Posts Tagged ‘Cybersecurity’
[DefCon32] DEF CON 32: Using ALPC Security Features to Compromise RPC Services
WanJunJie Zhang and Yisheng He, security researchers from Huorong Network Security, delivered a compelling presentation at DEF CON 32 on exploiting Windows Advanced Local Procedure Call (ALPC) security mechanisms to compromise Remote Procedure Call (RPC) services. Their research uncovered a subtle flaw in ALPC’s security checks, enabling unauthorized users to escalate to system privileges. WanJunJie and Yisheng’s detailed analysis of ALPC and RPC internals, combined with their innovative exploitation techniques, provided a fresh perspective on Windows kernel vulnerabilities.
Understanding ALPC and RPC Mechanics
WanJunJie opened by demystifying ALPC, a Windows kernel mechanism for inter-process communication, and its integration with RPC services. He explained the marshal/unmarshal processes, previously underexplored, which handle data exchange between processes. Their research at Huorong Network Security identified how ALPC’s security measures, designed to validate data and context, could be subverted. By analyzing historical ALPC and RPC bugs, such as time-of-check-time-of-use (TOCTOU) issues, WanJunJie set the stage for their discovery of a novel vulnerability.
Exploiting the Security Flaw
Yisheng detailed the critical flaw they uncovered in ALPC’s security mechanism, which they dubbed “defeating magic by magic.” This vulnerability allowed them to bypass strict kernel checks, achieving system-level privilege escalation. By manipulating ALPC syscalls in the Windows kernel (ntoskrnl), they crafted an exploit that leveraged a small oversight in the security validation process. Yisheng’s demonstration highlighted multiple exploitation paths, showcasing the versatility of their approach in targeting RPC services.
Lessons from Bug Hunting
The duo shared their bug hunting philosophy, emphasizing the importance of distrusting vendor patches, which may fail to fully address vulnerabilities. WanJunJie advocated for creative and critical analysis during patch reviews, noting that side effects from patches can introduce new flaws. Their experience, drawn from Huorong’s rigorous testing, underscored the need for patience and persistence in uncovering kernel-level bugs. They also highlighted the potential for automation in extracting RPC interface information to streamline future exploit development.
Enhancing Windows Security
Concluding, Yisheng offered insights into fortifying ALPC and RPC security, urging Microsoft to refine validation mechanisms and reduce reliance on backward compatibility. They encouraged the DEF CON community to explore RPC’s specialized features for new attack surfaces and share innovative ideas. Their references to prior works, such as Clement Rouault’s Hack.lu 2017 talk, provide a foundation for further research, inspiring attendees to probe Windows kernel vulnerabilities with renewed vigor.
Links:
[DefCon32] DEF CON 32: Exploiting the Unexploitable: Insights from the Kibana Bug Bounty
Mikhail Shcherbakov, a PhD candidate at KTH Royal Institute of Technology in Stockholm, captivated the DEF CON 32 audience with his deep dive into exploiting seemingly unexploitable vulnerabilities in modern JavaScript and TypeScript applications. Drawing from his participation in the Kibana Bug Bounty Program, Mikhail shared case studies that reveal how persistence and creative exploitation can transform low-impact vulnerabilities into critical remote code execution (RCE) chains. His presentation, rooted in his research on code reuse attacks, offered actionable techniques for security researchers and robust mitigation strategies for defenders.
Navigating the Kibana Bug Bounty
Mikhail began by outlining his journey in the Kibana Bug Bounty Program, where he encountered vulnerabilities initially deemed “by design” or unexploitable by triage teams. His work at KTH, focusing on static and dynamic program analysis, equipped him to challenge these assumptions. Mikhail explained how he identified prototype pollution vulnerabilities in Kibana, a popular data visualization platform, that could crash applications in seconds. By combining these with novel exploitation primitives, he achieved RCE, demonstrating the hidden potential of overlooked flaws.
Unlocking Prototype Pollution Exploits
Delving into technical specifics, Mikhail detailed his approach to exploiting prototype pollution, a common JavaScript vulnerability. He showcased how merge functions in popular libraries like Lodash could be manipulated to pollute object prototypes, enabling attackers to inject malicious properties. Mikhail’s innovative chain involved polluting a runner object and triggering a backup handler, resulting in RCE. He emphasized that even fixed prototype pollution cases could be combined with unfixed ones across unrelated application features, amplifying their impact and bypassing conventional defenses.
