Speaker: Rodrigo Rubira Branco
Hackers have been creating knowledge and sharing information since the inception of technologies. They have a deep understanding of the inner workings of systems and different motivations. Just like a company that faces competition and external challenges, and tries to build its products to face those challenges, improving at each generation (or not), a hacker builds up knowledge and evolves based on that. Given different objectives and targets, they will focus their abilities in separate areas. If a hack seems easy to someone, maybe it is because they already built the knowledge and understood the challenges, but that does not mean somebody else is not in the process of doing so, or that this other person does not have fun while doing it (and thus really does not care about the real complexity). Different objectives, different measures. And it is possible to have fun and do interesting (and challenging) things while having the usual benefits of a job, in different ways (and each individual needs to understand that, take responsibility for their own decisions and pay the price for the wrong ones as well). Either in a technical career inside a big corporation, or as an individual collecting bounties (two apparent extremes that share lots of common factors), a researcher needs to make conscious decisions, which we hope will be discussed in this talk. In the end, the objective is to demonstrate that challenges exist, opportunities as well, and that it is possible to take different ways in life while keeping the same fundamentally technical priorities: build knowledge and have fun.
Hacking virtual appliances
Speaker: Jeremy Brown
Virtual appliances have become very prevalent these days, as virtualization is ubiquitous and hypervisors commonplace. More and more of the major vendors are providing literally virtual clones of many of their once physical-only products. Like IoT and the CAN bus, it's early in the game and vendors are late as usual. One thing that is catching these vendors off guard is the huge additional attack surface, ripe with vulnerabilities, added in the process. Also, many vendors see software appliances as an opportunity for the customer to easily evaluate the product before buying the physical one, making these editions more accessible and debuggable by utilizing features of the platform on which they run. During this talk, I will provide real case studies of various vulnerabilities created by mistakes that many of the major players made when shipping their appliances. You'll learn how to find these bugs yourself and how the vendors went about fixing them, if at all. By the end of this talk, you should have a firm grasp of how one goes about getting remotes on these appliances.
Extracting the painful (Blue)tooth
Speakers: Matteo Beccaro, Matteo Collura
Do you know how many Bluetooth-enabled devices are currently present in the world? With the beginning of the IoT (Internet of Things) and Smart Bluetooth (Low Energy), we find in our hands almost a zillion of them.
Are they secure? What if I tell you I can unlock your smartphone? What if I tell you I'm able to open the new shiny SmartLock you are using to secure your house's door? In this talk we will explain briefly how the Bluetooth (BR/EDR/LE) protocols work, focusing on security aspects. We will then show some known vulnerabilities, and finally we will consider in depth undisclosed ones, even with live demonstrations.
Cisco IOS shellcode – all-in-one
Speaker: George Nosenko
Cisco network equipment has always been an attractive attack target due to its prevalence and the key role that it plays in network structure and security.
This equipment is based on a wide variety of OS (firmware) architectures, types, and versions, so it is much harder to develop a universal shellcode. Publicly available Cisco IOS shellcodes are tailored to specific equipment, have narrow functionality, and are not exactly useful for penetration testing.
This talk presents research initiated by our research center to create a shellcode which is as easily portable between different IOS firmwares as possible and which provides a lot of pentesting features, because it can dynamically change the shellcode destination at the post-exploitation stage.
We will also consider the possibility of creating a worm which could spread across the infrastructure, from firewall to router, from router to switch, etc.
Fix it yourself: resolving UEFI vulnerabilities single-handedly
Speaker: Nikolaj Schlej
A vulnerability has been found in your firmware but the vendor isn’t in any hurry to fix it? A patch was released yesterday, but it adds two new bugs instead of resolving the old one?
You’ve had enough. Time to take firmware security into your own hands! This is a talk about finding and resolving known vulnerabilities in UEFI-compatible firmwares.
Big problems with big data – Hadoop interfaces security
Speaker: Jakub Kaluzny
Did "cloud computing" and "big data" buzzwords bring new challenges for security testers?
