Posts Tagged ‘Cybersecurity’
[DefCon32] DEF CON 32: Iconv, Set the Charset to RCE – Exploiting glibc to Hack the PHP Engine
Charles Fol, a security researcher with a knack for uncovering hidden vulnerabilities, captivated the DEF CON 32 audience with his exploration of CVE-2024-2961, a long-standing buffer overflow in the GNU C Library (glibc) that he leveraged to compromise the PHP engine. Discovered by chance while auditing PHP, Charles’s work revealed new remote code execution (RCE) vectors and previously unknown zero-day vulnerabilities. His presentation offered a deep dive into the internals of PHP, showcasing innovative exploitation techniques and their impact on the broader PHP ecosystem, while providing actionable insights for securing web applications.
Discovering the glibc Vulnerability
Charles stumbled upon CVE-2024-2961 while auditing PHP, though the flaw resided in glibc’s iconv library, responsible for character set conversion. This buffer overflow, overlooked for years, presented a potent opportunity for exploitation within PHP’s context. Charles detailed how his accidental discovery unfolded, emphasizing the importance of thorough code audits. By analyzing the iconv library’s behavior, he identified a pathway to manipulate PHP’s execution environment, transforming a seemingly innocuous bug into a powerful attack vector. His approach underscores the value of curiosity-driven research in uncovering critical security flaws.
Crafting Remote Code Execution Exploits
Delving into the technical intricacies, Charles explained two distinct methods to achieve RCE using the glibc vulnerability. The first targeted PHP filters, a lesser-known component of the PHP engine, which he manipulated to execute arbitrary code remotely. The second approach exploited direct calls to iconv, bypassing conventional security checks. His live demonstration showcased a sophisticated exploit that navigated PHP’s memory management constraints, even in scenarios without output visibility or with randomized memory allocations. Charles’s ability to achieve a shell under such conditions highlighted the vulnerability’s severity and his ingenuity in exploit development.
Impact on the PHP Ecosystem
Charles explored the broader implications of CVE-2024-2961, revealing its reach across popular PHP libraries and applications, including webmail platforms like Roundcube. He noted that email headers specifying charsets provided an ideal entry point for exploitation, as attackers could craft malicious inputs to trigger the buffer overflow. His analysis of affected sinks, from well-known functions to obscure code paths, underscored the pervasive risk within PHP-based systems. By sharing his findings, Charles aimed to alert developers to the hidden dangers in widely used software and encourage proactive vulnerability management.
Mitigation Strategies for Developers
Concluding, Charles offered practical recommendations to fortify PHP applications against similar exploits. He urged developers to update glibc to patched versions and scrutinize charset handling in their codebases. Additionally, he advocated for robust input validation and the use of secure coding practices to minimize exposure to buffer overflows. His work, shared openly with the community, empowers developers to strengthen their systems and inspires further research into PHP’s security landscape, ensuring the web remains a safer environment.
Links:
- None available
[DefCon32] DEF CON 32: Hi-Intensity Deconstruction – Chronicles of a Cryptographic Heist
Javadi, Levy, and Draffe, a trio of security researchers, presented a groundbreaking study at DEF CON 32, unraveling vulnerabilities in HID Global’s iCLASS SE platform, a widely deployed electronic physical access control system. Over seven years, they reverse-engineered its complex chain of trust, uncovering flaws that enabled the recovery of cryptographic keys from CC EAL 5+ accredited secure elements. Their talk detailed the attack chain and provided practical mitigations for organizations relying on iCLASS SE.
Reverse-Engineering iCLASS SE
Javadi opened by contextualizing the ubiquity of HID’s iCLASS SE readers in government agencies and Fortune 500 companies. The team’s seven-year journey involved analyzing hardware, firmware, and software components to understand the platform’s security architecture. They discovered a series of implementation defects that compromised the system’s cryptographic integrity, challenging the notion that iCLASS SE was among the most secure access control solutions available.
Uncovering Cryptographic Flaws
Levy detailed the attack chain, which exploited pitfalls in the iCLASS SE’s secure elements. By targeting weaknesses in the hardware and software trust chain, they recovered sensitive cryptographic key material, effectively accessing the “keys to the kingdom.” Their approach combined advanced reverse-engineering techniques with exploitation of interoperability issues, particularly those tied to legacy Wiegand protocols, which undermined the platform’s security.
