Archives of POC2016
Events of POC2016
PWNFEST by POC
PwnFest is a bug pwning 'festival' for better security organized by POC with the help of sponsors, vendors, and judges in 2016. You can enjoy PwnFest every year.
DATE: 2016.11.10 ~ 11
VENUE: TheK-Hotel

Belluminar by POC
Belluminar, the hacking contest of POC, started at POC2015 in Korea for the first time. Belluminar comes from 'Bellum' (war in Latin) and 'seminar'. It is not just a hacking contest but a kind of festival consisting of a CTF and a seminar about the solutions to the challenges. Only invited teams can join Belluminar. Each team can show its ability to attack what other teams want to protect and can defend what others want to attack.
DATE: 2016.11.10 ~ 11
VENUE: TheK-Hotel

Power of XX by SISS & HackerSchool
Who can show the power of XX this year? 'Power of XX' is the only hacking contest for women.
DATE: 2016.10.09 (preliminary round, online), 2016.11.10 (the final)
VENUE: TheK-Hotel
EMAIL: SISSofsookmyung@gmail.com

KIDS CTF by SISS & HackerSchool
'KIDS CTF' is a hacking contest for kids: elementary school and middle school students in Korea. This event encourages young boys and girls to study information security and to develop an ethical attitude.
DATE: 2016.10.09
VENUE: Space POC
EMAIL: SISSofsookmyung@gmail.com
Ben Gras, “Flip Feng Shui: Hammering a Needle in the Software Stack”
Ben Gras has been part of the systems security research group at the Vrije Universiteit Amsterdam since January 2015. He likes working on hacking with hardware and side channels. Previously, he was a scientific programmer working on the Minix operating system under Andy Tanenbaum for 10 years.
[Abstract]
==========
We introduce Flip Feng Shui (FFS), a new exploitation vector which allows an attacker to induce bit flips over arbitrary physical memory in a fully controlled way. FFS relies on hardware bugs to induce bit flips over memory and on the ability to surgically control the physical memory layout to corrupt attacker-targeted data anywhere in the software stack. We show FFS is possible today with very few constraints on the target data, by implementing an instance using the Rowhammer bug and memory deduplication (an OS feature widely deployed in production). Memory deduplication allows an attacker to reverse-map any physical page into a virtual page she owns as long as the page’s contents are known. Rowhammer, in turn, allows an attacker to flip bits in controlled (initially unknown) locations in the target page. We show FFS is extremely powerful: a malicious VM in a practical cloud setting can gain unauthorized access to a co-hosted victim VM running OpenSSH. Using FFS, we exemplify end-to-end attacks breaking OpenSSH public-key authentication, and forging GPG signatures from trusted keys, thereby compromising the Ubuntu/Debian update mechanism. We conclude by discussing mitigations and future directions for FFS attacks.
Brian Pak(Cai), “Effective Patch Analysis for Microsoft Updates”
Brian Pak (Cai) is Co-founder/Researcher at Theori. Reverse engineering / exploit development. Automotive security. R&D. Founder of the Plaid Parliament of Pwning (PPP) CTF team. 3 wins at DEF CON CTF finals, and numerous wins at other international CTFs.
[Abstract]
==========
Every Patch Tuesday, many people get busy. Whether you are an IT administrator who needs to deploy patches or a security researcher who wants to learn what vulnerabilities were fixed (or a pentester who wants to develop 1-day exploits), you have to maintain and manage released patches -- especially if you have to do it for multiple systems. In this talk, we take a look at the general process of patch analysis. We walk through each step from downloading the patch to a weaponized exploit. For the case study, we perform the analysis for CVE-2016-0189 (vbscript.dll) and the jscript9.dll security bug fixed in MS16-063. At Theori, we built a system called 'Petch' (Patch + Fetch) that can help you manage Microsoft's patches/updates more effectively. The system will expedite patch analysis by providing a database of the updates of interest, as well as the symbol files for the executable files. Petch is not a cloud service, but we will open-source it shortly after the conference, so it can be set up locally. While we only cover browser vulnerabilities and exploits, the techniques and tools can be used for a variety of things such as kernel drivers.
