
ZeroNights 2017 program



It is time to share the news of the ZeroNights conference program. We will talk about each report that can be heard at ZN, the upcoming workshops and contests, and will also present this year's innovation: Web Village (finally).

Table of contents


  1. Key reports
  2. Main track
  3. Fast track
  4. Defensive Track
  5. Workshops
  6. Web village

Key reports


This year brings something unprecedented and unheard of: two keynote speakers at ZeroNights. One will open the first day of the event, the other will open the second!


Thomas Dullien (aka Halvar Flake)


Machine learning, attack and the future of automation


Thomas Dullien began working in reverse engineering and digital rights management in the mid-90s, and soon started applying reverse engineering techniques to vulnerability research. Thomas pioneered Windows heap exploitation, comparative analysis of patches and binaries, and a variety of other reverse engineering techniques. In 2004, Halvar founded zynamics, a company specializing in reverse engineering technologies. Meanwhile, he continued to publish his research on reverse engineering, exploit development using return-oriented programming, and knowledge management technologies applied to reverse engineering. In 2011, zynamics was acquired by Google, and for the several years that followed Halvar worked on defensive technologies involving big data and machine learning, both discussed on every corner at the time. In 2015, Halvar received a Pwnie award and decided to take a year off to travel, read and surf.


Talk of machine learning and the coming fundamental changes in IT literally does not stop these days, and this is the subject of Thomas Dullien's report. Although it is difficult to weed out the delusions and myths generated by the general excitement, it is obvious that computing is increasingly moving to a level of abstraction at which classifiers are just as common as branching operators. What about attack research? Does at least the home business have immunity from automation? Or will “AI” (in any of its manifestations) affect it? Or has it perhaps already done so?


This report will tell you what AlphaGo can teach us, and also identify those areas of the industry where machine learning will take a step forward in the coming years (although it is difficult to say how big it is).


Shay Gueron


Encrypted Memory Attacks: Beyond One Bit


Shay Gueron is an associate professor of mathematical sciences at Haifa University and the head of engineering and technical services for cloud information security at Amazon. Earlier, Shay was the chief engineer and senior cryptographer at Intel. His areas of interest include cryptography, information security, and algorithms. Shay is the creator of processor instruction sets such as AES-NI, PCLMULQDQ and the upcoming VPMADD52, as well as various microarchitectural features that sped up encryption algorithms. He has contributed to open source libraries (OpenSSL, NSS), increasing the speed of symmetric encryption, public key algorithms and hashing. Shay Gueron was one of the architects of the Intel Software Guard Extensions (SGX) technology and was responsible for its implementation and cryptography. In addition, he is the creator of the Memory Encryption Engine.


His report focuses on the security of user data in a virtualized cloud environment, which is a growing concern for both the users themselves and cloud providers. The hypervisor gives the hosting administrator the ability to read any memory area of the guest virtual machine. Consequently, there are no guarantees that the administrator does not use these capabilities to gain access to user data. This threat is not prevented even if the entire memory is encrypted with one (secret) key. Guest virtual machines can be isolated from the administrator if the memory areas are encrypted with a unique key for each guest machine. The hypervisor's memory access capabilities remain unchanged, but reading the memory of a virtual machine then decrypts its encrypted data with the wrong key, which gives the attacker no advantage. This is the reasoning that guided the developers of the technologies embedded in the latest processors.


However, the main idea and premise of this report is that a technology that uses unique encryption keys does not by itself guarantee that guest virtual machines are isolated from the hypervisor administrator. As an illustrative example, a new type of attack, “Blinded Random Block Corruption” (BRBC), will be demonstrated. In the same scenario with a unique encryption key per virtual machine, the attack allows the cloud provider to use the capabilities of a (trusted) hypervisor to log into the guest virtual machine (not to mention accessing the encrypted memory), which completely compromises the confidentiality of user data. In addition, we will demonstrate that even non-boolean values can be effectively attacked in order to escalate the privileges of processes running in protected virtual machines.


This again shows that memory encryption by itself is not a defense-in-depth mechanism against attackers with memory read/write capabilities. Greater security is achieved if the memory encryption mechanism includes an authentication mechanism.


Main track


In addition to the keynote presentations, the main track features reports from researchers from around the world. Meet them!


