DEFCON 16 – Las Vegas 2008
hack-fu by Matt Hillman
Last week I attended DEFCON 16 in Las Vegas. I went last year as well, so I knew to expect the huge throngs of people, the strange mix of young, old, and crazy-haired and all the usual antics that happens when you gather around 7 thousand hackers in one place.
There's a lot to do at DEFCON besides attending presentations, but this year I was there for business not just pleasure, so I went on a presentation-attending marathon. I must admit that this year there were less "wow" moments as far as the talks were concerned, but there were still some decent talks ands of course lots of opportunities to catch up with friends and acquaintances from around the world.
Here's a list and some comments of the talks I attended:
Popularity: 11% [?]
SSID Script Injection
The administrative web interfaces for many wireless access points (APs) provide users with ‘Neighbourhood Wireless Scan’ functionality. This functionality scans for all accessible APs and displays the details of any APs which are identified. However, examination of these administrative interfaces revealed that a large number of them do not properly sanitise the parameters that are passed to them from any accessible APs.
An attacker could set up a fake AP with a malicious payload in the Service Set Identifier (SSID). The malicious SSID would be displayed in the ‘Neighbour’s Access Points Table’ page of the administrative interface and would be executed when an administrator scanned for APs.
Popularity: 22% [?]
DHCP Script Injection
A number of administrative applications are available which allow users to manage a network DHCP server via a web interface. This allows administrators to set up configuration options and view active DHCP leases.
it was found that a large number of these administrative web applications did not properly sanitise parameters that were passed to them from the DHCP server and therefore an attacker. In particular, a specially crafted DHCPREQUEST message containing malicious JavaScript or HTML code in the DHCP Options Hostname field could be sent to the DHCP server; the malicious code would then be displayed in the DHCP active leases page of the vulnerable administrative application and would be executed when an administrator visited the page.
Popularity: 17% [?]