Cognitive and Scientific Brainology
Security - consulting,assessment,research,solutions,penetration tests.
Face - detect,track,recognize,extract features,learn emotions,character animation.
Face - detect,track,recognize,extract features,learn emotions,character animation.
Archives for: 2012
ADS-B research was worth it - ICAO to create Cyber Security Task Force (CSTF)!
ADS-B research was worth it!
ICAO to create Cyber Security Task Force (CSTF) - Our research is mentioned as key points!
Thanks to Aimee Turner for notifying us.
Errata: In the above PDF, it is wrongly mentioned “Dr. Andrei Costin” - wish I 
. It’s still a long way, until than it should read “PhD candidate”
AthCon3 2012 Day2, Track1, 18:00-18:50 "Advances in BeEF: RESTful API, WebSockets, XssRays enhancements"
Code:
athcon.org | |
Athens, 3-4 May, 2012 | |
Day2, Track1, 18:00-18:50 | |
"Advances in BeEF: RESTful API, WebSockets, XssRays enhancements", | |
Michele Orru | |
| |
"Advances in BeEF: RESTful API, WebSockets, XssRays enhancements" | |
| |
BeEF | |
| |
Demo Using the BeEF restuful api | |
1. beef programatically accessing metasploit | |
2. injects beef into some victim browser | |
3. inject an applet, then use the javascript to java communication to ge tthe hava version based on the hdk | |
4. then in meterpreter sysinfo to get the system info | |
5. then inject the "execute calc.exe" in the victim's machien thru the injjected java applet | |
| |
New additions | |
ajax calls posioning (xml request object is overriding) | |
the module can have the target+_blank not to lose the victim | |
getting the Persistence (history) from the civtim vrowsaer | |
| |
New feature (in a testing branch - to be added soon) | |
websocket support | |
currently beef uses XHR, but for speed needs websocket | |
| |
XHR in beef | |
pro - works everywhere (ie, chrome) | |
cons - (TODO) | |
| |
if beef.browser.hasWebSocket(), don't use XHR pollin, open a websocket channel | |
support: firefox, chrome, safari, also mozwebsocket | |
https://github.com/radoen/beef-radoen - the experimental phase | |
| |
Possibilities with WS | |
real time VNC like hooked browser control | |
faster tunneling proxy (fuzzin thru the hooked browser 4-5 times faster) | |
general faster communication | |
| |
| |
Demo - BeEF with WS | |
launch 1000 XHR-polling vs WS-based request | |
| |
XssRays | |
originally as pure JS-based XSS scanner, then integarted in beef | |
| |
xssrays operation | |
a page with links/forms which do get/post request intra or cross domain | |
it adds the hidden iframe for each of the requests | |
if the iframe is loading, then the resource was XSS-vulnerable | |
it also works CROSS-DOMAINS (respecting the SOP!) |
Ghost is in the Air(Traffic) - BlackHat 2012 - ADS-B ATC hacking - real airplane replay, fake airplane spoofing/impersonation
09/05/12 | by zveriu | Categories: Conference
Ghost is in the Air(Traffic) - BlackHat 2012 - ADS-B ATC hacking - real airplane replay, fake airplane spoofing/impersonation
Downloads
- “Ghost is in the Air(Traffic)” BlackHat 2012 Slides
- “Ghost is in the Air(Traffic)” BlackHat 2012 Whitepaper
Timelines
- Jun-2011 - Jul-2011 - Initial interest and research started
- Jul-2011 - Feb-2012 - Some low-pace experiments, study of specifications, experiments, additional hardware acquisition
- Feb-2012 - Mar-2012 - Revived interest
- Mar-2012 - May-2012 - Development and preparation for BlackHat 2012 application
- May-2012 - Application for BlackHat 2012 application
- 07-Jul-2012 - Whitepaper and slides limited access available to BlackHat 2012 organizers only
- 23-Jul-2012 - Whitepaper and slides public access available to all
Demo Ghost is in the Air(Traffic) - BlackHat 2012 - Airplane replay, fake airplane spoofing/impersonation
[ACSA-2012-16] - Microsoft Office CGM Images Memory Corruption CVE-2012-2524 Remote Code Execution Vulnerability
08/15/12 | by zveriu | Categories: ACSA
[ACSA-2012-16] - Microsoft Office CGM Images Memory Corruption CVE-2012-2524 Remote Code Execution Vulnerability
More on Microsoft security front.
As you might know, MS12-AUG is out on 14 Aug 2012.
Among the patches, there is one which addresses a vulnerability on CGM images corruption that I have reported to MS.
Details follow:
- ACSA-2012-16 - MSOffice CGM buffer overflow crashes
- MS12-057 Vulnerability in Microsoft Office Could Allow Remote Code Execution (2731879)
- CVE-2012-2524 Microsoft Office Memory Corruption Remote Code Execution Vulnerability
Related (older) reports, CVEs, patches:
- MS10-105 - Vulnerabilities in Microsoft Office Graphics Filters Could Allow for Remote Code Execution
- Microsoft Office CGM Image Converter (CVE-2010-3945) Buffer Overflow Vulnerability
- ACSA-2012-05 - MSOffice EPS Stack based overflow crash
Stay secure!
Securely yours,
Andrei
HIP2012 - Overview
Hack in Paris 2012 and Nuid du Hack 2012 are over - these were quite some nice days !
I would like to first thank the organizers, Sysdream and all the crews, for these two great events.
Hack In Paris is a all-in-all fun event, with great audience and smooth organization!
Nuid de Hack, on the over hand is a crazy gathering of enormous number of people under one roof (literally) and where you have the opportunity to meet from fiercful hard core hackers to pretty creative and constructive robot/cnc-mill makers who will share their great ideas and experience as part of the multitude of workshops taking place during the entire night!
AthCon3 2012 - Overview
AthCon3 (2012) was a pleasant surprise - Kris and Kyp and their crew did a great job putting it all together so nicely!
It was a very technical, 1-track 2-day conference in Athens, or better said in a very nice green&quiet country club right outside of Athens.
I have been surprised also by the following facts:
- the audience was mostly young professionals
- the number of attendees was pretty impressive for a hacker/security scene which is not much advertising itself
- the audience definitely featured a pool of both raw and polished talent which could be a gold mine for headhunters
#hitb2012ams - Overview
What can be more fun and crazier than Amsterdam? That’s right - HTIB2012 in Amsterdam !
It is over now and I would like to take this opportunity to thank the reviewers and the organizers for providing the chance to meet them and meet other cool presenters and the extraordinary audience!
Special thanks to Dhillon, @fish_, Yuri, Amy - you guys&gals rock!
Harvesting and Collecting Voice Conference Bridges, Passwords, Pins, Access, Codes
Harvesting and Collecting Voice Conference Bridges, Passwords, Pins, Access, Codes
Sadly, BlackHat 2012 US and DefCon20 refused this short/fast/lightning talk.
Here are the slides for “Harvesting and Collecting Voice Conference Bridges, Passwords, Pins, Access, Codes”.
Here is the CFP submission:
Code:
---------------------------------- | |
Detailed Outline | |
---------------------------------- | |
| |
In this talk, I will try to present: | |
- what are voice bridges (though, I bet everyone used voice conferencing at least once in their lifetime) | |
- various pieces and techniques of the voice bridges harvesting and processing puzzle | |
- what are the possible tools and how to make use of various tools at hand | |
- various ideas on how to (partially) automate all of this for a fast, semi-automated and distributed intelligence gathering | |
| |
I will try to summarize with a few hints which can perhaps make life more secure | |
| |
---------------------------------- | |
Abstract | |
---------------------------------- | |
| |
Voice conferencing is a core platform making enterprises more efficient and driving them forward. | |
Voice conferencing is usually outsource to 3rd party providers and can be implemented/managed in-house. | |
| |
No matter how it's being implemented, the security of the data exchanged over the conference lines represents a concern for the enterprises. This is why security PINs are being used. | |
| |
However, the importance of these security details (like conference ID and conference PIN) is not very well understood and this is one can find these kind of details floating around - on the web, in details of shared/open calendars of Exchange/AD, etc. |
Enjoy!
Securely yours,
Andrei
[XRX12-005] ... and how it relates to ACSA-2011-03, ACSA-2012-01, ACSA-2012-13
06/15/12 | by zveriu | Categories: ACSA
UPDATE: You can subscribe to postscript-sec@andreicostin.com for notifications and tools & PoC releases.
