Posts Tagged ‘DefCon32’
[DefCon32] Manipulating Shim and Office for Code Injection
The Windows ecosystem harbors hidden attack surfaces, and security researchers Ron Ben-Yizhak and David Shandalov from Deep Instinct unveil a sophisticated technique to exploit them. By manipulating the Application Compatibility Framework (shim) and OfficeClickToRun service, they achieve stealthy code injection and privilege escalation without traditional traces like registry modifications. Their reverse engineering of undocumented APIs and kernel drivers reveals novel methods to subvert system defenses, challenging assumptions about patched vulnerabilities.
Reviving the Shim Attack Surface
Ron introduces the Application Compatibility Framework, designed to ensure legacy software runs on modern Windows systems. The shim infrastructure, managed by a kernel driver, applies runtime fixes to processes. By exploiting undocumented APIs, Ron and David craft a malicious shim that injects code without disk-based evidence, evading detection by endpoint detection and response (EDR) systems. This approach, applied to 64-bit processes, bypasses traditional monitoring, as injection occurs before EDR hooks are established.
Exploiting OfficeClickToRun for Escalation
David details their attack surface research on OfficeClickToRun.exe, a service running as NT AUTHORITY\SYSTEM. By leveraging its undocumented RPC interfaces and Opportunistic Lock (OpLock) mechanisms, they inject a DLL into a high-privilege process, achieving escalation. This method requires specific conditions, which they meticulously engineered, demonstrating the power of combining disparate system components into a cohesive attack vector.
Methodology and Community Collaboration
The duo’s methodology hinges on deep reverse engineering, analyzing shim data structures and AVL tables to manipulate process behavior. They modernize a previously known technique, making it registry-free and elusive. Ron and David share their tools’ source code, inviting the community to refine these attacks and explore additional shim fixes. Their findings highlight the potential for OpLock and shim mechanisms to serve as building blocks for complex, multi-component attacks.
Defensive Measures and Future Research
To counter these threats, Ron and David urge developers to monitor early-stage process injections and scrutinize undocumented APIs. They encourage further exploration of shim data structures and AVL table manipulations, which could yield new attack vectors. By open-sourcing their tools, they foster collaborative advancements in offensive security, aiming to strengthen Windows defenses against such stealthy techniques.
Links:
[DefCon32] Sudos and Sudon’ts: Peering Inside Sudo for Windows
In a groundbreaking move, Microsoft introduced Sudo for Windows in February 2024, bringing a Unix-like privilege elevation mechanism to Windows 11 Insider Preview. Michael Torres, a security researcher at Google, delves into the architecture of this novel feature, exploring its implementation, inter-process communication, and potential vulnerabilities. Michael’s analysis, rooted in reverse engineering and Rust’s interaction with Windows APIs, uncovers security flaws that challenge the tool’s robustness. His open-source approach invites the community to scrutinize and enhance Sudo for Windows, ensuring it balances usability with security.
Understanding Sudo for Windows
Michael begins by demystifying Sudo for Windows, a utility designed to allow users to execute commands with elevated permissions directly from a non-elevated console. Unlike its Unix counterpart, it leverages User Account Control (UAC) for elevation and Advanced Local Procedure Call (ALPC) for communication between processes. Available in Windows 11 version 24H2, the tool supports three configurations: running commands in a new window, disabling input in the current window, or inline execution akin to Linux sudo. Michael highlights its open-source nature, hosted on GitHub, which enables researchers to dissect its codebase for potential weaknesses.
Security Implications and Rust Challenges
Delving into the technical intricacies, Michael examines how Sudo for Windows interoperates with Windows APIs through Rust, a language touted for memory safety. However, invoking native Windows APIs requires “unsafe” Rust code, introducing risks of memory corruption vulnerabilities—counterintuitive to Rust’s safety guarantees. He identifies non-critical issues reported to Microsoft’s Security Response Center (MSRC) and one embargoed vulnerability, emphasizing the need for rigorous scrutiny. For bug hunters, Michael advises focusing on unsafe Rust boundaries, where Windows API calls create exploitable seams.
