Speakers - Alexandre Gazet, Fabien Périgaud and Joffrey Czarny
Turning your BMC into a revolving door
Description of the report: Late installation of patches for BMCs and the lack of monitoring of their operation almost always erode the security of complex network infrastructures and data centers. A study of HPE iLO systems (iLO 4 and iLO 5) revealed a number of vulnerabilities; exploitation of one of them allows complete compromise of the iLO chip together with the host system itself. From the report you will learn how successful exploitation of the discovered vulnerabilities can turn the iLO BMC into a "revolving door" between the administrative and production networks.
Speakers - Junyou Zhou, Wenshu Wu and Jiantao Li
Who owned your code: Attack surfaces against Git web servers used by thousands of developers
Description of the report: The speakers will explain how in 2018 they carried out several successful remote attacks against popular Git web servers, including GitLab, GitHub Enterprise, Gogs and Gitea. They will explain how the technique they used works, present the discovered zero-day vulnerabilities and an entirely new attack surface of Git web servers, as well as two attack chains against Gogs leading to RCE.
Speaker - Denis Selyanin
Researching Marvell Avastar Wi-Fi: from zero knowledge to over-the-air zero-touch RCE
Description of the report: Vulnerabilities in Broadcom BCM43xx Wi-Fi chipsets were widely discussed last year. By exploiting vulnerabilities in the firmware of these chips, researchers were able to develop exploits that gain access to the device without any user interaction. No matter how well protected the device's OS is, there is a separate chip in the system that parses Wi-Fi frames and has no exploit-mitigation mechanisms of its own. This presentation will look at the design and exploitation of Wi-Fi vulnerabilities in Marvell Avastar chips, the possible attack surface of these devices and some algorithms of the ThreadX real-time operating system on which the firmware of these devices is built, as well as techniques that make analyzing such devices easier.
Speaker - Joxean Koret
Diffing C source codes to binaries
Description of the report: Often during the course of a project, a reverse engineer has to import symbols from publicly available or leaked code bases into IDA databases. The most obvious solution that comes to mind in such situations is to compile the source into a binary, diff it against the target and import the matches. As a rule, however, the task is complicated by compiler optimizations, the set of flags used and other technical issues. The problem may become intractable, since newer versions of the compiler are unable to correctly handle source code that is available only as separate fragments. In this report we will discuss algorithms for importing symbols "directly" from C source code into the IDA database and present a tool (which will most likely work in conjunction with Diaphora) that makes this possible.
Speakers - Ilya Nesterov and Sergey Shekyan
Unveiling the cloak:
Description of the report: A report on the amazing world of cloaking and how this technology has evolved from a simple IP-filtering technique into a comprehensive platform for fraud and bot detection. Web cloaking is used to disguise pornographic or propaganda content, cryptocurrency schemes, and websites that distribute malicious software. Listeners will learn about the market's demand for ways to prevent bypasses, for controlling the complexity level of cloaking, and for getting rid of web cloaking once and for all. We will also discuss what web cloaking has in common with modern fraud methods and automated detection systems, existing methodologies for minimizing the effects of web cloaking, and new protection mechanisms.
Speakers - Jianing Wang and Junyu Zhou
NTLM Relay Reloaded: Attack methods you don't know
Description of the report: Many years have passed since the NTLM authentication protocol was introduced in Windows. During that time NTLM relay attacks have gained immense popularity among attackers, and Microsoft has released many patches to counter them. The speakers will talk about two new attack vectors. The first involves theft of the NTLM hash from Chrome (previously such attacks applied only to IE/Edge); when browser-related services are compromised, the attacker can remotely execute code without any user interaction. The second bypasses the MS08-068 patch and achieves remote code execution by relaying the Net-NTLM hash back to the machine itself. A tool to automate such attacks will also be presented during the report.
Source: https://habr.com/ru/post/426573/