Small updates on the Xerox security front.
Few days back Xerox issued its Security Bulletin XRX12-005 and the P49 security patch.
[ACSA-2012-03] - Java Print Spooling Data Leak
06/15/12 | by zveriu | Categories: ACSA
Updates on the Oracle Java security front.
Few days back Oracle issued it’s June patch/CPU for Java marked as highly critical and containing a vulnerability (CVSS 2.1) numbered:
- ACSA-2012-03 - Java Print Spooling Data Leak
- Oracle S0154919 “DATA LEAK IN UNIXPRINTJOB AND PSPRINTERJOB”
- Secunia SA49472
- CVE-2012-1717
AthCon3 2012 Day1, Track1, 14:00-14:50 "PostScript: Danger Ahead"
UPDATE: subscribe to postscript-sec@andreicostin.com mailing list for notifications and planned tools & PoC releases.
You can download the presentation here.
Securely yours,
Andrei
Upcoming talks - BlackHat USA, Las Vegas, 25-26 July 2012
06/15/12 | by zveriu | Categories: Conference
Upcoming talks - BlackHat USA, Las Vegas, 25-26 July 2012
It is very good news - my talk “Ghost is in the Air(Traffic)” has been accepted for the BlackHat US 2012.
Looking forward to see old friends and meet new IT-SEC people in Vegas.
UPDATE: Some links in the news
Stay tuned.
Securely yours,
Andrei
AthCon3 2012 Day2, Track1, 14:00-14:50 "Why rootkits suck"
Code:
athcon.org | |
Athens, 3-4 May, 2012 | |
Day2, Track1, 14:00-14:50 | |
"Why rootkits suck", | |
twogunz | |
| |
"Why rootkits suck" | |
| |
Rootkit malfunctions usually reveal that the rootkit is present on the system | |
| |
Rootkit overview | |
remote access | |
intercept data | |
etc | |
transforms the computer in a zombie | |
| |
Rootkits vs Botnets | |
share some common characteristics | |
but are not the same | |
| |
userland vs kernel-land rootkits | |
userland | |
binary replacing | |
binary injecting (detectable by tripwire) | |
process injecting | |
poor means to disguise the presence of the attacker | |
poor means to survive reboot | |
poor means to hide remote connections | |
kernel-land | |
need to interfere with binaries only during the booting phase | |
can provide extensive means for hiding and remote access | |
hard to detect | |
comple (compile? complete?) | |
| |
How do rootkits work | |
replace files on the system with backdoored versions | |
ring zero rootkits hijack function handler pointer in mem to alter normal behaviour | |
| |
Anti rootkits | |
rootkits make visible changes to the system | |
userland rootkits will alter timestamps, dir struct file size | |
kernel land rootkits alter system functions | |
most kernel rootkits focus on the syscall table | |
rootkits need to add files to the filessystem, need to add processes, open ports, etc. | |
anti rootkit tools, rkhunter, chkrootkit, etc. | |
signature scanning does not detect newer versions of rootkits unless they are updated | |
heuristics (didn't get the presenter point) | |
| |
Traditional rootkit detection | |
signature scanning vs integrity checks | |
signature scanning fails for the slightest change in the file structure of the rootkit | |
major fallback of integrity check anti-rootkits is that is relies on know to be sane system state - which makes sense | |
| |
Examples - traditional rootkit detection | |
Shown example: rkhunter - Adore rootkit | |
Shown example: rkhunter - suckit rootkit | |
Shown: Phalanax | |
It is clearly seen that it is easy to go undetected if a filename or directory structure changes | |
| |
chkrootkit uses grep-approach | |
| |
Traditional vs Heuristic Detection | |
Heuristic | |
detects signs of rootkit activity, not the rootkit files themselves | |
Soon available as online service | |
| |
So how are rootkits found | |
They hijack the predictable places | |
| |
Remote access | |
Suspicious signs of crypto inside the network (if there is encrypted traffic over a plain-text protocol) | |
| |
Surviving the reboot | |
need to insert persistent triggers in system files | |
the triggers can be found by analyzing these files (eg.: /etc/rc/init.d) | |
| |
The problem of complex code in Linux Kernel | |
Many changes in 2.6 branch | |
| |
Code quality in rootkit | |
same code does not work on different kernel subversions | |
insufficient testing of code | |
coded in a hurry | |
throwing together many functionalities without a plan | |
portable code vs stable code, but portable code is not necessary stable | |
| |
Rootkit exploits | |
They come with vulnerable code because of hurry development, insufficient testing | |
from buffer overflows to pure logic flaws | |
taking over rootkits in memory using exploits in rootkit itself (phalanx case) | |
magic user ID approach | |
rootkit writers consider that only remote access to shell of rootkit requires authentication, thus local connect to backdoor authentication is either poorly implemented or inexistent | |
a good method is to start PID_MAX - PID_PROCESS_NUMVER and if something fails, something is suspicious there | |
| |
Phalanx exploit - MAGIC_UID flaw | |
haxorgid variable of type gid_t | |
limits GID space 64k | |
bruteforce of GID is easy and see which one drops us to hacker shell | |
after a few little hacks we are in | |
example Phal-hack | |
| |
Compromising the rootkit | |
Full access to rootkit files | |
Recovering hackers password | |
Learn what hackers know about you | |
Learn hacking techniques | |
Important: possibly get a brand new 0day unknown to public | |
| |
Model of a winning rootkit | |
Describes how a perfect rootkit would look like | |
Kernel code is used as a framework to launch and manage userland code | |
good code testing | |
several different hooking techniques to make sure there is always a fallback scenario | |
Ideally, subliminal channel tcp/ip backdoor | |
Timed backdoor programmed to start at certain hours | |
Have several "survive the reboot" techniques | |
Nothing really has to be written to the disk |
AthCon3 2012 Day2, Track1, 11:00-11:50 "Smart Meter PLC - Communication Security worth 0.37 EUR"
Code:
athcon.org | |
Athens, 3-4 May, 2012 | |
Day2, Track1, 11:00-11:50 | |
"Smart Meter PLC - Communication Security worth 0.37 EUR", | |
Stefan Riegler & Johannes Greil | |
| |
"Smart Meter PLC - Communication Security worth 0.37 EUR", | |
| |
EEPROM Contents | |
48bit unique neuron id | |
Spoofing chip id | |
Use EEPROM_LOCK? | |
chip id is at address F000 | |
| |
PL3150 | |
PL 3120 and PL 3150 Power Line Smart Transceivers | |
Memory map - external boot ROM | |
write own neuron boot ROM | |
ignores read/write protects | |
| |
USB PLC Network Interface (U20) (PL20) | |
http://store.echelon.com/item.asp?PID=48 | |
A-band | |
C-band (consumer) | |
| |
Bands | |
CENELEC EN50065-1 | |
C-band consumer | |
HVAC | |
Automation | |
home network | |
| |
A-band utilities | |
reserved for power utilities | |
| |
PL20U (C-Band) vs PL20A (A-Band) | |
The crystal/oscillator | |
A-Band - 10 packets/sec, clock ~ 6Mhz | |
C-Band - 15 packets/sec, clock 10 Mhz | |
| |
U20 USB adapter | |
UID = 0x0920 | |
PID = 0x7500 | |
| |
Toolkit | |
perl p20-usb lonworks sniffer | |
plugin to the wireshark | |
| |
Oscillator soldering + perl kit = gets you transceiver for the A-Band | |
| |
Demo kit | |
Hardware | |
1 sniffer device | |
2 development kit, also support the chip | |
1 of the dev boards is a 3150 with the external boot-rom connected | |
The boards have custom devices with exchange some packets when pressed the power button | |
| |
Software | |
Echelon LonScanner FX Protocol Analyzer | |
| |
The demo | |
Demonstrated the use of the Echelon LonScanner proprietary software | |
Then it demonstrated the packets in the wireshark (saw just the serial unique id broadcast by the device) | |
Then started the perl p20 software in tandem with the wireshark showing packets flowing between the devices | |
| |
Other findings | |
communication channels besides PLC (GPRS, WiFi) | |
etc | |
| |
Further Attacks | |
Currently just the sniffer is implemented | |
Currently No crypto, or authentication attack implemented | |