Advanced Exploitation Techniques
Mikhail introduced new primitives and gadgets that elevate prototype pollution beyond denial-of-service (DoS) attacks. He demonstrated how carefully crafted payloads could exploit Kibana’s internal structures, leveraging tools like Node.js and Deno to execute arbitrary code. His research also touched on network-based attacks, such as ARP spoofing in Kubernetes environments, highlighting the complexity of securing modern applications. Mikhail’s findings, documented in papers like “Silence Print” and “Dust,” provide a roadmap for researchers to uncover similar vulnerabilities in other JavaScript ecosystems.
Mitigating and Defending Against RCE
Concluding, Mikhail offered practical recommendations for mitigating these threats, urging developers to adopt secure coding practices and validate inputs rigorously. He encouraged researchers to persist in exploring seemingly unexploitable bugs, sharing resources like his collection of server-side prototype pollution gadgets. His work, accessible via his blog posts and Twitter updates, inspires the cybersecurity community to push boundaries in vulnerability research while equipping defenders with tools to fortify JavaScript applications against sophisticated attacks.
Links:
[DefCon32] Defeating EDR-Evading Malware with Memory Forensics
Andrew Case, a core developer on the Volatility memory analysis project and Director of Research at V-Soft Consulting, joined colleagues Sellers and Richard to present a groundbreaking session at DEF CON 32. Their talk focused on new memory forensics techniques to detect malware that evades Endpoint Detection and Response (EDR) systems. Andrew and his team developed plugins for Volatility 3, addressing sophisticated bypass techniques like direct system calls and malicious exception handlers. Their work, culminating in a comprehensive white paper, offers practical solutions for countering advanced malware threats.
The Arms Race with EDR Systems
Andrew opened by outlining the growing prominence of EDR systems, which perform deep system inspections to detect malware beyond traditional antivirus capabilities. However, malware developers have responded with advanced evasion techniques, such as code injection and manipulation of debug registers, fueling an ongoing arms race. Andrew’s research at V-Soft Consulting focuses on analyzing these techniques during incident response, revealing how attackers exploit low-level hardware and software components to bypass EDR protections, as seen in high-profile ransomware attacks.
New Memory Forensics Techniques
Delving into their research, Andrew detailed the development of Volatility 3 plugins to detect EDR bypasses. These plugins target techniques like direct and indirect system calls, module overwriting, and abuse of exception handlers. By enumerating handlers and applying static disassembly, their tools identify malicious processes generically, even when attackers tamper with functions like AMSI’s scan buffer. Andrew highlighted a specific plugin, Patchus AMSI, which catches both vector exception handlers and debug register abuses, ensuring EDRs cannot be fooled by malicious PowerShell or macros.
Practical Applications and Detection
The team’s plugins enable real-time detection of EDR-evading malware, providing defenders with actionable insights. Andrew demonstrated how their tools identify suspicious behaviors, such as breakpoints set on critical functions, allowing malicious code to execute undetected. He emphasized the importance of their 19-page white paper, available on the DEF CON website, which documents every known EDR bypass technique in userland. This resource, combined with the open-source plugins, empowers security professionals to strengthen their defenses against sophisticated threats.
Empowering the Cybersecurity Community
Concluding, Andrew encouraged attendees to explore the released plugins and white paper, which include 40 references for in-depth understanding. He stressed the collaborative nature of their work, inviting feedback to refine the Volatility framework. By sharing these tools, Andrew and his team aim to equip defenders with the means to counter evolving malware, ensuring EDR systems remain effective. Their session underscored the critical role of memory forensics in staying ahead of attackers in the cybersecurity landscape.
Links:
[DefCon32] Digital Emblems—When Markings Are Required, but You Have No Rattle-Can
Bill Woodcock, a seasoned contributor to the Internet Engineering Task Force (IETF), presented an insightful session at DEF CON 32 on the development of digital emblems. These digital markers aim to replace or supplement physical markings required under international law, such as those on ISO containers, press vests, or humanitarian symbols like UN blue helmets. Bill’s work, conducted within the IETF, leverages protocols like DNS and DNSSEC to create a global, cryptographically secure marking system. His talk explored the technical and security implications of this standardization effort, inviting feedback from the DEF CON community on potential vulnerabilities.
