Open Battle CTF
Virtual Car Hacking Village
HITB Lockdown CTF
Date: 24th, 25th & 26th April
Date: 25th April
Time: 10am – 8pm CET
Date: 26th April
Time: 10am – 6pm CET
Featuring some of the talks and speakers from HITBSecConf2020 – Amsterdam
Date: 25th & 26th April
Time: 10am – 6pm (CET timezone)
Stream broadcast starts 30 mins before
09:30 – STREAM START
10:00 – 60 CVEs in 60 Days
In recent years, the most effective way to discover new vulnerabilities is considered to be fuzzing. I will present a complementary approach to fuzzing called MTE. By using MTE, I managed to get over 60 CVEs, all of them logical vulnerabilities, in 60 days across many major software vendors like Microsoft, Facebook, Intel, and more. Some things never die – In this session, we’ll show that a huge amount of software is still vulnerable to DLL Hijacking and Symlinks abuse and may allow attackers to escalate their privileges or DoS a machine. We will show how we generalized these two techniques within an automated testing system called Ichanea, with the aim of finding new vulnerabilities.
11:00 – The State of ICS Security: Then and Now
Praveen Soni, Ashish Gahlot & Shivbihari Pandey
In this presentation, we focus on a lab-scale test bed for a 3-phase power distribution system under industrial PLC control, instrumented with relay, power meters, various field protocol switches, supervised by an industrial SCADA system. The main contributions of the paper are (i) case studies of vulnerability assessment of the industrial components of this test bed – components that are being widely deployed in real critical systems throughout the world; (ii) the exploits and their security implications, especially their effect on the physical functioning of the systems; and (iii) mitigation techniques we have deployed to defend against such attacks.
12:00 – Pwning Adobe Reader Multiple Times with Malformed Strings
It’s hard to see vulnerabilities caused by malformed strings nowadays, not to mention the exploitable vulnerabilities. It’s not surprising because all the unsafe functions are banned by SDL in modern software development. However, it may lead to critical security vulnerabilities if the developers did not use the security enhanced functions correctly. In the case of Adobe Reader, it implemented some security enhanced string handling functions itself. But the developers used those functions incorrectly. It’s not a big deal in general cases. However, a type confusion condition can also be triggered easily when handling a malformed string. We can leverage those two conditions to achieve code execution under some circumstances. This presentation will discuss an interesting kind of vulnerability which was caused by malformed strings in Adobe Reader. More precisely, four exploitable vulnerabilities will be discussed in detail. Two of them could achieve information disclosure. The other two could achieve code execution directly.
13:00 – LUNCH BREAK
14:00 – Open the Gates – The (in)security of Cloudless Smart Door Systems
Sebastian Neef, Julian Beier & Lars Burhop
When you ring the bell at a larger building, you may assume that you are actually operating a complex network with further call buttons, access control units checking smart cards and opening doors and of course intercom devices. But your call (and video) may also end up on a smart phone or the desktop PC of the people at the front desk. IP-Gateways between the established intercom bus systems and the IP world are used. We will discuss typical scenarios, where the intercom world meets the IP world. We picked two devices to have a closer look and focused on systems for larger installations and which can be used without the Cloud. We also assume such systems to be more widely adopted among enterprises and security-conscious users.
15:00 – Hiding In Plain Sight: Analyzing Recent Evolutions in Malware Loaders
Holger Unterbrink & Edmund Brumaghin
Over the past year we have observed a significant increase in the volume and variety of malware loaders being distributed worldwide. Rather than leveraging malvertising and extensive TDS infrastructure, adversaries are now distributing loaders and creating new botnets that can be monetized to perform the spread of malware payloads for criminals seeking to deploy RATs, stealers, and banking trojans. This new generation of malware loaders features increased obfuscation, modularization, and maximum flexibility for the operators of these botnets. This talk will describe this recent shift in malware distribution, how these loaders are being leveraged, and how obfuscation and multi-stage delivery are being used to maximize efficiency and evade detection. We will also cover techniques for hunting these loaders in corporate environments and ways to more easily analyze them.
