The agenda for Day 1 of the 9th annual HITB Security Conference in The Netherlands has been announced, and it's packed with cutting-edge research on a range of attack and defense topics, from cryptocurrencies to fuzzing and more.
Invoke-DOSfuscation: Techniques FOR %F IN (-style) DO (S-level CMD Obfuscation)
In this presentation, Daniel Bohannon, a Senior Applied Security Researcher with MANDIANT's Advanced Practices group, will dive deep into cmd.exe's multi-faceted obfuscation opportunities, beginning with carets, quotes and stdin argument hiding. He will then build up to more complex techniques, including FIN7's string removal/replacement concept and two never-before-seen obfuscation and full encoding techniques, all performed entirely in memory by cmd.exe. Finally, he will outline three approaches for hiding binary names from static and dynamic analysis, while highlighting lesser-known cmd.exe replacement binaries.
Ticket to Ride: Abusing The Travel and Hospitality Industry for Profit
This presentation covers research into underground travel fraud schemes that are frequently exploited for profit. These include a variety of abuses, from credit card fraud to the exploitation of vulnerabilities in travel systems, booking platforms and mileage programs. The authors cover a number of typical cases that they encountered in their investigation, studying the fraud from the victim's perspective, the "customer" side, and the criminal actor's side.
How to Analyze and Find Bugs in MacOS and iOS Kernel Drivers
In this talk, the authors will share their experience of analyzing and finding bugs in macOS and iOS kernel drivers (in short, Apple drivers). They will introduce their open-source tool, Ryuk, for analyzing Apple drivers, which greatly facilitates manual review and static analysis. Further, they will introduce two zero-day kernel driver vulnerabilities they recently found that can be exploited for privilege escalation on macOS 10.13.2. Several new kernel exploitation strategies they use on the latest macOS will also be explained and discussed.
Rooting Android 8 with a Kernel Space Mirroring Attack
In this presentation, the authors will first detail the exploitation of an out-of-bounds write vulnerability in the Android media framework. Since the overwritten bytes are all 0x80 and the vulnerability is triggered while decoding a crafted MP4 file, it is quite challenging to shape the memory layout of a remote high-privilege process and achieve PC control. They will detail how shared memory can be used to pad the memory and bypass ASLR, how to escape the SECCOMP sandbox of mediacodec, and how to control one thread of mediaserver with an almost 100% success rate. They will also showcase a new rooting solution, ReVent. It derives from a use-after-free vulnerability caused by a race condition, which affects all Android devices shipped with a Linux kernel of version 3.18 or later and can be triggered by any untrusted application.
Applying Machine Learning to User Behavior Anomaly Analysis
This talk is based on the results of an R&D project aimed at building a solution for user behavior security analytics. Eugene Neyolov, Head of R&D at ERPScan, will describe various methods and ideas for anomaly detection solutions built to understand user behavior trends and find abnormal activity using state-of-the-art neural networks.
Hacking Intelligent Buildings
Most of today's buildings use a variety of intelligent building systems to manage a wide range of equipment. Companies such as Siemens, ABB, and Schneider Electric have introduced their own intelligent building products. At present, the communication protocols mainly used in the intelligent building industry are KNX in the industrial field and ZigBee in the household field. In this talk, the authors will talk about how to attack smart buildings.
Ghost Tunnel: Covert Data Exfiltration Channel to Circumvent Air Gapping
In recent years, attacking air-gapped networks through HID devices has become increasingly popular. An HID attack uses the USB interface to forge the user's keystrokes or mouse movements in order to modify system settings and run malware. In 2009, the NSA's Office of Tailored Access Operations (TAO) developed COTTON-MOUTH, a USB hardware implant that provides a wireless bridge into a target network as well as the ability to load exploit software onto target PCs. Unlike COTTON-MOUTH, Ghost Tunnel uses the HID device only to deliver the payload; the device can be removed once the payload has been released.
Attacking Microsoft’s .NET Framework Through CLR
In this talk, the authors first introduce the managed execution environment and managed code of the .NET Framework and discuss the security weaknesses of this code execution method. After that, they show an exploit for SQL Server through the CLR and their automated tools for this exploitation. They will introduce a backdoor with administrator privilege based on hijacking the CLR of arbitrary .NET applications. In addition, they extend their CLR security study to Microsoft Office via VSTO (Visual Studio Tools for Office). The result shows that they could convert a document-level customization into a program-level customization and execute arbitrary code quietly.
Brida: When Burp Suite meets Frida
Brida was created to help the penetration tester/hacker bypass client-side security features implemented in a mobile application and quickly reach the core of the target application. Brida is a plugin that acts as a bridge between Burp Suite (the de-facto standard tool in web application pentesting) and Frida (a multi-platform dynamic code instrumentation toolkit). Thanks to Brida, it is possible to delegate the handling of these security features to the mobile application itself, by calling application functions with Frida directly from Burp Suite.
Smashing Ethereum Smart Contracts for Fun and ACTUAL Profit
In this talk, Bernhard Mueller, Security Engineer at ConsenSys, will investigate recent incidents and shed light on the various types of flaws that occur in Ethereum smart contracts. He'll show how to explore the blockchain and reverse engineer smart contract bytecode using Mythril, the "nmap of Ethereum". He will also demonstrate the use of symbolic analysis to detect different types of vulnerabilities, including those resulting from inter-contract calls. Finally, he'll show how to auto-generate Ethereum exploits using the Z3 solver.
Sneaky Element: Real World Attacks Against Secure Elements
This talk will demonstrate a real-world attack against a globally deployed Secure Element that allows any adversary to impersonate any device secured by the element, resulting in access to otherwise secured networks, and more. Don Bailey, Founder of Lab Mouse Security, will not only give a live demonstration of the technology and the exploit, but will also publish open-source software that facilitates the attack (some of which he has already published). He will also describe why the attack is successful, and the common gaps in scaling secure elements for global deployments. Finally, Don will describe how this attack was predicted by him and the GSMA team during the development of the IoT Security Guidelines, released in 2016.