Chen Yan, Wenyuan Xu, and Jianhao Liu, “Can You Trust Autonomous Vehicles: Contactless Attacks against Sensors of Self-Driving Vehicles”
[Speaker Info]
==========
Chen Yan is a Ph.D. student at Zhejiang University in the Ubiquitous System Security Laboratory. His research focuses on the security and privacy of wireless communication and embedded systems, including automobiles, analog sensors, and IoT devices.
Wenyuan Xu is a professor in the College of Electrical Engineering at Zhejiang University and an associate professor in the Department of Computer Science and Engineering at the University of South Carolina. She received her Ph.D. degree in Electrical and Computer Engineering from Rutgers University in 2007. Her research interests include wireless security, network security, and IoT security. She is among the first to discover vulnerabilities of tire pressure monitoring systems in modern automobiles and automatic meter reading systems. Dr. Xu received the NSF CAREER Award in 2009. She has served on the technical program committees for several IEEE/ACM conferences on wireless networking and security, and she is an associate editor of the EURASIP Journal on Information Security.
Jianhao Liu is the director of ADLAB at Qihoo 360. He specializes in the security of the Internet of Things and the Internet of Vehicles. He has reported a security vulnerability of the Tesla Model S, led security research on the remote control of a BYD car, and participated in the drafting of security standards within the automobile society. Being a security expert employed by various information security organizations and companies, he is well experienced in security services, security evaluation, and penetration testing.
[Abstract]
==========
To improve road safety and driving experiences, autonomous vehicles have emerged recently, and they can sense their surroundings and navigate without human input. Although promising and providing safety features, the trustworthiness of these cars has to be examined before they can be widely adopted on the road.
Unlike traditional network security, autonomous vehicles rely heavily on their sensory ability of their surroundings to make driving decisions, which opens a new security risk. Thus, in this talk we examine the security of the sensors of autonomous vehicles, and investigate the trustworthiness of the 'eyes' of the cars. In this talk, we investigate sensors whose measurements are used to guide driving, i.e., millimeter-wave radars, ultrasonic sensors, and forward-looking cameras. In particular, we present contactless attacks on these sensors and show our results collected both in the lab and outdoors on a Tesla Model S automobile. We show that using off-the-shelf hardware, we are able to perform jamming and spoofing attacks, which caused the Tesla's blindness and malfunction, all of which could potentially lead to crashes and greatly impair the safety of self-driving cars. To alleviate the issues, at the end of the talk we propose software and hardware countermeasures that will improve sensor resilience against these attacks.
Gleb Gritsai, Sergey Gordeychik, “The Great Train Cyber Robbery”
[Abstract]
==========
In this report the SCADA StrangeLove team will show, by the example of railways, the link between information security and industrial safety, and demonstrate how root access gained in a few minutes can bring to naught all the years of effort that were devoted to improving the fail-safety and reliability of the ICS system. Railroads are complex systems and process automation is used in different areas: to control power, switches, signals and locomotives. In this talk we will analyze threats and vulnerabilities of fundamental railroad automation systems such as computer-based interlocking, automatic train control and automatic train protection.
Keen Lab, “Hacking Phones from 2013 to 2016”
Qidan He (a.k.a. Flanker) is a security researcher focusing on mobile security at KeenLab of Tencent (formerly known as Keen Team). His major experience includes vulnerability hunting & exploitation on *nix platforms. He is frequently credited in various security bulletins and advisories, most of them Android's and Apple's. He is the winner of the Pwn2Own 2016 OS X category and a member of the Master of Pwn champion team. He has spoken at conferences like BlackHat, REcon, CanSecWest, DEFCON, HITCON and QCON.
Liang Chen is a senior security researcher at KeenLab of Tencent (formerly known as Keen Team). Liang has strong research experience in software vulnerability exploitation and vulnerability discovery. During these years, Liang's major research area was browser exploitation including Safari, Chrome, Internet Explorer, etc. on both PC and mobile platforms. Liang also researches sandbox escape technology on various platforms. Liang led Tencent Security Team Sniper to win "Master of Pwn" in Pwn2Own 2016. Liang is also the winner of the iPhone Safari category in Mobile Pwn2Own 2013 and the Mavericks Safari category in Pwn2Own 2014. Liang has spoken at several security conferences including XCON 2013, BlackHat Europe 2014, CanSecWest 2015/2016, POC 2015, etc.
