
Enough talking, it's time to break things.


2 weeks left before the start of the 2015 ZeroNights conference


Friends, we are on the home stretch: only two weeks remain until we meet. The conference program is complete, and the final two-day schedule is posted on our website: 2015.zeronights.ru/assets/files/ZNagenda2015.pdf .
Below we briefly describe the talks we have not yet told you about, so that you know what to expect from the upcoming event. In order, then. Let's go!

Main program


"Attacks on hypervisors using firmware and hardware"
Speaker: Alexander Matrosov

Description of the report
In this presentation, we will look at the attack surface of modern hypervisors exposed by vulnerabilities in system firmware, including the BIOS, as well as in hardware emulators. We will demonstrate several successful attacks on hypervisors, ranging from VMM denial of service to privilege escalation from inside a virtual machine to the hypervisor level and further to the SMM level. We will also show how a rootkit implanted in the system firmware by exploiting these vulnerabilities can compromise information belonging to virtual machines, and explain how system software problems can be used to analyze data protected by the hypervisor, including VMCS structures, EPT tables, HPA, IOMMU, and so on. To simplify hypervisor security testing, we will release new modules for the CHIPSEC framework to the public.

"S[c]rum is everywhere. Or how to interrupt continuous integration"
Speaker: Andrey Plastunov

Description of the report
More and more developers are turning their attention to continuous integration tools, integrating them into their infrastructure "a little more than completely". But do they know what dangers await on the road to a bright SCRUM future? In this talk we will try to answer that question. Typical attacks on developers' infrastructure through continuous integration tools will be considered, along with a number of bugs identified in various open-source and not-so-open-source products.


“When opened, the warranty is void, or attacks on MPLS networks”
Speaker: Georgi Geshev

Description of the report
Multiprotocol Label Switching (MPLS) is by far the most popular technology used to provide large-scale, reliable data transport services and to carry delay-sensitive traffic (voice and video). As it turns out, MPLS remains a largely unexplored area.
In his talk, Georgi will cover the main research in the field of MPLS and the critical vulnerabilities in it that may adversely affect equipment from leading vendors. The speaker will present the main types of MPLS deployments in use, describe the concepts and define the terminology. The audience will also be introduced to the network topology and the key traffic engineering strategies.
The talk will present a number of techniques with which an attacker can obtain information about internal LSR IP addresses, thereby partially or fully revealing the connection scheme of the MPLS backbone Label Switching Routers (LSRs). It will also examine various attack scenarios against service provider infrastructure and, further, against the customers of MPLS domains. It should be noted that none of the attacks presented in the talk require access to the MPLS backbone; in other words, the attacks are carried out from the position of an MPLS network customer.
In conclusion, both general solutions and recommendations will be announced, as well as suggestions for vendors that make it possible to protect MPLS networks from attacks as much as possible.


"SmartTV: how to assemble an insecure device in the modern world"
Speaker: Sergey Belov

Description of the report
SmartTV, like the rest of the IoT, is increasingly penetrating our lives. Programmers write applications for these devices and, of course, make mistakes. This talk will present various application vulnerabilities, some of them specific to SmartTV. Various attack vectors through applications on the TV itself will also be considered.


"Security at KNX, or how to steal a skyscraper"
Speaker: Egor Litvinov

Description of the report
Modern shopping and business centers and hotels contain various automation systems. Conventionally, these can be divided into "backbone" systems such as BACnet and "end-device" systems, in particular KNX. In this talk we will consider the situation where, having checked into a hotel room and connected to a "smart" switch attached to the KNX bus, we are able to reach other KNX bus segments and attack other building automation systems.


“Mathematical model of vulnerabilities and attacks for checking user input errors”
Speaker: Ivan Novikov

Description of the report
The talk attempts to provide a rigorous mathematical model for describing typical vulnerabilities caused by user input validation errors. A theory is proposed for classifying such objects and defining their properties. As practical results, examples are given of bypassing open-source intrusion detection tools using attack vectors generated within the described model.


