The modern Windows Operating System carries with it an incredible amount of legacy code. The Component Object Model (COM) has left a lasting impact on Windows. This technology is far from dead, as it continues to be the foundation for many aspects of the Windows Operating System. You can find hundreds of COM classes defined by CLSID (COM Class Identifiers). Do you know what they do? This talk seeks to expose tactics long forgotten by the modern defender. We seek to bring to light artifacts in the Windows OS that can be used for persistence, lateral movement and privilege escalation.
Operating System Security
Transforming Open Source to Open Access in Closed Applications: Finding Vulnerabilities in Adobe Reader’s XSLT Engine
By Abdul-Aziz Hariri, Vulnerability Analyst at Zero Day Initiative (USA); Jasiel Spelman, Vulnerability Analyst at Zero Day Initiative (USA); Brian Gorenc, Senior Manager of Vulnerability Research at Trend Micro (USA)
11:15 - 12:00
The inclusion of open-source components into large, closed-sourced applications has become a common practice in modern software. Vendors obviously benefit from this approach as it allows them to quickly add functionality for their users without the need to invest costly engineering effort. However, leveraging open source for a quick functionality boost comes with security side effects that might not be understood by the vendor until it is too late. In those cases, misunderstood or poorly implemented open source allows attackers to bypass security mechanisms that may exist elsewhere in the proprietary system.
This talk provides insight into these side effects through an examination of Adobe Reader's XSLT (Extensible Stylesheet Language Transformations) engine, which is based on the now abandoned open-source project called Sablotron, an XML processor fully implemented in C++. We focus on techniques for auditing the source code of Sablotron in order to find corresponding bugs in Adobe Reader. We also present a new source-to-binary matching technique to help you pinpoint the vulnerable conditions within Sablotron that also reside in the assembly of Reader. Real-world application of these techniques will be demonstrated through a series of code execution vulnerabilities discovered in Adobe Reader's codebase. Finally, we'll highlight the trends in vulnerabilities discovered in Adobe Reader's XSLT engine over the last year.
This state-of-the-art research talk presents as many ways as possible to attack the RSA algorithm (both the encryption and signature cryptosystems), some of them very new (discovered or implemented in the last few years). We will also show live computing demos with simple tools.
Protecting users' privacy in virtualized cloud environments is an increasing concern for both users and providers. A hypervisor provides a hosting facility administrator with the capability to read the memory space of any guest VM. Therefore, nothing really prevents such an administrator from abusing this capability to access users' data. This threat is not prevented even if the whole memory is encrypted with a single (secret) key. Guest VMs can be isolated from the administrator if each guest VM has its memory space encrypted with a unique per-VM key. Here, while the hypervisor's memory access capabilities remain unchanged, reading a VM's memory decrypts the VM's encrypted data with the wrong key and therefore gives no advantage to the attacker. This is indeed the motivation behind some newly proposed technologies that are planned for future processors.
However, this presentation argues that the privacy claim of any technology that uses different encryption keys to isolate hypervisor administrators from guest VMs cannot be guaranteed. To show this, we explain and demonstrate a new instantiation of a "Blinded Random Corruption Attack". Under the same scenario assumptions that the per-VM keying method addresses, our attack allows the cloud provider administrator to use the capabilities of a (trusted) hypervisor in order to log in to a guest VM. This completely compromises the user's data privacy.
This shows, once again, that memory encryption by itself is not necessarily a defense-in-depth mechanism against attackers with memory read/write capabilities. A better guarantee is achieved if the memory encryption includes some authentication mechanism.
LLVM is a compiler infrastructure project that is widely used by numerous important software development groups, such as Apple. It was developed to be modular and to have a clean intermediate representation (IR) in order to be an ideal framework for supporting multiple higher-level languages and architectures, as well as fertile soil for compiler research. This design also makes it a good place for building application security research tools, program analysis for security tools, and application protection code transformations. These range from static analysis of code to injection of dynamic analysis hooks, and from the injection of runtime protections to the symbolic execution of code in order to perform model checking. The examples given are non-trivial areas of research, and having a common development base, such as LLVM, can help to bridge the gap between researchers.