[Abstract]
==========
As the security of mobile devices has drawn more and more attention from underground attackers and the innocent public, both vendors and security researchers rush to fuzz and audit both closed-source and open-source components to eliminate security vulnerabilities. However, hidden corners still exist due to the nature of the operating system, which introduce a vulnerability pattern that has been overlooked before. In this talk we will focus on a complete exploit chain consisting of brand new bugs, starting from compromising the browser renderer to escaping the sandbox and fresh kernel bugs that can be used to elevate privilege from a constrained domain, found by this pattern.
The talk will be concluded by remote exploitation demos on up-to-date major mobile devices.
Kevin Borgolte, “Cyber Grand Shellphish: Shellphish and the DARPA Cyber Grand Challenge”
Kevin Borgolte is a PhD candidate in the Computer Science department at UC Santa Barbara. He is an active member of the Shellphish Capture the Flag team, played various DEFCON CTFs with them in the past years, and won third place with some other selected members at DARPA's Cyber Grand Challenge, which came with a total of $1,500,000 of prize money including the qualification prize. Kevin has also been an organizer of the International Capture the Flag contest, which has been held annually since 2001. Kevin has published at top-tier academic security conferences like USENIX Security, ACM CCS, and WWW. In his research, he focuses on data-driven security and spans from web-based malware and threats to cybercrime, the underground economy, and large-scale abuse to adversarial machine learning. He also dabbles in automatic vulnerability discovery and exploitation.
[Abstract]
==========
Autonomous hacking is becoming a reality. Over the last years, DARPA organized the Cyber Grand Challenge (CGC), a security competition in which participants had to develop a system able to automatically exploit and patch binaries without any manual interaction. We, Shellphish, qualified for the final event and fielded our Cyber Reasoning System, the Mechanical Phish, against six other competitors. Our system placed third overall, was the first self-funded team, and the first academic-only team. In this talk, we introduce Mechanical Phish. We present the challenges we faced and tackled, and the solutions we implemented for them while developing one of the first fully-autonomous hacking systems, which spans over 100,000 lines of code (mostly in Python). We have open-sourced Mechanical Phish and we demonstrate how it can be used to automatically find bugs, create exploits, and patch vulnerable binaries. Specifically, Mechanical Phish uses a combination of symbolic execution (powered by angr, the binary analysis platform developed at UC Santa Barbara) and fuzzing to find bugs.
From exploitable bugs, it automatically generates proofs of vulnerability to show code execution capabilities. In addition, our system patches existing binaries to make them resilient against known and unknown attacks with negligible performance impact. Finally, given the hardware setup and the no-human-intervention policy of the Cyber Grand Challenge final event, we will touch on how we designed Mechanical Phish to be extremely reliable, efficient in resource usage, and a fault-tolerant distributed system.
Maxim Goncharov, "badWPAD"
Maxim Goncharov is a Threat Analyst with 15 years of working experience in the field of computer security. He is equipped with knowledge in the research and development of threat analytics systems, producing white papers based on research work and presenting these research results at security conferences. He participates as a speaker at various security conferences and training seminars regarding the topic of cybercrime and related issues (e.g. cyberterrorism, cybersecurity, underground economy, etc.), like PacSec, Power of Community, DeepSec, VB, APWG. Russian Underground research and the development of secure analytics tools are some of the most important parts of his day-to-day work.
[Abstract]
==========
WPAD (Web Proxy Auto Discovery) is a protocol that allows computers to automatically discover Web proxy configurations. It is primarily used in networks where clients are only allowed to communicate to the outside through a proxy. The WPAD protocol has been around for almost 20 years (RFC draft 1999-07-28), but its well-known inherent risks have been largely ignored by the security community. This session will present the results of several experiments highlighting the flaws inherent in this badly designed protocol (WPAD), and bring attention to the many ways they can be easily exploited. Our research expands on these known flaws and proves a surprisingly broad applicability of "badWPAD" for possible malicious use today by testing it in different environments. The speaker will share how his team initially deployed a WPAD experiment to test whether WPAD was still problematic or had been fixed by most software and OS vendors. This experiment included attacks in 1) intranets and open-access networks (e.g. free Wi-Fi spots and corporate networks) and 2) DNS attacks on clients leaking HTTP requests to the Internet.