"Getting the most out of CSP: Deep Dive"
Speaker: Sergey Shekyan

Description of the report
Content Security Policy (CSP) defines restrictions imposed on web content and is designed to prevent cross-site scripting and similar attacks. This talk will address the various difficulties associated with creating and deploying such policies. The speaker will discuss how an attacker can abuse the reporting mechanism for his own purposes, as well as the differences that exist between the CSP specification and its concrete implementations. In addition, the talk will present various tools designed to simplify the process of creating and verifying CSP.


"Meet Choronzon: the concept of intelligent evolutionary fuzzing"
Speakers: Nikolaos Naziridis , Zisis Sialveras

Description of the report
The talk will present a file fuzzer that uses evolutionary algorithms to mutate a seed file, together with user-supplied definitions describing the parts of each file format of interest. The architecture will be presented, and the design problems encountered and the solutions found will be described.
In addition, the results of comparing different types of fuzzing, sample file selection and strategy evaluation will be shown, along with an overview of the fuzzing tools and techniques available to a security specialist.


"ESIL: a universal IL (Intermediate Language) for radare2"
Speaker: Anton Kochkov

Description of the report
ESIL stands for 'Evaluable Strings Intermediate Language'. Its purpose is to describe the semantics of any instruction of any processor, from VLIW DSPs down to the 4-bit Intel 4004. ESIL can also be interpreted by a virtual machine built into radare2. This talk will give a brief introduction to the various ILs, describe the main differences of ESIL from them, and explain what led to the idea of its creation. Practical examples of using ESIL, its conversion into other similar languages (OpenREIL) and its future development will be described.


“Did you get your token?”
Speakers: Jin Long and Young Jietao

Description of the report
With each new version of Windows, Microsoft keeps improving its defenses against all kinds of exploits; in response, bypass techniques that lead to privilege escalation in the system are actively studied.
The presentation will focus on the basics and principles of privilege separation in Windows. We will discuss the internal structure of the token, how it supports DACL, mandatory integrity level and privilege checks, and the sandbox framework. We will cover the basics of protected processes and, of course, the practical aspects of the sandbox, especially those related to junction points.


"How to build your own Echelon system. Attacks on 3G modems"
Speaker: Timur Yunusov

Description of the report
Vulnerabilities in 3G modems and routers are nothing new. In this talk, all the attack vectors will be put together: how to compromise a remote or local modem and turn it into a tracking device with which one can intercept the victim's location information, read and write SMS, infect other computers and modems, and even intercept voice traffic. The study covered more than 10 modems and routers available on the market.


“[Real] BGP Security Status”
Speakers: Alexander Asimov , Artem Gavrichenkov

Description of the report
BGP is the cornerstone of the modern Internet. It is this protocol that ensures global reachability of services around the world. Unfortunately, the BGP architecture has a number of problems affecting all participants of the global network, from telecom operators to end users.
The talk will discuss the main anomalies that arise at the BGP routing level, such as BGP prefix hijacking and route leaks, as well as the current threat level and possible countermeasures.


Hackerdom team talks: RuCTFE 2015 review
Speakers: Irina Burdova, Alexander Bersenyov, Mikhail Vyatskov

Description of the report
At the ZERONIGHTS conference, Hackerdom team members Irina Burdova, Alexander Bersenyov and Mikhail Vyatskov will explain how RuCTFE, an international online attack-defense competition, is organized. The speakers will also analyze the course of the RuCTFE 2015 game and the vulnerabilities planted in its services. ZN guests will learn what technologies the game infrastructure is built on and how the checking system works. During the conference, everyone will also have the opportunity to put themselves in the participants' place and try to hack the offered services. The talks by the RuCTFE organizers will take place on the first day (main program) and on the second day (FastTrack section) of the conference.


Workshops


"Practical object-oriented reverse engineering"
Speakers: Alexander Matrosov , Evgeny Rodionov

Description of the report
In the workshop, the authors will address the problem of reversing complex threats developed using object-oriented programming. Analysis of this type of malware requires a number of new approaches, different from those used to analyze malware written in procedural programming languages.
The workshop will begin with an introduction to the fundamentals of reversing object-oriented code: the authors will describe the specifics of the structure of object-oriented code and approaches to its analysis.
Next, we will demonstrate various tools and techniques for analyzing object-oriented code on examples of malware used in recent high-profile targeted attacks: Animal Farm, Sednit, Equation, Duqu 2.
The workshop will also cover topics such as C++ malicious code and analysis in a clustered environment using a high-level intermediate representation. The authors will consider examples written in C++ and compiled with MS Visual C++.

