by: Nguyen Anh Quynh
Code injection is a popular mechanism to perform dynamic binary instrumentation/patching at run-time. Most public solutions rely on either system manipulation or external tools to watch for binary to be launched, then choose the right time to inject the code into the target. An issue with this approach is that it is unportable, fail to work for static binary, and hinders other analysis tools such as debugger or instrumentation.
This research looks at an alternative mechanism, that is to physically patch the target for code injection. We will describe how we developed some brand new tools to introduce minimal modification to the original binary (while do not change its code semantic), so it can automatically inject external code into itself at runtime. We will present how we achieve this daunting task on all relevant platforms such as Windows, Linux & BSD.
Unlike the traditional approach, our solution does not require any system manipulation, works for all kind of binaries, and never hinder analysis tools.
by: Anshuman Bhartiya
Bug bounty programs are a hot topic these days. More and more companies are realizing the benefits of running a program, and researchers are jumping at the opportunity to grab some swag and make some extra cash from the bugs they find. Reporting security issues has never been as easy, open, and risk-free as it is right now. Everybody wins!
Though that doesn’t mean we should stop there. As researchers, we spend a lot of time doing the same menial tasks for each program: monitoring for new targets, checking for common issues, remembering just which flags you needed to pass to that tool (or even which tool is best for that job). We build new tools, hack together shell scripts, and generally make small incremental changes to our process. But surely there’s a better approach?
Are you sick of repeating the same tedious tasks over and over? Wouldn’t it be nice to have your own bug hunting machine? One that -
Is always watching
Reacts as soon as a new target becomes available
Takes care of those tedious repetitive steps for you
Makes life easy when you want to integrate a new tool/workflow
Doesn’t cost the world to run, and trivially scales
Leverages lessons and technologies battle tested in the dev world to improve your offensive capacity, capability and productivity
Monitors your own infrastructure and reacts before hackers can (while saving you the cost of those Bug Bounty payouts in the meantime)
We call this approach Bug Bounty Hunting on Steroids. We will discuss our research and approach to building such a machine, sharing some of the lessons we learned along the way.
by: Dhiraj Mishra
The discussion flow would start from the importance of browsers, need for security within it, my research and vulnerabilities found, and finally demonstration of zero day, apart from other exploits and attacks, against browsers. The talk would conclude with a discussion around remediation efforts to protect these attacks.
Over the years reliance on browsers has increased many folds. The features provided by browsers, along with its numerous extensions and components, browsers have seen a humongous increase in the number of users using it to browse different services. This provides a huge attack base to "research" and identify potential vulnerabilities which can be exploited in order to improve defensive controls.
The talk I will be presenting is entirely my own work of research. While identifying vulnerabilities in web applications and participate in various bug bounty programs is interesting, I enjoy targeting platforms which are less popular as research topics. Having said that, while security for browsers is a known topic, I've been able to identify, through my research, several vulnerabilities (including a zero day) which will help secure it further.
The issues I will be talking about are completely new within three specific domains - SOP, RCE and Address Bar Spoofing (ABS). These vulnerabilities, along with the attack scenarios are something which I've created through my research. I've also created, from scratch, an exploit code which can be used across several browsers for the same vulnerability. I will be showcasing multiple Metasploit module, I created during my research
by: John Menerick aka Project Nexus
Recent attacks provide insight on cyber assaults which could halt the global economy. Financial systems are little more than a set of promises between various online and real life entities. Processes designed to make financial services safe have created new vulnerabilities. If systemic institutions were compromised, panic could spread. Better testing is needed. However, cracking financial systems is harder than it looks. Project Nexus shows how certain testing methodologies can affect financial services and might even have an impact on our chances for success.
by: Rosalia D’Alessandro, Hardik Mehta (@hardw00t), Loay Abdelrazek (@sigploit)
The presentation will include the following:
Quick introduction of 3G/4G telecom networks
Discuss various ways to access internal network from the access network
Discuss various possible attacks on the IMS platform
Walk-through of how a 3G/4G telecom network node can be compromised.
Discuss various attacks based on signaling protocol (SIP, SS7 , GTP and Diameter)
Simulation based demonstration of exploiting signaling protocols (Release tool modules and demonstration)
Discuss on remediation methodology from such attacks
Open for Questions
The presentation is to highlight various ways to compromise and access telecom operator's network to target following:
Core telecom network infrastructure
Operator's Corporate and Management network
Currently, Sigploit is limited to assess SS7 protocol. We plan to release SIP , GTP and Diameter modules during the presentation, including walk-through and demonstration.
by: Jayesh Singh Chauhan
Nowadays, cloud infrastructure is pretty much the de-facto service used by large/small companies. Most of the major organizations have entirely moved to cloud. With more and more companies moving to cloud, the security of cloud becomes a major concern. While AWS, GCP & Azure provide you protection with traditional security methodologies and have a neat structure for authorization/configuration, their security is as robust as the person in-charge of creating/assigning these configuration policies. As we all know, human error is inevitable and any such human mistake could lead to catastrophic damage to the environment.