Speakers - Yegor Karbutov and Alexey Pertsev
Chat with a hacker
Description of the report
Online support chats are a very common feature of all kinds of services. But how much do you trust third-party solutions and products? We want to share our pentesting experience of how online chats can broaden the attack surface of a company, its employees, its customers and even the chat vendor itself. We will consider specific attacks for different platforms, from XSS to RCE, from the web to mobile and desktop applications. A minimum of rocket science: a light report with war stories, the real state of affairs and pentester tricks from the stash.
A place for those who want to take a break from binary topics and learn about real pentest cases.

Speaker - Alexey Tyurin
Another look at MitM HTTPS attacks

Description of the report
The goal of TLS / HTTPS is to protect against MitM attacks. We are used to looking at TLS / HTTPS attacks from a cryptographic perspective. But what if we take a look at the basic architectural decisions of TLS? For example, the fact that certificate authentication is possible only at the level of a single host or, more broadly, a group of hosts. And if we recall that TLS / HTTPS does not exist in a vacuum, and that modern systems are an interweaving of technologies and protocols and consist of many services, then by adding a little logic and a few tricks we will be able to conduct a successful MitM attack on HTTPS!

Speakers - Jasiel Spelman, Brian Gorenc and Abdul-Aziz Hariri
For the Common Good: Using the VMware RPC Interface for Fun and Benefit

Description of the report
Virtual machines play a crucial role in modern computing systems. They are often used to isolate multiple clients on the same physical server. Researchers and security experts use virtual machines to isolate potentially dangerous code and then examine and analyze it. It is assumed that potentially dangerous code running in a virtual machine cannot be executed anywhere else. However, this method is not completely reliable, since vulnerabilities in the hypervisor can open access to the entire system. This scenario was once regarded as purely hypothetical, but two independent demonstrations at Pwn2Own 2017 showed that it is possible. This report details the connections between nodes in VMware. In addition, the presentation describes the functionality of the RPC interface. We will discuss methods of automatically intercepting or analyzing RPC requests sent from the guest OS to the host. We will also demonstrate how to create tools in C++ and Python that send requests to the RPC interface for fuzzing. Finally, we will show how to exploit Use-After-Free vulnerabilities in VMware by walking step by step through a patched vulnerability.

Speaker - Matt Oh
Recent exploit trends, counteraction and detection tactics

Description of the report
When high-level attack mitigations are introduced into a system, attackers have to move away from traditional exploitation methods. The same happened with the release of Windows 10. Thanks to recent updates to attack prevention technologies such as Control Flow Guard (CFG), the traditional methods of executing code by overwriting a function pointer are simply outdated. As a result, there are three main trends in exploit development for Windows 10:

Hunt for read-write primitives to get a full view of memory.
Search for logical vulnerabilities and their exploitation.
Using social engineering to execute malicious code.

Speaker - Alex Matrosov
We betray the BIOS: what is wrong with the guardians of the BIOS

Description of the report
This presentation is intended as a wake-up call for hardware vendors, BIOS security researchers and security experts, as well as advanced stakeholders who want to know about current UEFI research and the threats detected. The situation is serious, but with the right tools and knowledge, we will prevail. In recent years, the security situation of UEFI firmware has become increasingly critical. On the one hand, the information security research community has become more active. On the other hand, more and more information about UEFI implants is appearing, such as the state-funded implants from HackingTeam. Most often this information becomes public through leaks, because there are no means of detecting UEFI implants and the implants themselves are used in targeted attacks.

The role of UEFI has grown significantly in recent years: the firmware is used in computers and laptops, smart devices, cars, drones, and so on. Fortunately, UEFI security is also improving in many ways. The level of security shown by modern suppliers of enterprise hardware has grown significantly. However, not all suppliers are the same. Unfortunately, some of them do not use modern hardware protection, for example, the protection bits provided by Intel many years ago for SMM and SPI (BLE, BWE, PRx). Since there is no active memory protection at the hardware level, the devices of these manufacturers become easy targets for attackers. In my talk at Black Hat Asia this year, I demonstrated these vulnerabilities by installing a persistent rootkit in SPI flash memory (on a computer with Microsoft Windows 10 and active Secure Boot).