The Need for Digital Emblems
Bill introduced the concept of digital emblems, explaining their necessity in an increasingly digitized world. Physical markings, such as serial numbers on shipping containers or symbols on humanitarian vehicles, are critical for compliance with international regulations. However, as processes like border transport and battlefield protections become digitized, these markings must transition to machine-readable formats. Bill outlined how the IETF’s proposed standard aims to create a unified protocol for digital emblems, ensuring they are scannable, cryptographically verifiable, and adaptable to various use cases, from logistics to military operations.
Technical Foundations and Challenges
Delving into the technical details, Bill described how the digital emblem system builds on existing protocols like DNS and DNSSEC, enabling robust validation without constant network connectivity. He highlighted the ability to embed significant data in devices like RFID tags, allowing offline validation through cached root signatures. However, Bill acknowledged challenges, particularly in ensuring the security of these emblems against adversarial tampering. He noted that military use cases, where covert validation is critical, pose unique risks, as adversaries could mislabel objects to deceive validators, necessitating strong cryptographic protections.
Security and Privacy Considerations
Bill addressed the security and privacy concerns raised by digital emblems, particularly in adversarial scenarios. He explained that the system allows for covert inspection, enabling validators to check emblems without alerting potential attackers. However, he cautioned that physical binding remains a weak point, as malicious actors could exploit mislabeled objects in conflict zones. Bill invited the DEF CON audience to scrutinize the proposed standard for vulnerabilities, emphasizing the importance of community input to harden the system against attacks, especially in high-stakes military and humanitarian contexts.
Shaping the Future of Digital Standards
Concluding, Bill underscored the potential of digital emblems to streamline global processes while enhancing security. He encouraged the DEF CON community to engage with the IETF’s ongoing work, accessible via the provided URLs, to contribute to refining the standard. By addressing vulnerabilities and ensuring robust cryptographic validation, Bill envisions a future where digital emblems enhance trust and compliance across borders and battlefields. His call to action resonated with the audience, inviting hackers to play a pivotal role in shaping this emerging technology.
Links:
[DefCon32] Changing Global Threat Landscape
Rob Joyce, a distinguished former National Security Agency (NSA) official, joined Jeff Moss, known as The Dark Tangent and founder of DEF CON, for a riveting fireside chat at DEF CON 32. Their discussion delved into the dynamic evolution of global cyber threats, with a particular focus on the transformative role of artificial intelligence (AI) in reshaping cybersecurity. Rob, recently retired after 34 years at the NSA, brought a wealth of experience from roles such as Cybersecurity Coordinator at the White House and head of the NSA’s Tailored Access Operations. Jeff facilitated a conversation that explored how AI is redefining defense strategies and the broader implications for global security, offering insights into the challenges and opportunities ahead.
The Evolution of Cyber Threats
Rob began by reflecting on his extensive career at the NSA, where he witnessed the transformation of cyber threats from isolated incidents to sophisticated, state-sponsored campaigns. He highlighted how adversaries now leverage AI to enhance attack vectors, such as spear-phishing and polymorphic malware, which adapt dynamically to evade detection. Rob emphasized that the scale and speed of these threats demand a shift from reactive to proactive defenses, underscoring the importance of understanding adversaries’ intentions through signals intelligence. His experience during the Iraq War as an issue manager provided a unique perspective on the strategic use of cyber intelligence to counter evolving threats.
AI’s Dual Role in Cybersecurity
The conversation pivoted to AI’s dual nature as both a tool for attackers and defenders. Rob explained how AI enables rapid analysis of vast datasets, allowing defenders to identify patterns and anomalies that would be impossible for human analysts alone. However, he cautioned that adversaries exploit similar capabilities to craft advanced persistent threats (APTs) and automate large-scale attacks. Jeff probed the balance between automation and human oversight, to which Rob responded that AI-driven tools, like those developed by the NSA, are critical for scaling defenses, particularly for protecting critical infrastructure. The integration of AI, he noted, is essential to keep pace with the growing complexity of cyber threats.
