, 2007
Data and Information Security

On day two HD Moore demonstrated a new feature of his tool, Metasploit, that takes complete control of every vulnerable computer on the network with one quick command. Not to be outdone, Mark Russinovich showed off the many security features of UAC in Windows Vista and how they might protect an unknowing user from some of these attacks. Russinovich also showed off a piece of payload-less malware he wrote that may trick some users into allowing malicious code to run at an elevated privilege level.

HD Moore on Metasploit 3

Moore spent much of his talk on Metasploit 3, which has just been released in its final version. Metasploit is an exploitation framework that lets the user simply select an exploit, a target and a payload, then launch the attack against the chosen system. The tool is amazingly powerful, and it shows just how important good security testing is before we ship. He discussed the ANI (animated cursor) vulnerability that allowed remote code execution on Vista. The Metasploit team had a working module for the framework just three days after the exploit became known, at least a day before the Microsoft Security Response Center could release a patch. This type of vulnerability is simply unacceptable; there needs to be a better mechanism for finding these problems before they make it into the hands of HD and his team of uber-hackers.

Mark Russinovich on UAC and Vista

Russinovich demonstrated many of the new features in Windows Vista that help protect a user from attacks. The security benefit of these features increases significantly when developers and testers understand how they work. Applications that ignore them break the UAC model in two ways. First, they cause too many “accept/deny” dialog boxes, which lessens the weight users give to that dialog; if the general user gets used to granting high privileges to processes, they won’t recognize when to deny the request on the day it matters. Second, if a process running with high privilege has a vulnerability, UAC provides no security benefit against it: the attacker inherits every privilege the process was using. We’ve seen vulnerabilities in highly privileged processes prove extremely devastating to users.
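The setting that decides whether an application runs with the user’s standard token or demands elevation is the requestedExecutionLevel element of the Win32 application manifest; a program marked requireAdministrator is exactly the second case above, because every bug in it then runs with a full administrator token. The audit script below is an added example, not code from Russinovich’s talk or from Microsoft: it parses that element and flags manifests that request elevation. The manifest schema and the three level values are the real ones; the sample manifests, the audit function and its verdict strings are constructed for this example.

```python
"""Audit Win32 application manifests for the UAC elevation they request.

Added example, not code from the CanSecWest talk or from Microsoft. The
trustInfo/requestedExecutionLevel element and its three level values are
the real Vista manifest schema; the sample manifests below are constructed.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

# Namespace of the trustInfo block in a Windows application manifest.
# asm.v3 is the documented one; asm.v2 appears in older samples and is
# still accepted, so both are checked.
TRUSTINFO_NAMESPACES = ("urn:schemas-microsoft-com:asm.v3",
                        "urn:schemas-microsoft-com:asm.v2")

# Only asInvoker keeps the process on the user's filtered (standard) token.
# The other two values produce a UAC prompt and, once the user consents, a
# full administrator token that every bug in the program then runs with.
VERDICT = {
    "asInvoker": "ok: standard user token, no prompt",
    "highestAvailable": "warn: prompts administrators, elevated if consented",
    "requireAdministrator": "flag: always prompts, runs fully elevated",
}


def requested_execution_level(manifest_xml: str) -> tuple[str, bool]:
    """Return (level, uiAccess) declared in the manifest.

    A manifest with no requestedExecutionLevel requests nothing, so it is
    reported as asInvoker here. (Vista's installer-detection heuristic can
    still prompt for 32-bit executables that omit the element; that is a
    loader behaviour, not a manifest property, and is outside this check.)
    """
    root = ET.fromstring(manifest_xml)
    for ns in TRUSTINFO_NAMESPACES:
        elem = root.find(f".//{{{ns}}}requestedExecutionLevel")
        if elem is not None:
            level = elem.get("level", "asInvoker")
            ui_access = elem.get("uiAccess", "false").lower() == "true"
            return level, ui_access
    return "asInvoker", False


def audit(manifest_xml: str) -> str:
    """One-line verdict for a manifest, for use in a build or review check."""
    level, ui_access = requested_execution_level(manifest_xml)
    verdict = VERDICT.get(level, f"flag: unknown level {level!r}")
    if ui_access:
        # uiAccess=true lets the process send input to windows of higher
        # integrity; Vista only honours it for signed binaries installed in
        # a secure location, so it deserves review whatever the level says.
        verdict += "; uiAccess=true, can drive higher-integrity windows"
    return f"{level}: {verdict}"


def sample_manifest(level: str, ui_access: str = "false") -> str:
    """Constructed sample manifest (real ones usually carry more elements)."""
    return f"""<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" name="Example.App" type="win32"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="{level}" uiAccess="{ui_access}"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>"""


# Constructed manifests: the one a well-behaved tool should ship, the one
# that turns every vulnerability in the program into an administrator
# compromise, and a legacy-style manifest that never mentions trustInfo.
MANIFEST_ASINVOKER = sample_manifest("asInvoker")
MANIFEST_REQUIRE_ADMIN = sample_manifest("requireAdministrator")
MANIFEST_NO_TRUSTINFO = """<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" name="Legacy.App" type="win32"/>
</assembly>"""

if __name__ == "__main__":
    for name, xml in (("asInvoker", MANIFEST_ASINVOKER),
                      ("requireAdministrator", MANIFEST_REQUIRE_ADMIN),
                      ("no trustInfo", MANIFEST_NO_TRUSTINFO)):
        print(f"{name:22} -> {audit(xml)}")
```

In a real audit the manifest comes out of the executable’s RT_MANIFEST resource (or a side-by-side .manifest file) rather than a string; the parsing and verdict logic are the same. The useful finding is usually not the requireAdministrator entries, which are at least honest about it, but the tools that could have run as asInvoker and only ask for elevation because nobody tested them on a standard-user account.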

After HD Moore’s talk I really started to think about what I thought about a tool like Metasploit that makes it so easy to attack unpatched systems. Is Moore simply acting as a necessary part of the natural security ecosystem, or is he building the digital equivalent of the Tommy gun, which has no benign, legitimate purpose? Is it moral to use such a tool? Is it necessary to use such a tool while doing a penetration test, or would discovery of the vulnerabilities without exploitation be enough?

For more information on HD Moore’s tool, Metasploit, see the Metasploit web page. When Russinovich posts his whitepaper on the new UAC controls in Windows Vista I will post the link here, so please check back soon.

–Joe Basirico

Joe Basirico - Security Analyst. Joe studies security and develops tools that assist in the discovery of security vulnerabilities and general application problems. His primary responsibility at Security Innovation is to deliver security courses to software teams in need of application security expertise. He has trained developers and testers from numerous world-class organizations, including Microsoft, HP, EMC, Symantec and Joe is also responsible for participating in customer security process assessments as well as security engineering activities such as security design reviews, security code reviews, security testing and security deployment reviews. Joe holds a B.S. in Computer Science from Montana State University.

John Carmichael - Security Researcher. John leverages his strong lab development, programming and security process skills to deliver factual and useful training courses to testers and developers. John is a skilled software and Web developer with deep expertise in several different languages and environments. He has made many contributions to the open source software community by developing an open source structured drawing tool implemented in Python, testing several release candidates of the Sarge installer for the Debian Linux distribution, and writing a soon-to-be-released Windows OS crash analyzer product. John has a B.S. in Computer Science and Business Administration from the University of Vermont and is currently working toward an M.S. in Computer Information System Security from Boston University.