However, hardware manufacturers such as Intel have introduced protection technologies such as Boot Guard (starting with Haswell) and BIOS Guard (starting with Skylake). When the platform boots, Boot Guard checks whether UEFI is on the list of trusted components of Secure Boot, and thus protects it from attacks using firmware. With BIOS Guard active, only protected modules can modify SPI flash memory, which protects against persistent implants. Both technologies run on a separate processor, known as the ACM (Authenticated Code Module), which isolates them from intruders and protects against race-condition attacks. Such security technologies are sometimes referred to as UEFI rootkit killers. There is no detailed public information about these technologies.

This presentation will talk about the specific possibilities of using them on hardware with the most advanced Intel processors, such as Skylake and Kaby Lake. Most of the available information was obtained from UEFI firmware modules using reverse engineering. These modules (DXE and PEI) can be started, configured and installed using the ACM code. In addition, in the report I will address the weaknesses of such protective technologies. What is wrong with the BIOS guardians? How difficult is it to bypass such protection and install a permanent rootkit from the operating system? You will get answers to these questions in the report.

Speaker - Ralf-Philipp Weinmann
ARM hardware tracing

Description of the report
Hardware tracing is a powerful means of obtaining system-wide coverage information in real time and with little overhead. The ARM CoreSight architecture includes the Embedded Trace Macrocell (ETM) technology, whose trace can be accessed via the JTAG interface, exported via the ETM port, or configured purely from software and stored in a ring buffer. In Linux 4.9 and higher, ETM-based tracing can be used without additional configuration, since ARM CoreSight is supported by the perf subsystem. On other operating systems, however, low-level programming is required. This report discusses the availability of ETM-based program execution tracing on ARMv7 and ARMv8 systems, and also explains how to set up program tracing yourself and use code coverage information to improve fuzzer efficiency.

Speaker - John Dunlap
Jumping over the fence: comparison of and possible improvements to existing jump-oriented programming tools

Description of the report
This report will demonstrate the tools created by the speaker for JOP (Jump-Oriented Programming) attacks. It will explain how to use a virtual machine to test the Jump device, and it will also demonstrate a tool that helps in exploit development by means of constraint satisfaction techniques.

Speakers - Tangxiang Li (Dragonltx) and Jiashui Wang (Quhe)
Remote code execution on smart devices!

Description of the report
The number of smart devices is growing every day, and this requires increased attention to their security. Hackers are most attracted to the remote attack surface. Zerodium updated its bug bounty program and added WeChat, Viber, FB Messenger and other programs to the list. For vulnerabilities that allow remote code execution in these applications, it is willing to pay up to $500,000.
In this report, we will examine the remote attack surface of Android applications and smartphones, as well as smart devices. Then we will take a closer look at a number of critical vulnerabilities that enable remote attacks, among them remote code execution, remote takeover of a smartphone, remote control of a smart device, and so on. We will be able to control the device through the open port vulnerability and even silently execute code through the pull protocol vulnerability.

Speaker - Stefan Gerling
Nightmare at the front door

Description of the report
We will talk in detail about electromechanical locks. You will learn how such locks work and how the technologies of different manufacturers differ. After the overview, we will take a closer look at how the locks operate. Then we will open one lock using an RFID transmitter and an artificially created medium. Wait a minute. That's too easy. Many have already done so. I will show you how to open locks without a valid RFID transmitter, and also tell you why this is possible and where to find the right tools. Listeners will learn where to find a good lock. We will show an example of a secure device and secure identification.

Speaker - Nguyen Anh Quynh
Creation of a modern feedback-based fuzzer based on binary files

Description of the report
Coverage-guided fuzzing is a new method that is widely used to detect software vulnerabilities and has already proven highly effective. Fuzzers of this kind work with instrumented binaries, so the fuzzer can use code coverage information collected at runtime to mutate the input data and maximize code coverage.

However, most coverage-guided fuzzers rely on source code instrumentation. Great efforts are being made to bring this method to the world of Windows, where a lot of very important software is available only in binary form. Unfortunately, all modern Windows solutions are limited in their ability to search for vulnerabilities effectively. Their disadvantages include poor performance or the need for a special processor and the latest version of the OS.

We will introduce Darko, a new fuzzer for real-world binaries with debug information. It has several undeniable advantages.