Strengthening Defenses Through Collaboration
Rob stressed the importance of bipartisan support for cybersecurity, noting that stopping foreign adversaries is a shared goal across administrations. He highlighted the role of the Office of the National Cyber Director (ONCD) in convening agencies to synchronize efforts, citing examples where ground-up collaboration among agencies has led to effective threat mitigation. Jeff asked about the resource gap, and Rob acknowledged that the scope of threats often outpaces available resources. He advocated for widespread adoption of two-factor authentication and secure software development practices, such as moving away from memory-unsafe languages, to build more defensible systems.
Building a Resilient Future
Concluding, Rob expressed optimism about the trajectory of cybersecurity, emphasizing that automation can alleviate the burden on security teams, particularly for 24/7 operations. He underscored the need for robust teams and innovative technologies to address the relentless pace of vulnerabilities exploited by attackers. Jeff echoed this sentiment, encouraging the DEF CON community to contribute to shaping a secure digital landscape. Their dialogue highlighted the critical role of collaboration between government, industry, and the hacker community in navigating the ever-changing threat landscape.
Links:
[DefCon32] DriverJack: Turning NTFS and Emulated ROFs into an Infection
Alessandro Magnosi, a security researcher at the British Standards Institute, unveils an innovative technique for loading malicious drivers on Windows 11 by exploiting NTFS features and emulated read-only filesystems (ROFs). His presentation at DEF CON 32 explores how advancements in Windows security, such as Driver Signature Enforcement (DSE) and Hypervisor-protected Code Integrity (HVCI), have pushed attackers to exploit new vulnerabilities. Alessandro’s work provides actionable detection strategies to counter these sophisticated threats.
Exploiting NTFS and ROFs
Alessandro introduces his DriverJack technique, which manipulates NTFS and emulated CDFS vulnerabilities to bypass modern Windows protections. By exploiting previously identified flaws in emulated filesystems, Alessandro demonstrates how attackers can covertly install malicious drivers. His approach, developed at the British Standards Institute, leverages these weaknesses to achieve persistence, evading detection mechanisms designed to thwart traditional malware deployment.
Bypassing Security Mechanisms
Delving deeper, Alessandro explains how DriverJack circumvents DSE and HVCI. He explores alternative malware delivery methods in usermode, integrating with tools like Kernel Driver Utility (KDU) and Canal Forge when HVCI is disabled. Alessandro highlights the challenges of exploiting modern CPUs, noting that outdated hardware exacerbates vulnerabilities, making timely updates critical for system security.
Detection and Mitigation Strategies
Alessandro provides practical Indicators of Compromise (IOCs), such as monitoring for privilege escalations to SYSTEM or TrustedInstaller, drive letter changes, and alterations in the NT object manager. He advocates for runtime hash verification of driver load events to detect discrepancies, ensuring robust defense against DriverJack. His publicly available proof-of-concept on GitHub empowers researchers to test and refine these countermeasures.
Strengthening System Defenses
Concluding, Alessandro urges organizations to prioritize hardware updates and implement cross-checks for driver integrity. His work underscores the evolving nature of cyber threats, encouraging the cybersecurity community to stay vigilant. By sharing DriverJack’s methodologies, Alessandro inspires proactive measures to safeguard Windows systems against emerging exploits.
Links:
[DefCon32] Prime Cuts from Hacker History: 40 Years of 31337
Deth Veggie, Minister of Propaganda for the Cult of the Dead Cow (cDc), leads a nostalgic panel celebrating 40 years of hacker culture, joined by members of cDc, Legion of Doom, 2600 Magazine, Phrack, and r00t. Moderated by Professor Walter Scheirer from the University of Notre Dame, the session traces the origins of the computer underground in 1984, a pivotal year marked by the rise of personal computers and modems. Through vivid storytelling and audience engagement, the panelists reflect on the rebellious spirit, technical curiosity, and community that defined early hacking, offering insights for inspiring the next generation.
The Birth of Hacker Culture
Deth Veggie sets the stage, recounting the founding of cDc in 1984 in a Texas slaughterhouse adorned with heavy metal posters and a cow skull. This era saw the convergence of disaffected youth, empowered by personal computers and modems, forming groups like Legion of Doom and launching 2600 Magazine. The panelists share how their fascination with technology and rebellion against societal norms fueled the creation of a vibrant subculture, where Bulletin Board Systems (BBSes) became hubs for knowledge exchange.
