«Vulnerabilities in the software of Yota telecommunication equipment»
Speaker: Michael Firstov
Mobile routers are easy to access these days. Rapidly evolving 4G networks together with unlimited tariffs enable true mobility and let us always stay connected. But is it really safe?
There have been numerous talks about 3G router and telecommunication equipment security. This time we'll analyze in detail the software of the YOTA Many 4G router. Besides the already revealed XSS and CSRF vulnerabilities, which are common in web infrastructures and services, an RCE bug was found, which raises a new issue – the anonymity and security of the user.
«Distributing the reconstruction of high-level intermediate representation for large scale malware analysis»
Speakers: Alexander Matrosov, Eugene Rodionov
Malware is acknowledged as an important threat and the number of new samples grows at an absurd pace. Additionally, targeted and so called advanced malware became the rule, not the exception. Analysts and companies use different degrees of automation to be able to handle the challenge, but there is always a gap. Reverse engineering is an even harder task due to the increased amount of work and the stricter time-frame to accomplish it. This has a direct impact on the investigative process and thus makes prevention of future threats more challenging.
In this work, the authors discuss distributed reverse engineering techniques using an intermediate representation (thanks to the Hex-Rays team for supporting us in this research) in a clustered environment. The results presented demonstrate different uses for this kind of approach, for example finding algorithmic commonalities between malware families.
A higher level abstraction of the malware code is constructed from the abstract syntax tree (ctree) provided by Hex-Rays Decompiler. That abstraction facilitates the extraction of characteristics such as domain generation algorithms (DGA), custom encryption and specific parsers for configuration data. In order to reduce the number of false positives in some C++ metadata identification, such as virtual function tables and RTTI, the authors created the object-oriented artifacts directly from the analyzed malware.
The extracted characteristics of 2 million malware samples are analyzed, and the presented results provide a rich dataset to improve malware analysis efforts and threat intelligence initiatives. With that dataset, other researchers will be able to extract a ctree from new samples and compare it against the millions we have processed.
As an additional contribution, the gathered representation, together with all the raw information from the samples, will be made available to other researchers after the presentation, along with additional ideas for future development. The developed Hex-Rays Decompiler plugin and the analysis/automation tools used to extract the characteristics will also be made available to the audience on GitHub.
«Hooked browser network based on BeEF and Google Drive»
Speakers: Denis Kolegov, Oleg Broslavsky, Nikita Oleksov
The talk is devoted to the possibility of enabling a hooked-browser interaction mechanism within BeEF via Google Drive. The standard BeEF deployment assumes direct interaction between a hooked browser and the BeEF server. As a consequence, it is impossible to maintain a high level of anonymity and non-detectability. We'll have a look at one way of solving this task by building a Google Drive based network.
«Knowledge based approach for fast Internet resource discovery or Data Mining in the service of nmap.»
Speakers: Sergey Ignatov, Omar Ganiev
Nowadays, more and more organizations are beginning to use IDS/IPS and SIEM solutions to identify and respond to attacks. While a scan of multiple ports from outside the network may not trigger an alert, the same scan from inside the network indicates that you have already been compromised and that urgent measures are required. Therefore, during an internal network pentest, the problem arises of quickly and heuristically identifying open ports without being blocked. The same approach is also useful when scanning large external address ranges.
«ORM2Pwn: exploiting injections in Hibernate»
Speakers: Mikhail Egorov, Sergey Soldatov
Modern Java applications do not work with the DBMS directly; instead they use an intermediate layer in the form of an object-relational mapping (ORM) mechanism. One of the popular ORM solutions is Hibernate ORM. Hibernate uses its own HQL query language to query the entities stored in the DBMS. Applications that use ORM are liable to HQL injection. In the talk, a new method of exploiting HQL injection in Java applications that use Hibernate ORM will be presented. The authors will show an extension for the popular utility Burp Suite, intended for exploiting HQL injections.
«What should a hacker know about WebDav? Vulnerability review in WebDav implementations.»
Speakers: Andrei Efimjuk, Mihail Egorov
Today WebDav is used to access online file storage services such as Yandex Disk, box.com, 4shared.com, DriveHQ, CloudMe and others. Popular CMS systems can also expose their content repositories over the WebDav protocol. The authors tested the robustness of WebDav implementations in various popular applications and services. The talk is devoted to the vulnerabilities discovered in these WebDav implementations.
Stay tuned for updates!