Tremendous speed: the performance test shows that our fuzzer works much faster than existing solutions.

Intelligence: Darko combines static analysis and taint analysis, which significantly expands coverage and also lets you find vulnerable code much faster.

Software only: neither the latest processor models nor the latest OS versions are needed to run the fuzzer. Thus, Darko can be deployed wherever appropriate, including inside a virtual machine.

Last but not least, our solution works on different platforms and architectures, not just on Windows. Darko supports all popular operating systems and processor architectures (Windows, Linux, macOS, *BSD, and so on, on X86, X86_64, ARM, ARM64, MIPS, PPC, Sparc).

In this report, we will talk a little about coverage-guided, feedback-based fuzzing and focus on the problems of the available solutions. Then we will describe how to build a feedback-based fuzzer that overcomes these problems. Finally, to show the effectiveness of Darko, a list of vulnerabilities registered in CVE will be presented. Some cool demonstrations also await you.

Speakers - Sergey Temnikov and Vladimir Dashchenko
"Silver Bullet" among vulnerabilities and backdoor. Hunting for more than 30 thousand suppliers using a small token

Description of the report
The report will describe the latest research by Kaspersky Lab's critical infrastructure protection team, covering various serious vulnerabilities in a popular token management tool. 15 vulnerabilities were found, including several remote code execution vulnerabilities, multiple DoS vulnerabilities, and one strange software logic feature that allows an attacker to manipulate configuration files and the proxy server for updates, intercept the system user's NTLM hash and perform other questionable actions. The vendor declined to call this an “undocumented function”, stating that these are common vulnerabilities. In this report, we would like to provide technical information about the vulnerabilities and strange functions of popular license tokens.

Speakers - Ido Naor and Amikhai Neiderman
Gasoline is too expensive! Let's make it free.

Description of the report
In this report we will go to the world of fleets and fuel metering. The story begins with the words: "There were two hackers who wanted to get free gasoline ...". Come to our performance to see how we use several exploits to remotely gain control of gas stations, as well as access to particularly important data and rights. It was very easy.

Speakers - Maxwell Koch and Keith Lee
2FA bypass and private key theft for two-factor authentication without social engineering. Introducing 2FAssassin.

Description of the report
The effectiveness of two-factor authentication depends on how well the user protects “what only he has”. What if there is a way to steal private keys without social engineering? In this report, two-factor authentication bypass techniques will be demonstrated. Using real-life examples, we will show how an attacker steals client certificates and private keys in order to authenticate on secure sites, and how far the consequences can reach. In addition, we will present our own tool (2FAssassin), which exploits vulnerabilities to cause private keys to leak and then uses them to compromise the whole network. At the end of the report, we will give recommendations on protecting private keys from theft, as well as advice for when the worst-case scenario has already occurred.

Speaker - Alexey Pertsev
DAO for penetration testers

Description of the report
We live in the middle of a cryptocurrency boom. There is a lot of noise around smart contracts, ICOs, DAOs and the future of the economy. It is still too early to say what all this will lead to. But it is definitely possible to consider how it looks through the eyes of an attacker and where he can direct his efforts for profit.

Speakers - Nikolay Kolintsev and Mikhail Saplt
Steal in 60 seconds

Description of the report
The talk covers the vulnerabilities of modern cars. In live mode, we will show:
interception of vehicle control via the CAN bus: connecting to the bus, the basic data transfer protocol, command spoofing, imitation of control units, control unit operating modes;
getting access to the car via the CAN bus, influencing control units, deceiving the factory immobilizer;
influencing control units via the LIN bus: connecting to the bus, the basic data transfer protocol, forgery of control unit requests and responses;
access to the CAN and LIN buses through GSM alarm systems, the use of alarm systems as hardware implants, the use of alarm system vulnerabilities to attack a car;
access to the CAN and LIN buses through ERA-GLONASS devices, the use of accident emergency response systems as hardware implants, the use of their vulnerabilities to attack a car;
access to the CAN and LIN buses through factory multimedia systems using a Bluetooth-connected mobile phone, obtaining remote access to the mobile device itself, reconfiguring multimedia systems to work as hardware implants managed via a connected Bluetooth phone;
access to the CAN and LIN buses through a factory multimedia system equipped with GSM and WiFi, external connection to the car's wireless systems and the use of the multimedia system as a hardware implant for attacking a car;
interception of key information from the MOST optical bus, eavesdropping on the cabin, obtaining coordinates and tracking the car and its driver;
imitation of hardware implants in real control units; reflashing real control units with malware so that the control unit operates as a software implant.
The implementation of some of these threats will also be demonstrated on a real car (car theft, setting off the airbags).