Operational Implications and Risks
Draffe explored the real-world implications, noting that standard key users face moderate risks, while advanced threat actors could exploit these flaws with significant skill. The vulnerabilities allow unauthorized access to physical systems, posing threats to high-security environments. The team’s findings underscore the dangers of relying on outdated protocols and the need for robust risk mitigation strategies to protect critical infrastructure.
Mitigating and Upgrading Security
Concluding, Javadi offered comprehensive guidance, recommending users transition to custom keys like HID’s Elite keys, which the vendor is offering fee-free for the first year. For advanced users, upgrading to the latest hardware and engaging with integrators to assess risks is critical. The researchers emphasized building security like an “onion” with layered defenses, urging organizations to work closely with HID to implement practical mitigations and enhance system resilience.
Links:
[DefCon32] DEF CON 32: MobileMesh RF Network Exploitation – Getting the Tea from goTenna
Erwin Karincic and Woody, security researchers with a passion for wireless technologies, delivered a revealing presentation at DEF CON 32 on vulnerabilities in goTenna Pro, a device promising secure, off-grid mobile mesh networking. Their rigorous examination exposed flaws in the implementation of AES-256 encryption, enabling message tracking, interception, and injection. Erwin and Woody’s work, conducted in collaboration with goTenna, culminated in open-source tools and actionable recommendations to enhance device security, challenging the community to verify claims of security.
Unmasking goTenna’s Security Claims
Erwin introduced the goTenna Pro, a radio used by personnel requiring secure communication without cellular or satellite infrastructure. Despite its AES-256 encryption claims, their analysis revealed vulnerabilities allowing fingerprinting and tracking of every message, regardless of encryption. By dissecting the device’s hardware and software, Erwin and Woody uncovered implementation flaws that undermined its security guarantees, highlighting the dangers of trusting datasheets without verification.
Exploiting Mesh Network Vulnerabilities
Woody delved into the technical details, demonstrating how they exploited goTenna’s mesh network to intercept and decrypt messages. Their live demo showcased the ability to inject malicious messages into the network, exposing operational risks for users in sensitive environments. The researchers developed open-source tools to replicate these exploits, encouraging the DEF CON community to test similar devices. Their methodology emphasized systematic testing of RF protocols, revealing weaknesses in goTenna’s encryption implementation.
Collaborative Remediation Efforts
Erwin highlighted their constructive engagement with goTenna, which responded positively to their findings. The company acknowledged the vulnerabilities and worked to address them, a rare success in vendor collaboration. The researchers also thanked organizations like the Electronic Frontier Foundation (EFF) and CISA for supporting their work, emphasizing the importance of community-driven efforts to hold manufacturers accountable and improve device security.
Empowering Secure Communication
Concluding, Woody urged the DEF CON community to challenge security claims and test equipment rigorously. They released their tools open-source, inspiring further research into mesh technologies like LoRa and Meshtastic. By sharing their findings and mitigation strategies, Erwin and Woody aim to reduce the risk of compromise for goTenna users, advocating for secure-by-design principles in RF communication devices.
Links:
[DefCon32] DEF CON 32: Outlook Unleashing RCE Chaos: CVE-2024-30103
Michael Gorelik and Arnold Osipov, security researchers from Morphisec, unveiled a series of devastating remote code execution (RCE) vulnerabilities in Microsoft Outlook at DEF CON 32. Their presentation focused on CVE-2024-30103, an evolution of CVE-2024-21378, which exploits Outlook’s COM object forms to trigger RCE from seemingly benign emails. Michael and Arnold’s meticulous research revealed additional NTLM credential leaks, exposing systemic weaknesses in Outlook’s security model and offering critical mitigation strategies.
The Evolution of Outlook Exploits
Michael kicked off by tracing the timeline of Outlook vulnerabilities, noting how incomplete patches often leave residual attack surfaces. He explained how CVE-2024-21378, a flaw in Outlook’s form handling, opened the door to RCE by allowing attackers to embed malicious COM objects in emails. Morphisec’s research built on this, uncovering CVE-2024-30103, which exploits trusted sender scenarios to execute code automatically upon email preview. Michael’s narrative highlighted the cascading effect of these vulnerabilities, turning routine email interactions into potential attack vectors.
