
ZeroNights 2015: Hack now - Save the future



Many in Russia have probably already started to miss the good, hardcore hacker atmosphere and talks: talks that are not only interesting to listen to, but also useful for both defense and attack. Don't be sad: the ZeroNights conference will be held for the fifth time on November 25-26 in Moscow ;) Part of the program is already known, and we are pleased to present it to you. Read on.

Main program


Keynote: “Ode to hackers”
Speaker: Rodrigo Rubira Branco

Description of the report
Hackers have been creating knowledge and sharing information since the birth of high technology. They truly understand how systems are built from the inside, but each of them is motivated by something different. Just as a company, faced with competition and external challenges, seeks to create products that respond to those challenges and improves them with each new version (or not), so a hacker accumulates knowledge and develops thanks to those challenges. Since different hackers have different goals and objectives, they direct their talents to different areas. If hacking some system seems easy to someone, they have probably already acquired the relevant knowledge and worked out the task, but this does not mean that someone else cannot be at the beginning of the same path, following it with passion and attention to the complexity of the system.

Different goals, different means. Work can be loved, interesting and difficult, but it is still work with all its traditional advantages. Everyone has their own life, and everyone should understand this, take responsibility for their own decisions and pay for their mistakes. Whether climbing the career ladder as a technical specialist in a large corporation or hunting bugs as a freelancer (and there is much in common between these two extremes), a researcher must make informed decisions, and we will discuss them in this talk. The ultimate goal is to show that there are both difficulties and opportunities, and that you can arrange your life very differently while remaining faithful to the main priorities: acquiring knowledge and having fun.

"Hacking virtual appliances"
Speaker: Jeremy Brown

Description of the report
Virtual appliances are now used everywhere, because virtualization is omnipresent and hypervisors are commonplace.

More and more large vendors provide virtual clones of their products that were previously available only as a physical installation. As with the Internet of Things and CAN buses, everything is just beginning, and the vendors are already behind. Above all, they are not ready for the appearance of a huge attack surface teeming with vulnerabilities. In addition, many vendors see virtualized software as a convenient way for the user to evaluate the product before purchasing the physical version, so this version of the product is more accessible and easier to debug using the capabilities of the platform it runs on.

In my talk I will analyze real cases of vulnerabilities arising from mistakes that many large players make when shipping virtualized software. You will learn how to find such bugs yourself, how vendors approached the task of fixing them, and whether they solved it at all. By the end of the talk you will know for sure how remote code execution on a virtual appliance is achieved.

"We pull out a sick (blue) tooth"
Speakers: Matteo Beccaro , Matteo Collura

Description of the report
Do you know how many Bluetooth devices there are in the world right now? With the advent of the Internet of Things and Bluetooth Smart (Low Energy) technology, there are an incredible number of them.

Are they secure? What if I told you that I can unlock your smartphone? What if I told you that I can open the new smart lock on the door of your house? In this talk we briefly explain how the Bluetooth protocols (BR/EDR/LE) work, with an emphasis on their security. Then we will show some known vulnerabilities and finally, top secret, even demonstrate them.

"Cisco IOS shellcode - all-in-one"
Speaker: Georgy Nosenko

Description of the report
Cisco networking equipment has always been an attractive target for attacks, due to its widespread use and the key role it plays in building network infrastructure and its security. The wide variety of architectures, and of types and versions of the operating systems (firmware) that run Cisco network equipment, makes it very difficult to develop a universal shellcode. The publicly available shellcodes for Cisco IOS are tailored to specific network equipment, offer little functionality and are of little use during penetration tests.

This talk will present the results of a study undertaken by our research center to create a shellcode that is as portable as possible across Cisco IOS firmware versions, giving pentesters a wide range of capabilities thanks to the ability to dynamically change the shellcode's purpose at the post-exploitation stage. We will also consider the possibility of a “worm” that spreads through the network infrastructure from the firewall to the router, from the router to the switch, and so on.