| |
TODOs | |
cryptanalysis of used encryption | |
sniff/jam communication | |
dumping the firmware memory of dc/meter (external boot ROM) | |
spoofing of the chip id | |
rewrite chip ip through external boot ROM | |
attack the p2p network protocol/design | |
| |
Security implications | |
Disconnect homes (breaker unit) | |
Manipulation | |
Fraud (most likely from my point of view) | |
Privacy implications | |
| |
Conclusions | |
Still a lot of work to be done, it's just scratching the surface | |
Seems like a prospective avenue (especially in the fraud direction) | |
Security through obscurity does not work |
AthCon3 2012 Day1, Track1, 18:00-18:50 "0-Day - Comodo did it again"
Code:
athcon.org | |
Athens, 3-4 May, 2012 | |
Day1, Track1, 18:00-18:50 | |
"0-Day - Comodo did it again" | |
Glafkos Chralambous & George Nicolaou | |
| |
0-Day - Comodo did it again | |
| |
Comodo Internet Security Home Intrusion Prevention System | |
| |
Disclosure timeline | |
bottom line, they hung up the phone while waiting for their director | |
| |
Comodo techniques | |
hook Nt* and Zw* functions for | |
file access | |
memory access | |
network access | |
registry access | |
placed the hooks on the "wrong" side (what does this exactly mean?) | |
| |
How? | |
inject a pyaload to install hooks in critical user mode functions in ntdll.dll | |
load a library guard.dll which installs the hooks | |
in win 7 64bit: replaces the first instr of the program's EP with a JMP <payload> | |
in other OS: replaces ZwTestAlert first instruction with JMP <payload> | |
| |
0day | |
There is TLS (Thread Local Storage) | |
We can use the TLS to uninstall JMP <payload> when the main thread is created | |
see _IMAGE_TLS_DIRECTORY32 structure | |
AddressOfIndex | |
AddressOfCallBacks; // PIMAGE_TLS_CALLBACK * - this is an interesting array | |
| |
Process of exploitation | |
Create a malicious executable | |
find somewhere to insert IMAGE_TLS_DIRECTORY and code to uninstall the JMP <payload> instruction (and insert it) | |
Point a TLS callback function to the code | |
| |
That’s not all | |
The <payload> address is constant address throughout all installations of the COMODO HIPS in ALL Windows OS | |
Add resource 71B00000 | |
And it contains executable code | |
Game over ASLR - can be used for ROP techniques from any other vulnerable application on the victim machine |
AthCon3 2012 Day1, Track1, 17:30-17:50 "Exploitation Toolkit Codename: Icarus" First Part
Code:
athcon.org | |
Athens, 3-4 May, 2012 | |
Day1, Track1, 17:30-17:50 | |
"Exploitation Toolkit Codename: Icarus" First Part, | |
Glafkos Chralambous & George Nicolaou | |
| |
"Exploitation Toolkit Codename: Icarus" First Part, | |
| |
Finding vulnerability | |
| |
Protocol analyzer (fuzzing or reverse engineering) | |
SPIEE | |
peach | |
General Purpose Fuzzer GPF | |
Sulley | |
Fuzzing is more effective when used in combination with binary analysis | |
| |
Binary analysis | |
Inspector (HB Gary) | |
SecurityReview (Veracode) | |
BugScan (IDA Plugin by Halvar Flake) | |
| |
Vulnerability testing | |
RATS | |
CodSecure | |
?? | |
| |
Reports | |
Crash reports | |
| |
| |
Exploit development | |
Vulnerability classification | |
Exploitability analysis | |
Design exploit skeleton | |
calculate the location in buffer | |
calculate where to close or open injection parameters | |
| |
Skeleton Implementation ANALYSIS | |
Constraints and barriers imposed on the exploit payload | |
Examples: | |
ASLR | |
Space limitations | |
Restricted characters | |
Character escape functions | |
| |
Exploit Generation | |
Generate the initial trigger payload | |
Building ROP technique | |
Encode the web-payload to bypass web-filter | |
Calculate offsets (for ASLR for example) | |
| |
Payload Generation | |
Payload generation | |
Bind shell | |
command execution | |
signed shellcode | |
eggshell | |
Payload "ninjification" | |
To evade the protection technique | |
Signature-based | |
Anomaly-based | |
Integrity checks | |
Code obfuscation | |
Code metamorphism | |
Optional technique | |
Tools: BH2009 ABCodeMutate | |
Payload normalizations | |
Ninjification can alter the code that it requires "normalization" | |
| |
Metasploit | |
Covers only a part of the proposed methodology of ICARUS | |
| |
ICARUS | |
Cover all the steps ("check all boxes") in the methodology | |
Targets multi-platforms (Intel IA32, Intel 64, ARM) | |
Windows/Linux/Other_OS Libraries | |
Input language interfaces: python, C#, etc. | |
Reporting and generating outputs in various formats | |
Reasons not to develop over metsploit the missing parts: | |
metasploit is more a database of exploits | |
icarus wants to be more than this, and not a database of exploits | |
metasploit is slow, runs as ruby/plugin | |
| |
| |
Have classes/interfaces: | |
encoders, elf parser, gen hex pattern, parsers, instruction, instr finder, instr obfuscator, windows aslr, windows dep, | |
| |
Code is about 5-6 k lines of code as of now |
AthCon3 2012 Day1, Track1, 15:00-15:50 "Venue into my work uncovering and exploiting zero days vulnerabilities and advanced fuzzing techniques"
UPDATE: His slides are announced here.
Code:
athcon.org | |
Athens, 3-4 May, 2012 | |
Day1, Track1, 15:00-15:50 | |
"Venue into my work uncovering and exploiting zero days vulnerabilities and advanced fuzzing techniques", | |
Nikolaos Rangos (Kingcope) | |
| |
"Venue into my work uncovering and exploiting zero days vulnerabilities and advanced fuzzing techniques", | |
| |
Very pragmatic and german-style rigorous lecture | |
| |
A very packed presentation of the current state of the art, tools and techniques for vulnerability finding/testing and exploit generation/testing | |
| |
Contained lots of illustrated and commented of examples from real-world 0days (mostly Linux and ProFTP) | |
| |
Need to get the recording and slides/whitepaper since it was a very packed presentation |
AthCon3 2012 Day1, Track1, 12:00-12:50 "Packing Heat!"
Code:
athcon.org | |
Athens, 3-4 May, 2012 | |
Day1, Track1, 12:00-12:50 | |
"Packing Heat!", | |
Dimitris Glynos | |
| |
METASM | |
Very interesting framework | |
in Ruby | |
| |
(lost the rest of the review) |
phdays 2012 Day2, Track1, 12:00, PostScript Danger Ahead
UPDATE: subscribe to postscript-sec@andreicostin.com mailing list for notifications and planned tools & PoC releases.
Securely yours,
Andrei
#hitb2012ams Day2, Track1, 10:30, PostScript Danger Ahead
UPDATE: subscribe to postscript-sec@andreicostin.com mailing list for notifications and planned tools & PoC releases.
You can download my HITB2012AMS presentation here.
Also, thanks to authors of the below overview posts on my presentation:
- HITB2012AMS Day 2 – PostScript – Danger Ahead – Corelan Team
- HitB2012Ams : PostScript – Danger Ahead – Hacking MFPs, PCs and Beyond – Cup Fighter
- HITB Amsterdam Wrap-Up Day #2 - Rootshell.be
You can also check the HITB2012AMS materials.
Securely yours,
Andrei
PHDays 2012 - Overview
Motto: “Во первых, огромное спасибо за замечательную организацю конференции - очень очень приятно учавствовать в PHDays с безупречной организацией!”
PHDays.ru is over and it’s kind of sad - I am already looking forward for the PHDays 2013 and already started to draft thoughts for my next presentation for this very cool conference.
The organization of the conference was fantastic, brilliant, very professional and flawless.
Positive Technologies, the main organizer of this security forum, have taken care of all the smallest details: flights, hotels, airport transfer (which in Moscow is a real hassle if you ever had the experience).
Just a few facts that I am sure say it all:
- the event was free to attend and around 1500-1800 participants have shown up
- it featured 2 days of multi-tracks - there was a minimum 3 tracks and up to 6 tracks in a given hour slot
- I haven’t seen significant delays in this massively packed track list, which is very very impressive - kudos to organizers!
