
Manual/Book [HITCON 2024] slides

weaver



Exploiting overlooked vulnerability in Published work - An analysis of Realtek SoC SDK exploitation
Description
In 2022, Octavio Gianatiempo and Octavio Galland presented a talk at DEFCON - Exploring the hidden attack surface of OEM IoT devices: pwning thousands of routers with a vulnerability in Realtek’s SDK for eCos OS.

This talk is about Realtek’s SDK vulnerability, highlighting the poor state of firmware vulnerability in consumer products.

The vulnerability affected at least 31 products across 19 different vendors.

I revisited the idea of attacking SDKs, describing the process of applying the research on a similar but different product using the patched SDK.

The research results in finding a new 0-day critical zero-click RCE vulnerability that can be exploited by a remote attacker, which is used as a case study for this talk.


This talk documents how the speaker approaches an IoT device from a research perspective. This is done by demonstrating the process of understanding the bootloading process, extracting the firmware, and setting up the environment for analysis and exploit development. A walkthrough of the exploitation process is included to paint a picture of a practical exploit development process.


This research reaffirms the findings of the previous DEFCON presentation, highlighting the persistent and critical vulnerabilities within the IoT firmware space.

Despite the potential impact of the previous CVE, the response from vendors has been limited.

Only two vendors have actively responded to the patches—either by acknowledging the bug exists and implementing a fix, or by verifying that the vulnerability does not impact their products.


This talk highlights the ongoing challenges in IoT security and the need for continuous research. These vulnerabilities indicate a huge area for security research and improvement. By documenting the research process, from initial exploration to exploitation, this presentation aims to contribute to the broader understanding of IoT security. This talk also hopes to serve as a starting point for researchers who seek to analyze IoT devices. Ultimately, this work emphasizes the critical need for better security practices within the IoT industry and highlights the role of researchers in uncovering and addressing these vulnerabilities.
Slides: https://hitcon.org/2024/CMT/slides/..._analysis_of_Realtek_SoC_SDK_exploitation.pdf



Clash, Burn, and Exploit: Manipulate Filters to Pwn kernelCTF
Description
As the successor to the iptables, nftables stands as a crucial network component within the Linux kernel, managing packet filtering and other network-related functionalities. With continuous development and changes, features designed to increase its efficiency, such as batch commit, anonymous chains/sets, and asynchronous garbage collection, have been implemented, which in turn has significantly increased its complexity and made it an attractive target for attackers in recent years.

Since the announcement of the kernelCTF bug bounty, multiple nftables 0-day vulnerabilities have been reported and patched to enhance its security. However, if not careful enough, the security patch may not only mitigate the bug but also introduce new security issues unintentionally. By researching the structural changes in the nftables codebase, we successfully uncovered new vulnerabilities despite the intense competition in kernelCTF. Also, we managed to speedrun the exploitation just before Google removed nftables from the LTS instance, becoming the last LTS nftables exploitation.

In this presentation, we want to share three nftables vulnerabilities we discovered in a storytelling fashion. We will start with a brief introduction on how nftables works under the hood to familiarize attendees with the basics. After that, we dive into nftables internals and dissect three vulnerabilities discovered during our journey, two of which involved utilizing hard-to-exploit race conditions to pwn the flag. Alongside details of the exploitation, we will also share the roller-coaster story of kernelCTF experiences, filled with dramatic highs and lows, making it a tense and exhilarating journey.
Slides: https://hitcon.org/2024/CMT/slides/Clash_Burn_and_Exploit_Manipulate_Filters_to_Pwn_kernelCTF.pdf