2017 SyScan360 | SyScan360 International Forward-Looking Information Security Conference, China ‧ Beijing

Omri Herscovici, Check Point Software Technologies
Omer Gull, Check Point Software Technologies

TOPIC

Pwned in Translation - from Subtitles to RCE

ABSTRACT

What if I told you that when you're watching a movie on your PC or streamer, someone might also be watching you? And he might be doing so using subtitles.

Yes, subtitles, those innocent looking text lines at the bottom of your screen.

Millions of people use them without a second thought – never wondering where they come from, where they're parsed or how they are rendered.

You might be surprised to find that there are actually more than 25 subtitle formats out there, most of which support exotic features such as HTML tags, raw images or even freeform binary (What?). Moreover, there is usually no standard library designed to parse subtitles, which leaves this task to be independently implemented by the various media players.

What can go wrong?

Well, basically - everything.

We will pioneer the uncharted subtitles attack vector and demonstrate its disastrous potential, and unravel the numerous vulnerabilities we found involving subtitles. There will be unsanitized JavaScript running on native web applications; files being manipulated; heaps being corrupted; and full RCE on the most common streaming platforms including VLC, Kodi (XBMC) and PopcornTime.

It seems there is no limit to what can be achieved by using these supposedly minor text files.

But wait, the plot thickens. Our presentation will delve even further into the subtitle supply chain. Some media players download subtitles automatically from shared online repositories (such as OpenSubtitles) where they are indexed and ranked.

By manipulating the website's ranking algorithm, we were able to guarantee our crafted malicious subtitles would be the ones downloaded by the video player, allowing us to take complete control over the entire subtitle supply chain - Look ma, no MITM or user interaction.

Do you like scary movies?

BIOGRAPHY

Omri Herscovici is a security researcher at Check Point Software Technologies. Omri is a developer and network security expert with extensive technical experience in software development, exploit and vulnerability research, and security architecture. In his past, Omri served seven years as an officer and R&D leader in an elite Israeli intelligence unit.


Omer has been a security researcher at Check Point Software Technologies LTD for the past year. Omer has a diverse security background which includes networking, web application pentesting and exploit research. Previously Omer served in an elite IDF intelligence unit as an IT specialist.


Nikias Bassen, Trustwave

TOPIC

The Ro(o)tten Apple: Vulnerabilities heaven behind the iOS sandbox

ABSTRACT

In modern days, no exploitation chain can be considered complete without a reliable privilege escalation vulnerability. This is why many security researchers spend a lot of their research time in finding those vulnerabilities.

Apple has set a new standard in iOS security by implementing many innovative techniques to prevent exploitation of PE vulnerabilities. However, despite their continuous efforts, some areas of iOS still remain more exposed than others to this kind of vulnerability.

This presentation will shed light on some critical areas in the iOS kernel that have been proven to contain many privilege escalation vulnerabilities, which can potentially affect hundreds of millions of iOS devices.

In this talk, we will give an overview of these as-yet unexplored areas and present a chain of vulnerabilities leading to a complete kernel privilege escalation exploit, while bypassing all the latest kernel mitigations Apple introduced.

BIOGRAPHY

Nikias Bassen (@pimskeks) has been into reverse engineering for more than a decade. The breakthrough was back in 2011 when he joined the Chronic-Dev team to work on the iOS 5 + 5.1 jailbreaks. Ongoing research was focusing mostly on iOS, and in early 2013 he became part of the famous @evad3rs who released the evasi0n and evasi0n7 jailbreaks for iOS6 and 7. Being part of Zimperium zLabs since 2015 he is continuing his efforts in security research and reverse engineering targeting iOS. Nikias studied Computer Science at the University of Bremen, Germany, and holds a Diploma degree. He is also one of the masterminds behind the libimobiledevice project (http://libimobiledevice.org/), an open source implementation of the iOS device-computer communication protocols.


Yuriy Gurkin, founder and CTO of Gleg ltd.

TOPIC

Penetration through ICS Development Software - potentially devastating attack vector or not? CODESYS 0days examples.

ABSTRACT

Among well-known ICS development tools is the CODESYS Programming Software, which is widely used in the energy, factory and other automation technology sectors. Such tools are used by engineers to create controller applications, HMI devices, etc. But could someone attack this (or another) development software and gain control over the engineer's PC, over connected real or test ICS, or even leave a backdoor (potentially for a whole controller line)?