Attendees will hear the rather surprising results that this experiment yielded: the DNS portion of the experiment revealed more than 38 million requests to the WPAD honeypot domain names from oblivious customers, while the intranet free Wi-Fi experiment proved that almost every second Wi-Fi spot can be utilized as an attack surface. This test included Wi-Fi at airport lounges, conferences, hotels and on board aircraft, and we were amazed that apparently nobody realized what their laptop was secretly requesting. It seems that this neglected WPAD flaw is growing, while it's commonly assumed to be fixed. The paper will conclude with statistics that reveal why the return of badWPAD should be a major security concern and what should be done to protect against this serious risk.
MJ0011 & Yuki Chen, “Escape Plans: A Year's Journey with Microsoft Edge Sandbox”
MJ0011 is a security researcher and the general manager of the Department of Core Security at Qihoo360. He leads the vulnerability research team 360Vulcan, which has achieved hundreds of CVEs from Microsoft/Apple/Adobe and won targets at Pwn2Own 2015/2016.
Yuki Chen is a security research fellow at Qihoo360 and also a core member of the 360Vulcan Team. Together with the 360Vulcan Team in the Pwn2Own 2016 and 2015 competitions, they have succeeded in breaking multiple targets, such as IE, Chrome and Flash. Yuki has over 7 years of experience in the field of information security, and is now leading a team working on finding security vulnerabilities at Qihoo360. His specialty is security vulnerability digging and analysis, and developmental area employment. In addition, he has found more than 100 high-risk security vulnerabilities in mainstream browsers, Adobe Flash, PDF, Java and other applications. Meanwhile, he has given talks at Syscan, Syscan360, 44Con, XCon, BlackHat EU, HITCON and other related security conferences.
[Abstract]
==========
With the aim of "Building a safer browser", Microsoft keeps adding security improvements to their Edge browser. As one of the most important exploit mitigation techniques in the Edge browser, the sandbox also keeps evolving. Last year we discussed the security features of Microsoft Edge as well as a critical bug inside the Edge sandbox that could escape from its “safer” sandbox. As a year went by, Microsoft did more work on improving the security of the sandbox and our escape research has continued to follow. In the Windows 10 Anniversary Update (RS1), we have seen many new security features being added to the Edge sandbox, such as disabling child process creation, plugin isolation, the win32k filter and so on. In this presentation, we will first go through the important sandbox improvements added in Windows 10 RS1.
We will introduce the mechanism of the new security features in the Edge sandbox by analyzing how they are implemented, and we will also discuss how those new features can make the Edge sandbox stronger. Then we will go through the attack surfaces of the Edge sandbox, mainly focusing on OS kernel APIs and sandbox/system RPC calls. For each attack surface, we will introduce some real bugs (including the kernel bugs we used in this year's Pwn2Own contest) and show how we exploit those bugs to escape from the sandbox. We will also introduce the fuzzing tool we used to find RPC bugs in Edge and some interesting bugs that we found with that tool.
Pangu, “Analysis of iOS 9.3.3 Jailbreak & Security Enhancements of iOS 10”
Team Pangu consists of several senior security researchers and focuses on mobile security research. Team Pangu is known for the multiple releases of jailbreak tools for iOS 7, iOS 8, and iOS 9. Team Pangu actively shares knowledge with the community and presents the latest research at well-known security conferences including BlackHat, CanSecWest, POC, and Ruxcon.
[Abstract]
==========
In this talk, we will first disclose details of the kernel vulnerability that was exploited in the Pangu9 jailbreak for iOS 9.3.3. Since the vulnerability is triggerable inside the container sandbox, Apple released an update (9.3.4) to fix the single bug in a short time. We will show how to exploit this bug to break KASLR and then gain arbitrary kernel code execution. After discussing the bug, we will continue to introduce some security enhancements in iOS 10. In fact, iOS 10 has fixed lots of unpublished bugs and enhanced some security mechanisms such as KPP, the sandbox and kernel heap management. In addition, we will talk about the new hardware-based protection of the iPhone 7 (Plus).