Exploiting NTLM Leaks
Arnold delved into the NTLM credential leak issue, which Microsoft rated as medium risk due to mitigations like preview mode for untrusted senders. However, he demonstrated how compromised internal accounts could bypass these protections, enabling automatic image downloads that trigger NTLM leaks. Arnold’s analysis revealed that domain-joined devices are particularly vulnerable, as attackers can exploit trusted sender status within organizations to harvest credentials, amplifying the risk of lateral movement across networks.
Technical Breakdown of RCE Chains
Michael provided a detailed breakdown of the RCE exploit chain, showcasing how attackers manipulate Outlook’s form controls to execute arbitrary code. He highlighted the role of compound monitors, which process email content, in enabling these attacks. By leveraging insights from researchers like NetSPI and Check Point, Morphisec constructed a robust exploit that bypasses existing patches. Michael’s technical exposition underscored the complexity of securing Outlook’s extensive attack surface, particularly when patches introduce new vulnerabilities.
Mitigating Outlook Vulnerabilities
Concluding, Arnold shared actionable recommendations, including enabling SMB signing, managing outbound SMB traffic, and adopting Windows 11’s default NTLM restrictions. He emphasized the need for organizations to monitor trusted sender configurations and enhance email security protocols. Michael and Arnold’s work, supported by Morphisec’s threat research, calls for a reevaluation of Outlook’s security architecture, urging the cybersecurity community to collaborate on robust defenses against these evolving threats.
Links:
[DefCon32] DEF CON 32: Using ALPC Security Features to Compromise RPC Services
WanJunJie Zhang and Yisheng He, security researchers from Huorong Network Security, delivered a compelling presentation at DEF CON 32 on exploiting Windows Advanced Local Procedure Call (ALPC) security mechanisms to compromise Remote Procedure Call (RPC) services. Their research uncovered a subtle flaw in ALPC’s security checks, enabling unauthorized users to escalate to system privileges. WanJunJie and Yisheng’s detailed analysis of ALPC and RPC internals, combined with their innovative exploitation techniques, provided a fresh perspective on Windows kernel vulnerabilities.
Understanding ALPC and RPC Mechanics
WanJunJie opened by demystifying ALPC, a Windows kernel mechanism for inter-process communication, and its integration with RPC services. He explained the marshal/unmarshal processes, previously underexplored, which handle data exchange between processes. Their research at Huorong Network Security identified how ALPC’s security measures, designed to validate data and context, could be subverted. By analyzing historical ALPC and RPC bugs, such as time-of-check-time-of-use (TOCTOU) issues, WanJunJie set the stage for their discovery of a novel vulnerability.
Exploiting the Security Flaw
Yisheng detailed the critical flaw they uncovered in ALPC’s security mechanism, which they dubbed “defeating magic by magic.” This vulnerability allowed them to bypass strict kernel checks, achieving system-level privilege escalation. By manipulating ALPC syscalls in the Windows kernel (ntoskrnl), they crafted an exploit that leveraged a small oversight in the security validation process. Yisheng’s demonstration highlighted multiple exploitation paths, showcasing the versatility of their approach in targeting RPC services.
Lessons from Bug Hunting
The duo shared their bug hunting philosophy, emphasizing the importance of distrusting vendor patches, which may fail to fully address vulnerabilities. WanJunJie advocated for creative and critical analysis during patch reviews, noting that side effects from patches can introduce new flaws. Their experience, drawn from Huorong’s rigorous testing, underscored the need for patience and persistence in uncovering kernel-level bugs. They also highlighted the potential for automation in extracting RPC interface information to streamline future exploit development.
Enhancing Windows Security
Concluding, Yisheng offered insights into fortifying ALPC and RPC security, urging Microsoft to refine validation mechanisms and reduce reliance on backward compatibility. They encouraged the DEF CON community to explore RPC’s specialized features for new attack surfaces and share innovative ideas. Their references to prior works, such as Clement Rouault’s Hack.lu 2017 talk, provide a foundation for further research, inspiring attendees to probe Windows kernel vulnerabilities with renewed vigor.