The end goal of this talk is for audience members/research colleagues to have a better understanding of the existing LLVM-based security tools and research, and to have the means to contribute to such projects and/or research and develop their own such utilities. The talk will first introduce the LLVM project and the features that make it a powerful and popular framework. Following this will be a brief survey highlighting existing security-related projects and quick hacks that are LLVM based. These motivate the introduction to developing such code; we use code to explain how passes are used and act on IR. We go through the basics by developing a handful of passes that serve a variety of purposes, from read-only call flow analysis to the injection of code. These will be followed by walking through a very naive data exfiltration analysis tool. Lastly, the talk will briefly touch on useful tips for using LLVM and some possible ideas for research and development.
The Blackbox of DPAPI: the gift that keeps on giving
Windows Data Protection API (DPAPI) has been around since Windows 2000 and, while widely used by developers due to its simplicity and the "blackbox" concept, it's not so well known among the DFIR community. Outlook, Internet Explorer, EFS, Skype... and the list goes on: many everyday applications and Windows components rely on DPAPI for keeping user secrets safe. However, are they really that safe? This session provides an introduction to DPAPI from a DFIR practitioner's perspective, though red-teamers will also find it interesting. It takes the audience through 3 real-world examples of problems faced on Incident Response engagements, gradually building up knowledge as the stories unravel. At the end you will know how to decrypt DPAPI secrets offline and what DPAPI has in common with staging exfil, a mysterious malware payload and RDP replay.
Operating System Security
Practical attacks against Digital Wallet
By Loic Falletta Principal Security Consultant at Yinkozi (France)
17:15 - 18:00
Digital wallets are used to purchase an item online or send funds to friends or family. Depending on the type of digital wallet used, the information stored might include debit, credit, prepaid or loyalty card data. Security research is focused on Android Pay, Apple Pay, and Samsung solutions. However, mobile banking/payment applications are using their own mobile payment platforms. What can go wrong?
The talk will go from assessing highly secure mobile applications (secure container, Secure Enclave usage, when the security tools fail) to the card agent (HCE payment, APDU analysis). I am also going to introduce a way to bypass the in-app fingerprint authentication on some configurations, called the “Evil partner attack”.
April 27, 2017
By Wim Remes Chairman of the (ISC)2 Board of Directors (Belgium)
09:30 - 10:15
Agentless Post Exploitation on Device Guarded Systems
Device Guard is a defensive technology introduced with the release of Windows 10 and Server 2016. Device Guard allows you to create code integrity policies explicitly defining which applications, publishers, etc. should be considered trusted, and blacklists anything not specifically allowed. Additionally, Device Guard auto-enrolls PowerShell to run in Constrained Language mode. When maintained, Device Guard can raise the bar for attackers seeking to effectively control and utilize compromised protected systems.
Rather than looking into a Device Guard bypass, I wanted to look into a way to live off the land. WMImplant is a PowerShell-based tool which provides agentless post-exploitation capabilities and was developed exclusively against Device Guard protected systems. I wanted to create the full functionality of a RAT that worked within the constraints of Device Guard: everything from remotely executing PowerShell scripts and receiving output, to file transfers, code execution, and more. This talk will cover the constraints put in place by a Device Guard protected system, and will showcase how WMImplant is able to effectively operate on protected systems and offer meaningful post-exploitation capabilities.
Supply chain attacks are a gold standard of exploitation. Evil coming through the same channels as legitimate software is rarely in a target's threat model since it is nearly impossible to defend against. But supply chain attacks are often assumed to be expensive, time-consuming, and personally risky; exclusively the domain of intelligence services or well-funded criminal groups. This talk will show how anyone can launch similar software supply chain attacks that are effective against a global audience, and do so in ways that are nearly impossible to trace. It will examine numerous popular software distribution methods and show how most of them have readily exploitable weaknesses.