- there was an entire real mini-TV crew, running live editing, transmission and recording in a very professional manner (this was a bit unusual, since speakers could not connect their laptops to video output, but it was an interesting experience after all)
- the organizers thrown a very nice live rock concert as a closing event (PS: I have insanely enjoyed “Дорогая я купил тебе ХУРМУ” cover)
- it was entirely awesome to meet the PTSecurity organizer crew as well as all the other distinguished speakers!
It is needless to say that the unlimited rivers of various alcoholic drinks (and NOT just vodka!) along with very fine russian delis were there during the entire conference.
Sadly, I have missed most of the CTF action going on there, but the fun part is that CTF had a ‘dumpster-diving’ exercise - the idea is brilliant ! Perhaps the next time the organizers could throw an ‘un-shred challenge’ twist to the ‘dumpster diving’ part 
You can also check some of the talks wrap-ups I wrote:
- phdays 2012 Day2, Track4, 10:00, Breaking havoc using a Human Interface Device
- phdays 2012 Day2, Track3, 16:00, Light and dark side of code instrumentation
- phdays 2012 Day2, Track2, 13:00, To Recover Plaintext Passwords of Windows Users
- phdays 2012 Day1, Track2, 11:00, Smartcard vulnerabilities in modern banking malware
- phdays 2012 Day2, Track1, 17:00, How to hack a telecom and stay alive 2. Owning a billing
- phdays 2012 Day2, Track1, 15:00, Life cycle and detection of bot infections through network traffic analysis
- phdays 2012 Day2, Track1, 09:00, Abusing Calypso phones
- phdays 2012 Day1, Track1, 17:00, Demo section Seeing once is better…
- phdays 2012 Day2, Track1, 12:00, PostScript Danger Ahead
There is also a main posting on HABR
Again, thanks to whole PHDays2012 crew, to the speakers and to the attendees! Hope to see you all there next year as well.
Securely yours,
Andrei
#hitb2012ams Day1, Track1, 10:30, Turning Android Inside Out
Code:
http://conference.hitb.org/hitbsecconf2012ams/ | |
Amsterdam, 2012 | |
Day1, Track1, 10:30 | |
Ivo Pooters | |
Turning Android Inside Out | |
| |
Presented a forensic scenario where | |
A guy was found dead and had an android phone | |
This device was cloned with dd | |
A guy from SwiftLogic was arrested for suspicion on leaking private and sensitive information/schematics | |
This device was cloned with nandump | |
| |
MTD block device | |
dd -> bad it has no out of band (OOB) bytes | |
nandump -> wise choice | |
| |
Cellbrite ufed | |
android emulator | |
doesn’t like foreign images | |
load dyaffs2 support into linux kernel | |
| |
when using nansim | |
need correct parameters to load the right size of the image loaded | |
need to write the OOB bytes in the OOB-based image, so that the yaffs2 filesystem is correctly loaded | |
| |
50.56.29.109/ss | |
contains PDFs from the SwiftLogic | |
basic user: norby | |
basic pass: aaassspp | |
| |
Dead guy phone evidence | |
Looked up on twitter 'yob taog', the SwiftLogic guy | |
| |
Found com.andrIOd.mm | |
not in android market at all | |
looks like very custom, non-public application | |
looks like was installed on SwiftLogic guy by the selling shop/accomplice just hours before SwiftLogic guy picked up the phone in the shop | |
interesting fact – SwiftLogic guy put a status on Facebook/Twitter that is going to pick up his new shiny phone very soon and is excited about that | |
| |
Found com.vzw.smsProvider | |
| |
Live analysis | |
android emulator + adb | |
wireshark | |
adb, dalvik debug monitor logcat | |
| |
Static analysis (relid more on this) | |
see Fortinet talk for better tool list | |
apk-tool | |
jd-gui | |
etc | |
| |
com.andriod.mm | |
triggers on SD card mount | |
zips all the filed on the SDcard | |
uploads to the IP mentioned above | |
sends SMS to the dead guy | |
| |
http://www.dfrws.org/2011/challenge/results.shtml | |
http://www.dfrws.org/2011/challenge/index.shtml | |
| |
Rooting a phone can tamper evidence | |
So, developed in-memory temporary rooting techniques | |
in .NL, rooting is not a problem | |
in .US, it is kind of a problem |
#hitb2012ams Day1, Track1, 09:00, KEYNOTE 1 Getting Ahead of the Security Poverty Line
Code:
http://conference.hitb.org/hitbsecconf2012ams/ | |
Amsterdam, 2012 | |
Day1, Track1, 09:00 | |
Andy Ellis | |
KEYNOTE 1 Getting Ahead of the Security Poverty Line | |
| |
Tools mentioned | |
Low orbit ion canon | |
High orbit ion canon | |
Havy - "democratization of SQL injection" | |
Idea is that it brought to the commodity level the exploitation tools and techniques | |
| |
If you take away the risk, people will try to absorb more risk (i.e. the safer the technology in the car, the higher the speed they tend to driver => less victims because of the technology, but more accidents) | |
| |
FluffyBunny | |
check the story | |
| |
bitly.com/AkaVscar | |
bitly.com/AkaVscan |
#hitb2012ams Day1, Track1, 11:30, One Flew Over The Cuckoos Nest: Automated Malware Analysis
Code:
http://conference.hitb.org/hitbsecconf2012ams/ | |
Amsterdam, 2012 | |
Day1, Track1, 11:30 | |
Claudio Guarnieri | |
One Flew Over The Cuckoos Nest: Automated Malware Analysis | |
| |
Pros | |
presented a reasonable list of items which should be anyway common-sense pros items | |
| |
Cons | |
commercial solution are very expensive | |
environment could be detected | |
difficult to successfully automate | |
without proper consumption of the results, they are useless | |
| |
Preparation | |
define requirements and expectations | |
design analysis environment | |
integrate into a larger threat analysis result framework | |
| |
Questions to be answered | |
Why? | |
What? | |
What? | |
Who? | |
How? | |
| |
Decide the category of the exploits | |
cuckoobox.org | |
PDF | |
Office | |
PHP, perl scripts | |
browser exploits | |
| |
CUCKOO framework | |
malwr.com | |
multiple Google SoC grants | |
| |
Integration | |
what are the other threat frameworks does it integrate with | |
| |
Links | |
cuckoosandbox.org | |
blog.cuckoosandbox.org | |
malwr.com | |
honeynet.org | |
| |
Threat analysis frameworks | |
wiki pages generator | |
CIF | |
mostly in-house developments | |
mostly custom systems | |
cannot name an public or FOSS one |
phdays 2012 Day2, Track4, 10:00, Breaking havoc using a Human Interface Device
Code:
phdays.com, phdays.ru | |
Moscow, 2012 | |
Day2, Track4, 10:00 | |
Nikhil Mittal, | |
Breaking havoc using a Human Interface Device | |
| |
Nikhil Mittal | |
Abusing HID devices | |
| |
Pen-testing overview | |
enum+intel -> vuln scan -> exploit -> post-exploitation -> report | |
| |
Best case scenario exploitation | |
memory corruption bugs | |
server side | |
client side | |
mis-configs | |
open file shares | |
sticky slip passwords | |
man in the middle | |
unsecured dumpsters | |
human | |
| |
Worst case scenario | |
no public exploits available | |
not allowed on the system | |
countermeasure blocking | |
exploit completed but no session was generated | |
hardened systems | |
patches in place | |
countermeasures blocking scans and exploits | |
security incident monitoring and blocking | |
no network access | |
need alternatives | |
| |
Need new methos to break into systems | |
bad guys get smarter | |
not as easy is it used to be | |
| |
HID anyone? | |
what could go wrong? | |
HID are considered dumb devices | |
but seems we can give it brains | |
meet teensy | |
| |
Teensy | |
usb microcontroller | |
storage ~ 130 kb | |
there is also teensy++ | |
pjrc.com | |
pjrc.com/teensy/projects.html | |
similar to Arduino dev board | |
programmed using Arduino dev env (ADE) | |
need just a simple plugin for Arduino (teensyduino) | |
| |
Installation | |
Windows | |
install serial.exe (virtual serial driver) | |
install teensyduino | |
For Linux | |
avr and avr-gcc packages required | |
| |
Usage (Arduino + Teensyduino) | |