Links:
[DefCon32] DEF CON 32: Exploiting the Unexploitable: Insights from the Kibana Bug Bounty
Mikhail Shcherbakov, a PhD candidate at KTH Royal Institute of Technology in Stockholm, captivated the DEF CON 32 audience with his deep dive into exploiting seemingly unexploitable vulnerabilities in modern JavaScript and TypeScript applications. Drawing from his participation in the Kibana Bug Bounty Program, Mikhail shared case studies that reveal how persistence and creative exploitation can transform low-impact vulnerabilities into critical remote code execution (RCE) chains. His presentation, rooted in his research on code reuse attacks, offered actionable techniques for security researchers and robust mitigation strategies for defenders.
Navigating the Kibana Bug Bounty
Mikhail began by outlining his journey in the Kibana Bug Bounty Program, where he encountered vulnerabilities initially deemed “by design” or unexploitable by triage teams. His work at KTH, focusing on static and dynamic program analysis, equipped him to challenge these assumptions. Mikhail explained how he identified prototype pollution vulnerabilities in Kibana, a popular data visualization platform, that could crash applications in seconds. By combining these with novel exploitation primitives, he achieved RCE, demonstrating the hidden potential of overlooked flaws.
Unlocking Prototype Pollution Exploits
Delving into technical specifics, Mikhail detailed his approach to exploiting prototype pollution, a common JavaScript vulnerability. He showcased how merge functions in popular libraries like Lodash could be manipulated to pollute object prototypes, enabling attackers to inject malicious properties. Mikhail’s innovative chain involved polluting a runner object and triggering a backup handler, resulting in RCE. He emphasized that even fixed prototype pollution cases could be combined with unfixed ones across unrelated application features, amplifying their impact and bypassing conventional defenses.
Advanced Exploitation Techniques
Mikhail introduced new primitives and gadgets that elevate prototype pollution beyond denial-of-service (DoS) attacks. He demonstrated how carefully crafted payloads could exploit Kibana’s internal structures, leveraging tools like Node.js and Deno to execute arbitrary code. His research also touched on network-based attacks, such as ARP spoofing in Kubernetes environments, highlighting the complexity of securing modern applications. Mikhail’s findings, documented in papers like “Silence Print” and “Dust,” provide a roadmap for researchers to uncover similar vulnerabilities in other JavaScript ecosystems.
Mitigating and Defending Against RCE
Concluding, Mikhail offered practical recommendations for mitigating these threats, urging developers to adopt secure coding practices and validate inputs rigorously. He encouraged researchers to persist in exploring seemingly unexploitable bugs, sharing resources like his collection of server-side prototype pollution gadgets. His work, accessible via his blog posts and Twitter updates, inspires the cybersecurity community to push boundaries in vulnerability research while equipping defenders with tools to fortify JavaScript applications against sophisticated attacks.
Links:
[DefCon32] Defeating EDR-Evading Malware with Memory Forensics
Andrew Case, a core developer on the Volatility memory analysis project and Director of Research at V-Soft Consulting, joined colleagues Sellers and Richard to present a groundbreaking session at DEF CON 32. Their talk focused on new memory forensics techniques to detect malware that evades Endpoint Detection and Response (EDR) systems. Andrew and his team developed plugins for Volatility 3, addressing sophisticated bypass techniques like direct system calls and malicious exception handlers. Their work, culminating in a comprehensive white paper, offers practical solutions for countering advanced malware threats.
The Arms Race with EDR Systems
Andrew opened by outlining the growing prominence of EDR systems, which perform deep system inspections to detect malware beyond traditional antivirus capabilities. However, malware developers have responded with advanced evasion techniques, such as code injection and manipulation of debug registers, fueling an ongoing arms race. Andrew’s research at V-Soft Consulting focuses on analyzing these techniques during incident response, revealing how attackers exploit low-level hardware and software components to bypass EDR protections, as seen in high-profile ransomware attacks.
New Memory Forensics Techniques
Delving into their research, Andrew detailed the development of Volatility 3 plugins to detect EDR bypasses. These plugins target techniques like direct and indirect system calls, module overwriting, and abuse of exception handlers. By enumerating handlers and applying static disassembly, their tools identify malicious processes generically, even when attackers tamper with functions like AMSI’s scan buffer. Andrew highlighted a specific plugin, Patchus AMSI, which catches both vectored exception handlers and debug register abuses, ensuring EDRs cannot be fooled by malicious PowerShell or macros.