Topics:
  • Understanding C++ code generation and recognizing it at the assembly level: structure types, use of inheritance and polymorphism, effective use of RTTI information
  • Differences
  • Applying static analysis and tools for reconstructing object-oriented views
  • Automating C++ code reversing with IDAPython and the Hex-Rays Decompiler SDK
  • Analysis of malicious code with an object-oriented structure: Animal Farm, Sednit, Equation, Duqu 2
  • Adapting IDA Pro and the Hex-Rays decompiler for analyzing malware in a clustered environment

Participants of the workshop will receive:
  • Understanding of object-oriented and non-object-oriented code from the reversing point of view
  • Practical experience using IDA Pro and the Hex-Rays decompiler to reconstruct complex data types
  • Fundamentals of plug-in development for the Hex-Rays decompiler
  • Practical skills in analyzing complex threats: the Animal Farm, Sednit, Equation and Duqu 2 malware, etc.

Requirements for participants of the workshop:
  • 3-4 hours
  • An installed version of Hex-Rays IDA with the decompiler
  • Understanding of malware-reversing approaches
  • Development experience with MS Visual C++ and Python 2.7


"On the way to (in)correct anonymity. Basic methods of digital contraception and personal data hygiene"
Speaker: Vlad

Description of the report
Today there are enough tools to ensure anonymity and privacy online, but not everyone understands how they work well enough to protect themselves completely. It is not enough to simply install the software; every possible channel of information leakage has to be eliminated.
This workshop will cover maintaining anonymity on the Internet. Obvious and not-so-obvious facts about modern ways of identifying users, both technical and social, will be discussed and demonstrated, along with why data privacy matters: the "I have nothing to hide" approach affects not only those who have "nothing to hide", but you as well.
The goal of the workshop is to examine and eliminate information leakage channels across the entire OSI model.

We will tell you:
  • Identification of mobile devices by MAC address in Wi-Fi networks, using the getshopster.com API as an example
  • Determining the operating system version from the peculiarities of its TCP stack implementation
  • Correct OS settings for VPN-only mode and the dangers posed by modern versions of Windows
  • De-anonymization through social networks and leaks through application software (Skype, Office, PDF)
  • Interesting uses of DHCP and IPv6
  • Why NAT is not a firewall

We will teach you:
  • How to correctly configure standard tools for anonymous and confidential Internet browsing, depending on the OS
  • Which specialized tools to use in a given situation, and how
  • Confidential communication and file transfer with PGP, using the open implementation GnuPG as an example
  • How to fight browser tracking and how local addresses can be scanned remotely

Requirements for participants of the workshop:
  • 2-3 hours
  • Knowledge of Russian
  • A laptop with Windows / Mac OS / Linux; a smartphone with Android or iOS


Fasttrack


"Vulnerabilities of Yota telecommunications software"
Speaker: Mikhail Firstov

Description of the report
Pocket routers are easily accessible equipment these days. With the spread of wireless 4G networks we can be truly mobile and stay connected on unlimited tariffs without dropping out of "online" status for days on end, but are we staying connected securely?
The security of 3G modems and telecommunications equipment has often sparked heated discussion about safe network connectivity. This time we analyze in detail the software of the YOTA Many 4G router. In addition to the XSS and CSRF vulnerabilities found, which are common for web infrastructures and services, an RCE bug was discovered, which raised another question: that of user anonymity and security.