Paulo Shakarian, “Scaling to the Adversary: Machine Learning Driven Mining of Threat Intel from the Darkweb”
Paulo Shakarian, Ph.D. is the CEO and Founder of IntelliSpyre, Inc., a company specializing in cyber threat intelligence mined from the deep and dark web. He is also a Fulton Entrepreneurial Professor (tenure-track) at Arizona State University where he directs the Cyber-Socio Intelligent System (CySIS) Laboratory, specializing in cyber-security, social network analysis, and artificial intelligence. He has written numerous articles in scientific journals and has authored several books, including Elsevier’s Introduction to Cyber-Warfare and Cambridge’s forthcoming Darkweb Cyber Threat Intelligence Mining. Recently, his work was featured in major news media including Forbes, the New Yorker, Slate, The Economist, Business Insider, TechCrunch, and the BBC. Shakarian's company, IntelliSpyre, was recently selected as a semi-finalist in the Cisco Innovation Grand Challenge (one of 15 of over 5,700 applicants). Paulo was named a KDD Rising Star in 2016 by Microsoft Research Asia, is a New America Fellow and recipient of the Air Force Young Investigator award, DURIP award, DoD Minerva award, FOSINT-SI Best Paper, MIT Tech. Review “Best of 2013”, and was a DARPA Service Chief’s Fellow. Previously, Paulo was an officer in the U.S. Army where he served two combat tours in Iraq, earning a Bronze Star and the Army Commendation Medal for Valor. He also previously worked as an Assistant Professor at West Point. Paulo holds a Ph.D. and M.S. in computer science from the University of Maryland, College Park, and a B.S. in computer science from West Point (with a Depth of Study in Information Assurance).
[Abstract]
==========
The number of Tor sites has more than doubled since February of 2016, and many of these new sites are havens for malicious hackers where they buy, sell, and trade exploits, malware, and hacking-as-a-service (HaaS).
Growth in these communities is occurring worldwide with new sites emerging constantly, not only from the traditional locations such as the former Soviet bloc, western Europe, and the U.S., but now South America, the Middle East, and the Asia-Pacific region are also showing significant growth in deep and darkweb malicious hacker communities. In the near future, the expense of using solely human analysts to monitor these sites will prove unsustainable. In this talk, we describe how machine learning and data mining can address this problem. We introduce our framework for crawling the deep and darkweb, and describe various data mining and machine learning challenges we address in cleaning, normalizing, and organizing the data. Then we show how this data can provide insights into hacking communities, malware and exploit product offerings, and other use cases. We will also highlight some interesting findings that we uncovered that involve hacker actions across multiple deep and darkweb sites. The talk will include a brief demo of our platform.
Petr Švenda, Peter Sekan, “The Million-Key Question – How RSA Public Key Leaks Its Origin”
Petr Švenda is a security researcher at Masaryk University, Brno, Czech Republic. He engages in the research of randomness and pseudo-randomness and of key distribution protocols usable for systems with multiple parties, often with devices significantly limited in performance capabilities and/or working in a partially compromised environment, e.g., cryptographic smart cards or wireless sensor networks. He also focuses on the utilization of secure hardware in complex scenarios and the development of secure applications on such platforms at Enigma Bridge, Cambridge, UK.
[Abstract]
==========
Can bits of an RSA public key leak information about design and implementation choices such as the prime generation algorithm? We analysed over 60 million freshly generated key pairs from 22 open- and closed-source libraries and from 16 different smartcards, revealing significant leakage. The bias introduced by different choices is sufficiently large to classify a probable library or smartcard with high accuracy based only on the values of public keys. Such a classification can be used to identify the library responsible for the occurrence of weak keys, to quickly detect other keys from the same vulnerable library, to decrease the anonymity set of users of anonymous mailers or operators of linked Tor hidden services, or to verify a claim of use of secure hardware by a remote party. The classification of the key origins of more than 10 million RSA-based IPv4 TLS keys and 1.4 million PGP keys also provides an independent estimation of the libraries that are most commonly used to generate the keys found on the Internet. Our broad inspection also provides deep insight regarding which of the recommendations for RSA key pair generation are followed in practice, including closed-source libraries and smartcards. The talk will be based on a USENIX Security 2016 paper and will provide additional fresh details from the continuous analysis of more libraries and smartcards we currently perform.
Shinjo Park, “White Rabbit in Mobile: Effect of Unsecured Clock Source in Smartphone OS and Apps”
Shinjo Park is a PhD student in Security in Telecommunications, TU Berlin. He is interested in breaking and fixing cellular network entities and mobile applications in the world. Before joining TU Berlin, he finished his master's degree at KAIST. During his free time, he translates various free software into Korean, including KDE, Nextcloud and VirtualBox.