Practical Applications and Detection
The team’s plugins enable real-time detection of EDR-evading malware, providing defenders with actionable insights. Andrew demonstrated how their tools identify suspicious behaviors, such as breakpoints set on critical functions, allowing malicious code to execute undetected. He emphasized the importance of their 19-page white paper, available on the DEF CON website, which documents every known EDR bypass technique in userland. This resource, combined with the open-source plugins, empowers security professionals to strengthen their defenses against sophisticated threats.
Empowering the Cybersecurity Community
Concluding, Andrew encouraged attendees to explore the released plugins and white paper, which include 40 references for in-depth understanding. He stressed the collaborative nature of their work, inviting feedback to refine the Volatility framework. By sharing these tools, Andrew and his team aim to equip defenders with the means to counter evolving malware, ensuring EDR systems remain effective. Their session underscored the critical role of memory forensics in staying ahead of attackers in the cybersecurity landscape.
Links:
[DefCon32] Digital Emblems—When Markings Are Required, but You Have No Rattle-Can
Bill Woodcock, a seasoned contributor to the Internet Engineering Task Force (IETF), presented an insightful session at DEF CON 32 on the development of digital emblems. These digital markers aim to replace or supplement physical markings required under international law, such as those on ISO containers, press vests, or humanitarian symbols like UN blue helmets. Bill’s work, conducted within the IETF, leverages protocols like DNS and DNSSEC to create a global, cryptographically secure marking system. His talk explored the technical and security implications of this standardization effort, inviting feedback from the DEF CON community on potential vulnerabilities.
The Need for Digital Emblems
Bill introduced the concept of digital emblems, explaining their necessity in an increasingly digitized world. Physical markings, such as serial numbers on shipping containers or symbols on humanitarian vehicles, are critical for compliance with international regulations. However, as processes like border transport and battlefield protections become digitized, these markings must transition to machine-readable formats. Bill outlined how the IETF’s proposed standard aims to create a unified protocol for digital emblems, ensuring they are scannable, cryptographically verifiable, and adaptable to various use cases, from logistics to military operations.
Technical Foundations and Challenges
Delving into the technical details, Bill described how the digital emblem system builds on existing protocols like DNS and DNSSEC, enabling robust validation without constant network connectivity. He highlighted the ability to embed significant data in devices like RFID tags, allowing offline validation through cached root signatures. However, Bill acknowledged challenges, particularly in ensuring the security of these emblems against adversarial tampering. He noted that military use cases, where covert validation is critical, pose unique risks, as adversaries could mislabel objects to deceive validators, necessitating strong cryptographic protections.
Security and Privacy Considerations
Bill addressed the security and privacy concerns raised by digital emblems, particularly in adversarial scenarios. He explained that the system allows for covert inspection, enabling validators to check emblems without alerting potential attackers. However, he cautioned that physical binding remains a weak point, as malicious actors could exploit mislabeled objects in conflict zones. Bill invited the DEF CON audience to scrutinize the proposed standard for vulnerabilities, emphasizing the importance of community input to harden the system against attacks, especially in high-stakes military and humanitarian contexts.
Shaping the Future of Digital Standards
Concluding, Bill underscored the potential of digital emblems to streamline global processes while enhancing security. He encouraged the DEF CON community to engage with the IETF’s ongoing work, accessible via the provided URLs, to contribute to refining the standard. By addressing vulnerabilities and ensuring robust cryptographic validation, Bill envisions a future where digital emblems enhance trust and compliance across borders and battlefields. His call to action resonated with the audience, inviting hackers to play a pivotal role in shaping this emerging technology.
Links:
[DefCon32] Changing Global Threat Landscape
Rob Joyce, a distinguished former National Security Agency (NSA) official, joined Jeff Moss, known as The Dark Tangent and founder of DEF CON, for a riveting fireside chat at DEF CON 32. Their discussion delved into the dynamic evolution of global cyber threats, with a particular focus on the transformative role of artificial intelligence (AI) in reshaping cybersecurity. Rob, recently retired after 34 years at the NSA, brought a wealth of experience from roles such as Cybersecurity Coordinator at the White House and head of the NSA’s Tailored Access Operations. Jeff facilitated a conversation that explored how AI is redefining defense strategies and the broader implications for global security, offering insights into the challenges and opportunities ahead.