16:00 – Building Next-Gen Security Analysis Tools with Qiling Framework
Lau Kai Jern & Simone Berni
qiling.io is a sandbox emulator framework with a rich set of Python APIs to enable highly customizable analysis tools built on top. Using emulator technology inside, our engine can run the executable binary in a cross-platform-architecture way, so we can analyze Windows PE files on Linux Arm64, IoT firmware based on MIPS on macOS, and so on. This talk introduces the internals of Qiling, in which we briefly discuss the design & implementation of our engine, binary loader, dynamic linker, to OS environment, essential system components and APIs to enable binary emulation. As a framework, Qiling paves the way for users to quickly & easily build new security tools, without requiring much low-level knowledge. This presentation focuses on how to build a series of advanced applications, ranging from cross-platform coverage-guided fuzzer, malware sandbox, to IoT emulation for vulnerability research. Each case will be discussed in detail, so the audience can build more exciting tools. To conclude, we will officially announce version 1.0, as well as the next steps for Qiling Framework.
17:00 – Exploiting Directory Permissions on macOS
In this talk I will talk about how we can exploit applications on macOS (including macOS itself), where some of the directory / file permissions are incorrectly set. The incorrectness of these settings is not trivial at first sight because understanding these permissions is not intuitive. We will see bugs from simple arbitrary overwrites, to file disclosures and privilege escalation. The concepts are applicable to *nix-based systems as well, however this talk focuses on macOS bugs only. We will also cover different techniques about how to control contents of files to which we don’t have direct write access.
18:00 – END
Lockdown Livestream – 26th April
09:30 – STREAM START
10:00 – Documents of Doom – Infecting macOS via Office Macros
In this talk, we will begin by analyzing recent macro-based attacks that target Apple’s desktop OS, highlighting their macOS-specific exploit code and payloads. Next, we’ll detail a novel exploit chain, that starts with CVE-2019-1457, leverages a new sandbox escape and a full bypass of Apple’s stringent notarization requirements. The chain is triggered by simply opening a malicious (macro-laced) Office document, with no other user interaction required to persistently infect even a fully-patched macOS Catalina system.
10:30 – From Man-in-the-Middle to Privesc and RCE: Exploiting the Netlogon Protocol
In this talk I would explain an attack I discovered against the Netlogon Remote Protocol (CVE-2019-1424; patched by Microsoft in November 2019), which allows a man-in-the-middle attacker to log in as any (local administrator) user to a domain-joined Windows system. This means that once an attacker can intercept and modify traffic between a Windows system and a domain controller (for example after ARP spoofing, setting up a malicious WiFi access point or stealing a laptop using Bitlocker in TPM Only mode), they can use a simple and reliable exploit to gain privileged remote code execution. Before diving into the details of this attack, the talk would first cover the details of Netlogon and its relation to NTLM; prior work that abuses Netlogon to enable NTLM relay attacks (CVE-2015-005, CVE-2019-1019); as well as the obscure custom cryptographic scheme used by the protocol to authenticate users and protect messages.
11:00 – The DNA of Hidden Cobra – A Look at a Nation State’s Cyber Offensive Programs
Ryan Sherstobitoff & Thomas Roccia
The actor known as Hidden Cobra is thought to have been linked to the North Korean intelligence services and has been involved in numerous operations dating back to 2007. Over the course of 2018, McAfee ATR discovered several major campaigns linked to Hidden Cobra using complex and hidden implants aimed at gathering intelligence on targeted victims, disrupting their operations and generating hard currency through large crypto-currency and banking heists. This talk will be a deep dive into the techniques, tactics and procedures of Hidden Cobra as well as the developments in this actor’s complex toolkit including several new implant frameworks. This talk goes into detail about McAfee ATR’s various investigations into Hidden Cobra and what we have learned as a result. We will also discuss the various partnerships with international law enforcement in our efforts to uncover and expose back-end operations used by Hidden Cobra. We will discuss the behind-the-scenes of Operation Sharpshooter, a case that took us from an isolated incident to the exposure of a long running back-end operation.
12:00 – Prisoner Number 6
Containers are a very interesting field of research as far as security is concerned. Millions and millions of Linux containers are spun up a day, some of them privileged. Privileged containers are a breed of their own, and using the --privileged flag is only one of many ways to spin up a privileged container. Privileged containers may spin up as a result of necessity (e.g. some Kubernetes containers are privileged) or as a result of a misconfiguration. In this session we introduce the idea that privileged containers are an opening into an organization’s network and demonstrate some of the methods we found to exploit them, using the Play-with-Docker (https://labs.play-with-docker.com/) container website. Attendees will see how we use a number of different methods, such as loading a Linux kernel module into the Play-with-Docker kernel, exploiting devices present in the container to read and write the host’s files, and more.