Path Resolution and Process Coordination
Michael explores the path resolution process, critical for handling file and relative path inputs in Sudo for Windows. The tool’s reliance on ALPC for coordinating elevated and non-elevated processes introduces complexity, as it must maintain secure communication across privilege boundaries. Missteps in path handling or process elevation could lead to unintended escalations, a concern Michael flags for further investigation. His analysis underscores the delicate balance between functionality and security in this new feature.
Community Engagement and Future Directions
Encouraging community involvement, Michael praises the open-source release, urging researchers to probe the codebase for additional vulnerabilities. As Sudo for Windows rolls out to mainline Windows 11, its adoption could reshape administrative workflows, but only if security holds. He advocates for responsible bug hunting to prevent malicious exploitation, ensuring the tool delivers on its promise of seamless elevation without compromising system integrity.
Links:
[DefCon32] Spies and Bytes: Victory in the Digital Age
Cyber warfare reshapes global security, demanding agility and collaboration. General Paul M. Nakasone, retired U.S. Army and former director of the NSA and U.S. Cyber Command, shares insights from his career defending against nation-state hackers. His narrative, rooted in real-world operations, highlights strategies for securing critical infrastructure and countering sophisticated threats. Now founding director of Vanderbilt University’s Institute for National Security, Paul envisions a future where adaptive cyber strategies and new leadership tackle emerging challenges.
Paul’s experiences, from thwarting cyberattacks to fostering international alliances, underscore the importance of transparency and intelligence sharing. His forward-looking vision emphasizes resilience and interdisciplinary approaches to safeguard the digital frontier.
Defending Against Nation-State Threats
Paul recounts operations against adversaries like China and Russia, where rapid intelligence sharing thwarted attacks on U.S. infrastructure. As NSA director, he prioritized real-time collaboration with allies, disrupting cyber campaigns targeting elections and utilities.
These efforts highlight the need for dynamic defenses, adapting to adversaries’ evolving tactics in a borderless digital battlefield.
Building Resilient Cyber Defenses
At U.S. Cyber Command, Paul oversaw strategies integrating offensive and defensive operations. He describes fortifying critical systems, like power grids, through persistent engagement—proactively disrupting attacker infrastructure. Partnerships with private sectors, including tech giants, amplified these efforts, leveraging collective expertise.
Transparency in operations, he argues, builds trust and deters adversaries, a lesson drawn from high-stakes missions.
The Role of Intelligence and Alliances
International cooperation was central to Paul’s tenure. Alliances with NATO and Five Eyes nations enabled coordinated responses to threats, such as ransomware campaigns. Intelligence-driven operations, blending human and technical sources, provided actionable insights, often preventing attacks before they materialized.
This collaborative model sets a benchmark for future cyber defense, emphasizing shared responsibility.
Shaping the Future of Cybersecurity
At Vanderbilt, Paul aims to cultivate young leaders through the Institute for National Security, launching in October 2025. By integrating AI, cybersecurity, and decision-making, the institute addresses the industry’s age gap, where most professionals are over 50. He invites the DEF CON community to join, fostering innovation through partnerships and open dialogue.
Links:
[DefCon32] Redefining V2G: How to Use Your Vehicle as a Game Controller
Modern vehicles, intricate networks of computers on wheels, offer more than mobility—they can become game controllers. Timm Lauser and Jannis Hamborg, researchers from P3 Group, present Vehicle-to-Game (V2G), a Python-based project that transforms cars into Bluetooth gamepads. By leveraging the CAN bus or OBD2 port, V2G maps vehicle inputs like steering or pedals to game controls, blending automotive hacking with playful innovation.
Timm and Jannis, driven by curiosity about vehicle networks, developed V2G to run on laptops or Raspberry Pi Zero WH, requiring reverse-engineering of CAN messages or UDS diagnostics. Their work, accessible via a public GitHub repository, invites enthusiasts to explore car interfaces while highlighting the accessibility of automotive security research.
Understanding Vehicle Networks
Timm explains vehicle architectures, where CAN buses and diagnostic ports like OBD2 facilitate communication between ECUs. V2G intercepts signals from components like the steering wheel or accelerator, translating them into gamepad inputs. This requires understanding proprietary CAN messages, often unique to each vehicle model.
