Hacking-Lab @ CodeMash 2017

What is CodeMash?

CodeMash is a conference for software developers and IT security professionals. It takes place every year in Sandusky, Ohio, in the U.S.

The event consists of two parts: two days of training sessions (called “PreCompiler”), followed by two days of conference sessions. It attracts about 3’000 visitors and takes place in the Kalahari resort, which hosts, besides a huge conference center, the largest indoor water park in the U.S.

What the heck did Hacking-Lab do there?

Hacking-Lab was asked to run a Capture-The-Flag tournament at the conference. Ivano and I took this chance and decided to visit the conference as a sponsor.

Booth

We had a sponsor booth during the conference part. Many people showed up, and we had a lot of interesting discussions! We also gave away a lot of “swag” (stickers, USB chargers, etc.).

Capture-The-Flag Tournament

As mentioned above, we were running the official Capture-The-Flag (CTF) tournament of the conference. Even though it was running in parallel with all the interesting sessions at the conference, 100 participants signed up and did a great job! There was quite a neck-and-neck race between the top three, jslagle, CodingWithSpike and fire.eagle!

Win-a-shirt Challenge

Besides the CTF, we also ran a “Win-a-shirt” challenge. It was necessary to solve a small puzzle (simple cipher written in JavaScript), in order to grab a Hacking-Lab t-shirt at our booth. 110 conference visitors did so, and are happy owners of a cool t-shirt now!

Training Session

In the “PreCompiler” part, we had a successful four-hour training session. 80 people showed up and took the chance to learn about Hacking-Lab. We assisted them in getting ready for the CTF, and they could solve some “Step-By-Step” challenges in Hacking-Lab.

Talk and Sessions

I gave a sponsor talk with the title “Capture-The-Flag Done Right: Attack/Defense System”. I explained our attack/defense system (which we used at the European Cyber Security Challenge) and gave some live demos. Besides that, we also had an “after dark” session and a couple of “open space” sessions, where we supported CTF players.

Conclusion

The CodeMash conference is simply amazing! We were really impressed: great atmosphere, friendly people, and well organized. The location is great, too. Hacking-Lab will definitely be back next year! There are already plans to run a second competition next year, in addition to the CTF. It should be more like a scavenger hunt, with puzzles and riddles, perhaps pretty much like our Hacky Easter events.

Black Hat USA 2016 / DEF CON 24

At the beginning of August, as every year, two of our security analysts attended the renowned IT security conferences Black Hat USA and DEF CON to learn about the latest trends and research. This year’s Black Hat conference, the 19th edition, took place at the Mandalay Bay Conference Center, while DEF CON 24 was held at the Paris and Bally’s hotels in Las Vegas.

Welcome to Las Vegas

In the following, we are going to summarize a selection of the talks attended.

Black Hat USA 2015 – part 2

For the second part of our report about Black Hat USA 2015, we decided to change topic, and switch from web application security to two hot topics nowadays: Security in Internet of Things and mobile security. We encourage you not only to read this summary but also to go online and take a closer look at the videos or the slides. We aimed at giving you all the relevant links for each talk.

Remote Exploitation of an Unaltered Passenger Vehicle

Presented by Charlie Miller & Chris Valasek – video

One of the most publicized talks, even before Black Hat started, was the remote compromise of a Jeep. Some content of this talk could already be seen on YouTube weeks before the conference, so expectations for this presentation were really high.

Charlie and Chris, the two speakers, handled the pressure with great composure. They presented the whole attack, from discovering which cars could be hacked remotely to taking complete control over the car’s management interfaces, including components affecting driving functions such as the brakes. Besides the technical details of the car’s architecture and the techniques used to circumvent some of its security mechanisms, they filled the talk with funny stories from the months of research. One example was how they explained to the garage mechanic repairing their test car why the display of the media center had suddenly gone black, “without” any obvious reason. These stories, together with the demonstration videos, make the talk well worth watching.

In conclusion, beyond the entertaining presentation and the clever techniques, this talk illustrates the fatal consequences of poor security in the Internet of Things. Many objects are now connected to the Internet and can be managed remotely. If the implemented security mechanisms are not sufficient to withstand malicious attacks, the outcome can be very scary, for example a car remotely controlled by a hacker. If you are interested in IoT security and want to know more about attacks and how to protect against them, don’t miss our new and upcoming Compass Security course on Internet of Things security next year.

Stagefright: Scary Code in the Heart of Android

Presented by Joshua Drake – slides – video

Mobile security has become very popular in the last years. One of the presentations at Black Hat 2015 that received the most reactions regarding mobile security was certainly Stagefright. Stagefright is Android’s multimedia framework library, written primarily in C++. It handles all video and audio files, including those arriving via MMS. The weakness found inside this library, a buffer overflow, was also baptized Stagefright; it permits a hacker to execute arbitrary operations on the victim device through remote code execution and privilege escalation. The talk showed a proof of concept that did not require any user interaction but was executed directly when an MMS was received on an Android device. This means that the victim’s phone number, together with the knowledge that the phone runs Android, is all the information a hacker needs to perform the attack.

The Stagefright weakness was rated so high that Deutsche Telekom, for example, decided to disallow the transmission of MMS on its network.

Some proofs of concept performed by Compass Security showed that the attack vector is not as straightforward to exploit as explained during the talk, and that the payload needs to be adjusted to the OS version in use. However, the consequences can be fatal if the attack is even minimally targeted. There are several mitigation approaches: first of all, apply the Android patch. If this is not possible, disable automatic retrieval of MMS messages; however, this is not supported by all MMS applications and does not cover downloads through the web browser. As a last resort, one can block the reception of messages from unknown senders.

Black Hat USA 2015 – part 1

Black Hat USA is the most famous IT security conference in the world and every year brings thousands of security experts and enthusiasts to Las Vegas. For its 18th edition the conference took place in the glamorous Mandalay Bay Conference Center in Las Vegas. And as every year, two security analysts of Compass Security attended the conference to learn about the latest trends in IT security.

Mandalay Bay Resort & Casino

For the first part of the post we have chosen two talks concerning web security that show elegant techniques for a penetration tester or attacks on new frameworks. We encourage you not only to read this summary but also to go online and take a closer look at the videos or the slides. We aimed at giving you all the relevant links for each talk.

FileCry XXE

Presented by Xiaoran Wang & Sergey Gorbaty – slides – whitepaper – video

XML External Entity attacks (XXE for short) are not a new attack vector, and the possibilities to exploit them have already been studied by many researchers.

In a nutshell, XML allows the inclusion of external resources, and the parser includes these automatically. This type of attack was mostly seen as a server-side vulnerability, used to achieve server-side resource inclusion and potentially arbitrary command execution. The two researchers from Salesforce presented a very elegant attack that exploits XXE on the client side, bypassing the Same Origin Policy.

Many libraries have been affected by XXE in the past, among them Microsoft’s MSXML 3.0 library. This library is deprecated and has been replaced by the non-vulnerable MSXML 6.0. However, it is still shipped with IE, and IE can be forced into compatibility mode: simply putting the meta tag <meta content="IE=6" http-equiv="X-UA-Compatible"> in a web page switches the document mode and loads the DLL of the deprecated library as well. Afterwards, the deprecated library can be used, as shown in this short code snippet:

xmlDoc = createDocumentFromText(text,"3.0",null);
xmlDoc.loadXML(text);

The next step was to find a method to bypass the SOP. The parser uses the browser engine as resolver for external entities, and it is the browser engine that enforces the SOP. The researchers therefore pointed the external entity at a redirection handler on the attacker-controlled site, which redirects to the actual target resource. IE only checks the SOP for the initial request but does not enforce it again after a redirection.

With this method it was possible not only to bypass the SOP but also to read arbitrary files from the filesystem of a victim visiting the attacker’s website. There are some limitations: first, the content of the file read must not contain characters like \x00, &, or %, which is why most HTML pages cannot be retrieved this way. Second, in order to retrieve files from the filesystem, the exact filename and path must be known to the attacker. Here is the list provided by the researchers:

  • victim file/site cannot contain null-byte
  • most HTML pages are not vulnerable
  • the first few hundred characters are vulnerable
  • JSON pages are vulnerable
  • binary files are not vulnerable
  • works only on Windows 7 and below
  • all IE versions though

The patch for this vulnerability was released by Microsoft in April 2015, so if you have patched your system, you should be safe.
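To make the redirection trick above concrete, here is an added example (not code from the FileCry talk or from the original post) that models an XML parser’s external-entity resolver in plain JavaScript. The “network” is a constructed map of URLs to canned responses, and the host names attacker.example and victim.example are placeholders; nothing is contacted. The vulnerable resolver checks the origin of the entity URL once and then follows redirects blindly, which is the behaviour the talk describes for IE; the fixed resolver re-checks every hop.

```javascript
// Added example, not code from the FileCry talk or the original post: a toy
// model of an XML parser's external-entity resolver, showing why enforcing the
// Same Origin Policy only on the first request is insufficient when the
// server answers with a redirect. NETWORK is a constructed map of URLs to
// canned responses; no real host is contacted.
const NETWORK = {
  "http://attacker.example/entity": { redirect: "http://victim.example/secret.json" },
  "http://victim.example/secret.json": { body: '{"token":"s3cr3t"}' },
};

const MAX_HOPS = 5;

function originOf(url) {
  return new URL(url).origin;
}

// One request against the constructed network.
function fetchOnce(url) {
  const entry = NETWORK[url];
  if (!entry) throw new Error("no canned response for " + url);
  return entry;
}

// Vulnerable resolver (the behaviour the talk describes): the origin check is
// applied to the entity URL once, then redirects are followed without any
// further check.
function resolveEntityVulnerable(pageOrigin, entityUrl) {
  if (originOf(entityUrl) !== pageOrigin) return null; // cross-origin: blocked
  let url = entityUrl;
  for (let hop = 0; hop < MAX_HOPS; hop++) {
    const r = fetchOnce(url);
    if (r.redirect) { url = r.redirect; continue; } // no re-check here
    return r.body;
  }
  return null;
}

// Fixed resolver: every hop of the redirect chain is checked against the
// page origin before it is fetched.
function resolveEntityFixed(pageOrigin, entityUrl) {
  let url = entityUrl;
  for (let hop = 0; hop < MAX_HOPS; hop++) {
    if (originOf(url) !== pageOrigin) return null; // cross-origin hop: blocked
    const r = fetchOnce(url);
    if (r.redirect) { url = r.redirect; continue; }
    return r.body;
  }
  return null;
}

// Expand the single external entity declared in a DOCTYPE of the form
// <!DOCTYPE x [<!ENTITY name SYSTEM "url">]> ... &name; ...
// Throws when the resolver refuses the URL.
function expandExternalEntity(xml, pageOrigin, resolver) {
  const decl = /<!ENTITY\s+(\w+)\s+SYSTEM\s+"([^"]+)"\s*>/.exec(xml);
  if (!decl) return xml;
  const [, name, url] = decl;
  const body = resolver(pageOrigin, url);
  if (body === null) throw new Error("external entity " + url + " blocked by SOP");
  return xml.replace(new RegExp("&" + name + ";", "g"), () => body);
}

// Attacker-hosted document: the entity points at the attacker's own origin, so
// the initial check passes, but the handler redirects to the victim resource.
const ATTACKER_XML =
  '<!DOCTYPE x [<!ENTITY xxe SYSTEM "http://attacker.example/entity">]><x>&xxe;</x>';
```

Calling expandExternalEntity(ATTACKER_XML, "http://attacker.example", resolveEntityVulnerable) returns the victim’s JSON inside the <x> element, while the same call with resolveEntityFixed throws, because the redirect target is on a different origin. The general lesson is the one from the talk: any origin or policy check that is done before following redirects must be repeated for every hop.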

Server-Side Template Injection: RCE for the modern webapp

Presented by James Kettle – whitepaper – video

Template engines are popular frameworks for rendering dynamic data in web pages. If used unsafely, an application can be exposed to server-side template injection. This talk focused on how to detect such vulnerabilities and determine which template engine is in use. The consequences of a template injection can be fatal: remote code execution can be achieved, turning every vulnerable application into a potential pivot point.

The speaker presented a very well structured approach for a penetration tester to analyze an application for such flaws. The first step is to detect the template injection, which is in general the most difficult step. The vulnerability can appear in two distinct contexts: a plaintext context and a code context.

For example, sending a payload such as {{7*7}} and receiving 49 in the response can indicate a plaintext-context template injection. In most cases where a plaintext-context template injection is present, an XSS vulnerability can be found as well. With a code-context template injection, on the other hand, XSS is in general not possible directly, but it is possible to break out of the expression and inject HTML tags, for example by sending }}<tag>.

After having detected the vulnerability, the second step is to determine the template engine in use. If it is not possible to find it out by inspecting error messages or server banners, a penetration tester can send different payloads to evaluate differences in the response. The speaker showed a very useful diagram to accelerate this task:

(Diagram: payloads used to tell the template engines apart)

Afterwards, the possibilities for exploiting such a vulnerability are almost infinite. For example, with the FreeMarker template engine we can send the following payload to find out which user the service is running as:

<#assign ex="freemarker.template.utility.Execute"?new()> ${ ex("id") }

As one can directly see, the consequences of having such a vulnerability in one’s own web application would be terrible. However, the speaker did not explain in depth how such a flaw arises. A developer has to fundamentally misunderstand the purpose of a template for this error to occur: it can happen when template code is not loaded statically from the filesystem but built dynamically from user input, or through the intentional exposure of template markup in an attempt to offer rich functionality to the end user.
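The difference between the two patterns just described (user input concatenated into the template source versus user input passed as template data) is easiest to see with a running engine. The following is an added example, not code from the talk or from the original post: a deliberately minimal JavaScript engine that evaluates {{ expression }} with new Function, the way many real engines compile expressions, together with the {{7*7}} probe from the talk. The engine, the greeting templates and the probe strings are constructed for this illustration and are not a real framework.

```javascript
// Added example, not code from the talk or the original post: a minimal
// {{ expression }} template engine used to contrast a safe and an injectable
// way of greeting a user. Everything here is constructed for illustration.

// Evaluate every {{ expr }} in the template source against ctx. As in real
// engines, the expression is code: whoever controls the source controls what
// runs on the server.
function render(templateSource, ctx) {
  const names = Object.keys(ctx);
  const values = Object.values(ctx);
  return templateSource.replace(/\{\{\s*([^}]+?)\s*\}\}/g, (_, expr) =>
    String(new Function(...names, "return (" + expr + ");")(...values)));
}

// Vulnerable pattern: the user-controlled value becomes part of the template
// source, so its braces are interpreted as template code.
function greetVulnerable(username) {
  return render("Hello " + username + "!", {});
}

// Safe pattern: the template is static and the user value is only data;
// its braces are copied to the output, never evaluated.
function greetSafe(username) {
  return render("Hello {{ name }}!", { name: username });
}

// Plaintext-context probe from the talk: send {{7*7}} and look for 49 in the
// response while the probe text itself has disappeared.
function looksInjectable(renderFn) {
  const out = renderFn("{{7*7}}");
  return out.includes("49") && !out.includes("{{7*7}}");
}
```

With greetVulnerable the probe comes back as "Hello 49!", and any expression reachable from the engine’s scope runs on the server (for example {{ typeof process }} evaluates to "object" under Node.js), which is exactly the pivot point the talk warns about. With greetSafe the same input is rendered literally as "Hello {{7*7}}!". The fix is not to filter braces from user input but to keep the template source static and pass user data only through the context.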

Blackhat and DEF CON USA 2014

Black Hat USA in Las Vegas is one of the biggest IT security conferences in the world. Every year, thousands of security-interested people attend the conference, which is held at the famous Mandalay Bay in the heart of Las Vegas. And as every year, two security analysts of Compass attended the conference to learn about the latest trends in IT security.

Black Hat easily combines the transfer of the latest top-class security know-how and networking among the attendees with a social frame around the conference.

This paper summarizes some of the most interesting talks we’ve attended during these six days (BSidesLV, Passwords14, Black Hat and DEF CON). We encourage you not only to read this summary but also to go online and take a closer look at the videos or the slides. We aimed at giving you all the relevant links for each talk.

You can download the paper here:  blackhat_2014_paper_v1.0.pdf

RHUL Information Security Group (ISG) Weekend Conference

Each year, the world renowned Royal Holloway University of London (RHUL) Information Security Group (ISG) invites potential, current and past students to join the weekend conference and meet with well regarded security researchers and experts from academia, UK government and industry. Part of the tradition is to have dinner at the wonderful and well-preserved Founder’s Building (1881).

royal_holloway_founders_building

I felt very honoured to be explicitly invited to present part of my MSc thesis results in such a well regarded environment.

Colin Walter, Director of Distance Learning, ISG: “As our top project students this year, it is my great pleasure to invite you each to give a short presentation at the next annual summer school for students and alumni of the distance learning MSc in Information Security, to be held at Royal Holloway on Sat/Sun 7-8 September 2013.”

Conference topics included risk management and information security accreditation programs, e-crime and bot net behaviour, cloud encryption and key management aspects, various communication protocols analysis as well as latest developments in side channel attack resistance.

Certificate revocation checking

Keith Vella Licari, currently with Deloitte Malta, provided insights into his master’s thesis on certificate revocation checking protocols. He discovered shortcomings that call for improvement in the way certificate checking is currently done.

Table 1: Keith Vella Licari, Towards a reliable revocation status checking method, Main Issues

CRL                                  | OCSP                                         | Lightweight OCSP
-------------------------------------+----------------------------------------------+---------------------------------------------
Can easily become large and unwieldy | Ambiguous answer (good / revoked / unknown)  | Pre-produced responses
Timeliness (delay until next update) | Only definitive answers are digitally signed | Only definitive answers are digitally signed
Scalability (self-inflicted DDoS)    | Optional protection against replay attacks   | No protection against replay attacks

Table 1 gives an overview of the issues found in the analysed protocols. To address them, Keith has formally proposed an alternative protocol (RSDP) and is currently asking for thorough peer review of his proposal. I encourage readers affiliated with either OWASP or hacking-lab.com to take on the challenge.

Defense by Nature

David Naccache, cryptographer and professor at the Université Panthéon-Assas in Paris and member of the École normale supérieure computer science laboratory, presented current research on improving resistance to side-channel attacks. The study aimed to improve the resistance of the communication between off-the-shelf controllers/CPUs and memory parts. The approach basically involves transmitting empirically identified “fake” values along with the data to camouflage the emissions of the communication.

The concept borrows an idea from nature, where animals sharing a common predator mimic the appearance of a poisonous counterpart (Müllerian mimicry) in order to be left alone. Some would call that approach “security by obscurity”. However, applied to emission channels, the technique masks the leaked information so that it appears to be something else, under the assumption that the attacker and the designer have comparable analytical capabilities in terms of probe sensitivity and measurement equipment sampling rate. Thus, the approach could allow for better resistance of standard electronic components at the price of memory several times larger than actually needed.

References

Slides and videos will be published soon. Check http://www.isg.rhul.ac.uk/dl/weekendconference2013/sunday.html