The speakers are Rodrigo Rubira Branco and Rohit Mothe.
DPTrace tool: dual tracing for analyzing potential vulnerabilities
The speakers will present the results of their research into the practical exploitability of software vulnerabilities using crash analysis. The goal was a holistic, feedback-based approach that helps a researcher determine whether a software fault (or set of faults) can be exploited and how severe its impact is. The result is a semi-automatic crash analysis system that speeds up the work of building exploits.
Speakers - Thomas Debize, Mahdi Braik
Hadoop Safari - Hunting for Vulnerabilities
So-called "Big Data" is one of the most popular areas in IT today, driven by the need to analyze ever-growing volumes of data. Many companies are now working in this direction, deploying clusters on Hadoop, currently the most "fashionable" framework for working with Big Data.
The speakers will talk about the problems, or even the "concepts", of Hadoop security, and will show a number of different attack vectors against a cluster. Attendees will learn how the coveted Data Lake can be reached after plugging a laptop into the target network.
Speaker - Matthias Deeg
Of mice and keyboards: on the security of modern wireless input devices
Wireless input devices have become very popular over the past couple of years. From an attacker's point of view, these wireless devices are an attractive target that allows taking control of a computer system and obtaining particularly sensitive data such as passwords.
The speaker will present the results of his own research and demonstrate attack methods against wireless input devices by exploiting various vulnerabilities.
Speaker - Angel Villegas
FIRST: a new look at reverse engineering
A reverse engineer spends a fair amount of time determining whether a file is malicious or not. When using a disassembler such as IDA Pro, the analyst may end up analyzing the same routines in several files over their life cycle. Whether or not static libraries are involved, re-analyzing the same code slows down the reversing process. This presentation introduces a new reverse engineering tool, FIRST (Function Identification and Recovery Signature Tool), a solution for retrieving information about similar functions, which reduces analysis time and enables information sharing between analysts.
Speaker - Enrique Nissim
I know where your page lives: de-randomizing the kernel address space of the latest Windows 10
The latest version of Windows 10 (Anniversary Update) has again raised the bar for successful kernel vulnerability exploitation. Microsoft took a step forward by closing the GDI object address leak in the kernel, a technique widely used after the infamous exploit from a well-known hacking group. In addition, with the introduction of page table randomization, the kernel-mode ASLR (KASLR) now requires a memory disclosure before RIP can be controlled via ROP or DKOM techniques.
This presentation will feature the DrK attack ("De-randomizing Kernel Address Space"), presented at Black Hat 2016, applied to the randomization of the PML4 structure. By combining TSX instructions with several tricks, it is possible to determine the exact location of the PML4 self-reference entry. After that, all known attacks on the paging structures can be carried out as if KASLR did not exist at all.
Speaker - Ayoub Elaassal
Bringing down CICS: hacking the world of transactions
CICS (Customer Information Control System) is the most widely used transaction processing system in the world, handling more than 20 billion transactions every day. It is mostly deployed on IBM z/OS systems.
In fact, it is highly likely that when a person withdraws money from an account, CICS applications are involved at some stage of the operation. The same applies to other banking operations, including opening an account, managing refunds, paying taxes, etc.
The talk will dispel the myths surrounding this important system; the speaker will also explain how it works and pay close attention to how some of its functions can be abused to read and edit business files with impunity, access other applications, execute code remotely without authentication...
The talk will feature the Cicspwn tool, created to help penetration testers check the security of a CICS system and exploit its key vulnerabilities.
Speaker - Patrick Wardle
Cheating death: hiding in recovery mode to survive an OS X reinstall
Traveled with your Mac to exotic countries and caught a virus? Experience says: wipe and reinstall the OS! On a Mac you can boot into "Recovery Mode", wipe the infected volume and then install a clean copy of OS X. Unfortunately, this will no longer be enough.
The talk will present malicious code that can infect the recovery OS (directly from OS X), which allows it to survive a complete reinstall of OS X. But don't panic! We will discuss ideas for protecting the OS during recovery.
Speakers - Ilya Safonov, Alexander Matrosov
Excite project: the whole truth about symbolic execution for BIOS security
The researchers are working on the Excite project, which uses the S2E platform (Selective Symbolic Execution) and Intel's Simics virtual platform to search for vulnerabilities in the BIOS, including the well-known class of SMM call-out vulnerabilities. All tools and approaches in this talk are considered in the context of real vulnerabilities discovered with their help. The limitations and problems that arise when applying symbolic execution to BIOS security will also be discussed.
Speaker - Alexander Ermolov
Safeguarding rootkits: Intel BootGuard
Intel BootGuard is a new hardware technology for protecting the BIOS against modification, which a computer system vendor can permanently enable during production. The talk will describe the technology itself in detail, along with the related and unrelated undocumented subsystems (Intel ME, boot code inside the CPU, and more). Attendees will also learn how a mistake cloned over the years across the production lines of several vendors allows a potential attacker to use this very technology to create a hidden rootkit in the system that cannot be removed (even with a hardware programmer).