"Reconstructing an intermediate representation for the analysis of complex malware"
Speakers: Alexander Matrosov , Evgeny Rodionov

Description of the report
Malicious software (malware) is a serious threat, and the number of new samples grows exponentially day by day. In addition, targeted attacks using malware are no longer the exception but rather the rule. Analysts and companies use various kinds of automation to cope with this problem, but gaps remain. Reverse engineering is becoming increasingly challenging because of the growing workload and the tight time frames imposed on it. This is directly reflected in the research process, and preventing new threats becomes even harder.
In this talk, the authors will discuss common reversing techniques that use an intermediate representation (thanks to the Hex-Rays team for their help with this research) in a clustered environment. The results presented demonstrate different uses of this approach, for example detecting algorithmic similarity between malware families.
The higher level of abstraction provided by the Hex-Rays tool is based on an abstract syntax tree (ctree). This makes it easier to study DGAs (domain name generation algorithms), custom cryptography and the specific parsers for their configurations. To reduce the number of false results when identifying metadata produced by some C++ compilers, such as virtual function tables and RTTI, the authors extracted object-oriented artifacts directly from the analyzed malware.
More than 2 million malware samples have already been analyzed and their characteristics extracted, forming a serious information base that improves analysis and the fight against future threats. Using this knowledge, other researchers in the field will be able to extract ctrees (syntax trees) from new samples and compare them with the millions obtained earlier.
All materials presented during the talk, as well as the source materials of the analyzed samples, will be made available to researchers, along with new ideas for further development. The plugin developed for the Hex-Rays Decompiler, together with tools for analyzing and automating the extraction of malware characteristics, will also be made available to the audience on GitHub.
An updated version of the BlackHat Las Vegas 2015 talk will be presented at ZeroNights.


"Network of controlled browsers based on BeEF and Google Drive"
Speakers: Denis Kolegov , Oleg Broslavsky , Nikita Oleksov

Description of the report
The talk describes a study of the feasibility of implementing a communication mechanism for hooked browsers via Google Drive within the BeEF framework. The current BeEF implementation assumes direct interaction between the hooked browser and the BeEF server, which does not allow a high level of anonymity and stealth. The talk considers one way to solve this problem by building a network on top of Google Drive.


"What does a hacker need to know about the WebDAV protocol? An overview of vulnerabilities in WebDAV implementations"
Speakers: Andrey Efimyuk , Mikhail Egorov

Description of the report
Today the WebDAV protocol is used to access online file storage services such as Yandex.Disk, box.com, 4shared.com, DriveHQ, CloudMe and others. Popular CMS systems can also provide access to their content repositories via WebDAV. The authors tested the "strength" of WebDAV implementations in various popular applications and services. The talk will discuss the vulnerabilities found in those implementations.


"ORM2Pwn: exploiting Hibernate injections"
Speakers: Mikhail Egorov , Sergey Soldatov

Description of the report
Modern Java applications do not work with the DBMS directly but use an additional layer in the form of an Object-Relational Mapping mechanism. One popular ORM solution is Hibernate ORM. Hibernate uses a special language, HQL, to write queries against entities stored in the database, and applications that use the ORM are susceptible to HQL injection. The talk presents a new method of exploiting HQL injections in Java applications that use Hibernate ORM. The authors will present an extension for the popular Burp Suite tool designed to exploit HQL injections.


"Improving scanner performance with Data Mining"
Speakers: Sergey Ignatov , Omar Ganiev

Description of the report
Nowadays IDS/IPS and SIEM solutions for detecting and responding to attacks are becoming more and more common. While a scan of a few ports from outside the network does not necessarily trigger an alert, the same activity from inside the network indicates that you have already been compromised and urgent measures are needed. So when testing an internal network the question arises of how to quickly identify the most likely open ports from the information available, without tripping security controls. The same approach is also useful for externally scanning large address ranges.


"Obfuscation of interpreted programming languages in practice"
Speaker: Alexander Kurilin

Description of the report
Convenience and ease of development have made interpreted and bytecode-compiled programming languages widely used tools for creating modern software. However, one of the key drawbacks of such languages is how easy their code is to decompile and analyze statically. This talk considers, from a practical point of view, the obfuscation and protection of executable code in these languages against decompilation and recovery of proprietary algorithms.


Defensive Track


“Security Event Correlation with Esper”
Speaker: Nikolay Klendar

Description of the report
The talk focuses on the capabilities of the Esper library for complex event processing (correlation) of security events. It will examine the basic and advanced features of the library, as well as an application built on it that allows attacks, suspicious activity and other anomalies to be detected quickly.