13:00 – LUNCH BREAK
14:00 – Fuzzing File System Implementations to Uncover Security Bugs
Vulnerability research and especially “fuzz-testing” has become an ever-growing field recently. Finding (exploitable) vulnerabilities and developing effective countermeasures are an essential result from analyzing the inner workings and general system internals of complex systems. File systems are no exception to this and are an often overlooked component on both the attacker and defender side. This session presents our research on evaluating the robustness of multiple well-established and newer file systems on BSD-based systems. We will develop general guidelines about how to approach this area of research efficiently by narrowing down possible attack surfaces. Afterwards, we will dig deeper into important aspects of how to automate our ideas to efficiently fuzz kernel file system implementations.
15:00 – Breaking and Securing Cloud Platforms
In early 2019 we conducted an in-depth survey of cloud services and identified a large number of exposed or badly configured cloud services. Many think of exposed S3 buckets when talking about exposed cloud services, but we have identified a much larger variety of issues. Some lead to sensitive data disclosure, others could lead to access control/authentication bypass or authentication credentials disclosure. Exposed container services pose significant risks when reachable from the Internet. We identified some in-the-wild cases where attackers exploited some of these vulnerabilities and used them in a variety of attacks – from attacks against online shopping platforms and inserting credit card harvesting code to plain deployments of botnets and crypto-mining software. We discuss these cases and explain how attackers were able to take advantage of the exposures. Many attackers consider cloud deployments as a weaker link and often target this link to target organizations. We present a defender view on cloud services and explain how to improve security of cloud deployments by hardening cloud services and ensuring that certain aspects of cloud configurations are done right. We conclude the presentation with best practices we have been using and would recommend organizations to use in their cloud deployments.
16:00 – Army of Undead: Tailored Firmware Emulation
The exploding number of embedded systems, like network cameras, routers and programmable logic controllers (PLCs), of the past years raises the question of how secure these devices are and which connections are established in the background. As these devices are often conceived as closed systems, a popular possibility is emulation of the firmware of such devices. Past projects like FIRMADYNE by Chen et al. and Automated Dynamic Firmware Analysis at Scale by Costin et al. showed that emulation of such devices is possible, but only by doing manual modifications on the Linux kernel and restricted to few architectures. During this talk, comprehensive methods for tasks like finding the file system root, determining the exact instruction set and emulating the target firmware in an automated manner will be discussed. All these steps can be done by simple scripts and open-source components without changing the code of any kernel.
17:00 – Bugrank: A Community Bug Bounty Platform
Thanh ‘Red Dragon’ Nguyen, Anthony Lai & Nguyen Anh Quynh
In this talk we introduce Bugrank – a bug bounty and bug reporting platform for the community. We will cover the design and architecture, and provide a walkthrough of its functions. The entire code base will be open sourced so anyone can set up their own bug bounty platform.
17:30 – Virtual Lab: Bare-metal Reverse Engineering & Hardware Hacking
Thomas Roth & Dmitry Nedospasov
Part 1: Bare-metal reverse engineering with Ghidra
After a brief introduction to bare-metal code and the ARM Cortex-M architecture we jump right into reverse-engineering ARM firmware. First, we analyze some simple crackmes, look at some useful scripts and tools and learn some tricks to efficiently navigate firmware. Next, we’ll analyze the actual BootROM of a popular series of microcontrollers and identify an attack vector for a low-level hardware attack. Participants are welcome to ask questions and encouraged to follow along. Please join the HITB #virtuallab channel on Slack.
Part 2: Glitching for fun and profit
After identifying the potential vulnerability in Ghidra, we will now devise a strategy to exploit this vulnerability in the underlying hardware. This will include preparing the ARM microcontroller for the attack, wiring up the circuit to induce the fault and programming an FPGA to control the system boot and perform the attack in real time. And, instead of just showing slides on how such an attack could be performed, we will solder it live, running through all the issues together and answering questions as we go along.
Software required to follow along:
– Ghidra 9.1.2: https://ghidra-sre.org/
– SVD-Loader: https://github.com/leveldown-security/SVD-Loader-Ghidra
18:30 – END