Their Volkswagen ID.3 demo showcases real-time mapping of driving inputs to game controls, illustrating the project’s practicality.
Building the V2G Framework
Jannis details V2G’s implementation, using Python to interface with CAN buses via affordable hardware. The framework supports Bluetooth gamepad emulation, allowing cars to control games like racing simulators. Reverse-engineering CAN signals, though labor-intensive, is achievable with tools like CAN-utils, making V2G adaptable to various vehicles.
The open-source release encourages community contributions, with QR codes linking to the repository for further development.
Creative Applications and Challenges
Beyond gaming, V2G sparks interest in automotive interfaces, such as heads-up display integration. Timm and Jannis explore connecting to in-car screens via adapters, though cost remains a barrier. Flight simulator mapping, suggested by an audience member, highlights V2G’s versatility for unconventional inputs.
Challenges include model-specific CAN protocols and hardware costs, but the project lowers barriers for hobbyists and researchers.
Implications for Automotive Security
While playful, V2G underscores the accessibility of vehicle networks, a double-edged sword for security. Exposed interfaces like OBD2 ports are potential attack vectors, urging manufacturers to secure diagnostic communications. Timm and Jannis advocate responsible exploration, fostering learning without compromising safety.
Links:
[DefCon32] Splitting the Email Atom: Exploiting Parsers to Bypass Access Controls
Email addresses, seemingly mundane, harbor complexities that can unravel security controls. Gareth Heyes, a security researcher at PortSwigger, exposes how arcane RFC standards governing email parsing enable attackers to bypass access controls. By crafting RFC-compliant email addresses, Gareth demonstrates spoofing domains, accessing internal systems, and executing blind CSS injection. His toolkit, integrated with Burp Suite, automates these attacks, revealing vulnerabilities in applications and libraries.
Gareth’s exploration, rooted in parser discrepancies, shows how seemingly valid emails can route to unintended destinations, undermining Zero Trust architectures. His methodology and open-source tools empower researchers to probe email-handling systems, urging developers to fortify defenses against these subtle yet potent attacks.
The Chaos of Email RFCs
Gareth begins with the convoluted RFCs defining email syntax, which allow exotic encodings like Unicode overflows and encoded words. These standards, often misunderstood, lead to parser inconsistencies. For example, an email ending in @example.com might route elsewhere due to mishandled Unicode or Punycode, breaking domain-based authorization.
Case studies illustrate real-world exploits, including bypassing employee-only registrations and accessing internal systems by exploiting parser flaws.
Exploiting Parser Discrepancies
Using tools like Hackverter and Turbo Intruder, Gareth automates the generation of malicious email addresses. His Punycode fuzzer, for instance, substitutes placeholders with random characters, uncovering exploitable parser behaviors. A notable exploit involved GitHub’s handling of null characters, found via Turbo Intruder, leading to unauthorized access.
These techniques transform harmless inputs into payloads that misroute emails or inject CSS, compromising application security.
Defensive Strategies
Gareth advocates filtering encoded words and verifying email addresses before use, even from trusted SSO providers. Relying solely on domains for authorization is perilous, as demonstrated by his exploits. Regular expression sanitization and strict validation can mitigate risks, ensuring emails route as intended.
He references influential blog posts by researchers like Pep Villa, emphasizing community knowledge-sharing to bolster defenses.
Tools and Future Research
Gareth’s toolkit, including a Burp Suite wordlist and a vulnerable Joomla Docker instance, enables researchers to replicate his attacks. A Web Security Academy CTF further hones skills in email splitting. He encourages exploring additional parser vulnerabilities, such as those in mailer libraries, to uncover new attack vectors.
Links:
[DefCon32] Sshamble: Unexpected Exposures in the Secure Shell
The Secure Shell (SSH), a cornerstone of secure communication, powers a vast array of systems beyond traditional POSIX environments, from network devices to Windows file transfer tools. HD Moore and Rob King, security researchers at Rumble, Inc., delve into the lesser-known implementations of SSH, uncovering surprising vulnerabilities. Their presentation introduces “Sshamble,” an open-source tool designed to probe SSH services, revealing weaknesses in diverse implementations. With OpenSSH dominating 80% of deployments, HD and Rob explore the long tail of alternative servers, exposing flaws like null byte password acceptance in honeypots and key mismanagement.