Speaker - James Lee
Games with zero-day vulnerabilities in ActiveX controls for IE11

Description of the report
ActiveX technology allows you to embed external objects. It has been part of Internet Explorer almost since the birth of the browser. We will look at this technology and analyze how I discovered a vulnerability in the course of my work.

Speaker - Lucas Apa
Breaking Robots to Skynet

Description of the report
Robots are becoming mainstream. In the near future they will be everywhere: on military missions, in operating rooms, on the construction of skyscrapers, in stores, hospitals and commercial companies, in bed, at the stove and at family evenings.
The robot ecosystem is growing and is increasingly changing the lives of people, society and the economy. At the same time, robots can pose a serious threat to people, animals and organizations if they are built on insecure technology. If an attacker exploits a vulnerability in a robot, its physical capabilities can be used to damage property or company finances, or to create situations that threaten people's lives. Robots are, in fact, computers with arms, legs and wheels, so the potential threats to their environment increase exponentially, and this threat vector has not been considered in detail in computer security before.
In a recent study, we discovered several critical vulnerabilities in household and industrial collaborative robots from reputable manufacturers. We passed all the findings to the developers, and now it is time to reveal the technical details, the threats and the ways of compromising the various components of the robot ecosystem with practical exploits. In live demonstrations, we will show different exploitation scenarios involving cyber espionage, dangerous insider threats, damage to property and much more.
Using realistic scenarios, we will describe how modern robot technologies are unsafe and why hacked robots are more dangerous than other vulnerable technologies. Our goal is to make robots safer and prevent exploitation of vulnerabilities that can cause serious damage to companies, customers and what is around.

Speaker - Nicolas Alejandro Economou
Using GDI to run malicious code in ring0 primitives: Reboot

Description of the report
The evolution of modern Windows kernel exploitation techniques forces vendors to make tremendous efforts to protect their software against exploits, including the use of sandboxes in Chrome, Edge, Firefox, and the latest versions of Office.
At the same time, Microsoft has strengthened its attempts to protect the Windows kernel and, in particular, the Windows 10 kernel, by adding important protections against exploits to each new version (most fully in the Anniversary and Creators Update). In 2015, as a result of a well-known incident with the Hacking Team, there was a leak of kernel exploits with new techniques for using GDI objects, which are described in detail in the first report “Using GDI to run malicious code in ring0 primitives”.
With the advent of Windows 10 Anniversary Update (RS1), some of this technology has been neutralized. A year later, in the second version of the same report, new techniques were introduced for the use of GDI objects. In April of this year, with the release of Windows 10 Creators Update (RS2), another part of this technology was neutralized. Despite Microsoft's attempts to eliminate the vulnerability, the latest techniques for using GDI objects remain as effective as in previous versions before Anniversary Update (RS1).
In the new presentation I will talk about a reliable way to run the code in Windows 10 Fall Creators Update using these techniques. At the end I will demonstrate how to get out of the Microsoft Edge sandbox using the techniques described.

Speaker - James Forshaw
Using access tokens to bypass the UAC system

Description of the report
(UAC), , Admin-Approval, , Windows Vista. UAC , . , UAC - , Microsoft , . , , , . , Microsoft Windows 10 . , , Over-The-Shoulder Windows 10.

Fast Track


Fast Track, 15 , , .




, , . , , . (CVSS 10) TrendMicro DDEI ( 7 2017 ), .

Meterpreter DNS-

DEF CON RUSSIA (DC#7812) Meterpreter. Meterpreter DNS-. ( ) . ( ).

callback-

callback-.

Heartbleed: MITM

, - ? , Heartbleed. : , , . , MITM. , . ; , ; , , «».


, , . . , . hashcat «» .

React

React — javascript- UI. , React-. React HTML-injection, “” XSS-. “CSS injection” CSS-in-JS .