Few vulnerable scenarios:
- Your security groups/policies, password policy or IAM policies are not configured properly
- S3 buckets and Azure blobs are world-readable
- Web servers supporting vulnerable ssl ciphers
- Ports exposed to public with vulnerable services running on them
- If root credentials are used
- Logging or MFA is disabled
Knowing all this, audit of cloud infrastructure becomes a hectic task! There are a few open source tools which help in cloud auditing but none of them have an exhaustive checklist. Also, collecting, setting up all the tools and looking at different result sets is a painful task. Moreover, while maintaining big infrastructures, system audit of server instances is a major task as well.
CS Suite is a one stop tool for auditing the security posture of the AWS/GCP/Azure infrastructures and does OS audits as well. CS Suite leverages current open source tools capabilities and has custom checks added into one tool to rule them all.
Cloud Security Suite is an open source which adheres to GPL V3 (GNU General Public License v3.0). This paper is written for the release of the version 3.0 of the tool.
The major features include:
- Simple installation with support of python virtual environment and docker containers
- GCP Infra Audit
- Initiate all tools/audit checks in one go
- AWS Infra Audit:
Easify your “open source setup” pain.
Compilation of all audit checks in one place
Centralised portable reports
Audits individual systems
- AWS Instance Audit
IP based auditing
Region independent Audit (Public IP)
Supports both public and private IPs for Default region
Automatic Report Generation and Fetching
Portable HTML report
- JSON output
- Integration of AWS Trusted Advisor
- Azure Infra Audit
- Azure IP based Auditing
- Report generation of the Diff between the current and last scan
by: Boris Larin and Anton Ivanov
At the end of 2017 we discovered an Adobe Flash Player zero day vulnerability (CVE-2017-11292) that was used by the BlackOasis APT. This shows that Adobe Flash Player still is a good target for threat actors. CVE-2017-11292 is a particularly interesting logic bug that lead to type-confusion vulnerability, and there are no public reports describing it.
In our presentation we will cover the following things:
1. What exploitation techniques are currently used by threat actors in Flash exploits
2. A detailed description of CVE-2017-11292
3. Also we will talk about how to find new vulnerabilities in Adobe Flash Player
We will present and release our self-made ActionScript3 processor module and debug plugin for IDA Pro. These tools complement each other, and have shown some good results in debugging exploits in-the-wild.
We analyzed AVM and discovered how to boost analysis with the rich possibilities of IDA Pro and API.
by: Aseem Jakhar
IoT is getting a lot of attention these days. Lot of startups are coming up with innovative IoT based solutions. Security researchers have started to look at security of IoT. However, one of the biggest road blocks for security researchers is the toolset. Currently, there are tools both hardware and software that focus on specific work or protocol, but there are none focussing on IoT as a domain itself. Some are not mature yet, some are only PoCs etc. Also, knowledge of hardware is required to assess hardware security go the sensors. These two limitations are restricting security professionals from entering into IoT security domain. If you are among the researchers waiting to get into IoT security - Your wait is over.
The primary focus of this talk is to introduce the attendees to the open source IoT Security Testing framework - Expl-IoT and enable them to use it as well as write plugins for new IoT based exploits and analysis test cases. We are currently working on the expliot website (www.expliot.io), where we will post all news and updates about the framework. All you need to do is just download and install the framework.
As we started digging deeper into IoT security, one thing was evident that there was a lot of time being spent in understanding IoT tools and protocols. So, we decided to create a flexible and extendable framework that would help the security community and us in writing quick IoT test cases and exploits. The objectives of the framework are:
1. Easy of use
3. Support for hardware, radio and IoT protocol analysis
We released Expl-iot beta version (in ruby) 2017 - https://bitbucket.org/aseemjakhar/expliot_framework We are currently working on the python3 port to support more hardware/radio functionality and have deprecated the ruby version. We will release it in a month. The new beta release is envisioned to have support for UART(serial), ZigBee, BLE, MQTT, CoAP (next version will have support for JTAG, I2C and SPI) and few miscellaneous test cases. This talk would give attendees a first-hand view of the functionality, how to use it and how to write plugins to extend the framework.
The rough flow of the talk would be
- IoT Attack Surface
- IoT security testing road blocks
- Introduction to Expliot
- Limitations of IoT protocols
- Attack demos
- Extending Expliot with your own plugins
by: Patrick Wardle
"In the ever raging battle between malicious code and anti-malware tools, firewalls play an essential role. Many a malware has been generically thwarted thanks to the watchful eye of these products.
However on macOS, firewalls are rather poorly understood. Apple's documentation surrounding it's network filter interfaces is rather lacking and all commercial macOS firewalls are closed source. This talk aims to take a peek behind the proverbial curtain revealing how to both create and 'destroy' macOS firewalls.
In this talk, we'll first dive into what it takes to create an effective firewall for macOS. Yes we'll discuss core concepts such as kernel-level socket filtering - but also how to communicate with user-mode components, install privileged code in a secure manner, and simple ways to implement self-defense mechanisms (including protecting the UI from synthetic events).