Their journey, sparked by the XZ backdoor investigation, reveals tens of thousands of vulnerable SSH instances. By analyzing server behaviors and handshake anomalies, Sshamble empowers researchers to identify and exploit misconfigurations, urging a reevaluation of SSH’s assumed security.
The Landscape of SSH Implementations
HD outlines SSH’s evolution from a remote shell to a ubiquitous transport protocol, second only to TLS. While OpenSSH prevails, alternatives like Dropbear and niche libraries in devices and forges introduce variability. Their research uncovers servers accepting invalid credentials or mangled requests, often indicative of honeypots or flawed implementations. For instance, many honeypots accept null byte passwords, a trait absent in legitimate OpenSSH setups.
This diversity, while functional, creates an attack surface ripe for exploitation, as non-standard servers deviate from expected security models.
Sshamble: A Tool for Discovery
Rob introduces Sshamble, a versatile tool that scans SSH services across specified ports, performing handshakes to detect anomalies. It identifies honeypots by exploiting behaviors like accepting any public key or malformed passwords. The tool’s open-source release on GitHub encourages community contributions, enhancing its ability to catalog and test SSH implementations.
Demonstrations show Sshamble pinpointing vulnerable servers, including those misconfigured to accept arbitrary credentials, highlighting the need for rigorous server validation.
Exploiting SSH Weaknesses
HD details specific vulnerabilities, such as key generation issues in libraries and servers that bypass standard authentication. While client-side tools like PuTTY were not the focus, server-side flaws dominate, with some implementations ignoring protocol specifications. These gaps allow attackers to bypass authentication or inject malicious data, compromising systems.
The XZ backdoor, though not directly exploitable, inspired their broader exploration, revealing systemic issues in SSH ecosystems.
Mitigating SSH Risks
Rob emphasizes hardening SSH deployments through strict configuration and regular audits. Disabling null byte passwords, enforcing strong key management, and monitoring handshake behaviors mitigate risks. Sshamble aids defenders by identifying weak implementations, urging organizations to standardize on robust servers like OpenSSH.
The talk concludes with a call for ongoing research into SSH’s evolving attack surface, leveraging tools like Sshamble to bolster defenses.
Links:
[DefCon32] The Hack, the Crash, and Two Smoking Barrels
The automotive industry’s rush to pack vehicles with connectivity exposes a glaring cybersecurity gap. Thomas Sermpinis, a security researcher at Upstream Security, navigates this “underworld” of car manufacturing, where tight deadlines and complacent engineering sideline security. His narrative, punctuated by real-world exploitations and a live ECU demo, exposes vulnerabilities in vehicle architectures and advocates for systemic change.
Thomas, leveraging his expertise in embedded systems, recounts discovering zero-day flaws and convincing skeptical engineers of their severity—sometimes by engaging brakes mid-drive. His stories highlight the tension between innovation and safety, contrasting mainstream manufacturers with a smaller OEM’s robust security design.
Automotive Architecture Vulnerabilities
Thomas outlines vehicle architectures, where ECUs (Electronic Control Units) manage critical functions like braking and steering. Legacy designs, reliant on CAN bus protocols, lack encryption, making them susceptible to injection attacks. He demonstrates exploiting a zero-day to manipulate an ECU, showcasing real-time risks like unauthorized control.
Mainstream OEMs, driven by cost, lag in adopting secure protocols like Automotive Ethernet, leaving vehicles exposed to remote attacks.
Engaging Engineers and Industry
A pivotal moment in Thomas’s journey involves a live demo, where an engineer experiences a brake lock triggered by a flaw. This visceral proof shifts perspectives, underscoring the need for security prioritization. He critiques the “good enough” mentality fueled by capitalism, where budgets trump safety.
His modular toolkit, Caribou Next, a fork of Caring Caribou, enables standardized attacks across vehicles, highlighting systemic weaknesses.