Apart from the complexity of Hadoop installations and the number of interfaces, standard techniques can be applied to test for web application vulnerabilities, SSL security and encryption at rest. We tested popular Hadoop environments and found a few critical vulnerabilities, which for sure cast a shadow on big data security.
illusoryTLS: Nobody But Us Impersonate, Tamper, and Exploit
Speaker: Alfonso De Gregorio
Learn how to embed an elliptic-curve asymmetric backdoor into an RSA modulus using Elligator. Find out how the security of all of TLS may turn out to be fictional if a single CA certificate with a secretly embedded backdoor enters the certificate store of relying parties. Discover how some entities might have practically explored cryptographic backdoors for intelligence purposes regardless of the policy framework.
Hack like a movie star: Step-by-step guide to crafting SCADA payloads for physical attacks with catastrophic consequences
Speaker: Marina Krotofil
Nearly all talks on SCADA vulnerabilities conclude with sweeping scenarios of physical attacks with thrilling catastrophic consequences. Mirrored in Hollywood movies and copious mass media publications, the art of cybergeddon hacks is now known to everybody: you hack into whatever can be considered "SCADA" and the next moment "all gas flows there" and the world goes nuts. And because nobody knows what the hell SCADA is anyway, "fake it until you (hopefully) make it" works nicely for SCADA talks, shamelessly making a monkey of the audience.
This talk will give the attendees a crash course on what to do once one hacks into SCADA. An evil alien targeting a remote process of respectable complexity is not immediately gifted with complete knowledge about the process and follows a series of stages before getting to the final attack. How is the process controlled? Which commands does it understand? What do exploitable features look like? All that knowledge is indispensable. And even though it is always possible to inject any input one wants, that will not necessarily amount to being able to control processes at will. Process physics and control logic interlocks might annoyingly get in the way of the villain. Using the example of forcing a traffic light kit into horribly catastrophic states, the attendees will gain practical knowledge of SCADA hacking. The talk will take the audience through all the stages of a cyber-physical attack, covering the tasks to be completed at each stage and the non-trivial detours an attacker may have to take to practically achieve her goal.
Hopefully, by the end of the presentation the audience will feel empowered to confront the charlatans and enlightened to design their own cool and authentic SCADA attacks with the desired physical consequences.
Modifying the firmwares of industrial switches
Speaker: Alexander Ermolov
The data bus is the heart of any modern ICS infrastructure. It is typically based on Ethernet technologies. This talk reviews attacks on the major element of the data bus: industrial switches. I will show how to replace the firmware on a switch by using various vulnerabilities and "default" misconfigurations. Compromising such a switch gives one virtually unlimited opportunities to control the technological process: one can cut into a connection and modify data between PLC and SCADA or PLC and gateways, forge the data transmitted to HMI and logging systems, etc. As a result, the operator may not be able to see the actual state of the technological process, which may lead to process termination or system failure. We will also consider the possibility of permanently injecting code into the switch (by compromising the loader).
Direct X – direct way to Microsoft Windows kernel
Speaker: Nikita Tarakanov
Graphics technologies expose a large number of APIs in kernel mode drivers that need to be accessible by ring 3 code. Whether you are creating a resource for a video game or a video player, you will end up using one of the low-level functions that the Windows Display Driver Model provides for interaction with the kernel driver. Graphics operations are intensive, complex and accessible to an unprivileged user. This research focuses on how to find vulnerabilities in low-level, common ring 3 to ring 0 interactions as defined by WDDM and exposed through the GDI user mode library. In this presentation we will show you fuzzing statistics, methodologies, and vulnerabilities found in Intel, NVIDIA and ATI drivers.
Attacking hypervisors using firmware and hardware
Speaker: Alexander Matrosov
In this presentation, we explore the attack surface of modern hypervisors from the perspective of vulnerabilities in system firmware, such as BIOS, and in hardware emulation. We will demonstrate a number of new attacks on hypervisors based on system firmware vulnerabilities, with impacts ranging from VMM DoS to hypervisor privilege escalation to SMM privilege escalation from within the virtual machines.