Of course any security tool, including firewalls, can be broken. After looking at various macOS malware specimens that proactively attempt to detect such firewalls, we'll don our 'gray' (black?) hats to discuss various attacks against these products. And while some attacks are well known, others are currently undisclosed and can generically bypass even today's most vigilant Mac firewalls.
But all is not lost. By proactively discussing such attacks, combined with our newly-found understandings of firewall internals, we can improve the existing status quo, advancing firewall development. With a little luck, such advancements may foil, or at least complicate the lives of tomorrow's sophisticated Mac malware!"
by: Craig Smith
A lot of security is being moved into hardware. This doesn't fix security, it just makes it smaller. Security professionals have a good handle on network and application security, however when it comes to doing hardware testing, things are not as easy as they seem. One of the biggest reasons why hired security teams fail to deliver successful hardware engagements often comes down to deficiencies in scoping. This talks describes several stories of failures during hardware engagements and how you can work with vendors to have successful hardware engagements. This talk will give you the tools to properly scope out engagements that will provide great results and give your client the best bang for their buck.
by: Joshua Crumbaugh
Lessons learned and audio from a real social engineering call that gave me access to a bank vault. This talk has been extremely popular and requested worldwide.
by: Michel Chamberland
IoT use is growing rapidly through a research study sponsored by Trustwave, it was revealed that sixty-four percent of organizations surveyed have deployed some level of IoT technology, and another twenty percent plan to do so within the next twelve months. The result of this will be that, by the end of 2018, only one in six organizations will not be using at least a minimal level of IoT technology for business purposes. While IoT devices are exploding in deployments, still very little is being done to secure these solutions. The security defenses being employed within this domain tend to be at least a decade old and of insufficient strength to hold back today's attackers. In this same Trustwave sponsored survey, it was found that only twenty-eight percent of organizations surveyed considered their IoT security strategy to be very important. This combination makes IoT devices very attractive targets for malicious attackers, red teamers and others interested parties.
One of the most common ways to analyze and find vulnerabilities in IoT devices is through the use of their JTAG ports. In this talk, we'll be discussing what JTAG is and how it can be used in order to find vulnerabilities in IoT devices. The presentation will cover a bit of history about JTAG and will then jump into the technical details on how to find JTAG ports, what software and hardware tools can be used to identify pinouts, and how to extract and debug the firmware running on a target device. Several examples and small demos will be used during the presentation to show practical applications of the lessons being conveyed. Finally, pointers will be provided as to what to look out for once you have achieved access to a device via JTAG.
by: Erez Yalon
For sensitive and highly secured systems, even just being connected is considered an unacceptable risk. For these, to keep a high protection against data leaks, an air-gap is necessary. As technology changes and advances, attack surfaces grow, and these air-gaps get harder to maintain. Today we show new ways of breaking air-gaps and exfiltrating sensitive data. from taking advantage of vulnerable IoT devices in the room, to abusing Google's Android vulnerable design. We will cover the basics of air-gap, mention past research, show and discuss our findings and move to PoC live demos of air-gap breaking and exfiltration of data by BT and undetected light waves and by NFC and radio.
by: Salvador Mendoza
Relay and replay attacks are more prevalent in the payment industry than ever, becoming more complex and sophisticated day by day. We are not just seeing simple skimming techniques but complex attack vectors that are a combination of technologies and implementations involving SDR, NFC, APDU, hardware emulation design, specialized software, tokenization protocols and social engineering.
In this talk, we will discuss what exactly relay and replay attacks are, what kind of hardware and software is used. Also we will talk about how anyone already has the hardware necessary to carry out one of these attacks or for $35 dollars or less someone can create a device to do so. We will show real scenarios where these technologies combined with RFID emulation can be used to exploit any type of NFC transaction. But even worse, how the same attack methods could exploit new NFC implementations for years to come.
by: Jordan Santarsieri
SAP is a core part of the business-critical infrastructure of 95% of the biggest companies in the world, these companies rely on SAP to perform their most sensitive daily operations such as processing employees payroll and benefits, managing logistics, managing suppliers / customers, material management, releasing payments to providers, credit cards processing, business intelligence, etc.
Due to its complexity, broad attack surface and the fact that most security audit trails do not come activated by default, SAP its quickly becoming a highly desired target for malicious attackers that are looking to exploit several security issues to perform espionage, sabotage and fraud attacks.
Join me on this completely new and highly technical talk on which I’m going to explain trough several live demos, how attackers are compromising SAP security platforms, how they backdoor these platforms and how you can apply different forensic techniques to determine if your platform has been compromise and what information has been accessed.
Binary Patching for code injection
Bug Bounty Hunting on Steroids
Call Of Duty - Modern Browser Warfare
Cracking Financial Systems
Cyber Security Threats to Telecom Networks
Defending cloud Infrastructures with Cloud Security Suite
Exploiting ActionScript3 interpreter
Expl-iot: Hacking IoT like a boss
Fire & Ice: Making and Breaking macOS firewalls
How (not) to fail at hardware
How to rob a bank over the phone!
IoT and JTAG Primer
Mind the (Air) Gap
NFC Payments: The Art of Relay & Replay Attacks
SAP Incident Response, how to attack and defend!