Select "USB Type" -> Keyboard+Mouse+Joystick | |
C++ like syntax | |
two functions required (setup() and loop() ) | |
setup() first time you connect you connect a device | |
loop() keeps running after setup() | |
| |
====================== | |
| |
void setup() | |
{ | |
Keyboard.print("Hello World") | |
} | |
| |
void loop() | |
{ | |
} |
phdays 2012 Day2, Track3, 16:00, Light and dark side of code instrumentation
Code:
phdays.com, phdays.ru | |
Moscow, 2012 | |
Day2, Track3, 16:00 | |
Dmirty Evdokimov, | |
Light and dark side of code instrumentation | |
| |
Static binary instrumentation tools | |
dyninst | |
eel | |
atom | |
pebil | |
eresi | |
tau | |
vulcan | |
bird | |
slan (4514N) | |
| |
Debuggers | |
sw/hw breakpoints (hw only 4 => mostly sw) | |
scripting | |
windbg + pykd | |
ollydbg + ptyhon = immunity debuggers | |
gdb+pythondfb | |
python libs: buggery, idapythonm, immlib, lldb, pydbg, pydbgeng, pygdbm python-ptrace, vtrace, winappdbg | |
deubber and application works at the same level | |
eg: better to do this kind of instrumentation ... | |
| |
Dynamic binary instrumentation | |
aka virtual code integration | |
is a process to control and analysis of own code into a process already in the memory | |
dba tools: | |
small plugins (win=dll libs, *nix=so libs) | |
dba tools: | |
instrumentaiton routines | |
executed just once, the place where we need to add our code | |
at this stage the instrumentation introduces our code | |
analysis routines | |
this gets called when the above detected place is reached (can be called multiple times) | |
compared to debuggers, there is no need to switch context | |
| |
Modes | |
user mode vs kernel mode | |
| |
Mode of work | |
start to finish | |
attach | |
| |
Mode of exec | |
there is a graph JIT vs PROBE | |
interpretaiton modew | |
valgrind, useful for heavy and slow analysis (memory leaks for huge processes like Oracle DB, etc,) | |
probe-mode (MORE performance) | |
instruction overwrite | |
jit-mode (MORE functionality) | |
binary -> disasm -> disasm instrumentation -> recompile -> original code never executed, just merely an instrumented equivalent | |
| |
DBI Frameworks | |
DBI::Intro from zeronights conf | |
Frameworks | |
PIN (Intel) | |
DynamoRIO (HP) | |
DynInst (Maryland & Vinsconsin Universities) | |
Valgrind (FOSS worldwide) | |
Nirvana (MS) | |
command line example given | |
| |
Levels of granularity | |
instruction | |
basic block | |
trace/superblock | |
function | |
requires symbols, otherwise better to use instruction level | |
section | |
events | |
binary image | |
| |
Self-modifying code and DBI | |
in case the code is self-modifiable, in the cache of the DBI engine, the cache contains NOT the code which got executed, but the one replaced by the malicious code | |
how to detect | |
write-protected code pages | |
checking store address | |
inserting extra code | |
| |
Overhead | |
O=X+Y | |
X=N*Z | |
Y=K+L | |
O=tool overhead | |
N=number of times function is called | |
Y=analysis routines overhead | |
TODO | |
| |
Rewriting instructions | |
fixed length instruct (ARM) | |
variable length instruct (x86, x64) | |
graph with distribution by instruction length (TODO) |
phdays 2012 Day2, Track2, 13:00, To Recover Plaintext Passwords of Windows Users
Code:
phdays.com, phdays.ru | |
Moscow, 2012 | |
Day2, Track2, 13:00 | |
Benjamin Delpy, | |
To Recover Plaintext Passwords of Windows Users | |
| |
mimikatz::sekurlsa::tspkg | |
| |
http://blog.gentilkiwi.com/securite/pass-the-pass | |
| |
MS introduces SSO with NT 6 to improve RemoteApps | |
| |
KB says it work with "Default credentials" | |
it can be user/domain/(pass|hash|ticket) | |
in all cases seems to be vulnerable to pass-the-hash attack | |
| |
Some interesting APIs/symbols | |
TSObtainClearCreds | |
TSRevealPassword | |
TSCredTableLocateDefaultCreds | |
| |
LsaEnumerateLogonSessions | |
for each UID | |
tspkg!TSCredTableLocateDefaultCreds | |
TODO | |
| |
LsaEnumerateLogonSessions | |
for each UID | |
tspkg!TSGlobalCredTable | |
RtlLookupElementGenericTable | |
LsaUnprotectMemory | |
| |
We have just to: | |
tspkg:TSGlobalCredTable | |
SeckPkgFunctionTable -> LsaUnprotectMemory | |
LSA_SECPKG_FUNCTION_TABLE (MSDN/KB link) | |
| |
mimikatz::sekurlsa::wdigest | |
Hashes | |
HA1=MD5(username:relam:password) | |
HA2=MD5(methiod:digestURI:[...]) | |
| |
LsaUnprotectMemory | |
at offset 0xb4 of LSA_SECPKG_FUNCTION_TABLE | |
_DigestCalcHA1@8 | |
| |
LsaProtectMemory | |
at offset 0xb0 of LSA_SECPKG_FUNCTION_TABLE | |
| |
LsaEnumerateLogonSessions | |
for each UID | |
TODO | |
| |
Using TsPkg and WDigest password can be revealed on all Windows | |
WDigest | |
XP, 2003 | |
Vista, seven, 2008, 2008r2 | |
8 | |
TsPkg | |
XP SP3 (manual install) | |
Vista, seven, 2008, 2008r2 | |
8 | |
| |
wce (TODO find what is wce) had not copied this talk TsPkg functionalities | |
| |
WinDBG | |
!process 0 0 lsass.exe | |
.process /i 83569040 | |
g | |
.reload /user | |
bp TODO | |
g | |
| |
mimikatz::sekurlsa::livessp | |
| |
LsaEnumerateLogonSessions | |
for each UID | |
search linked list LUID | |
LsaUnprotectMemory | |
| |
mimikatz::sekurlsa::kerberos (nt 6) | |
mimikatz::sekurlsa::kerberos (nt 5) | |
| |
MS implementaation of Kerberos | |
For password auth | |
password hash for shared secred but keeping password in memory |
phdays 2012 Day1, Track2, 11:00, Smartcard vulnerabilities in modern banking malware
06/05/12 | by zveriu | Categories: ACSA
Code:
phdays.com, phdays.ru | |
Moscow, 2012 | |
Day1, Track2, 11:00 | |
Aleksandr Matrosov, Eugene Rodionov, | |
Smartcard vulnerabilities in modern banking malware | |
| |
Impact since 2010 | |
| |
Blackhole | |
| |
Nuclear pack Apr 2012 | |
carders moved from blackhole to nuclear pack | |
| |
New in nuclear pack | |
added check for legitimate user | |
Java is one of the main vectors in attacking users | |
| |
Example: google search for "евровидение 2012" | |
contains an injected iframe with yandeXXX.<trololo>.ru - valid looking domain | |
this helps to void the AV/IDS detection of randomly generated domains | |
then the iframe redirects to an exploit | |
| |
Russia | |
provides detection of 70% of worldwide carders activity | |
3x increase in detection rate from Nov 2011 till Jun 2012 | |
| |
Biggest botnets | |
Origami, Gizmo, Dudorov | |
| |
BK-LOADER (BootKit) | |
Ringo bundle (ZeroKit or 0kit) | |
First bootkit to modify volume boot record | |
version 1.0, 11/02/2011 | |
| |
Carberp sample | |
Around 3000 bots receiving volume boot record BK debug messages | |
Looks like GSVSoft supplied some parts of the BK code | |
After screenshot publication, their start (because of high traffic incentive) -> started redirecting users to blackhole | |
| |
Rovnix, Carberp with BK, Rovnix.B | |
VBR | |
Polimorphic VBR | |
Malware driver storage | |
| |
Anti-debugging | |
Removes hooks of HIP systems | |
WinAPI functions called by hash, not by name | |
| |
Cards | |
Attacks on APDU level | |
| |
crackme.esetnod32.ru | |
win ipad | |
win amazon kindle | |
| |
Feisty | |
if there is any delay in protocol or program execution, the malware changes it's behaviour | |
malicious plugins not saved on disk, directly loaded into kernel memory |
phdays 2012 Day2, Track1, 17:00, How to hack a telecom and stay alive 2. Owning a billing
Code:
phdays.com, phdays.ru | |
Moscow, 2012 | |
Day2, Track1, 17:00 | |
Sergey Gordeychik, | |
How to hack a telecom and stay alive 2. Owning a billing | |
| |
(Lost 20 minutes of the talk) | |
| |
Lots of VPN | |
VPN is good, but need GOOD configuration | |
| |
The lords of the net | |
Admins! | |
a large network = MANY admins | |
web-accessible KVM/RDP | |
many servers = | |
| |
password of admin never is lock-out policy | |
| |
TCP 1337 over SSL | |
ShoutCast radio streaming server | |
Location: an administrator workstation | |
just search his email with word "password" | |