Lessons from a Secure OEM
Thomas contrasts mainstream failures with a small manufacturer, likely Tesla, whose IT-centric approach yields a centralized, secure architecture. By treating vehicles as software platforms, this OEM implements robust encryption and authentication, resisting common exploits.
This model, though not universal, offers a blueprint for industry-wide improvements, emphasizing proactive security integration.
Raising Awareness and Future Steps
Thomas urges collaboration between researchers, OEMs, and regulators to enforce security standards. Emerging technologies like secure CAN transceivers show promise, but adoption lags. His demos, shared responsibly, aim to spark interest in automotive hacking, driving awareness to protect lives.
Links:
[DefCon32] Optical Espionage: Using Lasers to Hear Keystrokes Through Glass Windows
In a world where physical barriers seem to shield sensitive data, Samy Kamkar reveals how light and sound betray secrets. A renowned security researcher, Samy introduces a laser-based eavesdropping technique that captures keystrokes through glass windows, targeting air-gapped systems. His accessible approach, requiring minimal technical expertise, leverages physics to extract signals from noise, demonstrating vulnerabilities in seemingly secure environments.
Samy, known for past innovations like the MySpace worm, explores side-channel attacks rooted in historical TEMPEST research by the NSA and KGB. By directing lasers at reflective surfaces, he captures vibrations from typing or audio, decoding them into actionable data. This method, blending optical and radio signal processing, exposes the fragility of physical security in modern systems.
Physics of Signal Leakage
Samy demystifies how energy forms—light, sound, vibration—travel through air, undermining air-gapped systems. Electrical signals emit electromagnetic waves, capturable via radio or optical methods. His laser microphone, pointed at a window, detects minute vibrations from keystrokes or ambient sound, converting them into audible signals.
Historical attacks, like the KGB’s 1940s “The Thing” device, inform his approach. By combining affordable components like lasers and photodiodes, Samy reconstructs clear audio, demonstrating the technique’s accessibility.
Keystroke Recovery and Analysis
Using tools like FFmpeg and GNU Radio, Samy processes laser reflections to isolate keystroke sounds. Each key produces distinct acoustic signatures, which frequency analysis decodes, especially when paired with language models. For instance, 100–200 keystrokes suffice to infer typed content in English, akin to cracking a substitution cipher.
Demonstrations show a laptop’s reflective surface betraying typed text, with software recovering input at 10x speed. This highlights the technique’s real-world feasibility, even in noisy environments.
Mitigations and Challenges
Samy addresses noise reduction, a key challenge, by shifting processing to the radio domain, leveraging GNU Radio’s filtering capabilities. Potential defenses include anti-reflective coatings or white noise generators, though these are costly or impractical. He encourages exploring further signal processing improvements, such as advanced denoising algorithms.
The technique’s low cost—using consumer-grade lasers—makes it a potent threat, urging organizations to reassess physical security for sensitive systems.
Broader Implications for Security
Samy’s work extends beyond keyboards, suggesting vulnerabilities in any vibrating surface. He calls for community research into side-channel mitigations, emphasizing that “unhackable” claims invite scrutiny. His open-source tools, shared for experimentation, empower defenders to test and secure their environments.
Links:
[DefCon32] Reverse Engineering MicroPython Frozen Modules
In the realm of embedded systems, MicroPython empowers developers to deploy Python-based solutions on microcontrollers, fueling applications from industrial automation to DEF CON’s #badgelife projects. Wesley McGrew, a Senior Cyber Fellow at MartinFederal, unveils the intricacies of reverse-engineering MicroPython’s frozen modules—compiled code embedded in firmware. Unlike CPython, MicroPython’s unique bytecode and lack of tailored tools pose challenges for analysts. Wesley’s presentation guides enthusiasts through extracting and decoding these modules using Ghidra, offering a pathway to uncover their functionality without debug symbols.
Wesley’s expertise in reverse engineering and offensive security informs his approach, blending technical precision with practical demonstrations. He emphasizes that frozen modules, designed for efficiency, are not secure storage for secrets, especially as his methods expose their contents. This exploration not only aids badge hackers but also underscores the fragility of firmware-based protections.