The Rise of T-Files and Phrack
The panel explores the explosion of written hacker culture in 1985 with the advent of Phrack Magazine and text files (t-files), which became the currency of elite hackers. Panelists from Phrack and 2600 recount how these publications democratized technical knowledge, from phone phreaking to early computer exploits. Their stories highlight the thrill of discovery and the camaraderie of sharing hard-earned insights, shaping a community driven by curiosity and defiance.
Navigating the Underground
Reflecting on their experiences, the panelists discuss navigating the computer underground, from dial-up BBSes to illicit explorations of early networks. Members of Legion of Doom and r00t share anecdotes of creative problem-solving and the ethical dilemmas of their actions. These narratives reveal a culture where technical prowess and a desire to challenge authority coexisted, laying the groundwork for modern cybersecurity practices.
Engaging the Next Generation
Responding to audience questions, the panel addresses how to inspire today’s youth to engage with technology creatively. Deth Veggie suggests encouraging hands-on exploration through hacker spaces, maker spaces, and vintage computer festivals, where kids can tinker with old cameras and computers. The panelists emphasize finding role models who ignite passion, citing their own experiences looking up to peers on stage. They advocate fostering an active search for knowledge, akin to the BBS era, to cultivate emotional and intellectual investment in tech.
Preserving the Hacker Spirit
The panel concludes by urging the community to preserve the hacker spirit through mentorship and open knowledge sharing. Walter Scheirer’s moderation highlights the importance of documenting this history, as seen in cDc’s archives and 2600’s ongoing publications. The panelists call for nurturing curiosity in young hackers, ensuring the legacy of 1984’s rebellious innovators continues to inspire transformative contributions to technology.
Links:
[DefCon32] Clash, Burn, and Exploit: Manipulate Filters to Pwn kernelCTF
Kuan-Ting Chen, known as HexRabbit, a security researcher at DEVCORE and member of the Balsn CTF team, delivers a riveting exploration of Linux kernel vulnerabilities in the nftables subsystem. His presentation at DEF CON 32 unveils three novel vulnerabilities discovered through meticulous analysis of the nftables codebase, a critical component for packet filtering in the Linux kernel. Kuan-Ting’s journey, marked by intense competition and dramatic setbacks in Google’s kernelCTF bug bounty program, culminates in a successful exploit, earning him his first Google VRP bounty. His narrative weaves technical depth with the emotional highs and lows of vulnerability research, offering a masterclass in kernel exploitation.
Understanding nftables Internals
Kuan-Ting begins by demystifying nftables, the successor to iptables, which manages packet filtering and network-related functionalities in the Linux kernel. He explains how features like batch commits, anonymous chains, and asynchronous garbage collection, designed to enhance efficiency, have inadvertently increased complexity, making nftables a prime target for attackers. His introduction provides a clear foundation, enabling attendees to grasp the intricate mechanisms that underpin his vulnerability discoveries.
Uncovering Novel Vulnerabilities
Delving into the technical core, Kuan-Ting dissects three nftables vulnerabilities, two of which exploited challenging race conditions to capture the kernelCTF flag. He details how structural changes in the nftables codebase, often introduced by security patches, can unintentionally create new flaws. For instance, one vulnerability, identified as CVE-2024-26925, stemmed from improper input sanitization, enabling a double-free exploit. His methodical approach, combining code auditing with creative exploitation techniques like Dirty Pagedirectory, achieved a 93–99% success rate across hardened kernel instances, including Ubuntu and Debian.
The kernelCTF Roller-Coaster
Kuan-Ting’s narrative shines as he recounts the emotional and competitive challenges of the kernelCTF program. He describes a series of near-misses: an initial exploit collided with another submission, a second was rendered unusable due to a configuration error, and a third lost a submission race by mere seconds. The turning point came when a competitor’s disqualification allowed Kuan-Ting to secure the bounty just before Google disabled nftables in the LTS instance on April 1, 2024. This gripping tale underscores the persistence required in high-stakes vulnerability research.
Lessons for Kernel Security
Concluding, Kuan-Ting reflects on the broader implications of his findings. He advocates for rigorous code auditing to complement automated fuzzing, as subtle logic errors can lead to potent exploits. His work, detailed in resources like the Google Security Research repository, encourages researchers to explore novel exploitation techniques while urging kernel maintainers to strengthen nftables’ defenses. Kuan-Ting’s success inspires the cybersecurity community to tackle complex subsystems with creativity and resilience.