| |
WiFi access | |
WEP instead of WPA | |
reason = WPA is slow | |
since WEP is fast, so fast was the password cracking as well :) | |
found voip cisco call manager | |
level 15 for the network | |
| |
Pentester tips | |
don't miss anything on the perimeter | |
a strange service not being able to fingerprint -> might be a very BIG hole in fact | |
keep in mind 3rd party hosts | |
use old-school tools and techniques | |
sometimes old holes are found, when the newest threats are patched | |
check the WEB necessary | |
don't forget the admin side/aspects | |
| |
Subscribers | |
Subs are WITHIN the perimeter of network | |
many attacks are easier to perform from subs side | |
| |
General problems | |
network access control weakness | |
intransigent attacks | |
protection of the equipment | |
web applications for subscribers | |
eg.: play online games, manage account, etc. | |
| |
Network access control errors | |
scanned 192.168.x.x | |
22 ssh was open, though 23 telnet was closed | |
445 udp share smb was still open, though 445 TCP was closed | |
some cisco had default passwords | |
which subsequently has lead to some passport server passwords | |
which gets us more cisco passwords | |
etc | |
| |
Hosting | |
local network for collocated/dedicated servers | |
attack against infrastructure (DNS) | |
eg: Secunia hacked via DNS spoofing | |
shared hosting | |
| |
Network access control errors | |
gprs/edge/3g, traditionally stick to NAT | |
other clients are invisible | |
this is not always true | |
perhaps due to config errors | |
in the subnet 10.x, other subscribers could be seen | |
a lot of M2M unpatched devices (Kiosks) behind NAT with logic "behind NAT - unhackable" | |
| |
SNMP 'private' on a GGSN | |
Joke => some barcode | |
| |
Joke | |
captive portal (when credit expires on the net usage example) | |
has LAMP | |
but had mod_proxy -> used as a proxy -> leads to the backbone/technological network via the proxy –> pwn! | |
| |
Web portals and services for subscribers | |
are often placed into the DMZ together with OTHER_SPECIAL servers | |
Subs also reuse passwords or a flawed SSO is installed | |
Eg: | |
games server | |
proxima CMS, path traversal + SQLi + configuration error = root | |
found other 20 web apps on the same machine – all web apps used for subscriber related use/access | |
| |
Contractors | |
perimeter level attacks | |
require system access.vpn | |
corporate policy are not applicable (in the proper sense) - just connect and get your work done | |
eg: | |
a host was looking for a wifi AP | |
brought up fake AP | |
the host connected to fake AP | |
the host allowed guest access in windows | |
the host had the distributive for DSL subs | |
the password was in the distributive | |
the password matched the production xDSL management software | |
eg: | |
some contractors are external – screenshot with Chinese cmd.exe window | |
| |
Pentester tips | |
the laptop of the contractor is NOT a telecom good, IS a contractor good | |
the subscriber data is NOT a telecom data | |
so important to know what belongs to telecom, and what NOT | |
we are ONLY searching for vulnerabilities | |
MINIMALLY exploit the vuln | |
we use ONLY our own resources for demos | |
a fickle client | |
client: enter the portal, abuse the leaked password send me the screenshot | |
pentest: NO, here is the password, go enter yourself and check it | |
contractors are never to be hacked! | |
| |
Playing inside | |
changes are highly dynamic network | |
some errors can cause failures and facilitate frauds | |
| |
Going ahead | |
while inside the network | |
find things to break? | |
better is to: own the directory and own the net | |
own the net | |
net gets you traffic | |
traffic gets you passwords | |
own the directory | |
directory gets you passwords | |
etc | |
| |
Owning the NET | |
equipment vulnerabilities | |
cisco, huawei - is a real hassle to update/patch the vulnerabilities | |
FORGOTTEN (!) systems – example: | |
they found a switch – it was NON-configured! | |
FUN part – NON-configured BUT uptime 2 years! | |
pentesters configured it :) - "properly" configured! | |
etc | |
| |
Example | |
WPA-PSK for AP found | |
Hard time to physically find the given AP | |
Is inside the data center | |
gives access directly to the telecom without any hacks | |
| |
Backups | |
sometimes the backups of configuration are often pulled over the net | |
just sniff and collect the password | |
| |
Scenario1 - bruteforce | |
some default passwords work for a bootstrap-list of outlook web-access users | |
once outlook web-access obtained | |
gets us the list of users from the directory | |
expand the list of users to bruteforce | |
go back to step1 | |
once inside the network, use NULL session to get the list of users, go back to step1 | |
| |
scenario4 - relay attacks | |
don't forget to use | |
cannot be conceptually patched by design of challenge-response, where there is no authentication of the server (like in kerberos) | |
| |
scenario5 - service desk again | |
| |
scenarioN | |
50% cases works well | |
get into the sysvol share on the server | |
any user on the net has auth to see it | |
sometimes you find scripts with password hardcoded/changed in the script itself | |
post-exploitaion | |
Incognito - access token manipulation | |
Pass-the-hash - for windows | |
mimikatz into metasploit | |
| |
Some billing IT servers | |
look like any other web-server with DB | |
no-patch windows | |
oracle -> scott/tiger, no patches at all | |
IIS + ASP.NET | |
IMPORTANT -> billing=confidential information of subs => ask the telecom to get you a similar test system which doesn't contain confidential data |
phdays 2012 Day2, Track1, 15:00, Life cycle and detection of bot infections through network traffic analysis
Code:
phdays.com, phdays.ru | |
Moscow, 2012 | |
Day2, Track1, 15:00 | |
Fyodor Yarochkin, Vladimir Kropotov, | |
Life cycle and detection of bot infections through network traffic analysis | |
| |
Carbert | |
check if a live-user - mouse move | |
if live-user, then proceed to infection | |
have a random but long enough delay before contacting the C&C | |
otherwise, possibly a sandbox analysis - don't proceed | |
| |
Java exploits jar/class where on FTP | |
user anonymous | |
pass java version, eg. Java1_6.30@ | |
helps to get the proper version exploit from the exploit loader | |
| |
Detection during infection | |
infection | |
obfuscated IP address (like a number) | |
password = java version | |
exploitation | |
download the updates .exe | |
post exploitation | |
check_system.php | |
| |
What are we building | |
analyze DNS traffic | |
currently only DNS traffic | |
WHOIS (including team cymru whois) | |
| |
DNS traffic analysis | |
dictionary-based, know names | |
| |
DNS domain detection – by return codes | |
rcode: 3 (non-existing domains) | |
rcode: 2 (failed servers) | |
| |
all DNS packets are indexed | |
cross-correlation through database & whois queries | |
easy to automate | |
further steps | |
| |
Detection flow | |
failed dns lookups | |
mine whois cross-correlation | |
identify domains with same characteristic, but which are pinged and resolved | |
then render those in the sandbox | |
| |
Detection by visualization | |
parallel coordinates | |
see Alexander Dulanoy CIRCL.LU | |
| |
Demo video | |
trc_herd.sh | |
a lot of domains from .ro in the honeypot | |
fun trivia – scripts/programs in the sandbox are loaded and executed, but the execution is faked and shows random output (eg. Some Spanish phrases, etc.) | |
| |
Specifics in russian malware | |
loader | |
exploit packs | |
a lot of glue code and infrastructure to put it all together | |
a little dirty/ugly and the aim is fastest monetization of the target | |
| |
Specifics in chinese malware | |
some javascript | |
most probably just a single neat file | |