Navigating Firmware with Ghidra
Wesley begins by addressing the challenge of locating frozen modules within firmware images. Using Ghidra, a powerful disassembler, he identifies module structures, strings, and object data without relying on debug symbols. MicroPython’s architecture, distinct from CPython, compiles modules into bytecode stored in flash memory, often alongside firmware updates.
He demonstrates parsing these structures, extracting raw code, and reconstructing non-frozen modules. This process, while manual, reveals the module’s purpose, from badge interactions to industrial controls, making it accessible for CTF enthusiasts and security researchers.
Decoding MicroPython Bytecode
Delving deeper, Wesley details MicroPython’s bytecode, a compact format optimized for microcontrollers. Unlike CPython’s well-documented opcodes, MicroPython’s require custom analysis. He walks through reading opcodes, mapping their functionality, and reconstructing logic, using a badge-life example to illustrate real-world applications.
This granular approach empowers analysts to understand module behavior, exposing vulnerabilities or unintended features. Wesley cautions against using frozen modules for obfuscation, as physical access to firmware—via flash dumps or over-the-air updates—renders them transparent.
Practical Implications and Community Tools
Wesley highlights the broader impact for badge-life communities, where MicroPython powers interactive devices. His techniques enable hackers to explore CTF challenges ethically, enhancing learning without disrupting competitions. He references resources like The Ghidra Book by Chris Eagle and Kara Nance, recommending it for mastering Ghidra’s capabilities.
While automation of extraction remains complex due to variable data structures, Wesley’s methods lay groundwork for future tools, fostering community-driven advancements in firmware analysis.
Ethical Considerations and Future Directions
Emphasizing responsible use, Wesley advises against exploiting these techniques to spoil CTFs or proprietary systems. Instead, he encourages playful exploration within ethical boundaries, leveraging open-source tools to advance MicroPython security. His work underscores the need for robust firmware protections, as physical access undermines current safeguards.
Links:
[DefCon32] SQL Injection Isn’t Dead: Smuggling Queries at the Protocol Level
Despite advancements in database security, SQL injection persists through novel vectors. Paul Gerste, a security researcher, introduces protocol-level smuggling attacks, bypassing prepared statements by targeting database wire protocols. His research at [redacted], leveraging vulnerable driver libraries, demonstrates how attackers can inject malicious (No)SQL statements, leading to authentication bypasses, data leaks, and remote code execution.
Paul reimagines HTTP request smuggling for binary protocols, desynchronizing applications and databases. By manipulating message boundaries, attackers insert unauthorized queries, exploiting flaws in protocols like MySQL and PostgreSQL. His findings extend beyond databases, impacting message queues and caching systems, revealing a pervasive attack surface.
The talk explores real-world implications across programming languages and frameworks, offering insights into mitigating these threats and inspiring further protocol research.
Protocol Smuggling Mechanics
Paul illustrates how wire protocols, using length-based message fields, are susceptible to manipulation. By crafting oversized payloads, attackers trigger integer overflows, disrupting message parsing. A Go-based HTTP handler, assumed secure with prepared statements, falls to this attack, allowing query injection.
Demonstrations show desynchronization, where malicious messages execute as legitimate queries, bypassing application-layer defenses.
Real-World Applicability
Testing across languages like Python, Java, and Node.js, Paul finds varying resilience. Frameworks with strict input validation fare better, but many database drivers remain vulnerable. He identifies MySQL’s driver as particularly prone, with four-byte length fields enabling large payload exploits.
Caching systems and message queues, like Redis and RabbitMQ, exhibit similar flaws, broadening the attack’s scope.
Mitigation Strategies
Paul proposes robust input validation and size limits to thwart smuggling. Developers must prioritize protocol-level checks, avoiding assumptions about memory-safe languages. Integer overflows, often overlooked, enable these attacks, necessitating renewed scrutiny.
He advocates auditing driver libraries and enforcing strict message boundaries to restore database integrity.
Future Research Directions
Paul encourages exploring two-byte length fields, which ease exploitation, and delimiter-based protocols for alternative vulnerabilities. Large payload techniques could bypass framework restrictions, warranting further investigation.
His tools, shared for pentesting, empower researchers to probe additional protocols, ensuring comprehensive security.