
Ekoparty 2022 videos

weaver

The Ekoparty videos have dropped


youtube.com/watch?v=ITPOdXxeDQc&list=PLaIv9WEAzYZPOtqbCTAUbZeAEEP-vCA5v (full list)


Picked out a couple of interesting talks for myself...


Exploiting Samsung: Analysis of an in-the-wild Samsung Exploit Chain
This talk is a detailed technical analysis of a Samsung 0-day exploit chain used in-the-wild. The chain used 3 0-day vulnerabilities. In the talk, I will explain each vulnerability, how it was used and exploited in the chain, how it was fixed, and show a demo. Neither the vulnerabilities nor the exploit chain have been previously shared publicly. Most in-the-wild exploit chains that have been presented in the past have followed the path of browser bugs to a privilege escalation. This novel chain instead uses bugs in the clipboard service and logging before exploiting a bug in the GPU to achieve root access.

The talk makes the information as accessible as possible, even for attendees without a background in vulnerability research and exploitation. The information though is novel and still highly technical so it will also still be interesting for experienced exploit developers.


Exploring the hidden attack surface of OEM routers
In this presentation, we go over the main challenges we faced during our analysis of the top selling router in a local eCommerce, and how we found a zero-click remote unauthenticated RCE vulnerability (CVE-2022-27255). We will do a walkthrough on how we located the root cause of this vulnerability and found that it was ingrained in Realtek’s implementation of a networking functionality in its SDK for eCos devices. Then, we will discuss exploitation and post-exploitation strategies in this type of routers and show a PoC exploit that proves how this vulnerability can be used to execute code and make the device act as a port scanner for its local network.

After that, we will present the method we used to automate the detection of this vulnerability in other firmware images. We reflect on the fact that on most routers this functionality is not even documented and can’t be disabled via the router’s web interface. We take this as an example of the hidden attack surface that lurks in OEM internet-connected devices.

We conclude by discussing why this vulnerability hasn’t been reported yet, despite being easy to spot (having no prior IoT experience), widespread (affecting multiple devices from different vendors), and critical.

Our research highlights the poor state of firmware security, where vulnerable code introduced down the supply chain might never get reviewed and end up having a great impact, evidencing that security is not a priority for the vendors and opening the possibility for attackers to find high impact bugs with low investment and little prior knowledge.


Not Yet Another Fuzzer
Fuzzing, or Fuzz Testing, is the process of finding security vulnerabilities in programs by repeatedly providing invalid, unexpected, fuzzed, or random data as inputs. Since this process is highly dependent on the input interface and the execution environment of the target, fuzzing programs with simple interfaces like command line arguments or files in a usual architecture is very straightforward nowadays, but… What happens when it isn’t a command line program? And if it isn’t on your machine? And if it has another architecture? And if it is for another OS or no OS at all? This can be really tricky, so… With NYAF we’re going to overcome these difficulties by abstracting away from the execution environment and the input interface.

Description
In this talk I’m going to present NYAF, a multi-platform fuzzer based on emulation and guided by the Generation Search algorithm, seen for the first time on the well known SAGE fuzzer.

The main goal of the fuzzer is to abstract the program from its natural execution environment (OS/Hardware), and analyze it in a more comfortable and emulated one, to improve the capabilities in terms of analysis, scalability and efficiency. This approach will help with fuzzing on targets like IOT devices, embedded systems, firmware and OS.

Currently, the fuzzer supports the following architectures and platforms:

Architectures:
- ARM32
- AArch64
- X86
- x86_64

Platforms:
- Windows
- MacOs
- Linux
- UEFI
- Bare metal

NYAF is fully written in python and it can be easily extended to improve its functionalities, provide support for another platform or create a custom test case generation method. It primarily uses two python frameworks to work:

Qiling: an advanced binary emulation framework built on top of Unicorn Engine in pure python used to emulate the programs.