most probably they have a longer-term vision than just quick exploitation and monetization | |
| |
Recommendation | |
do not use AV, since if it's active, malware can enable AV evasion and start running on fake/strange execution paths | |
use passive monitoring and cross-correlation methods | |
default deny policy | |
short-life-span domain names would help a lot of these domains | |
| |
Questions | |
Q: are there any fake C&C in the wild to study honeypots? | |
A: haven't seen fake C&C |
phdays 2012 Day2, Track1, 09:00, Abusing Calypso phones
Code:
phdays.com, phdays.ru | |
Moscow, 2012 | |
Day2, Track1, 09:00 | |
Sylvain Munaut, | |
Abusing Calypso phones | |
| |
Sylvain Munaut | |
last 3 years with GSM | |
doing it as a hobby | |
| |
Why modify hardware | |
cheap way to play with the protocol | |
there are tools, but with limitations | |
access to only layer2 and up | |
require expensive hardware | |
| |
Target hardware | |
motorola c123 | |
chosen because supported by osmocombb | |
it's a reference implementation | |
there are plenty phones based on calypso ti | |
really cheap phone, easy to find even if broken | |
| |
Will look into Um interface | |
between MS and BTS | |
| |
GSM Um layer1 | |
several GSM bands | |
uplink (UL): phone -> network | |
downlink (DL): network -> phone | |
freq domain duplexing | |
there are channels -> frequency translation | |
| |
GSM Um layer1 | |
Fully synchronous | |
BTS is the clock master | |
it is a TDMA (nightmare) | |
frames -> timeslots -> bursts of transmission | |
| |
4 types of bursts: | |
normal bursts -> more than 90% of the traffic | |
frequency correction burst (FCCH): sent by BTQ | |
sync burst (SCH): sent by BTS | |
access burst (RACH): sent by MS to request a channel | |
| |
History | |
OsmocomBB - FOSS implementation of a BB | |
gives control ONLY over layer2 and layer3 | |
didn’t provide enough flexibility for Sylvain’s research | |
| |
Why Layer1? | |
Ciphering is applied in Layer1 | |
Gives power to play with bits for various ciphering/crypto attack | |
Follow freq hopping | |
Save uplink and downlink | |
| |
Typical RX chain | |
Antenna - can be replaced | |
RX filter - can be removed if needed | |
ignore the problem - in a lab the signal is strong, the filter cannot filter efficiently | |
otherwise - requires removing, soldering skills | |
RF mixer - selects which freq the phone is received | |
for UL - it is designed for it, works fine | |
for DL - needs removal to be able to tune to required freq | |
Analog baseband - no problem to remove, it's just an ADC | |
DSP-core | |
ROM based, cannot change :( | |
ARM-core | |
running the OsmocomBB firmware, can be modified just fine, we have full control (break the keys, send traffic to wireshark, etc.) | |
| |
DSP-core problems | |
TI has/needs a way to patch bugs | |
means there is way to patch the ROM | |
ARM is the master -> DSP will execute the tasks from ARM | |
There is NO "sniff the network" task | |
Need to implement one | |
DSP has a bootloader to upload code and execute in RAM | |
didn't work " - TI security feature, when executing from RAM, the ROM is locked :( | |
the fix is - in ROM there must be a memcpy() so that it can be used to bypass | |
bruteforced the location of the memcpy() location in the ROM (neat! – bruteforcer source is lost, but can be recreated based on TODO.c by going over memory location, calling the address as if it was memcpy and see if the memcpy occured) | |
took about one day/evening to dump | |
so, using memcpy able to read/dump the ROM -> then load into RAM | |
DSP ROM | |
have the word by word copy of the ROM | |
loaded into IDA PRO | |
known entry point (how?) | |
CPU of DSP is supported by IDAPro | |
seems like written by different teams/devs | |
no calling conventions | |
some routines are very optimized | |
reading ASM code for an unknown architecture is a pain | |
there are a lot of indirect calls | |
calls a function pointer and the pointer is in the RAM | |
DSP patching works by modifying a DSP function pointer tables | |
idea is to modify the function pointers | |
the modified table/pointers are load in the bootloader process | |
uses interrupts and IO access to trace importan functions | |
RAM interrupt | |
DMA interrupt | |
A5 unit IO | |
DMA unit IO – for burst RX buffer | |
RIF unit IO – for burst TX buffer | |
putting it all together allows to write any bits we want to the ARM without any modulation problems | |
| |
Current work | |
modify a phone to act as a BTS | |
not interested in doing FULL COMPLIANT BTS | |
but want SMS, voice calls, etc | |
i.e. provide minimal service BTS | |
motivation | |
another cheap tool for GSM research | |
portable fake BTS | |
just prove it's doable | |
idea is not new | |
first theoretical post about 2 years ago on the list (TODO find the post) | |
| |
MS vs BTS | |
the roles/frequencies are reversed | |
the upper layers can be run on the PC and modified in the FOSS sources | |
receiving bursts and the low level functionality at layer1 is harder to do | |
layer1: | |
annoying is that BTS is continuously transmitting even though it has nothing to transmit because phones look for a high-power RF channel to tune into | |
to keep it cheap, BTS not necessarily tx/rx simultaneously (receive, 3 frames later can switch to transmit) | |
transmit FCCH/TCH | |
receive RACH | |
clock master | |
requires a stable enough reference, otherwise the phones will not lock onto your fake (phone-emulated!) BTS | |
| |
Phone as a BTS | |
the TX/RX chain is pretty much there in the hardware | |
create DSP patch | |
look at TX path for transmit arbitrary data | |
required multi slot TX | |
cannot transmit all the time | |
but need to do your best | |
drives the power amplifier a little bit since it's above the specs | |
re-use OpenBTS as it is for the upper layers | |
1st process - does the main job, calls smaller tasks | |
2nd process - a small task _tranceive_ job | |
need just to reimplement the _tranceive_ job | |
duplex | |
sol1: use 3 phones, hard because need to externally synchronize all of them, TODO recall other reasons | |
sol2: not 100% reliable, but works most of the time - tx as much as you can, and then RX and do your best | |
Tt.R.ttt | |
(T) real BTS-like transmit, then (t) noise to be there on the channel, then switch to RX which is (.) a dead slot, then (R) receive RX from captured mobile phones, then switch again (.) to transmit, then 3 more noise (t) transmits TX | |
it provides ONLY 1 channel, but works | |
it doesn't allow voice calls | |
but SMS, LU, etc. are supported | |
clock sync | |
brilliant idea - use a commercial cell to lock onto | |
because the phone already has this code and functionality, then it's the first thing they tried :) | |
use this clock reference and our fake BTS/sniff phone will relay to other phones the clock reference (acquired from the commercial/surrounding BTS) | |
other option | |
remove the 64mhz oscillator and replace with a very precise, temperature-stable clock source, would be nice to be able to hook suck a clock directly to some exposed pins of the phone and with smallest hardware modifications to deliver this clock signal to appropriate pins on the board | |
| |
Stability issues | |
when it works -> works reliably | |
when it doesn't work -> it doesn't work reliably either :) | |
the random behaviour is dictated by the Fn(the clock reference cell, the current cell the phone camps on), result may vary | |
demo | |
registered to the demo | |
then got the welcome SMS form the OpenBTS | |
| |
Thanks | |
Dieter Spaar | |
LaF0rge | |
David Burgess | |
Andreas "jolly" | |
TODO | |
| |
Docs | |
wiki with | |
| |
Sylvain Munaut | |
Present @ hackspace neuron | |
friday 19:30 (calypso, gsm, openbts) | |
staruday 17:30 (tetra, gmr) |
phdays 2012 Day1, Track1, 17:00, Demo section Seeing once is better...