“Fix it yourself: close vulnerabilities in UEFI with your own hands”
Speaker: Nikolay Shley

Description of the report
Is there a vulnerability in your firmware, and the manufacturer is in no hurry with an update? Or was the update released yesterday, but instead of fixing the old vulnerability it added two new ones?

Enough of this; it's time to take the security of your firmware into your own hands! This talk is about how to independently detect and close currently known vulnerabilities in UEFI-compatible firmware.

“Big Problems with Big Data: Hadoop Interface Security”
Speaker: Jakub Kaluzny

Description of the report
What new challenges do the now-fashionable “cloud technologies” and “big data” pose for security auditors?

Setting aside the complexity of Hadoop installations and the number of interfaces, standard techniques can be used to test for web application vulnerabilities, SSL security and other encryption issues. We checked the prevalent Hadoop environments and found a number of critical vulnerabilities that could cast a shadow over the reputation of big data.

“IllusoryTLS: Nobody but us. Impersonation, modification and exploitation”
Speaker: Alfonso De Gregorio

Description of the report
Learn how to embed an elliptic-curve asymmetric backdoor into an RSA modulus using Elligator. Understand that all of TLS security can be fiction if just one CA certificate with an imperceptibly embedded backdoor gets into the communicating parties' certificate store. Find out how cryptographic backdoors have been studied in practice in the interests of intelligence agencies, regardless of legal restrictions.

“Hack like a movie star: a step-by-step guide to building a SCADA payload for physical attacks with disastrous consequences”
Speaker: Marina Krotofil

Description of the report
Almost all talks on SCADA vulnerabilities end with stunning physical attack scenarios with chilling consequences. They are echoed by Hollywood films and numerous media publications, so now everyone is initiated into the art of summoning cyber-Armageddon: hack something beyond the SCADA system, and gas will immediately rush to the right place and the world will go mad. And since nobody really understands what SCADA actually is, a conference speaker can feed the audience any nonsense.

This talk is a crash course on what to do after hacking SCADA. If an evil outsider remotely attacks a fairly complex process, he does not magically have exhaustive knowledge of that process, and he has to solve a number of intermediate tasks before the final attack. How is the process controlled? What commands does it understand? What features can be exploited? Without answers to these questions you will not get far. You can inject any data, but this still does not guarantee the ability to control the process arbitrarily. The physics of the process and the intricacies of the control logic can thoroughly upset the villain's plans. As an example, we will drive traffic lights into a catastrophic state, so that attendees gain practical knowledge of SCADA hacking. The talk covers all stages of a cyber-physical attack, with a description of the tasks performed at each stage and the non-trivial workarounds an attacker sometimes has to resort to.

It is expected that by the end of the presentation attendees will be able to expose the charlatans and will be inspired to create their own interesting and original attacks on SCADA with arbitrary physical consequences.

"Modifying the firmware of industrial switches"
Speaker: Alexander Ermolov

Description of the report
The heart of any modern ICS infrastructure is the data bus. In most cases it is based on the Ethernet family of technologies. The talk deals with attacks on the main elements of the bus: industrial switches. We will show methods of replacing switch firmware using various vulnerabilities and weaknesses in “default” configurations. Compromising such a switch gives almost unlimited control over the process: you can interfere with and alter data in the various connections between the PLC and SCADA, between gateways and the PLC, forge data sent to the HMI and logging systems, and so on. All this can result in the operator losing track of the real state of the technological process and, as a consequence, in a process shutdown or an accident. In addition, we will consider the possibility of persistently implanting code in the switch (by compromising the bootloader).

"DirectX: a direct path to the Microsoft Windows kernel"
Speaker: Nikita Tarakanov

Description of the report
Thanks to graphics technologies, kernel-mode drivers have acquired many APIs that are accessible from ring 3. If you create graphics for a computer game or a video player, you will have to use one of the low-level functions provided by the Windows Display Driver Model (WDDM) to interact with the kernel driver. Graphics operations are resource-intensive, complex and accessible to an unprivileged user. This research focuses on finding vulnerabilities in the low-level interactions between ring 3 and ring 0 within WDDM and through the GDI user-mode library. The presentation will show fuzzing statistics and techniques, as well as vulnerabilities found in Intel, NVIDIA and ATI drivers.