"Analyze it: building a modern SIEM from open-source components for large-scale log analysis"
Speaker: Daniel Svetlov

Description of the report
When it comes to intrusion detection with open source, there is no shortage of software to choose from: AIDE, OSSEC, Snort, Suricata, Bro IDS. Add to that the logs from antiviruses, firewalls and network equipment. All these systems have their own log formats and their own user interfaces, and each can generate several thousand alerts a day. In such a situation there is an acute problem of collecting all these events, analyzing them and receiving notifications by e-mail. At the same time, you sometimes want to select the relevant events and build graphs on them in a couple of mouse clicks. The SIEMs on the market either cost a lot or are free but heavily stripped-down versions of paid products. The talk will show how to build a system for analyzing OSSEC, Snort, Suricata and Cisco ASA logs with Elasticsearch, Logstash and Kibana, with SQL-like search, flexible e-mail notification management and a scalable multi-tier architecture out of the box. At the end of the presentation a link to an Ansible playbook will be given that installs all the necessary components on a server and configures them so that you can start analyzing your logs without wasting time.


"Banking Trojans: a look from the other side"
Speaker: Alexey Levin

Description of the report
As developers of a client-bank system, we are constantly confronted with the theft of money from bank customers using Trojans. The most dangerous Trojans automatically inject and hide payments on the client's computer by changing the behavior of the Java program on the fly. The talk is dedicated to such Trojans, protection against them, and the technologies we develop for this. We will talk about the tools we use, consider their effectiveness, and discuss additional protection methods (for example, constant-pool integrity monitoring and the use of invokedynamic).


"Automation of web application scanning: the Yandex experience"
Speaker: Eldar Zaitov

Description of the report
Anyone who tries to implement application security scanning as a process faces a similar set of difficulties. We will describe the evolution of our scanning process and the technical (and not only technical) aspects of automation, and we will share our solutions.


"Banking SDL: do it yourself"
Speaker: Yuri Shabalin

Description of the report
Banks are usually not expected to have an adequate approach to information security, especially in such a new technical area as SDL. Is it always like this? I will tell you how I am developing the secure development practice at Alfa-Bank, and outline the main problems encountered and how to solve them.


Yandex will announce the results of its Yandex Browser vulnerability-hunting contest at ZN


Yandex, a partner of the ZN conference, has announced a month-long hunt for vulnerabilities in Yandex Browser. The initiative's goal is to find out whether the new security system has any weak points that Yandex specialists are not yet aware of.
The contest conditions are simple: anyone can try to hack the browser and report the vulnerability found to the company. The participants who discover the most serious problems will receive a cash reward. The prize for first place is 500 thousand rubles; for second and third place, 300 thousand and 150 thousand rubles respectively. Yandex is interested in vulnerabilities that can violate the confidentiality or integrity of user data. The types of errors that will be taken into account are listed in the contest rules.
Reports can be submitted until November 20 through a special feedback form. The results of the contest will be announced on the 26th at the ZeroNights-2015 conference. If you cannot be there, do not worry: the names of the winners will also be published in the Yandex.Browser club.

Attention: a competition from Qiwi at ZERONIGHTS


At the ZERONIGHTS conference, guests will be able to take part in a hunt for vulnerabilities in QIWI payment terminals. Three fully working terminals (including the "transparent" model that users love) will be available throughout the conference.

Prohibited:

Permitted:

Of interest are vulnerabilities that lead to escaping to the Windows shell and to making fake payments using data obtained from the terminal. Depending on the criticality of the bugs found, the reward can be up to 200 thousand rubles and will be paid under Qiwi's current bug bounty program.
And yes, of course: there will be souvenir stickers, T-shirts and other small but pleasant things at the conference :)
Please note that registration for the ZERONIGHTS 2015 conference closes at 21:00 on November 23. After that, tickets for the event will no longer be available. This year we decided to limit ourselves to online registration, so paying for participation on site will unfortunately not be possible. We kindly ask you not to put off visiting this page until the last days, because, as always, there are many who want to attend: 2015.zeronights.ru/registraciya.html .

Source: https://habr.com/ru/post/270729/