Code:
phdays.com, phdays.ru | |
Moscow, 2012 | |
Day1, Track1, 17:00 | |
Multiple speakers | |
Demo section Seeing once is better... | |
| |
=================================== | |
| |
Afanasiev Mihail (Gleg.net) | |
| |
Finding SCADAs | |
Services: ERIPP, Shodan | |
Identification: WinCC, TODO for others | |
| |
Advantech web access 0day sql injection | |
blind sql injection in proj and node http params | |
used CANVAS framework to symbol by symbol enumeration from pUserPassword table | |
| |
Carel PlantVisor PRO demo 2.0 blind sql injection 0day | |
select + current_settings('data_directory') - | |
true/false=substr(sym, sym_num) | |
used CANVAS framework | |
tomcat, postgresql, win2008 | |
| |
Ge Fanuc HMI/SCADA CIMPLICITY 8.1 | |
directory traversal | |
win xp sp3 | |
CIMWebServer.exe (port 80) | |
used CANVAS framework | |
| |
Pure web-base scada | |
atvise | |
integraxor | |
| |
=================================== | |
| |
Mobile trojan in-action | |
artiom 4aikin | |
positive technologies | |
| |
Total malware samples (MacAfee) | |
reportsrp-quaterly-threat-q4-2011.pdf | |
| |
Past android malware | |
easy to detect | |
example | |
angry birds bonus level by [some chinese chars] | |
requires access to sms and calls | |
demo | |
send SMS upon installation | |
| |
Present android malware | |
Users became smarter | |
easy to get the malware | |
drive-by download & SocEng | |
hard to detect | |
all latin chars in the naming | |
local exploits for privilege escalation | |
installs services to deny malware removal | |
demo | |
some russian malware developer | |
used SocEng: named "communication security update" | |
requires: "load at boot" and "internet connection" only | |
missing from the list of applications | |
only found in settings: com.Security.Update | |
using phone as proxy server | |
| |
Future android malware | |
rise of malware/trojans for mobile platforms | |
exploits: local and remote | |
motivations: fraud, mobile banking | |
cross-application vulns - already real | |
| |
=================================== | |
| |
Insecure Citrix | |
| |
how to own virtual servers | |
| |
citrix xenserver | |
cloud infrastructure | |
open hypervisor XEN | |
| |
(missed rest of the track) :( |
[ACSA-2012-12] - HP WJA Multiple XSS vulnerabilities
05/28/12 | by zveriu | Categories: ACSA
[ACSA-2012-12] - HP WJA Multiple XSS vulnerabilities
First, I would like to thank HP SSRT security team for great communication and cooperation on the report.
Other advisory numbers: HPSBPI02779 SSRT100855, CVE-2012-2011
HP WJA
- uses non-secure transport protocol (read MITM)
- does not implement or at least verify secure-hashing i.e. authenticated&authorized origins of the DOWNLOADED files
- has several XSS vulnerabilities (perhaps many more to be discovered)
[ACSA-2012-05] - MSOffice EPS Stack based overflow crash
05/28/12 | by zveriu | Categories: ACSA
[ACSA-2012-05] - MSOffice EPS Stack based overflow crash
For a specially crafted EPS file, inserting it as a picture in one of the mentioned applications will result in a stack based overflow in the EPSIMP32.FLT
EPSIMP32.FLT is a graphical filter used to process cetain embedded file-types into MSOffice documents.
Specifically, EPSIMP32.FLT will process EPS (Encapsulated PostScript) files.
MS confirmed crash, but marked as NOT exploitable.
Other advisory numbers: MS-12305cw
More details here.
[ACSA-2012-11] - HP SmartInstall updates non-secure-verified and non-origin-verified are enabled by default for non-privileged users
05/28/12 | by zveriu | Categories: ACSA
[ACSA-2012-11] - HP SmartInstall updates non-secure-verified and non-origin-verified are enabled by default for non-privileged users
NOTE: this was a valid security advisory when discovered, but because of bad timing for reporting, the issue is confirmed as fixed by side-effect of firmwares signature verification patch by HP during Nov 2011.
More details here
Security Bulletins - [ACSA-2012-15] - SA47855 Ghostscript Windows buffer overflows OutputFile
04/04/12 | by zveriu | Categories: ACSA
Security Bulletins - [ACSA-2012-15] - SA47855 Ghostscript Windows buffer overflows OutputFile
THe GhostScript for Windows security advisory [ACSA-2012-15] reported by me and marked as highly critical in SA47855, now have been fixed. It is greatly advised to upgrade to GhostScript 9.05.
Download here the original advisory and PoC samples.
Security Bulletins - Xerox XRX12-003
Security Bulletins - Xerox XRX12-003
Xerox started to roll out fixes for some of my security advisories (ACSA).
So, here we go:
XRX12-003 v1.1
Upcoming talks - Hack In Paris, Paris, 22-23 June 2012
03/07/12 | by zveriu | Categories: Conference, Hack In Paris
Upcoming talks - Hack In Paris, Paris, 22-23 June 2012
It’s been great news for me that my talk “PostScript: Danger ahead!” have been accepted for Hack In Paris security conference.
Upcoming talks - PHDays, Moscow, 30-31 May 2012
03/07/12 | by zveriu | Categories: Conference, PHDays.ru
Upcoming talks - PHDays, Moscow, 30-31 May 2012
I am happy to announce that my talk “PostScript: Danger ahead!” have been accepted for PHDays security conference.
Perhaps this years preffered topics could be “vote rigging: techniques, detection and protection", “automating vote monitoring“, “vote processing devices“
See you in Moscow!
Upcoming talks - HITB-AMS, Amsterdam, 24-25 May 2012
Upcoming talks - HITB-AMS, Amsterdam, 24-25 May 2012
I feel delighted to have my talk “PostScript: Danger ahead!” accepted for HITB-AMS.
Eager to be back in Amsterdam, especially for this awesome quad-track conference with great-looking training menu and talks list.
Stay tuned and see you in Amsterdam!
Upcoming talks - AthCon, Athens, 3-4 May 2012
03/07/12 | by zveriu | Categories: Conference, AthCon
Upcoming talks - AthCon, Athens, 3-4 May 2012
I am happy to announce that my talk “PostScript: Danger ahead!” have been accepted for AthCon.
See you in Athens - who knows, maybe some “riot hacking” event, technology or talk will be presented !
Intelligence gathering by harvesting voice conference details and tapping into calls
Surprisingly, I have submited on 21 Nov 2011 a lightning talk proposal for CanSecWest12 titled “Intelligence gathering by harvesting voice conference details and tapping into calls”.
Interview questions - Microsoft MusiWave Paris
02/15/12 | by zveriu | Categories: AskAmit
Found in deep&lost archives. It’s been a long time wanted to post it here. Here it goes.
In June 2009, myself and Igor went for an interview at MusiWave in Paris (acquired by Microsoft at that time, hence the hecktic hirings).
Jumping ahead, I am happy I didn’t end up working there .
[ACSA-2012-04] HP JetDirect Download Manager for Windows suspicious "backdoor" functionality
[ACSA-2012-04] HP JetDirect Download Manager for Windows suspicious “backdoor” functionality
Jumping ahead, Secunia confirmed that from their point of view the “HP JetDirect Download Manager” is not backdoored/infected. Nevertheless, I’m posting the details for the interested ones.
My suspicions lied within this functionality:
Code:
"Model found in backdoor file!" | |
"FirmwareFileManager::ReadFirmwareBackDoorFile" | |
"FirmwareFileManager::ReadBackDoorfile" |
28C3 (Chaos Computer Club Kongress 2011) presentations
28C3 (Chaos Computer Club Kongress 2011) presentations
Video - Hacking MFPs - PostScript:um, you’ve been hacked
Download slides:
...on Google Hall of Fame...
Have open my New Year with myself closing Google Hall of Fame October-December 2011 (I guess it was the last entry of 2011, since I submitted during last days of December)
More details about why I ended up there will follow, hopefully at one of the next conference talks.
Stay tuned. Stay secure.
zveriu_biz 
686769 
Ads
Cognitive and Scientific Brainology
A deep dive into brain's curiosities
| << | Current | >> | |
| Jan | Feb | Mar | Apr |
| May | Jun | Jul | Aug |
| Sep | Oct | Nov | Dec |
Friends
Categories
- All
- ACSA (10)
- AskAmit (12)
- Conference (35)
- DailySpammer (11)
- Fun (8)
- In real life (8)
- On the web (22)
- GSM (2)
- Hardware (12)
- RFID (1)
- Security (6)
- Software (28)
Archives
- October 2012 (1)
- September 2012 (2)
- August 2012 (1)
- July 2012 (2)
- June 2012 (26)
- May 2012 (3)
- April 2012 (1)
- March 2012 (5)
- February 2012 (2)
- January 2012 (3)
- November 2011 (2)
- June 2011 (1)
- More...
Misc
XML Feeds
What is RSS?
