BayThreat 4 - Day Two
After a great day of hanging out with old and new friends, all while getting inspired to start breaking/researching anything from 50 year old behemoths to Internet enabled light bulbs, I raced down the peninsula to the epicenter of the Bay Area's security community at Hacker Dojo. BayThreat Day Two has begun.
In a terrible miscalculation of my sleeping schedule I regretfully missed several morning talks; however, below are the writeups of another series of excellent presentations from the breaker track for the remainder of the day.
BT Wireless Routers: Adventures in Reversing and Exploiting
Zachary Cutlip presented an excellent talk covering a complete cycle of vulnerability hunting, reversing to identify root cause, and exploit development for many consumer wireless routers, using the BT Home Hub 3.0B as a case study.
One of the first attack vectors that Zachary pursued was a straightforward command injection. While the BT device did execute system commands with some potential for tainted user input, it did so in a limited way that did not appear to yield a command injection. For a complete example of a successful command injection discovery and exploitation, see Zachary's blog post on Netgear Root Compromise via Command Injection.
After a bit of disappointment (... and setting fire to a coworker's car), Zachary targeted the configuration file vector, since these files are expected to be well formed and are likely parsed by a shell script. While performing static analysis on the binaries handling the configuration file, Zachary discovered not only the encryption and signing pipeline (XML -> gzip -> AES -> base64 -> sign), but also the exact hard-coded AES key and static IV, allowing creation and modification of arbitrary configuration files for every BT Home Hub router of the same model. I particularly liked the tip on how to use/abuse a complex encryption/signing mechanism by treating it as a black box: load the device's library into your own binary with LD_PRELOAD and call its functions to produce and modify configuration files. Unfortunately, the configuration file vector did not reveal any parameters that could be abused to yield code execution.
At this point Zachary started pulling more fun techniques out of his bag of tricks. He proceeded to build a MIPS emulation environment using QEMU, complete with a custom library that simulates the necessary NVRAM keys to trick applications into running as if they were still on the wireless hub. Finally, Zachary hit paydirt while analyzing the bcmupnp binary, a UPnP server running on the device. An unsafe strcpy() call handling the M-SEARCH Search Target (ST) header when set to a uuid string was vulnerable, so a request of the form ST:uuid:AAAAAAAAA....\0 would cause a classic overflow.
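As an added illustration (not Zachary's code or the bcmupnp source), here is a C version of the unsafe strcpy() pattern beside a bounded M-SEARCH ST-header parser that rejects oversized values instead of copying them; the buffer size, sample datagrams and function names are constructed assumptions.

```c
#include <ctype.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* Search Target buffer size: a constructed assumption, not bcmupnp's real value. */
#define ST_MAX 64

/* Unsafe pattern from the talk, shown for contrast and never called:
 *     strcpy(st, value);   // st is char[ST_MAX]; a long uuid value overruns it */

/* Copy the ST header value of an SSDP M-SEARCH datagram (CRLF-separated
 * headers) into a bounded buffer. Returns 0 on success, -1 if there is no
 * ST header, -2 if the value would not fit (rejected, not truncated). */
int extract_search_target(const char *req, size_t req_len,
                          char *out, size_t out_len)
{
    const char *p = req, *end = req + req_len;
    while (p < end) {
        const char *eol = memchr(p, '\n', (size_t)(end - p));
        size_t line_len = eol ? (size_t)(eol - p) : (size_t)(end - p);
        if (line_len >= 3 && strncasecmp(p, "ST:", 3) == 0) {
            const char *v = p + 3, *ve = p + line_len;
            while (v < ve && isspace((unsigned char)*v)) v++;       /* leading ws */
            while (ve > v && isspace((unsigned char)ve[-1])) ve--;  /* CR, ws */
            size_t vlen = (size_t)(ve - v);
            if (vlen >= out_len) return -2;   /* leave room for the NUL */
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return 0;
        }
        if (!eol) break;
        p = eol + 1;
    }
    return -1;
}

/* Constructed sample datagrams, not captures from a real device. */
const char BENIGN[] =
    "M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
    "MAN: \"ssdp:discover\"\r\nMX: 2\r\n"
    "ST: uuid:00000000-0000-0000-0000-000000000000\r\n\r\n";
const char OVERSIZED[] =
    "M-SEARCH * HTTP/1.1\r\nMAN: \"ssdp:discover\"\r\nST: uuid:"
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n\r\n";

static char g_st[ST_MAX];
/* Run the bounded extractor over one datagram; returns its result code. */
int scan_sample(const char *req) { return extract_search_target(req, strlen(req), g_st, sizeof g_st); }
/* Value captured by the last successful scan_sample() call. */
const char *last_target(void) { return g_st; }
```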
Unfortunately, due to being short on time Zachary was not able to go into the specifics of exploit development in the MIPS environment; however, you can find this information in the talk From SQL Injection to MIPS Overflows that he presented at BlackHat and Defcon in 2012.
The demo gods were merciful and the audience enjoyed the power of exploits riding on top of UDP broadcast messages owning anything vulnerable on the network segment.
For additional details about this talk please review the Reverse Engineering and Exploiting the BT HomeHub 3.0b WhitePaper and be sure to check out Zachary's blog The Shadow File for plenty more router exploits.
Hacking is bullshit! Also check out Craig Heffner's /dev/ttyS0 Blog for even more awesome vulnerability research in wireless routers.
- BT Home Hub 3.0B - hardware specification of the device.
- BayThreat 2013 Presentation - Additional Resources.
- miranda-upnp - Python UPnP client useful for vulnerability discovery.
- Exploit PoC - Zachary's Github page with the exploit and notes on the vulnerability.
- From SQL Injection to MIPS Overflows
- Reverse Engineering and Exploiting the BT HomeHub 3.0b WhitePaper
No Apology Required: Deconstructing BB10
The presentation started with a technical description of the QNX operating system and several frameworks running on it, such as WebKit, Adobe Flash, Adobe AIR (preferred for BlackBerry apps), the Android runtime, BB Balance (an isolated environment/container for corporate data), WebWorks and native apps written in C/C++. The underlying system appeared pretty solid with its microkernel architecture and component separation for network, I/O, etc. The use of OpenBSD pf for the firewall, compiler/linker protections (ProPolice, PIE, RELRO) for its binaries, ASLR and POSIX ACLs also sounded pretty reassuring.
Just as things were looking pretty good for the BlackBerry, Zach and Ben got into the mess of bash/python scripts used as glue for critical services such as authman, the service that controls app permissions. This becomes a particularly juicy target for further research considering that once BlackBerry Balance is set up, all access to its content is controlled by authman, which in turn is glued together by pf/ACL shell scripts.
To facilitate this research, Zach and Ben discussed how to set up a proper environment for dynamic analysis (BlackBerry Simulator, QNX Software Development Platform) and static analysis (pbtools for firmware files, unpyc3.py for the glue Python scripts, Sothink for AIR content, etc.).
I found the part of the talk on BB10 attack surface particularly interesting as it outlined a collection of threat vectors based on previous vulnerabilities and current research:
- Network Services - Samba, WWW (bozonhttpd running CGI), WebDAV, Proxy (Saphire Proxy), SSH.
- WiFi - host management performed using Samba/HTTP, UPnP, Internet gateway, standard network attacks.
- HDMI/USB - can be used for transfer, runs Ethernet.
- Bluetooth - BB bridge, Saphire Proxy (tethers the handset to the tablet), HTTP/WebDAV management.
- Cellular - to be researched.
- NFC - to be researched.
- BB Desktop - runs web services to interact with BB10's WebDAV/HTTP interfaces.
- Local Apps - malware client, local permission issues, privilege escalation.
The presentation was designed to provide the necessary background knowledge and target vectors for security researchers to begin exploring the BlackBerry 10 platform. Although there is relative disinterest in the security community in exploring a company that is not doing so well lately, BB10 is still a DoD approved platform, making it a worthwhile target. For a presentation on the vulnerabilities actually found, take a look at Zach and Ben's PlayBook exploitation talk from last year.
- Voight-Kampff'ing The BlackBerry PlayBook
- Dissecting Blackberry 10 – An initial analysis
- QNX Foundry
Bob's Adventures in Chemo
A fun talk by Boris Sverdlik about a fictional character, Bob, trying to get his medical records and being prevented from getting them by his hospital. I thought of this talk as a hacker version of a Breaking Bad episode in which the main character just goes nuts on the hospital network, sniffing, intercepting and backdooring everything he can, all while illustrating common insecurities and how to exploit them.
After further research, I really wish ...Bob good health in the year 2014.
Applying Machine Learning to Network Security Monitoring
Alexandre Pinto did a great job demystifying big data as an ecosystem, explaining the foundations of machine learning and exploring security applications of ML such as log analysis, spam detection and identification of threat actors.
Introductory topics on big data covered the overall ecosystem (Hadoop clusters, data sets and data analysis). The machine learning discussion covered supervised learning (classification and regression), unsupervised learning (clustering, decomposition), how ML can be used for security (fraud detection, network anomaly detection, predicting attack actors), and implementation pitfalls (spammers learning the model and circumventing it).
The core of Alexandre's talk concentrated on a set of ML algorithms he has been developing for detection of malicious behavior based on analysis of log entries. Below are a few examples of such algorithms:
- Feature Intuition: IP Proximity - analysis of geolocation, "bad neighborhoods" and network proximity to identify bad actors.
- Feature Intuition: Temporal Decay - dealing with attackers moving around and changing IP addresses, which invalidates the above information over time.
- Feature Intuition: DNS Features - member domains of an IP address, any suspicious records, etc.
Alexandre concluded the talk by outlining several resources to get started with data science for security applications: knowledge of programming languages (Python and R), basic statistics, and the Coursera classes listed below.
- MLSec - main project page on the use of machine learning for log monitoring.
- scikit-learn - Machine Learning in Python.
- Coursera: Machine Learning
- Coursera: Data Analysis
- Coursera: Data Science
Wacky Bugs and Running a Bug Bounty
An entertaining and insightful talk by Collin Greene, a security engineer at Facebook, on his experience with the company's bug bounty program and some anecdotes on wacky/serious bugs that came through it.
Collin began with an explanation of some of Facebook's security programs such as code reviews, static/dynamic analysis and security testing. He views the bug bounty program as a complementary service to existing tools, people and security services. Some numbers on the bug bounty program: since July 2011, Facebook has paid out 1.5 million dollars, with ~14% of discovered bugs classified as critical (aka "unbreak now").
Stories about some of the more serious bugs included Shockwave files vulnerable to XSS, interns introducing vulnerabilities in everything they touched, and logic bugs that allowed group takeovers through a combination of blocking and auto-promotion to admin. Wacky bugs ranged from hard-coded passwords in a demo iOS app, people bypassing security verification questions by figuring out the algorithm used to generate driver's license numbers, a Facebook recruiting video shot in high enough resolution to reveal a live MySQL password, dirbusting for vulnerable development Shockwave files, and others. There was also a fun story about Facebook spammers backstabbing each other by closing down the bugs of their opposition.
Collin had an insightful discussion of the challenges involved in running a bug bounty program, such as signal-to-noise ratio, bad bugs, dealing with testers and language barriers. However, the overall feel for the program was positive because even with the ever increasing number of submissions, the few good bugs make the program worth it.
A very successful year for BayThreat with a great new venue. Kudos to the organizers for making the con run so smoothly and getting all of the great speakers to come from all over the country. During the conference, you could feel the vibe of openness, genuine curiosity about learning new things and excitement of meeting old and new friends among the attendees. This made BayThreat a truly special event worthwhile to continue for years to come.
Until next year!
All original content on this site is copyright protected and licensed under Creative Commons - Attribution, NonCommercial, ShareAlike 4.0 International.