CSRF-

Cross-Site Request Forgery (CSRF) «» AppSec. -, - CSRF. / -, , , CSRF. , CSRF- . CSRF . Burp'a, .



, — . , . , , . . , USB . , Teensy Digispark.

Defensive Track


Defensive Track , . .


secure by design -


, secure-by-design .


Compressed signature and Public key recovery with GOST R 34.10-2012


. Manual


SDL

aka Secure development lifecycle (SDL) . , , agile'a, . , , bottleneck. , SDL, , . , , .

Securing clouds in GCP

2016 Spotify Google Cloud Platform. :
~ 1300 Projects
~ 5000 GCS Buckets
~ 14000 Compute instances
~ 200 CloudSQL instances
~ 6400 Google Groups
~ 1000 AppEngine instances
, , , . Spotify Google Forseti, , . Forseti, , .



« »: do not roll your own crypto. , . - , . , , , , .

Windows


Angine ABAC Framework

(ABAC), , (). ABAC, XACML .
DSL ALFAScript, ALFA. ALFAScript Lua, XML- (Java, Python, Scala ..), ABAC. ( XACML), Lua (runtime) . Lua- .
, , , , , , . ALFAScript Lua . HTTP MySQL.

Hunting for Credentials Dumping in Windows Environment

, «Credentials Dumping». , . – mimikatz/pwdump/wce .., lsass, , “raw”- .
Windows , Windows, , Sysmon.

-7. , ,

-7.

- Burp Suite

-. . , Burp Suite - . , c -. . , , .

OpenSource Sandbox

Open Source . , Open Source IOC — , .

Content Security Policy «»

, XSS- , , «». Content Security Policy , . CSP «» . .

Workshops


ZN -, .


Workshop: DDoS-

Workshop'
- « » (DDoS-) .

OSI , . - : (DNS, NTP, SSDP), (SYN flood), Sloworis .

, , . , . . Linux, .

Workshop: . ( )

Workshop'

Web Village


This year, the Web Village platform will work at the conference for two whole days. Here you can learn about modern attacks on web applications, try yourself as an attacker, find out how the modern web works, participate in contests and much more!


The first day will be completely devoted to attacks on clients of web applications (Client-side). Well-known community lecturers will talk about how to exploit vulnerabilities in modern browsers, perform actions on behalf of the victim, and prove that opening links from strangers is a bad idea.


| Theme | Speakers |
| --- | --- |
| Introduction to the client-side | Anton "Bo0oM" Lopanitsyn |
| CRLF + OpenRedirect | Yegor "Shikari" Karbutov |
| CSRF / CORS / WS / PostMessage | Sergey "BeLove" Belov, Ivan "igc_iv" Chalykin |
| XSS. CSTI | Yegor "Shikari" Karbutov |
| XSS. Filter bypass and protection | Igor "Psych0tr1a" Sak-Sakovsky, Anton "Bo0oM" Lopanitsyn |
| XSS. Exploitation. JS for hackers | Dmitry "Azrael25" Moulyavka |
| The dark side of browser extensions | Andrey "L1kvID" Kovalev |

On the second day, attacks on the server side (Server-side) will be presented. Listeners will be able to understand the nature of server vulnerabilities and learn to find and exploit most of them: from typical web server configuration errors to executing arbitrary operating system commands.


| Theme | Speakers |
| --- | --- |
| SQL Injection | Michael "Cyberpunkych" Firstov |
| SSRF | Denis "thefaeriedragon" Rybin |
| ffmpeg | Nikolai "yngwie" Ermishkin |
| XXE | Yaroslav "yarbabin" Babin |
| Deserialization vulns | Alexey "GreenDog" Tyurin |
| Logic vulns | Omar "Beched" Ganiev |
| Bugbounty and all-all-all | Anton "Bo0oM" Lopanitsyn, Sergey "BeLove" Belov |

All topics will be explained with simple examples, so even if you have no experience with the web, it won't hurt to dive into the world of web vulnerabilities!


Web Village is a place to talk about the web, bugbounty, cool finds and funny situations.


We are waiting for everyone in a week, 16 - 17 November 2017 in ZIL KC, Moscow!

Source: https://habr.com/ru/post/341952/