The Evolution of Cyber Threats
Rob began by reflecting on his extensive career at the NSA, where he witnessed the transformation of cyber threats from isolated incidents to sophisticated, state-sponsored campaigns. He highlighted how adversaries now leverage AI to enhance attack vectors, such as spear-phishing and polymorphic malware, which adapt dynamically to evade detection. Rob emphasized that the scale and speed of these threats demand a shift from reactive to proactive defenses, underscoring the importance of understanding adversaries’ intentions through signals intelligence. His experience during the Iraq War as an issue manager provided a unique perspective on the strategic use of cyber intelligence to counter evolving threats.
AI’s Dual Role in Cybersecurity
The conversation pivoted to AI’s dual nature as both a tool for attackers and defenders. Rob explained how AI enables rapid analysis of vast datasets, allowing defenders to identify patterns and anomalies that would be impossible for human analysts alone. However, he cautioned that adversaries exploit similar capabilities to craft advanced persistent threats (APTs) and automate large-scale attacks. Jeff probed the balance between automation and human oversight, to which Rob responded that AI-driven tools, like those developed by the NSA, are critical for scaling defenses, particularly for protecting critical infrastructure. The integration of AI, he noted, is essential to keep pace with the growing complexity of cyber threats.
Strengthening Defenses Through Collaboration
Rob stressed the importance of bipartisan support for cybersecurity, noting that stopping foreign adversaries is a shared goal across administrations. He highlighted the role of the Office of the National Cyber Director (ONCD) in convening agencies to synchronize efforts, citing examples where ground-up collaboration among agencies has led to effective threat mitigation. Jeff asked about the resource gap, and Rob acknowledged that the scope of threats often outpaces available resources. He advocated for widespread adoption of two-factor authentication and secure software development practices, such as moving away from memory-unsafe languages, to build more defensible systems.
Building a Resilient Future
Concluding, Rob expressed optimism about the trajectory of cybersecurity, emphasizing that automation can alleviate the burden on security teams, particularly for 24/7 operations. He underscored the need for robust teams and innovative technologies to address the relentless pace of vulnerabilities exploited by attackers. Jeff echoed this sentiment, encouraging the DEF CON community to contribute to shaping a secure digital landscape. Their dialogue highlighted the critical role of collaboration between government, industry, and the hacker community in navigating the ever-changing threat landscape.
Links:
[DefCon32] DriverJack: Turning NTFS and Emulated ROFs into an Infection
Alessandro Magnosi, a security researcher at the British Standards Institute, unveils an innovative technique for loading malicious drivers on Windows 11 by exploiting NTFS features and emulated read-only filesystems (ROFs). His presentation at DEF CON 32 explores how advancements in Windows security, such as Driver Signature Enforcement (DSE) and Hypervisor-protected Code Integrity (HVCI), have pushed attackers to exploit new vulnerabilities. Alessandro’s work provides actionable detection strategies to counter these sophisticated threats.
Exploiting NTFS and ROFs
Alessandro introduces his DriverJack technique, which manipulates NTFS and emulated CDFS vulnerabilities to bypass modern Windows protections. By exploiting previously identified flaws in emulated filesystems, Alessandro demonstrates how attackers can covertly install malicious drivers. His approach, developed at the British Standards Institute, leverages these weaknesses to achieve persistence, evading detection mechanisms designed to thwart traditional malware deployment.
Bypassing Security Mechanisms
Delving deeper, Alessandro explains how DriverJack circumvents DSE and HVCI. He explores alternative malware delivery methods in usermode, integrating with tools like Kernel Driver Utility (KDU) and Canal Forge when HVCI is disabled. Alessandro highlights the challenges of exploiting modern CPUs, noting that outdated hardware exacerbates vulnerabilities, making timely updates critical for system security.
Detection and Mitigation Strategies
Alessandro provides practical Indicators of Compromise (IOCs), such as monitoring for privilege escalations to SYSTEM or TrustedInstaller, drive letter changes, and alterations in the NT object manager. He advocates for runtime hash verification of driver load events to detect discrepancies, ensuring robust defense against DriverJack. His publicly available proof-of-concept on GitHub empowers researchers to test and refine these countermeasures.
Strengthening System Defenses
Concluding, Alessandro urges organizations to prioritize hardware updates and implement cross-checks for driver integrity. His work underscores the evolving nature of cyber threats, encouraging the cybersecurity community to stay vigilant. By sharing DriverJack’s methodologies, Alessandro inspires proactive measures to safeguard Windows systems against emerging exploits.