Triton: A Dynamic Binary Analysis framework used to implement the concolic execution needed in the General Search algorithm.

The main goal of the talk is to explain, at a high level, the internals of the fuzzer to understand why it can overcome the difficulties that the different environments impose, and the nature of the design decisions needed to reach the fuzzer goals. The main topics to discuss are:

- The hardware abstraction: Snapshot taking and emulation.
- How to recognize a bug in the execution.
- Efficient test case generation: Generational Search using concolic execution.

And at the end, we are going to show a use case for the fuzzer to prove the topics discussed earlier with a real world case.


Windows Segment Heap: Attacking the VS Allocator
Heap overflow and heap memory corruption in general, is a common vulnerability class used to breach the security boundaries provided by the operating system.

Since the early versions of windows, a ripe target for exploiting the heap corruption vulnerabilities used to be the allocator’s metadata. Because of that, heap allocators were hardened to prevent some of the commonly used attacks over time.

Fast forward to the present, and since the early versions of Windows 10, Microsoft has rolled a new heap implementation, the segment heap. In the segment heap, Microsoft has taken some of the past lessons and tried to mitigate and prevent the abuse of the allocator metadata.

In this talk, we will see how it’s possible to work around some of the implemented mitigations to exploit heap overflows by abusing the segment heap metadata. Specifically, we will target the VS allocator, which is one of the primary allocators in the segment heap. Some unique characteristics of the attacks:

- Pure attacks on the segment heap implementation: techniques can be used anywhere segment heap is utilized (e.g. kernelmode, usermode) regardless of the underlying heap configuration.
- There is no reliance on the actual overflow data. On the contrary, the attack can sometimes work better when dealing with totally random data.
- Finally, we also publish a windbg JS extension that exports various internal segment heap structures useful for exploit development.


Attack on Titan M, Reloaded: Vulnerability Research on a Modern Security Chip
The Titan M chip was introduced by Google in their Pixel 3 devices, to reduce attack surface and protect against hardware-level vulnerabilities. Our team at Quarkslab has been studying it for quite some time now, and in this talk we will share our takeaways on how we performed vulnerability research on such a constrained target. From plain static analysis, to fuzzing and dynamic symbolic execution, we will compare the different results we obtained, as well as the limitations of each approach. Finally, we will dive into CVE-2022-20233, a vulnerability that was only allowing to set a single byte to 1. We will show how we managed to obtain code execution from it and leak secrets from the secure chip, practically defeating its protection.


eBPF ELFs JMPing Through the Windows
eBPF tracing is a hot new technology in the EDR and infrastructure space providing high speed instrumentation and telemetry on events, processes, and network connections. Last year, Microsoft released a completely new implementation of an eBPF tracing system for Windows which is destined to become a primary telemetry provider in the near future. eBPF for Windows has a complex architecture that leverages program analysis to verify unsigned user code via abstract interpretation before running it in a kernel context so integrity of the software is paramount. This research will be the first public work to analyze the new eBPF for Windows implementation for security vulnerabilities. Our presentation will discuss the capabilities and security model of eBPF for Windows followed by details of the design and attack surface which will include the eBPF API, the trusted static verifier and JIT engine, and the kernel implementation of trace hooks and telemetry providers. During our deep dive into the implementation details we will uncover vulnerabilities at multiple layers and discuss how they were found with demos of fuzzing Windows eBPF components and real-time bug discovery.


Internal Server Error: Exploiting Inter-Process Communication in SAP’s HTTP Server
More than 400,000 organizations, including 90% of Fortune 500 companies, rely on SAP’s software to keep their business up and running. At the core of every SAP deployment is the Internet Communication Manager (ICM), the piece of software in charge of handling all HTTP requests and responses.

This talk will demonstrate how to leverage two memory corruption vulnerabilities found in SAP’s proprietary HTTP Server, using high-level protocol exploitation techniques. Both techniques, CVE-2022-22536 and CVE-2022-22532, were remotely exploitable and could be used by unauthenticated attackers to completely compromise any SAP installation on the planet.