Speakers - Roman Bazhin and Maxim Malyutin
JETPLOW is dead, long live JETPLOW!
The NSA software documents published by Edward Snowden made a lot of noise. However, until recently it was impossible to see how it all actually worked. The publication of The Shadow Brokers leak provided that opportunity. Roman Bazhin and Maxim Malyutin did not sit idle, but conducted an independent study whose results they will present at the conference. A deep analysis of the "leaked" JETPLOW will be presented and compared with their own data. Conference guests will also be invited to consider possible scenarios for how the situation with this implant may develop, and the state of affairs with other Cisco equipment will be discussed. In conclusion, methods for detecting such implants will be shown.
Speakers - Ali Abbasi and Majid Hashemi
Attacking pin control in programmable logic controllers
Embedded systems interact with and control the outside world through input/output (I/O) mechanisms. The I/O of embedded systems must be particularly reliable and secure when the systems are designed for mission-critical tasks. The I/O of an embedded system is controlled through pins. This talk will examine security issues in the pin management of embedded systems. In particular, the speakers will demonstrate how an attacker can compromise the integrity and availability of I/O in an embedded system by using certain pin control operations that do not raise interrupts.
Speakers - Alexander Matrosov and Yevgeny Rodionov
Rootkits in UEFI firmware: myths and reality
Recently, the topic of UEFI firmware security has become extremely relevant. In recent years there have been many publications discussing vulnerabilities found in UEFI. They allow an attacker to compromise the system at one of the most privileged levels and gain complete control over the victim's system. In this talk the authors will examine the most relevant types of attacks on UEFI firmware from a practical point of view and analyze how applicable the described attacks are to real-world scenarios: can such vulnerabilities be easily used in real rootkits (OS -> SMM -> SPI Flash)?
Speaker - Mariano Graziano
Critical analysis of complex code-reuse attacks with ROPMEMU
Code-reuse attacks based on the concept of return-oriented programming (ROP) gain popularity every year. Initially used as a way to bypass operating system protections against injected code, such attacks are now also used as a method of hiding malicious code from detection and analysis systems. The author proposes ROPMEMU, a framework combining a variety of techniques for analyzing ROP chains and recovering their equivalent code in a form that can be analyzed with traditional reverse engineering tools.
Speaker - Ivan Novikov
Hacking ElasticSearch
The talk will discuss the popular data indexing and search system ElasticSearch. Security issues across the entire technology stack required to use it in modern web applications will be considered:
• Wrapper classes (so-called "drivers") for popular platforms (PHP, Node.js, Java, Python);
• The ElasticSearch API protocol;
• The built-in interpreter;
• The service's interaction with the file system.
A retrospective of all discovered vulnerabilities will be given and assumptions about possible future problems will be made. The talk presents new vulnerabilities and practical methods for exploiting them, as well as examples of the most common mistakes made when deploying this technology, based on web application security audits the author has conducted.
Speakers - Sen Nie and Ling Liu
Tesla Motors gateway components
A vehicle gateway is a microcontroller that manages data exchange between different CAN buses. In a Tesla car it also serves as a bridge between Ethernet and the CAN bus, relaying and filtering messages sent from the infotainment system to the internal CAN network. Gateways currently play an important role in vehicle internal networks, especially when the car is connected to the Internet (so-called connected cars). In the talk the experts will describe the design and implementation of automotive gateways and reveal the secrets of how the gateway functions in the Tesla car. In particular, they will explain how to recover the source code of the gateway firmware and how the gateway manages its services: shell, file system, network, logging, etc.
Speaker - Mikhail Stepankin
Advanced web application fuzzing
The talk will cover methods for fuzzing web applications to find complex injections (not just SQL). Automated web application scanners often perform only basic vulnerability checks and are easily blocked by a WAF. Manual analysis, however, does not cover all possible cases. The author has developed his own web application fuzzing tool that combines automated and manual analysis to find complex injections. The talk will also cover vulnerabilities in PayPal and Yahoo servers that the author found using the presented tool.
Speaker - Alexander Bolshev
How to cheat an ADC, part 3, or tools for attacking devices that convert analog data to digital
We are used to working with digital systems, but the world around us is analog. To influence it, or conversely to obtain information about it, digital devices use data conversion mechanisms (in the simplest case an ADC, analog-to-digital converter). Analog signals with specific characteristics can be interpreted differently by different ADCs, even when they are connected to the same line. This can lead to a "false perception" of the state of a process control system or to incorrect data at a sensor output, which in turn also affects the process. In this talk we will look at various tools and methods for influencing analog-to-digital conversion that allow attacks against industrial process control systems, embedded systems and other systems.