Defensive Track


“Let's play a game: another approach to penetration testing”
Speaker: Kirill Yermakov

Description of the report
Every modern corporation undergoes external pentests, audits and other “checks” of its information security controls. There are many different approaches to these processes. Some are only slightly more effective than automated scanning, while others claim to simulate a real attack. I will tell you about our approach to “penetration testing” and the story of a two-month survival game.

“How we fought a 0-day in Adobe Flash: the hunt for a corrupted vector”
Speakers: Andrei Kovalev, Konstantin Otrashkevich, Evgeny Sidorov

Description of the report
In 2015, Adobe Flash exploitation remains in vogue among security researchers as well as among cybercriminals. After all, the player has a single code base and runs in all modern browsers on all operating systems. These conditions allow different platforms to be attacked with one exploit.

The history of Flash exploits based on corrupting vector objects began in 2013, when the first such exploit, LadyBoyle (CVE-2013-0634), appeared. In 2014, the CVE-2014-0322 vulnerability suggested a simpler approach: corrupting the Vector.length field, which allows reading and writing the memory of the IE process, building a ROP shellcode and launching it. This is a very powerful approach used in all the new exploits (including those from the leaked Hacking Team materials).

Only in July 2015 did Google and Adobe introduce a new mitigation technique that protects the end user, but exploit kit developers are unfazed by it.

At Yandex we have our own behavioral analysis technology developed for such exploits, and in our talk we will share the key principles it is based on. We will also give guidance on developing a behavioral analysis system for detecting complex Flash exploits.

We will pay special attention to:
  • the main techniques used in recent exploits for the Adobe Flash player;
  • Google's Vector.<...>.length validation technique and its bypass;
  • approaches to reducing the risk from exploitation of Adobe Flash vulnerabilities and how they are bypassed (bypassing Adobe Flash Control Flow Guard);
  • our experience in detecting such exploitation attempts.



Workshops


"Cross-platform reversing with Frida"
Speaker: Ole André Vadla Ravnås

Description of the workshop
Frida is a programmable toolkit for dynamic binary instrumentation that lets you drastically shorten the development cycle of tools for dynamic analysis and reverse engineering. It has an API and a command-line interface built on top of it. It is written in portable C, released under a business-friendly open-source license, and has bindings for Python, Node.js and other languages. It is the best dynamic binary instrumentation tool for any modern platform (Windows, Mac, Linux, iOS, Android or QNX).

The workshop is intended for attendees who want up-to-date information on the latest dynamic instrumentation techniques for desktop and mobile devices. We begin with an introduction to the Frida API and command-line interface, and then learn how to write a reversing tool from scratch.

Requirements for participants of the workshop:
  • 2-3 hours
  • Knowledge of English
  • Preferably a laptop with Windows, Mac or Linux; optionally a jailbroken / rooted iOS / Android device


"Practical exploitation of AVR-based devices"
Speakers: Alexander Bolshev , Boris Ryutin

Description of the workshop
A great many modern devices are built on AVR microcontrollers, from hobby projects based on Arduino to IoT, automotive subsystems and industrial controllers. This workshop is an attempt to summarize the whole body of experience in exploiting buffer overflows in AVR firmware.

Despite the abundance of information on this topic on the Internet, there is still no practical “ins and outs” guide to it.

During the workshop we will discuss the specifics of reverse engineering AVR-based firmware, talk about the features of the Harvard architecture and discuss existing tools for exploiting AVR. We will discuss methods of building ROP chains and how radare2 can help. In addition, we will talk about post-exploitation techniques and establishing persistence in the firmware.