Links:
[DefCon32] Bug Hunting in VMware Device Virtualization
JiaQing Huang, Hao Zheng, and Yue Liu, security researchers at Shanghai Jiao Tong University, explore an uncharted attack surface in VMware’s device virtualization within the VMKernel. Their presentation unveils eight vulnerabilities, three assigned CVEs, discovered through reverse-engineering. JiaQing, Hao, and Yue provide insights into exploiting these flaws, some successfully demonstrated at Tianfu Cup, and discuss their implications for virtual machine security.
Exploring VMware’s VMKernel
JiaQing introduces the VMKernel’s device virtualization, focusing on the virtual machine monitor (vmm) and UserRPC mechanisms that enable communication between the hypervisor and host. Their reverse-engineering, conducted at Shanghai Jiao Tong University, uncovered vulnerabilities in USB and SCSI emulation, revealing a previously unexplored attack surface critical to VMware Workstation and ESXi.
USB System Vulnerabilities
Hao details flaws in the USB system, including the host controller, VUsb middleware, and backend devices. Their analysis identified exploitable issues, such as improper input validation, that could allow attackers to manipulate virtual devices. By exploiting these vulnerabilities, Hao and his team achieved privilege escalation, demonstrating the risks to virtualized environments.
SCSI Emulation Flaws
Yue focuses on the SCSI-related emulation in VMware’s virtual disk system, highlighting differences between Workstation and ESXi. Their discovery of an out-of-bounds write in the unmap command, due to unchecked parameter lengths, caused system crashes. Yue’s analysis underscores design flaws in disk emulation, exposing potential avenues for virtual machine escape.
Mitigating Virtualization Risks
Concluding, JiaQing proposes enhancing sandbox protections and elevating process privileges to prevent exploits. Their work, officially confirmed by VMware, calls for robust mitigation strategies to secure virtual environments. By sharing their findings, JiaQing, Hao, and Yue encourage researchers to explore VMKernel security, strengthening virtualization against emerging threats.
Links:
[DefCon32] Unsaflok: Hacking Millions of Hotel Locks
Lennert Wouters and Ian Carroll, security researchers from KU Leuven and application security experts, respectively, unveil critical vulnerabilities in dormakaba’s Saflok hotel lock system, affecting three million units worldwide. Their presentation details reverse-engineering efforts that enabled them to forge keycards, exposing flaws in the proprietary encryption and key derivation functions. Lennert and Ian also discuss their responsible disclosure process and offer practical advice for hotel guests to verify lock security.
Uncovering Saflok Vulnerabilities
Lennert begins by explaining the Saflok system’s reliance on MIFARE Classic cards, widely used in Las Vegas’s 150,000 hotel rooms. By reverse-engineering the proprietary key derivation and encryption algorithms, Lennert and Ian crafted two forged keycards from a single guest card, capable of unlocking any room and disabling deadbolts. Their findings reveal systemic weaknesses in a decades-old system never previously scrutinized by researchers.
Exploitation Techniques
Ian details the technical approach, which involved analyzing the Saflok’s software and hardware to bypass its protections. Using a low-privilege guest card, they exploited vulnerabilities to generate master keycards, granting unauthorized access. Their demonstration, inspired by prior work on Onity and Vingcard locks, underscores the ease of compromising unpatched systems, posing risks to guest safety and property security.
Responsible Disclosure and Mitigation
The duo responsibly disclosed their findings to dormakaba in September 2022, leading to mitigation efforts, including the adoption of Ultralight C cards and secure element encoders. Lennert discusses challenges in patching millions of locks, noting that legacy encoders may still support vulnerable MIFARE Classic cards. Their work has prompted dormakaba to enhance system security, though full deployment remains ongoing.
Empowering Guest Safety
Concluding, Ian offers practical guidance for hotel guests to check if their room’s lock is patched, such as verifying card types. Their presentation, lauded by peers like Iceman, calls for continued scrutiny of electronic lock systems. By sharing their methodologies, Lennert and Ian empower the cybersecurity community to strengthen hospitality security against emerging threats.