For the popular software repositories, this talk will demonstrate how easy it is to upload unverified malicious code, and how it will be executed on countless systems with just a single errant keystroke, or even no mistake at all. This presentation will show how comprehensive public information also enables us to identify and target individuals trusted by enormous user bases, and to automate credential theft and infection of widely trusted software at source, at publication, at distribution, and at the end user. Finally, this talk will show the results when many of these actions were performed in the wild with proof-of-concept, non-malicious packages created to test and validate these infection vectors.
Elena will talk about her research experience in the information security of industrial SCADA systems, demonstrating the full process of a typical research project: hacking and controlling wireless sensors with SDR and GNU Radio. She will also talk about common defense vectors in wireless SCADA systems.
You wanted to explore the deep corners of your system but didn't know how? System boot firmware, ROMs on expansion cards, I/O devices and their firmware, microprocessors, embedded controllers, memory devices, low-level hardware interfaces, virtualization and hypervisors. You could discover whether any of these have known vulnerabilities or are configured insecurely, or even discover new vulnerabilities and develop proof-of-concept exploits to test them. Ultimately, you can verify the security state of your system's platform components and how effective the platform security defenses are: hardware- or virtualization-based TEE, secure or trusted boot, firmware anti-tampering mechanisms, hypervisor-based isolation... Or maybe you just want to explore the hardware and firmware components your system has.
The CHIPSEC framework can help you with all of that. Since its release three years ago at CanSecWest 2014, significant improvements have been made in the framework, from making it easy to install and use to adding lots of new security capabilities. We'll go over certain representative examples of what you can do with it, such as finding vulnerabilities in SMM firmware, analyzing UEFI firmware vulnerabilities, testing the hardware security mechanisms of hypervisors, finding backdoors in UEFI images and more.
From mimikatz to kekeo, passing by new Microsoft security technologies
In recent years, Microsoft has multiplied its efforts to slow down some mimikatz behaviors... the most popular, and in some ways the most dangerous. During this presentation, we will look back at Microsoft's methods to prevent credential theft, either in terms of fast/dirty patches or changes in infrastructure. Of course, with the equivalent of their bypasses, or alternative methods.
With the increase of detections and new security technologies in Windows, attack methods to elevate privileges have evolved. New teams are using methods that cannot be "corrected"... they are now closer to protocols, near official methods, and standards offered by Windows. We will take a look at the latest features of mimikatz, but also of its turbulent, Kerberos-oriented little brother, kekeo... All of this with a very particular focus on PKINIT Mustiness and Windows 2016; you will no longer look at your credentials and smartcards/tokens in the same way.
KIWI ADVISORY: Explicit credentials; first rows can see cleartext credentials.
In an ever-connected world, people all around the globe are freely surrendering their personal information and privacy to the social media giants with unprecedented trust. We are quick not only to share our biographies and interests with complete strangers through these social media platforms, but in the process have also managed to redefine the traditional definition of a friend. Our blind trust in social media platforms to protect our information has allowed us to forgo the age-old warning of “stranger danger” in our search for fame and popularity, in meeting new people, or in the never-ending quest of finding true love.
But what happens when this information falls in the hands of the wrong people? What if the social media platforms have not done as good of a job as they claim in protecting our personal information? In protecting us from criminals, stalkers, and others that mean to cause us harm?
In this presentation, we identify some flaws in one of the most popular social media platforms used globally today and demonstrate how an attacker can not only retrieve information about its users, but also track their location and movements around the globe. We also demonstrate, through an experimental study, how to extract information from people unknowingly and, in the process, identify users that tend to use the platform for committing fraudulent acts like misappropriation, prostitution, and pedophilia.
But not everything has to end on a negative note. We conclude by demonstrating how law enforcement could possibly use this same data to their advantage to find criminals that may be active on the platform.