Altaf Shaik is a PhD student in Security in Telecommunications, TU Berlin. He is interested in studying security issues in 4G-LTE cellular networks, devices and their applications.
[Abstract]
==========
Modern smartphones can obtain the clock either via the Internet, GPS or the mobile network (2G/3G/4G). Clock spoofing attacks over the Internet and GPS are widely known, unlike attacks over the mobile network. In this talk, we deeply analyze the management of several clock sources and their security aspects inside smartphones. We also demonstrate clock spoofing attacks over mobile networks using a low-cost fake base station. The attacks are a result of configuration problems from mobile network operators and implementation-specific issues from mobile baseband and OS designers. Further, we present the following attacks using clock spoofing on mobile OS and applications, including:
- Analyzing the effect of clock spoofing on basic mobile network operation
- Remote DoS attack on Android, addressed as CVE-2016-3831
- Hindering operation of famous applications, including mobile messengers and banking apps
SysSec@KAIST, “Breaking VoLTE, not VoIP”
Hongil Kim is a Ph.D. candidate in the System Security Laboratory at the Korea Advanced Institute of Science and Technology. He received his M.S. and B.S. in electrical engineering from KAIST. He has broad interests in system security. In particular, he is mainly working on cellular network systems and mobile device security.
Dongkwan Kim is a master's student in the Department of Electrical Engineering at KAIST. He is interested in various fields of security: cellular networks, embedded devices, sensing and actuation systems. He is now working on designing a secure architecture for cellular networks, and building a spoofing detection and prevention framework for sensing and actuation systems. He has been working on several embedded devices such as automobiles, smart TVs, network routers, and femtocells. He participated in several hacking CTFs (DEFCON, Codegate, Whitehat Contest, HDCON) as a member of KAIST GoN. He holds a BS from KAIST (2014) in CS.
[Abstract]
==========
Long Term Evolution (LTE) is becoming the dominant cellular networking technology, shifting the cellular network away from its circuit-switched legacy towards a packet-switched network that resembles the Internet. To support voice calls over the LTE network, operators have introduced Voice-over-LTE (VoLTE), which dramatically changes how voice calls are handled both from the user equipment and the infrastructure perspective. We find that this dramatic shift opens up a number of new attack surfaces that have not been previously explored. To call attention to this matter, this paper presents a systematic security analysis. Unlike the traditional call setup, VoLTE call setup is controlled and performed at the Application Processor (AP), using SIP over IP. A legitimate user who has control over the AP can potentially control and exploit the call setup process to establish a VoLTE channel.
This, combined with the legacy accounting policy (e.g., unlimited voice and the separation of data and voice), leads to a number of free data channels. In the process of unveiling the free data channels, we identify a number of additional vulnerabilities of early VoLTE implementations, which lead to serious exploits, such as caller spoofing, over-billing, and denial-of-service attacks. We identify the nature of these vulnerabilities and concrete exploits that directly result from the adoption of VoLTE. We also propose immediate countermeasures that can be employed to alleviate the problems. However, we believe that the nature of the problem calls for a more comprehensive solution that eliminates the root causes at mobile devices, the mobile platform, and the core network.
Su Yong Kim & SSLab, “Papa Said They Used To Find Vulnerabilities Manually...”
Su Yong Kim is a senior member of the engineering staff in the affiliated institute of ETRI. His research focuses on finding and fixing vulnerabilities in software. He has presented his papers at the BlackHat and CanSecWest conferences.
[Abstract]
==========
This talk will cover the results of collaborative research between SSLab at Georgia Tech and the affiliated institute of ETRI. Our research focused on finding security bugs in commodity software by using concolic testing. We could automatically disclose many crashes in Windows kernel drivers using our practical concolic testing tool, CAB-Fuzz. We reported all crashes to the vendors. Microsoft and ESET confirmed that four of them are new vulnerabilities to be fixed. In this talk, we will explain the problems and solutions of concolic testing in Windows kernel drivers.
Wanqiao Zhang, Lin Huang, “Forcing LTE Cellphone into Unsafe Network”
Wanqiao Zhang is a wireless security researcher in UnicornTeam of Qihoo 360, who graduated from NUAA with a master's degree last year. She is enthusiastic about the security of radio transmission and cellular networks. She was a speaker at DEFCON 24.