Workshop plan:
Part 1. General information about AVR devices:
  • Introduction
  • Harvard architecture
  • Features of AVR MCUs
  • Brief Introduction to AVR Assembler
  • AVR bootloaders
  • Tools for AVR development, debugging and exploitation

Part 2. Pre-exploitation:
  • The first steps
  • Methods for obtaining firmware
  • A bit about reverse engineering of printed circuit boards
  • Vulnerability Scanning - Fuzzing and Static Analysis
  • AVR "libc"
  • What a watchdog is
  • Examples and exercises

Part 3. Exploitation:
  • Basic concepts
  • Types of exploitable vulnerabilities
  • Sources of ROP Gadgets
  • Building ROP chains
  • Examples and exercises

Part 4. Post-exploitation:
  • Persistence
  • Examples

Practical exercises will be conducted using the emulator in Atmel Studio and Arduino boards.

Requirements for participants of the workshop:
  • 3 hours
  • Knowledge of Russian language
  • Installed radare2 or IDA Pro
  • Atmel Studio environment (we will hand out a flash drive with the distribution)
  • A laptop
  • Micro USB cable

"Enlarge your Burp, or How to Stop Being Afraid of the Javadocs"
Speakers: Ivan Elkin , Igor Bulatenko

Description of the workshop
Many people use vulnerability scanners without understanding how they work, so they often get a suboptimal result. And if the scanner produces false positives, or, conversely, cannot find vulnerabilities that are easily found by hand, most pentesters simply put up with it or use a set of scanners. Burp Suite allows you to write your own plugins, so many of its shortcomings can be fixed with your own hands. In this workshop we will show the basic principles of plugin development, and which methods should be used in which cases and why.

The theoretical part will be reinforced by practical exercises. Development will be shown in two languages, Python and Java, with consideration of the fundamental differences and advantages of each language in the context of Burp Suite. After the workshop you will no longer be afraid of API descriptions in Javadoc format.

Requirements for participants of the workshop:
  • 3-4 hours
  • Knowledge of Russian language
  • Required: a computer with Burp Suite Professional. The free version of Burp Suite does not include the vulnerability scanner, whose extension the workshop is devoted to
  • Minimal knowledge of Python or Java
  • Java development environment (Eclipse, IntelliJ IDEA), JDK 1.7 / 1.8. Recommended even if you have never written Java code before. It's easy, and in the workshop we will show the advantages of Java



Hardware village


This year, following the good old tradition, the Hardware Village project at ZeroNights will continue to delight visitors with all sorts of tricks and hacks at the lowest level. If for you the word “iron” (hardware) means more than an element of the periodic table, you should definitely come and see us. There will be plenty of hardware and electronics.

Most of the time over the two days will be taken up by workshops, talks from the old and new school of hackers, as well as Q&A sessions and speed hardware-hacking contests.

This year we will try to learn from the mistakes of past years and structure the project better, both in content and in time.

The first day will be devoted to wired networks and standard data transfer interfaces such as Ethernet, 1-Wire, UART, JTAG, SPI, etc. We will also show the equipment recommended for this kind of analysis, including oscilloscopes, logic analyzers and multimeters, and explain how to work with them. Dmitry Nedospasov will separately cover FPGAs and their use for hacking.

The second day will be set aside exclusively for wireless data networks. This year we will try to cover most of the unlicensed frequency bands (in particular 350 MHz, 433 MHz, 868 MHz, 915 MHz and 2.4 GHz) and the popular RFID, NFC, Wi-Fi and Bluetooth protocols. A small SDR workshop may be useful for those who want to get into this topic but do not know where to start.

As for the target audience, it is worth noting that the Hardware Village is a project by hardware enthusiasts for enthusiasts of any level. If you would like to help organize the Hardware Village, we will be happy to welcome you to our team.

Send questions and suggestions directly to hardware@zeronights.ru
We hope that the result of our work this year will leave neither beginners nor pros indifferent.

Yandex.Browser at ZeroNights


Soon Yandex.Browser will be opened up for bug and vulnerability hunting in a special contest, run by Yandex together with the ZeroNights organizers. Winners will receive cash prizes. Follow the news!

If you would like to give a talk but have not yet submitted an application to the CFP, please note: you have only a few hours left! The CFP closes on October 1st.
Those planning to attend the conference as a listener are invited to register. See you in November!


Source: https://habr.com/ru/post/267915/

