Taming wild copies: from hopeless crash to working exploit - Chris Evans @scarybeasts of Google's Project Zero
In this talk, we will explore the exploitation of wild copies that lead to memory corruption. We define a wild copy as one where the size of the copy is enormous and the attacker cannot control it. Throughout the evolution of exploitation, we've seen the occasional trick to exploit wild copies, usually relying on a secondary bug or quirk. After recapping some past classics, we'll focus on a real wild copy bug in Adobe Flash, and exploit it without relying on any secondary issues. The exploit will cover advanced instances of modern techniques such as heap grooming, winning race conditions, controlled corruption and Flash-specific exploitation vectors. With any luck, we'll end up calculating all the way to the bar.
I see, therefore I am... You - Jan "starbug" Krissler, T-Labs/CCC
The danger of high resolution photos on (biometric) identification.
Looking at keyboards or screens to spy on passwords? Stealing a touched glass to get fingerprints? These are the techniques of the past. This talk will show you how to use high resolution cameras to steal biometric features (like fingerprints, faces and irises) from a distance, how to extend the distance by the use of infrared imagery and how to use those pictures for fooling biometric systems. Besides cameras used from a distance, it will make use of a hacked mobile phone for acquiring biometric features and for spying on your smartphone's display while you type your password, using the reflection in your eye.
Smart COM Fuzzing Tool - Explore More Sandbox Bypassing Surface in COM objects - Xiaoning Li and Haifei Li, Intel
Unsafe COM objects are a big open area after James Forshaw disclosed that they can be used to bypass Internet Explorer's sandbox mechanism. On a default Windows installation, there are a number of COM objects accessible from the sandboxed IE process, and the number increases as more software is installed on the OS. To efficiently evaluate those COM objects, as well as to provide a common solution for all the scriptable COMs, we've designed a COM fuzzing tool to automatically fuzz all available COM objects. Compared to previous COM fuzzing tools, this tool has many advantages, such as the ability to fuzz binary-related structures, as well as "reference fuzzing" across different methods/properties. Also, we will show some real-world IE sandbox escape vulnerabilities/issues we found during the presentation.
A New Class of Vulnerabilities in SMI Handlers in BIOS/UEFI Firmware - John Loucaides and Andrew Furtaki, Intel
This presentation will discuss security of SMI handler components of system firmware including the nature of a new class of vulnerabilities within the SMI handlers of BIOS/UEFI based firmware on various systems. It will also discuss how systems can be tested for these vulnerabilities and what can be done in firmware implementations to mitigate them.
Additionally, the presentation will also discuss how S3 resume affects security of the system and problems with S3 resume boot script in some BIOS implementations recently discovered and presented at 31C3.
Sexrets in LoadLibrary - Yang Yu "tombkeeper", Tencent
LoadLibrary is a very ordinary Win32 API, but it also has some undocumented features and special applications. All of these are very useful for exploitation. In this presentation, I will elaborate on them.
This presentation will also include three compelling examples:
1. A 0day I reported in 2008, but Microsoft did not treat it as a vulnerability. So it still works now and I can feel free to disclose it. It affects many development and reverse engineering tools, including Microsoft Visual Studio.
2. A tricky technique which can bypass MySQL UDF "lib\plugin" directory restriction to run arbitrary code.
3. The principle of CVE-2014-1756 (MS14-023).
These have never been published.
Attacking WebKit Applications by exploiting memory corruption bugs - Liang Chen, KeenTeam
WebKit is widely used by PC applications, mobile applications and even automobile applications. Historically, several logical vulnerabilities have caused WebKit attack incidents worldwide. Those logical issues are almost extinct thanks to the contribution of the WebKit community, yet a single memory corruption bug can still be used to pwn WebKit applications on all devices.
In this talk, I will present new approaches to bypass/defeat those protections. I will disclose the details of three different types of memory corruption bugs (UAF, heap OOB access, arbitrary freeing), and the techniques to exploit them on MacOS Safari as well as iOS MobileSafari.
Userland Exploits of Pangu 8 - Tielei Wang, Xiaobo Chen and Hao Xu, Team Pangu
With the release of iOS 8, Apple significantly improved the iOS sandbox and code signing checks, and introduced a new security mechanism, so-called Team ID validation, with the goal of protecting system programs (i.e., platform binaries) from loading third-party code inside their address space. Specifically, in addition to performing a code signature validation of all the dynamic libraries that a process links against at launch time, iOS also ensures that a program can only link against a platform library or a library with the same team identifier in its code signature as the main executable. Despite these new challenges, roughly a month after the official release of iOS 8, the Pangu Team surprisingly released Pangu 8, the first untethered jailbreak tool for iOS 8.
This talk will review the security mechanisms in iOS, present the whole jailbreaking workflow of Pangu 8, and then describe the userland exploits of Pangu 8, with a focus on elaborating how Pangu 8 escapes the sandbox and bypasses the code signing checks and Team ID validation.
Attacks on UEFI security, inspired by Darth Venamis's misery and Speed Racer - Rafal Wojtczuk and Corey Kallenberg, LegbaCore
The UEFI firmware is normally the first code to execute on the CPU, putting it in a powerful position to subvert other components of the platform. Because of its security critical nature, the UEFI code resides on a flash chip that is protected against arbitrary writes via a number of chipset protection mechanisms. Besides initializing the platform and bootstrapping to an operating system, UEFI is also charged with instantiating the all-powerful System Management Mode (SMM). SMM is neither readable nor writable by any other code on the platform. In fact, SMM has the ability to read and write hypervisor protected memory, but the converse is not true. These properties make SMM an ideal place to store a rootkit. Similar to the UEFI firmware, because of these security critical properties, there are hardware mechanisms that protect the integrity and confidentiality of SMM.
This talk will explore attack surface against SMM and UEFI that has not previously been discussed. We will highlight a bug in one of the critical hardware protection mechanisms that results in a compromise of the firmware. We will also directly target a part of the UEFI specification that provides SMM exploitation opportunities. The vulnerabilities disclosed and their corresponding exploits are both prevalent among UEFI systems and reliably exploitable.
The consequences of these vulnerabilities include hypervisor and TXT subversion, bricking of the victim platform, insertion of powerful rootkits, secure boot break, among other possibilities.
FreeSentry: Protecting against use-after-free vulnerabilities due to dangling pointers - Yves Younan, Cisco Talos (formerly Sourcefire/VRT)
This presentation presents a novel mitigation for use-after-free vulnerabilities. Use-after-free vulnerabilities occur when a program marks memory as free, but then subsequently tries to use that memory. Such a vulnerability can lead to remote code execution when exploited. These vulnerabilities are difficult to spot during code reviews because of the complexity of dynamic memory operations, where the free can occur thousands of lines from the actual re-use. Many of these vulnerabilities will also not cause runtime errors during regular operation, making them hard to detect through automated testing. Due to the various mitigations that have been deployed on modern operating systems, these are currently the most exploited vulnerabilities on Windows 7 and higher platforms. The mitigation presented here, FreeSentry, provides protection against these types of vulnerabilities. It does so by dynamically tracking memory: when a memory location is freed, all pointers to that location are invalidated. If a use-after-free occurs within a program, the program will attempt to use one of the invalidated pointers and will crash, preventing an attacker from exploiting the vulnerability. Since an attempted exploitation results in a crash, it can also be used to detect such vulnerabilities more easily when fuzzing. The presentation will demonstrate the effectiveness of the protection by showing that the mitigation protects against a number of real-world vulnerabilities. It has also found new ones, particularly in a popular performance benchmark, that were missed by similar mitigations. We will also discuss the performance overhead of our solution.
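The abstract above describes the mechanism in one sentence: register where pointers are stored, and on free() poison every registered slot that still points at the freed chunk. The model below, added here and not FreeSentry's own code, makes that concrete on a simulated heap. Memory is a dict of word addresses, pointer stores are explicit instrumented calls, the allocator reuses a freed chunk of the same size (which is what lets an attacker reclaim it), and the poison value 0xDEAD0000 and the slot/chunk addresses are assumptions of the model. The same use-after-free runs once with tracking off (the read returns attacker-controlled data) and once with tracking on (the read faults).

```python
# Model of "invalidate every pointer to a chunk when it is freed", the idea behind
# the talk's mitigation.  Added illustration, not FreeSentry's own code: memory is a
# dict of word addresses, and the instrumented pointer stores are explicit calls.

INVALID_PTR = 0xDEAD0000  # poison written into dangling slots on free (assumed value)


class TrackedHeap:
    def __init__(self, tracking):
        self.tracking = tracking    # False = plain allocator, True = FreeSentry-style
        self.mem = {}               # word address -> value
        self.live = {}              # chunk base -> size
        self.free_list = []         # (base, size) of freed chunks, reused first
        self.backrefs = {}          # chunk base -> set of slots holding a pointer to it
        self.next_base = 0x1000     # bump pointer for fresh chunks (assumed layout)

    def malloc(self, size):
        # Real allocators hand a just-freed chunk of the same size straight back,
        # which is what makes the dangling pointer exploitable.
        for i, (base, sz) in enumerate(self.free_list):
            if sz == size:
                del self.free_list[i]
                self.live[base] = size
                return base
        base, self.next_base = self.next_base, self.next_base + size
        self.live[base] = size
        return base

    def free(self, base):
        size = self.live.pop(base)
        self.free_list.append((base, size))
        if self.tracking:
            # Instrumented free: every registered slot that still points at this
            # chunk is poisoned, so a later dereference faults instead of aliasing
            # whatever the attacker reallocates here.
            for slot in self.backrefs.pop(base, ()):
                if self.mem.get(slot) == base:
                    self.mem[slot] = INVALID_PTR

    def store_ptr(self, slot, target):
        # Instrumented pointer store: p = target, plus a back-reference registration
        self.mem[slot] = target
        if self.tracking:
            self.backrefs.setdefault(target, set()).add(slot)

    def store(self, addr, value):
        self.mem[addr] = value

    def load(self, addr):
        if addr == INVALID_PTR:
            raise RuntimeError("dereference of invalidated pointer")
        return self.mem.get(addr, 0)


def uaf_scenario(tracking):
    """Classic UAF: free an object, attacker reclaims the chunk, stale pointer is used.
    Returns the value read through the stale pointer, or None if the read faulted."""
    heap = TrackedHeap(tracking)
    P = 0x100                      # slot (a global/stack variable) holding the pointer
    obj = heap.malloc(16)
    heap.store(obj, 0x41414141)    # first field, e.g. a vtable pointer
    heap.store_ptr(P, obj)         # p = obj
    heap.free(obj)                 # delete obj, but p is not cleared (the bug)
    spray = heap.malloc(16)        # attacker allocation lands on the same chunk
    heap.store(spray, 0xBADC0DE)   # attacker-controlled "vtable"
    try:
        return heap.load(heap.load(P))   # *p: uses the stale pointer
    except RuntimeError:
        return None
```

The guard `self.mem.get(slot) == base` in free() matters: a slot that was registered and later re-pointed at a different object must not be poisoned, otherwise the mitigation itself would break correct programs. The cost the talk discusses (performance overhead) comes from the per-store registration, which in a real implementation is compiler-inserted rather than a manual call.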
'DLL Hijacking' on OS X? #@%& Yeah! - Patrick Wardle @patrickwardle, Synack
Remember DLL hijacking on Windows? Well, it turns out that OS X is fundamentally vulnerable to a similar attack (independent of the user's environment). By abusing various 'features' and undocumented aspects of OS X's dynamic loader, this talk will reveal how attackers need only to plant specially-crafted dynamic libraries to have their malicious code automatically loaded into vulnerable applications. Through this attack, adversaries can perform a wide range of malicious actions, including stealthy persistence, process injection, security software circumvention, and even 'remote' infection. So come watch as applications fall, Gatekeeper crumbles (allowing downloaded unsigned code to execute), and 'hijacker malware' arises - capable of bypassing all top security and anti-virus products! And since "sharing is caring", you'll leave with code and tools that can automatically uncover vulnerable binaries, generate compatible hijack libraries, or detect if you've been hijacked.
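The abstract mentions tooling to "uncover vulnerable binaries". The scanner below is an added example, not the speaker's tool: it parses the load commands of a 64-bit Mach-O and reports the two dyld behaviours that let a planted dylib get loaded, a weak import (LC_LOAD_WEAK_DYLIB) whose file is missing, and an @rpath import that only resolves in a later LC_RPATH search directory while an earlier one is empty. The sample binary is constructed in code from the real Mach-O structure layouts; the application name, dylib paths and the fake filesystem are invented for the example, and the `exists` callback lets the same logic run against the real filesystem (`os.path.exists`) on a Mac.

```python
import struct

# Mach-O constants (64-bit little-endian only; enough for this added example)
MH_MAGIC_64 = 0xFEEDFACF
LC_LOAD_DYLIB = 0x0C
LC_LOAD_WEAK_DYLIB = 0x80000018
LC_RPATH = 0x8000001C


def _cstr(buf, off):
    return buf[off:buf.index(b"\x00", off)].decode()


def parse_load_commands(data):
    """Return (weak_dylibs, dylibs, rpaths) in load-command order."""
    magic, _cpu, _sub, _ftype, ncmds, _sizeofcmds, _flags, _res = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O")
    weak, strong, rpaths = [], [], []
    off = 32  # sizeof(mach_header_64)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmd in (LC_LOAD_DYLIB, LC_LOAD_WEAK_DYLIB):
            # dylib_command: cmd, cmdsize, then struct dylib whose first field
            # is an lc_str offset relative to the start of the command
            name_off = struct.unpack_from("<I", data, off + 8)[0]
            (weak if cmd == LC_LOAD_WEAK_DYLIB else strong).append(_cstr(data, off + name_off))
        elif cmd == LC_RPATH:
            path_off = struct.unpack_from("<I", data, off + 8)[0]
            rpaths.append(_cstr(data, off + path_off))
        off += cmdsize
    return weak, strong, rpaths


def hijack_candidates(data, exists):
    """Paths where planting a dylib would get it loaded by dyld.

    Two conditions: a weak import whose file is absent (dyld silently skips it,
    so a planted file is loaded instead), and an @rpath import that only resolves
    in a later run-path while an earlier run-path directory has no such file.
    `exists` is a callable so the check can run against a real or a fake filesystem.
    """
    weak, strong, rpaths = parse_load_commands(data)
    findings = []
    for name in weak:
        if not name.startswith("@") and not exists(name):
            findings.append(("weak-missing", name))
    for name in weak + strong:
        if not name.startswith("@rpath/"):
            continue
        resolved = [rp + "/" + name[len("@rpath/"):] for rp in rpaths]
        hits = [p for p in resolved if exists(p)]
        for p in resolved:
            if p in hits:
                break  # dyld stops at the first hit; later dirs are irrelevant
            if hits:
                findings.append(("rpath-shadow", p))
    return findings


# ---- constructed sample binary (not a real application) ----
def _dylib_cmd(cmd, name):
    body = name.encode() + b"\x00"
    body += b"\x00" * (-len(body) % 8)
    return struct.pack("<6I", cmd, 24 + len(body), 24, 2, 0x10000, 0x10000) + body


def _rpath_cmd(path):
    body = path.encode() + b"\x00"
    body += b"\x00" * (-len(body) % 8)
    return struct.pack("<3I", LC_RPATH, 12 + len(body), 12) + body


def build_sample():
    cmds = (_dylib_cmd(LC_LOAD_DYLIB, "/usr/lib/libSystem.B.dylib")
            + _dylib_cmd(LC_LOAD_WEAK_DYLIB, "/Library/Frameworks/Optional.dylib")
            + _dylib_cmd(LC_LOAD_DYLIB, "@rpath/libHelper.dylib")
            + _rpath_cmd("@executable_path/../Frameworks")
            + _rpath_cmd("/Applications/Victim.app/Contents/Frameworks"))
    header = struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 2, 5, len(cmds), 0, 0)
    return header + cmds


FAKE_FS = {  # constructed: what "exists" on the victim machine
    "/usr/lib/libSystem.B.dylib",
    "/Applications/Victim.app/Contents/Frameworks/libHelper.dylib",
}


def scan_sample():
    return hijack_candidates(build_sample(), FAKE_FS.__contains__)
```

On a real system, feed `hijack_candidates` the bytes of each Mach-O slice (fat binaries need the slice extracted first) with `os.path.exists`, after expanding `@executable_path` and `@loader_path` in the rpath entries to the binary's actual location. A hit only means dyld would load a planted file from that path; whether an unprivileged user can write there is the second half of the check.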
Real-Time Passive Volatile Memory Inspection Inside Virtual Machines - John Williams, EY
In this talk we introduce memminer, an open-source tool for agent-less, real-time aggregation and analysis of key security indicators within virtualized systems. Memminer builds on existing techniques for volatile memory analysis to provide real-time detection of system anomalies. This tool differs from agent-based solutions in that it periodically accesses these indicators by interfacing with the underlying system indirectly through hypervisor physical memory access. This allows for greater confidence in the integrity of data retrieved from memory and minimized impact to system functioning. Applications of this technique include real-time passive heuristic compromise detection, statistical 0-day malware detection, and data-driven incident response processes. Potential methods to detect and avoid this scanning technique will also be discussed. During this talk there will be a live demo of the tool followed shortly by its release.
NDIS Packet of Death: Turning Windows' Complexity Against Itself - Nitay Artenstein, Checkpoint
What if the best place to defend a system, was also the best place to attack it?
Since the dark days of MS-DOS, the Network Driver Interface Specification (NDIS) API has been at the heart of Windows' kernel networking architecture. As the main bridge between the network adapter and the OS, NDIS drivers form the entrance gate to the system - and the natural place for AV and HIPS vendors to wedge in any traffic filtering functionality.
Unfortunately, NDIS is also a bewildering tangle of byzantine complexity, opaque structures and inadequate documentation, turning it into an explosive breeding ground for packet-parsing bugs and particularly nasty 0-days.
In this talk, we will disclose a remote code execution vulnerability in a leading AV vendor's NDIS driver, and show how we discovered similar vulnerabilities in other AV products. We will dig deep into Windows' kernel-mode networking architecture, and emerge with the knowledge - and the tools - to overcome NDIS' complexity and turn it into your next one-stop shop for RCE vulnerabilities in the Windows kernel.
How many million BIOSes would you like to infect? - Corey Kallenberg and Xeno Kovah, LegbaCore
This talk is going to be all about how the automation of BIOS vulnerability exploitation and leveraging of built-in capabilities can yield highly portable UEFI firmware malware. And how millions of systems will be vulnerable for years, because no one cares enough to patch the BIOS bugs we've found.
So you think you're doing OPSEC right, right? You're going to crazy lengths to protect yourself, reinstalling your main OS every month, or using a privacy-conscious live DVD like TAILS. Guess what? BIOS malware doesn't care! BIOS malware doesn't give a shit!
Despite us disclosing numerous BIOS vulnerabilities, many people still doubt the feasibility of widespread BIOS infections. As newly independent researchers, with no need to get public release approvals, we can now combat that fallacy in the most direct fashion: live demonstrations of BIOS infection across multiple vendors' machines! We're not yet spreading via #badUSB, but stay tuned. ;)
UEFI, Open Platforms and the Defender's Dilemma - Vincent Zimmer, Intel
This material will be targeted at end-users and parties building Unified Extensible Firmware Interface (UEFI) implementations, especially those based upon the open source edk II.
The discussion will be a bottom-up view on building a hardened UEFI-based platform, with open source edk II and fully open source platform code, such as Intel Quark, as a motivating example. The talk will discuss the intent behind the UEFI and PI specifications (www.uefi.org), along with the open source infrastructure (www.tianocore.org), with a full example in Quark (https://downloadcenter.intel.com/Detail_Desc.aspx?DwnldID=23197) and open hardware such as MinnowMax (https://uefidk.com/content/minnowboard-max). Topics such as measured boot, signed update, UEFI Secure Boot, network boot, and best practices in creating the underlying firmware at both boot and runtime will be covered.
A historical view of some attacks on BIOS, starting circa 1999, and the wave of UEFI-focused attacks, starting 2006, will also be treated, with an eye toward how the best practices can be used to thwart many of these concerns.
Finally, since UEFI is a firmware interface and edk II is software, and software alone cannot protect software, some of the extant and purpose-defined hardware features that help in UEFI defenses will also be reviewed.
Wolf in Sheep's Clothing: Your Next APT Is Already Whitelisted - Fabio Assolini and Juan Andres Guerrero-Saade, Kaspersky
Most APT research is focused on how attackers break into systems and not what they do once they're there. The breach is the infancy stage of an operation to collect and exfiltrate sensitive information from a protected network. Once inside, attackers will use whatever tools are at their disposal to get what they need and thanks to the whitelisting of legitimate tools, they won't come up short!
There's no need for attackers to reinvent the wheel in order to bypass attack mitigation techniques and common anti-malware protections. A benevolent library, application, administrative tool, codec, or interpreter becomes a tool for attack groups to carry out their stratagems beyond the front door. Operating assumptions about the integrity of "benevolent code" create security blind spots that are being exploited by attackers.
To better understand how threat actors are misusing whitelisted resources, we plan to present an analysis of cases where financial malware and APT attacks have accessed or even bundled legitimate software in-the-wild in order to carry out their operations. We focus on the response of antimalware software and security mitigations present on the system and how these were effectively bypassed by the misuse of "benevolent software".
This is an important discussion to have with a technical audience in a constructive venue to discuss how we can adopt technologies that offer greater real world protection and not just a false sense of security. By tackling head first a discussion of common failures, we hope to highlight measures and overall designs that companies and governments should adopt in the interest of their own protection.
There's Something About WMI - Christopher Glyer and Devon Kerr, Mandiant
This presentation will describe the purpose and components of Windows Management Instrumentation (WMI) from the incident response and forensics perspectives. Attendees will learn how targeted threats are using WMI during each phase of the compromise, case studies and examples, the artifacts generated by those activities, some of the tools used to interact with WMI, using WMI for persistent access that defeats antivirus and application whitelisting, and the benefits of enabling WMI trace logging for additional detection and improved analysis.
Credential Assessment: Mapping Privilege Escalation at Scale - Matthew Weeks, root9b
In countless intrusions, from large retail giants to oil companies, attackers have progressed from initial access to complete network compromise. In the aftermath, much ink is spilt and products are sold on how the attackers first got a shell and how the malware they used could or could not have been detected, while little attention is given to the credentials they found that turned their access on a single system into thousands more. This process, while critical for offensive operations, is often complex, involving many links in the escalation chain: obtaining credentials on system A that grant access to system B, credentials later used on system B that grant further access, etc. We'll show how to identify and combat such credential exposure at scale with the framework we developed. We comprehensively identify exposed credentials and automatically construct the compromise chains to identify the maximal access and privileges gained, useful for either offensive or defensive purposes.
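The escalation chain the abstract describes (credentials found on A grant B, credentials found on B grant C, and so on) is reachability over a bipartite graph of hosts and credentials. The example below is added here and is not the speakers' framework: it takes a constructed inventory (which credentials are recoverable on each host, which hosts each credential can log in to; the host and account names are invented), computes everything reachable from one foothold with a breadth-first search, reconstructs the chain to a given host, and, for the defensive use, lists the credentials whose rotation alone would cut every chain to a target.

```python
from collections import deque

# Constructed sample data (not from any real engagement): credentials recoverable on
# each host (cached logons, service-account passwords, saved RDP/SSH creds) and the
# hosts each credential can log in to.
EXPOSED = {
    "ws-01": {"user:alice"},
    "ws-02": {"user:bob", "svc:backup"},
    "file-01": {"user:bob", "admin:helpdesk"},
    "sql-01": {"svc:backup", "admin:dbadmin"},
    "dc-01": {"admin:domain"},
}
GRANTS = {
    "user:alice": {"ws-01", "ws-02"},
    "user:bob": {"ws-02", "file-01"},
    "svc:backup": {"file-01", "sql-01"},
    "admin:helpdesk": {"ws-01", "ws-02", "file-01"},
    "admin:dbadmin": {"sql-01", "dc-01"},
    "admin:domain": {"ws-01", "ws-02", "file-01", "sql-01", "dc-01"},
}


def compromise_chain(start_host, exposed, grants):
    """Breadth-first search over the host/credential graph from one foothold.
    Returns (hosts, creds, came_from): everything reachable, and for each node the
    node that first yielded it, so the escalation chain can be reconstructed."""
    hosts, creds = {start_host}, set()
    came_from = {start_host: None}
    queue = deque([start_host])
    while queue:
        host = queue.popleft()
        for cred in sorted(exposed.get(host, ())):      # sorted: deterministic chains
            if cred in creds:
                continue
            creds.add(cred)
            came_from[cred] = host
            for target in sorted(grants.get(cred, ())):
                if target not in hosts:
                    hosts.add(target)
                    came_from[target] = cred
                    queue.append(target)
    return hosts, creds, came_from


def chain_to(node, came_from):
    """Alternating host/credential path from the foothold to `node`."""
    path = []
    while node is not None:
        path.append(node)
        node = came_from[node]
    return path[::-1]


def critical_credentials(start_host, target, exposed, grants):
    """Defensive view: credentials whose removal from every host (rotate the secret,
    purge cached copies) on its own cuts all chains from start_host to target."""
    critical = []
    for cred in grants:
        pruned = {h: c - {cred} for h, c in exposed.items()}
        hosts, _, _ = compromise_chain(start_host, pruned, grants)
        if target not in hosts:
            critical.append(cred)
    return sorted(critical)
```

With the sample data, a foothold on ws-01 reaches the domain controller in three credential hops, and only three credentials are single points of failure for that chain; the helpdesk admin account, although privileged on several hosts, is not one of them. Real inventories come from the same sources the abstract alludes to (LSASS/SAM dumps, service configurations, saved credential stores) and the `grants` relation from group membership and local admin rights.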
From baseband to bitstream and back again: What security researchers really want to do with SDR - Andy Davis, NCC Group
Over the last few years low-cost Software Defined Radio has increased in prominence within the security researcher community, allowing bespoke wireless protocols that were previously prohibitively expensive to intercept to be received and demodulated. This has started a revolution in wireless security research; however, unless you have a background in RF, it's an extremely steep learning curve for people who are more familiar with networks and software. Therefore, this talk will demystify what can be a highly mathematical discipline and provide the fundamental information that security researchers want to know, i.e.:
- How to intercept an unknown wireless digital signal, identify the modulation scheme and bit rate and recover the data bits that were transmitted
- How to take some digital data, modulate it onto a carrier signal at a specific bit rate and transmit it wirelessly
(and the precautions you need to take to ensure you don't break the law when you do the second part)
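Both halves of the bullet list above, in the simplest digital modulation there is (on-off keying, OOK), as an added example that is not the speaker's material: `modulate_ook` keys a carrier on and off at a chosen bit rate, and `demodulate_ook` takes a capture of unknown bit rate, recovers the envelope, estimates the symbol period from the shortest run of carrier-on or carrier-off, and slices the bits. Pure Python, no SDR hardware or numpy; the sample rate (200 kS/s) and carrier (10 kHz) are assumptions, chosen so that one carrier period is an integer number of samples. Leading and trailing zero bits are inherently indistinguishable from silence, so decoding runs from the first carrier-on edge to the last carrier-off edge.

```python
import math

FS = 200_000      # sample rate of the capture, samples/s (assumed)
FC = 10_000       # carrier frequency, Hz (assumed; FS must be a multiple of FC here)


def modulate_ook(bits, bit_rate, fs=FS, fc=FC):
    """Transmit side: on-off-key a carrier, `bit_rate` bits per second."""
    samples_per_bit = fs // bit_rate
    out, n = [], 0
    for b in bits:
        for _ in range(samples_per_bit):
            out.append(b * math.cos(2 * math.pi * fc * n / fs))
            n += 1
    return out


def envelope(samples, window):
    """Rectify and moving-average over one carrier period: a crude AM envelope detector."""
    ring, acc, env = [0.0] * window, 0.0, []
    for i, s in enumerate(samples):
        acc += abs(s) - ring[i % window]
        ring[i % window] = abs(s)
        env.append(acc / window)
    return env


def run_lengths(levels):
    """[(level, count), ...] for consecutive equal samples."""
    runs, cur, count = [], levels[0], 0
    for lvl in levels:
        if lvl == cur:
            count += 1
        else:
            runs.append((cur, count))
            cur, count = lvl, 1
    runs.append((cur, count))
    return runs


def demodulate_ook(samples, fs=FS, fc=FC):
    """Receive side for an OOK burst of unknown bit rate.
    Returns (bits, estimated_bit_rate).  Leading and trailing zero bits are
    indistinguishable from silence, so decoding runs from the first carrier-on
    edge to the last carrier-off edge."""
    env = envelope(samples, fs // fc)
    threshold = (max(env) + min(env)) / 2
    levels = [1 if e > threshold else 0 for e in env]
    runs = run_lengths(levels)
    if runs[0][0] == 0:            # silence (or detector ramp-up) before the burst
        runs = runs[1:]
    if runs and runs[-1][0] == 0:  # trailing silence
        runs = runs[:-1]
    if len(runs) < 2:
        raise ValueError("need at least one carrier-on and one carrier-off edge")
    # Every run is an integer number of symbols, so the shortest one is the symbol
    # period, assuming the burst contains at least one isolated bit (the final run
    # is excluded because the capture may end mid-symbol).
    samples_per_bit = min(n for _, n in runs[:-1])
    bits = []
    for level, n in runs:
        bits.extend([level] * max(1, round(n / samples_per_bit)))
    return bits, fs / samples_per_bit
```

Decoding per run (rounding each run to a whole number of symbols) resynchronises on every edge, which is why a symbol-period estimate that is off by a sample or two still yields the right bits; slicing at fixed intervals from a single start point would drift over a long burst. The bit-rate estimate is reported as a float for the same reason and should be read as approximate. The second bullet's legal caveat is not something code can handle: transmitting, even with a dummy load, is regulated, and the modulator is only meant to drive a simulation or a shielded test setup.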
Bootkit via SMS: 4G access level security assessment - Kirill Nesterov and Timur Yunusov
When spring came to one country, we got the desire to hack stuff not in a frowzy office but in the open air. All of a sudden, along with snowdrops, telecom operators' billboards appeared advertising the fastest, the cheapest and the best. Before diving into the internet with the new gadget we decided to test how these ads correspond to reality... To our reality.
Having developed a test set, we started to research how safe it is for clients to use the 4G networks of the telecommunication companies. During the research we tested SIM cards, 4G USB modems, radio components and the IP access network. First of all we looked for vulnerabilities that could be exploited remotely, via IP or the radio network.
And the result was not long in coming. In some cases we managed to attack SIM cards, "clone" phones and intercept traffic without boring rainbow tables; we were able to remotely update USB modem firmware, change the password on a self-care portal via SMS and even gain access to the internal technological network of a carrier.
Further attack evolution helped us understand how it is possible to use a simple SMS as an exploit that is able not only to compromise a USB modem and all the communications that go through it, but also to install a bootkit on the box that the modem is connected to.