First, by escalating an error in the HTTP request-handling process, this presentation will show how to desynchronize ICM data buffers and hijack every user’s account with advanced HTTP Smuggling. Furthermore, as the primitives of this vulnerability do not rely on parsing errors, a new technique will be introduced to take over a system, even in an “impossible to exploit” scenario - without a proxy! This will include a demo of the first desync botnet, using nothing more than JavaScript and Response Smuggling concepts.

Next, this talk will examine a Use After Free vulnerability in the shared memory buffers used for Inter-Process Communication. By exploiting an incorrect deallocation, it was possible to tamper messages belonging to other TCP connections and take control of all responses using Cache Poisoning and Response Splitting theory.

Finally, as the affected buffers are also used to contain Out Of Bounds data, a method to corrupt address pointers and obtain Remote Code Execution will be explained.

The Internet Communication Manager Advanced Desync (ICMAD) vulnerabilities were addressed by the US Cybersecurity and Infrastructure Security Agency, as well as CERTs from all over the world, proving the tremendous impact they had on enterprise security.


Exec ASLR: Abusing intel branch predictors to bypass ASLR
Address Layout Randomization (ASLR) is used to mitigate memory corruption attacks by randomizing virtual addresses of a process. Also, using speculative execution, modern CPUs rely on branch predictors to choose the next instruction to be fetched in the CPU pipeline.

In this talk we present a new spectre v2 based technique for abusing branch predictors in order to bypass ASLR on Intel CPUs. Our attack abuses the fact that not only the attacker can pollute the branch target buffer such as in a spectre-like scenario, but victims can also trigger a branch misprediction in the attacker process, leading the attacker to speculatively jump to the same protected address. Using a second cache side channel the attacker can then retrieve the address, completely bypassing the ASLR for the target process. On a real intel processor hosted on google cloud, we were able to successfully recover the victim’s address in a fast and (somewhat) reliable 0day attack.

With some demos, we will explore some x86 internal related topics such as side channel attacks, speculative and out of order execution, as well as the research work done.


Breaking Firmware Trust From Pre-EFI: Exploiting Early Boot Phases
Vulnerabilities in System Management Mode (SMM) and more general UEFI applications/drivers (DXE) are receiving increased attention from security researchers. Over the last 9 months, the Binarly efiXplorer team disclosed 42 high-impact vulnerabilities related to SMM and DXE firmware components. But newer platforms have significantly increased the runtime mitigations in the UEFI firmware execution environment (including SMM). The new Intel platform firmware runtime mitigations reshaped the attack surface for SMM/DXE with new Intel Hardware Shield technologies applied below-the-OS.

The complexity of the modern platform security features is growing every year. The general security promises of the platform consist of many different layers defining their own security boundaries. Unfortunately, in many cases, these layers may introduce inconsistencies in mitigation technologies and create room for breaking general security promises, allowing for successful attacks.

In this presentation, we will share our work exploring recent changes in the UEFI firmware security runtime using one of the most recent Intel CPUs as an example. The presentation will cover the evolution of firmware mitigations in SMM/DXE on x86-based CPUs and a discussion about the new attacks on Intel Platform Properties Assessment Module (PPAM), which are often used in tandem with Intel SMI Transfer Monitor (STM).

These topics have never been publicly discussed from the offensive security research perspective.
 
Where can I check out the writeups from this CTF?
What writeups? This isn't a CTF, these are talks from the conference. As for the presentations and slides, no idea... Haven't looked yet... But I think they're already online too, or will be published soon)
 
There was a CTF as part of the conference, a pretty fun one; I just wanted to find out about the writeups
 
Then sorry... Didn't know about the CTF, but in general keep an eye on Twitter, they get published there in personal blogs... or check ctftime
 
c3rb3rus, Bluefrost had two tasks

here's the solution
 