We will also show how a firmware rootkit based on these vulnerabilities could expose secrets within virtual machines and explain how firmware issues can be used for analysis of hypervisor-protected content such as VMCS structures, EPT tables, host physical addresses (HPA) map, IOMMU page tables etc. To enable further hypervisor security testing, we will also be releasing new modules in the open source CHIPSEC framework to test issues in hypervisors when virtualizing hardware.
Introducing Choronzon: an approach to knowledge-based evolutionary fuzzing
Speakers: Nikolaos Naziridis, Zisis Sialveras
The framework that will be presented is a file format fuzzer that uses evolutionary algorithms to mutate seed files and specific user-defined knowledge to focus on interesting parts of each format. We will present its architecture, the engineering problems we faced as well as the solutions we came up with. Moreover, we will exhibit results from comparing different fuzzing, seed selection and seed evaluation strategies, along with an overview of the state of the art fuzzing tools and techniques available to the security professional.
Warranty void if label removed – attacking MPLS networks
Speaker: Georgi Geshev
Multiprotocol Label Switching (MPLS) is certainly the most prevalent service provider technology used by major players to build and offer highly scalable value-added services allowing reliable transport of data and latency-sensitive traffic like voice and video. It turns out MPLS has remained largely unexplored by the security community and very little security research has ever been done in this area.
This talk will be a walk-through of research findings from assessing multiple MPLS implementations and the various key weaknesses that were found to affect a number of leading vendors. General MPLS and MPLS related terms and concepts will be briefly introduced to the audience, followed by an overview of a typical service provider network, classic topologies and basic traffic engineering strategies.
Several network reconnaissance techniques will be presented that allow an adversary to partially or, in some cases, fully reveal the MPLS backbone Label Switching Router (LSR) interconnections by leaking internal LSR IP addresses. The attack scenarios against service provider infrastructure will then be followed by attacks on customers of the MPLS domain. It should be noted that none of the examples and demonstrations require access to the MPLS backbone, i.e. attacks are executed from the perspective of a client of the MPLS domain.
This talk will be concluded with both general and, where applicable, vendor specific best practices and recommendations on reducing the attack surface of an MPLS network.
Getting the most out of CSP: a deep dive
Speaker: Sergey Shekyan
Content Security Policy is used to declare web resource content restrictions. It prevents exploitation by cross-site scripting (XSS) and related attacks. We will explore challenges of creating and deploying a policy, how reporting might be abused, and deviations between the specification and implementations. You will also learn about tools to help create and verify the efficacy of your CSP.
Did you get your token?
Speakers: Daniel (Jin Long), Azure (Yang Jietao)
Microsoft keeps evolving its security mechanisms while releasing new versions of Windows. These newly introduced security features harden the system by invalidating a bunch of exploit techniques, while bringing in new opportunities and stimulating new research into privilege bypass techniques. This presentation focuses on the basics and principles of Windows privilege separation, describes the internal structure of the token, how it supports DACL, privilege and mandatory level checks, and how sandbox mechanisms are built upon it.
The basics of protected processes will also be discussed, as well as some practical sandbox bypass techniques, especially the one related to junctions.
ESIL – universal IL (Intermediate Language) for Radare2
Speaker: Anton Kochkov
ESIL stands for 'Evaluable Strings Intermediate Language'. ESIL is used to describe the semantics of any instruction for any processor (from VLIW DSPs to the 4-bit Intel 4004). At the same time, ESIL may be interpreted using the Radare2 virtual machine. The author will provide a brief introduction to various ILs, mentioning their differences. He will also tell how the developers came to the idea of creating it.
The audience will be presented with practical cases of ESIL implementation, its conversion into other similar languages (OpenREIL) and possibilities for further development.
- What is IL?