Lin Huang is a senior wireless security researcher in UnicornTeam of Qihoo 360. She is an expert in the SDR area. Her research interests include the security issues in many kinds of wireless communication systems, especially cellular network security. She was a speaker at DEFCON, POC and HITB.
[Abstract]
==========
LTE is a more advanced mobile network but not absolutely secure. There are already some papers that exposed the vulnerabilities of the LTE network. In this presentation, we will introduce one method which jointly exploits the vulnerabilities in the tracking area update procedure, attach procedure, and RRC redirection procedure, and finally can force a targeted LTE cellphone to downgrade into another malicious network, a fake network that we set up or a rogue network we assign, where the attacker can make further attacks. This is not a simple DoS attack like high-power jamming. It can select the targeted cellphone by filtering the IMSI number (IMSI catcher function), so it will not influence the other cellphones and keeps them in the real network. This work was presented at HITB and DEFCON this year and we got good feedback. In this POC presentation, we will introduce some more efforts we made after DEFCON, and give the audience the latest update on this topic.
Wei Xiao, Qinghao Tang, “qemu+kvm & xen pwn: virtual machine escape from 'Dark Portal'”
Wei Xiao, virtualization security researcher, 360 MarvelTeam, Qihoo 360, Beijing, China. Wei Xiao is a security researcher of 360 Marvel Team at Qihoo 360 Technology Co. Ltd. He has rich experience in cloud computing security. Additionally, he has found a considerable number of virtualization software vulnerabilities.
Qinghao Tang, virtualization security researcher, 360 MarvelTeam, Qihoo 360, Beijing, China. Qinghao Tang is the team leader of 360 Marvel Team at Qihoo 360 Technology Co. Ltd. He has rich experience in cloud computing security and Linux kernel security. He was a speaker at PacSec 2015, SyScan 2016 and HITB 2016.
[Abstract]
==========
QEMU+KVM and Xen are now both widely-used system frameworks in the cloud computing field. Meanwhile, security risks are like a shadow that always follows these systems, bringing severe damage. And the most serious security risk among them is controlling the host machine by using malicious code inside a virtual machine. We call it a virtual machine escape attack. By means of utilizing the “Dark Portal” (CVE-2016-3710) vulnerability found by 360 Marvel Team, we have successfully realized virtual machine escape attacks under QEMU+KVM and Xen. In this topic, we want to share the following contents:
- Analysis of the memory layout of the QEMU process under the QEMU+KVM environment and the Xen environment.
- Principle of EIP/RIP control, directly or indirectly.
- Shellcode placement by using an information leakage vulnerability of QEMU.
- How to bypass DEP and ASLR.
- Other useful vulnerability exploitation methods.
- Full demo video and escape code.
Xpl017Elz, “New Reliable Android Kernel Root Exploitation”
Xpl017Elz
- Co-founder / CTO / Head of INetCop Security smart platform lab
- Ph.D., Chonnam National University Graduate School of Information Security
- Working on machine learning based Android malware analysis and the search for vulnerabilities in Android apps and the kernel
[Abstract]
==========
In recent years, several techniques that can bypass PXN on Android devices have been introduced. Today, I'm about to tell you a significantly easier, better way to bypass PXN than the traditional way. Using this method, you can very easily annihilate kernel security measures without using ROP / JOP. It will work on every device and platform based on the Linux kernel. This session will include some demonstrations of using this method on existing vulnerabilities.
Yannay Livneh, “Exploiting PHP-7: teaching a new dog old tricks”
Yannay has been lead security researcher at Check Point Software Technologies LTD for the past year. Before joining Check Point, Yannay served as a security researcher and developer in the IDF for four years. Yannay holds a first degree in computer science from Bar Ilan University, from which he graduated at the age of 18.
[Abstract]
==========
PHP7 is a new version of the most prevalent server-side language in use today. Like previous versions, this version is also vulnerable to memory corruptions. However, the language has gone through extensive changes and none of the previous exploitation techniques are relevant. In this talk, we explore the new memory internals of the language from the exploiter's and vulnerability researcher's point of view, discuss new vulnerabilities and bugs that arise from it, and present re-usable primitives for remote exploitation of a common vulnerability class in the language.