{"id":8344,"date":"2021-03-19T09:44:38","date_gmt":"2021-03-19T08:44:38","guid":{"rendered":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/?post_type=session&#038;p=8344"},"modified":"2023-05-17T08:05:42","modified_gmt":"2023-05-17T08:05:42","slug":"exploiting-inter-process-communication-with-new-desynchronization-primitives","status":"publish","type":"session","link":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/exploiting-inter-process-communication-with-new-desynchronization-primitives\/","title":{"rendered":"Exploiting Inter-Process Communication with New Desynchronization Primitives"},"content":{"rendered":"<p><iframe title=\"#HITB2023AMS D2T2 - Exploiting IPC With New Desynchronization Primitives - Martin Doyhenard\" width=\"800\" height=\"450\" src=\"https:\/\/www.youtube.com\/embed\/CTil1laLf98?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" allowfullscreen><\/iframe><\/p>\n<hr \/>\n<p>Most organizations, including 90% of Fortune 500 companies, rely on SAP\u2019s software to keep their business up and running. At the core of every SAP deployment, the Internet Communication Manager is the piece of software in charge of handling all HTTP requests and responses. This talk will demonstrate how to leverage two memory corruption vulnerabilities found in SAP&#8217;s proprietary HTTP Server, using high level protocol exploitation techniques. 
Both CVE-2022-22536 (CVSS 10) and CVE-2022-22532 were remotely exploitable and could be used by unauthenticated attackers to completely compromise any SAP installation on the planet.<\/p>\n<p>First, <strong>this presentation will show how, by escalating an error in the HTTP request handling process, it was possible to desynchronize data buffers and hijack every user\u2019s credentials with advanced HTTP Smuggling<\/strong>. Furthermore, as the primitives of this vulnerability do not rely on parsing errors, a new technique will be introduced to take over systems even in an \u201cimpossible to exploit\u201d scenario: without a proxy! This will include a demo of the first Desync botnet, using nothing more than JavaScript and Client-Side Desynchronization.<\/p>\n<p>Next, this talk will examine a Use After Free in the shared memory buffers used for Inter-Process Communication. By exploiting an incorrect deallocation, it was possible to tamper with messages belonging to other TCP connections and take control of all responses using Cache Poisoning theory. <strong>A real demonstration of how to corrupt an HTTP backend server\u2019s cache using Response Smuggling will be presented<\/strong>.<\/p>\n<p>As the affected buffers are also used to hold Out Of Bounds data, <strong>a method to corrupt address pointers and obtain Remote Code Execution will be explained.<\/strong> Finally, all these new exploitation techniques will be analyzed against other HTTP servers and reviewed from a defensive perspective, helping developers and web architects to stop attackers before it&#8217;s too late.<\/p>\n<p><strong>Also, a detection tool for CVE-2022-22536 will be presented, which was designed to hide the technical details and prevent malicious actors from weaponizing it.<\/strong> The results of the threat intelligence campaign conducted after the vulnerabilities were patched will be shown as well. 
The \u201cICMAD\u201d vulnerabilities were addressed by the US Cybersecurity and Infrastructure Security Agency and CERTs from all over the world, and were added to the Known Exploited Vulnerabilities Catalog, proving the tremendous impact they had on enterprise security.<\/p>\n","protected":false},"template":"","class_list":["post-8344","session","type-session","status-publish","hentry"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v23.3 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Exploiting Inter-Process Communication with New Desynchronization Primitives - HITBSecConf2023 - Amsterdam<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/exploiting-inter-process-communication-with-new-desynchronization-primitives\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Exploiting Inter-Process Communication with New Desynchronization Primitives - HITBSecConf2023 - Amsterdam\" \/>\n<meta property=\"og:description\" content=\"Most organizations, including 90% of Fortune 500 companies, rely on SAP\u2019s software to keep their business up and running. At the core of every SAP deployment, the Internet Communication Manager is the piece of software in charge of handling all HTTP requests and responses. 
This talk will demonstrate how to leverage two memory corruption vulnerabilities [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/exploiting-inter-process-communication-with-new-desynchronization-primitives\/\" \/>\n<meta property=\"og:site_name\" content=\"HITBSecConf2023 - Amsterdam\" \/>\n<meta property=\"article:modified_time\" content=\"2023-05-17T08:05:42+00:00\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/exploiting-inter-process-communication-with-new-desynchronization-primitives\/\",\"url\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/exploiting-inter-process-communication-with-new-desynchronization-primitives\/\",\"name\":\"Exploiting Inter-Process Communication with New Desynchronization Primitives - HITBSecConf2023 - 
Amsterdam\",\"isPartOf\":{\"@id\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/#website\"},\"datePublished\":\"2021-03-19T08:44:38+00:00\",\"dateModified\":\"2023-05-17T08:05:42+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/exploiting-inter-process-communication-with-new-desynchronization-primitives\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/exploiting-inter-process-communication-with-new-desynchronization-primitives\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/exploiting-inter-process-communication-with-new-desynchronization-primitives\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Session\",\"item\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Exploiting Inter-Process Communication with New Desynchronization Primitives\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/#website\",\"url\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/\",\"name\":\"HITBSecConf2023 - Amsterdam\",\"description\":\"#HITB2021AMS\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Exploiting Inter-Process Communication with New Desynchronization Primitives - HITBSecConf2023 - Amsterdam","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/exploiting-inter-process-communication-with-new-desynchronization-primitives\/","og_locale":"en_US","og_type":"article","og_title":"Exploiting Inter-Process Communication with New Desynchronization Primitives - HITBSecConf2023 - Amsterdam","og_description":"Most organizations, including 90% of Fortune 500 companies, rely on SAP\u2019s software to keep their business up and running. At the core of every SAP deployment, the Internet Communication Manager is the piece of software in charge of handling all HTTP requests and responses. This talk will demonstrate how to leverage two memory corruption vulnerabilities [&hellip;]","og_url":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/exploiting-inter-process-communication-with-new-desynchronization-primitives\/","og_site_name":"HITBSecConf2023 - Amsterdam","article_modified_time":"2023-05-17T08:05:42+00:00","twitter_card":"summary_large_image","twitter_misc":{"Est. 
reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/exploiting-inter-process-communication-with-new-desynchronization-primitives\/","url":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/exploiting-inter-process-communication-with-new-desynchronization-primitives\/","name":"Exploiting Inter-Process Communication with New Desynchronization Primitives - HITBSecConf2023 - Amsterdam","isPartOf":{"@id":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/#website"},"datePublished":"2021-03-19T08:44:38+00:00","dateModified":"2023-05-17T08:05:42+00:00","breadcrumb":{"@id":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/exploiting-inter-process-communication-with-new-desynchronization-primitives\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/exploiting-inter-process-communication-with-new-desynchronization-primitives\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/exploiting-inter-process-communication-with-new-desynchronization-primitives\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/"},{"@type":"ListItem","position":2,"name":"Session","item":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/session\/"},{"@type":"ListItem","position":3,"name":"Exploiting Inter-Process Communication with New Desynchronization Primitives"}]},{"@type":"WebSite","@id":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/#website","url":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/","name":"HITBSecConf2023 - 
Amsterdam","description":"#HITB2021AMS","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"}]}},"_links":{"self":[{"href":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/wp-json\/wp\/v2\/session\/8344"}],"collection":[{"href":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/wp-json\/wp\/v2\/session"}],"about":[{"href":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/wp-json\/wp\/v2\/types\/session"}],"wp:attachment":[{"href":"https:\/\/conference.hitb.org\/hitbsecconf2023ams\/wp-json\/wp\/v2\/media?parent=8344"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}