  - Intermediate Language – introduction
  - MAIL, BitBlaze (VineIL/VEX)
  - RREIL and OpenREIL
- Differences between ESIL and other similar languages
  - Reverse Polish notation – speeds up machine analysis
  - String representation – simplifies comprehension and editing
  - Universality – designed with various architectures in mind
  - Extensibility – new operations and callbacks
- Supported architectures
- Practical usage (+ demo)
  - Emulation of code sections
  - Shared checkout (native + ESIL emulation)
  - Emulation of VMs used in malware
  - Automatic display of emulation results in the disassembler
  - Conversion into other languages – OpenREIL
- Radeco IL and the Radeco decompiler
  - ESIL as input data for Radeco
  - Why a decompiler has been developed
  - Description of the Radeco IL intermediate representation
- Directions of future development
  - More supported architectures
  - Visual debugging and tracing with ESIL
  - Integration with SMT solvers
  - Decompilation – Radeco
The Border Gateway Protocol is the thing that makes the world go round. It provides all the tools necessary to manage the connections between networks and to make those networks reachable and accessible from all over the world. Unfortunately, there are plenty of problems in the core architecture of BGP that affect everyone in the global network, from Internet service providers to end users.
During the talk, the most important anomalies at the BGP layer — prefix hijacking and route leaking — are covered, and the current alert level is discussed along with proposed countermeasures.
Speaker: Ivan Novikov
Lead information security expert at Wallarm, CEO. Engaged in web application security since 2004, author of multiple research works. Awarded several times for finding vulnerabilities in Google, Facebook, Twitter, Nokia, and Yandex. Spoke at international conferences such as Black Hat US, HITB AMS, ZeroNights and PHDays. Currently actively develops the web application attack detection algorithms used in the Wallarm WAF to protect complex high-load projects.
Speaker: Sergey Belov
SmartTVs, together with other IoT devices, are gradually becoming part of our daily life. Mistakes are inevitable when programmers make applications for them. In this talk, application vulnerabilities will be covered, some of which are specific to SmartTVs. We'll also have a look at different attack vectors against the TV via applications.
Speaker: Jeremy Brown
The web client is critical software to secure from any perspective. Whether you're an organization or a casual user, you're typically just as vulnerable as anyone else. OSes are often supplemented with hardening toolsets or built-in mitigations as an extra measure to avoid compromise, but as with all things, they aren't completely solid either. Hence the need for systems that break systems, some of which deploy fuzzing, and almost all of which work to find implementation bugs. Browser fuzzing has been explored and improved in many different ways over the past several years. In this presentation, we'll primarily be talking about a mutation engine that provides a somewhat novel technique for finding bugs in a still-ripe attack surface: the browser's rendering engine. This technique has the flexibility to be applied even more broadly than browsers; for example, there's initial support for fuzzing PDF readers. We'll also be discussing the tooling and infrastructure areas of the process, detailing what's needed to build a system that will scale and enable your fuzzing strategies to be successful. Finally, we'll conclude the talk with some incubation results and how you can start making use of these fuzzing techniques today to find the bugs you need to exploit browsers, or to identify and fix the code responsible for each vulnerability.
Speaker: Timur Yunusov
Vulnerabilities in 3G modems and routers are not a new issue. In this talk, all the attack vectors will be brought together: how to penetrate a local or remote modem and turn it into a surveillance device, using which one could intercept information about the victim's whereabouts, read and write SMS messages, infect other computers and modems, and even intercept voice traffic. More than 10 modems and routers were analyzed in the research.
Speaker: Yegor Litvinov
Modern shopping malls and business centers use different automation systems. All of them can be divided into 'magistral' ones, such as BACnet, and 'terminal' ones, to which KNX belongs. In the talk we'll consider a situation where, after checking into a hotel room and establishing a connection with a 'smart' button linked to the KNX bus, we are able to access other KNX bus segments and attack the facility's other automation systems.
Speaker: Andrey Plastunov
More and more developers are turning their attention to the tools that enable continuous integration, implementing them almost completely throughout their infrastructure. But do they really know what obstacles they'll face on their way to the radiant SCRUM future? We'll try to answer this question in our talk. We'll discuss the typical attacks on developers' infrastructure via continuous integration tools, and show some of the bugs revealed in various open source (and not exactly) solutions.
Stay tuned for updates!