Speaker - Alexey Rossovsky
Real-life stories about hacking low-cost phones
There are plenty of talks about hacking top phone models, but phones from the lower price range are undeservedly neglected, even though they are also sold and used on the market. In this talk the speaker will describe a number of cases in which a budget phone was unlocked or patched. The following topics will be covered: the Intel XMM mobile chipset, important AT commands, OTA operation via MITM, flashing Qualcomm-based devices, exploiting ARM devices, getting root with SELinux enabled, and much more.
Speakers - Alexander Evstigneev and Dmitry Kuznetsov
Cisco Smart Install: pentester's features
The talk will look at previously unpublished bugs in Cisco Smart Install which, taken together, allow taking control of Cisco switches that support the Smart Install feature.
Speakers - Yuri Drozdov and Lyudmila Drozdova
An approach to developing LPE exploits on Windows 10 with the latest security updates
The talk describes the difficulties of writing LPE exploits for Windows 10 and methods for overcoming them. Emphasis will be placed on the new way GDI object handles are managed (in the latest Windows 10 update) and how this affected the exploitation process. Other Windows 10 features affecting exploitation will also be discussed briefly.
Talks on the Defensive Track
We have already assembled a pool of strong talks for the Defensive Track section, and today we are announcing the first part of the lineup. We remind you that the main feature of this slot is the presentation of real experience and descriptions of practical work from the original source. This is not about "introducing a product"; it is about "how to make everything work better without extra expense". Content "from hackers, for hackers". And most importantly, it is for those who need results and experience rather than advertising.
Speakers - Catherine Puhareva and Alexander Leonov
Enterprise Vulnerability Management
The speakers will talk about how to choose a solution, the intricacies of vulnerability management and vulnerability intelligence, and how to organize the patch and vulnerability management process efficiently. There will also be a discussion of Nessus customization and of the vulnerability scanner as a valuable asset.
Speakers - Natalia Kukanova and Igor Gots
20% of the investment and 80% of the result: how to implement information security requirements without losing internal freedom
In this presentation the speakers will describe how, in a dynamic network, you can build a scheme for monitoring compliance with basic information security requirements on employees' workstations. They will talk in detail about the technologies used to implement NAC (Network Access Control) principles in the Yandex network, and about the organizational and technical difficulties the specialists faced.
Speakers - Pavel Grachev and Alexey Karyabkin
Monitoring and analysis of email messages, or a home-made tool for detecting cyber attacks
This talk will examine one of the most popular attack vectors against organizations: mass mailings of malware, phishing and spear phishing (targeted attacks). The speakers will tell how they built their defense, what they ran into and how they overcame the difficulties. Topical issues of applying modern technologies and commercial solutions to identify and combat cyber attacks will be addressed. In the practical part the speakers will demonstrate their own "bicycle" (a home-made solution for detecting cyber attacks), developing the idea from ZeroNights 0x04 (link).
Speakers - Evgeny Sidorov and Eldar Zaitov
Managing application code signing in a large company
All mobile applications and almost all desktop applications must be signed with the developer's digital signature. When you try to deploy a key management system for signing applications, you may run into a number of difficulties. To solve them, the speakers created their own solution, which can sign applications for Android and Windows (user mode and kernel mode) as well as Java applications and applets, and which they will describe in the talk.
Speaker - Igor Bulatenko
Fear and loathing of two-factor authentication
More and more companies are starting to think about introducing two-factor authentication. Here it is very important not to make a mistake in choosing the solution and the implementation approach, since there is always a trade-off between usability and security. The talk will explain what to pay attention to when making the decision, and what difficulties you may encounter during implementation.
Speakers - Teymur Kheirkhabarov and Sergey Soldatov
Be your own threat hunter
Because fully customized compromise tools are becoming increasingly popular, as are attacks carried out without any malware at all, corporate information security teams urgently need to detect host and network attacks that classical protection tools miss. "Threat hunting" is fashionable now, but the speakers will tell the truth about how to do it yourself.
Speaker - Mikhail Sosonkin
Automating iOS black-box scanning
Today, application security on iOS has become a pressing topic. This presentation will show the internals of CHAOTICMARCH (an automation tool), as well as methods for monitoring and controlling application actions. If you are planning to create your own project for assessing iOS application security, or need help automating the analysis of boundary values, this talk is what you were looking for.
Speaker - Ksenia Gnitko
Neurotechnology is safe
Speaker - Igor Kirillov
HexRaysPyTools
Speaker - Andrey Kovalev
You are not like that ...
Speaker - Anton Lopanitsyn
Hit below the belt: bypassing modern WAF/IPS/DLP
Speaker - Georgy Zaitsev
Reversing Golang
Speaker - Denis Kolegov
BIG-IP F5 Configuration Vulnerabilities: Detection and Correction
Source: https://habr.com/ru/post/313236/