It seems that successful attacks against development software could be really devastating, especially if they stay unidentified.

E.g., in 2015 Volkswagen lost 30% (2.5 billion) of its share value in two days as a result of its diesel engine controller software scandal. It was a strange and unclear story, but what is clear is that controller software being "tuned" is a pretty serious thing.

So, let's take a look at CODESYS. Utilizing the open-source EAST pentest framework, we will show vulnerabilities in older versions of the CODESYS software, and two 0days in newer versions.

BIOGRAPHY

Yuriy has been working in the infosec field since 2004. He co-founded the company Gleg ltd, which nowadays develops exploit packages for Immunity Inc's "Canvas" framework and Core Security's "Core Impact" framework. The company also heads and promotes the open-source EAST penetration testing framework and its associated exploit packages.


Zoltan Balazs, MRG Effitas

TOPIC

How to hide your browser 0-Days

ABSTRACT

When it comes to browser exploits, there has so far been no known technique to make network forensics of the exploit impossible. In my research I have demonstrated that it is possible to deliver browser exploits in an encrypted way (using AES after ECDH key agreement), which makes passive network analysis of the exploit impossible.

BIOGRAPHY

Zoltan (@zh4ck) is the Chief Technology Officer at MRG Effitas, a company focusing on AV testing. Before MRG Effitas, he worked as an IT security expert in the financial industry for 5 years and as a senior IT security consultant at one of the Big Four companies for 2 years. His main areas of expertise are penetration testing, malware analysis, computer forensics and security monitoring. He released the Zombie Browser Tool, which has POC malicious browser extensions for Firefox, Chrome and Safari. He is also the developer of the Hardware Firewall Bypass Kernel Driver (HWFWBypass) and the Sandbox tester tool to test malware analysis sandboxes. He has been invited to give presentations worldwide at information security conferences including DEF CON, Hacker Halted USA, Botconf, AusCERT, Nullcon, Hackcon, Shakacon, OHM, Hacktivity and Ethical Hacking. Zoltan passed OSCE recently, and he is very proud of it.


Brian Gorenc, Trend Micro Zero Day Initiative
Abdul-Aziz Hariri, Trend Micro Zero Day Initiative
Jasiel Spelman, Trend Micro Zero Day Initiative

TOPIC

Transforming Open Source to Open Access in Closed Applications: Finding Vulnerabilities in Adobe Reader's XSLT Engine

ABSTRACT

The inclusion of open-source components into large, closed-sourced applications has become a common practice in modern software. Vendors obviously benefit from this approach as it allows them to quickly add functionality for their users without the need to invest costly engineering effort. However, leveraging open source for a quick functionality boost comes with security side effects that might not be understood by the vendor until it is too late. In those cases, misunderstood or poorly implemented open source allows attackers to bypass security mechanisms that may exist elsewhere in the proprietary system.

This talk provides insight into these side effects through an examination of Adobe Reader's XSLT (Extensible Stylesheet Language Transformations) engine, which is based on the now-abandoned open-source project called Sablotron, an XML processor fully implemented in C++. We focus on techniques for auditing the source code of Sablotron in order to find corresponding bugs in Adobe Reader. We also present a new source-to-binary matching technique to help you pinpoint the vulnerable conditions within Sablotron that also reside in the assembly of Reader. Real-world application of these techniques will be demonstrated through a series of code execution vulnerabilities discovered in Adobe Reader's codebase. Finally, we'll highlight the trends in vulnerabilities discovered in Adobe Reader's XSLT engine over the last year.

BIOGRAPHY

Brian Gorenc is the director of Vulnerability Research with Trend Micro. In this role, Gorenc leads the Zero Day Initiative (ZDI) program, which represents the world's largest vendor-agnostic bug bounty program. His focus includes analyzing and performing root-cause analysis on hundreds of zero-day vulnerabilities submitted by ZDI researchers from around the world. The ZDI works to expose and remediate weaknesses in the world's most popular software. Brian is also responsible for organizing the ever-popular Pwn2Own hacking competitions.


Abdul-Aziz Hariri is a security researcher with the Zero Day Initiative program. In this role, Hariri analyzes and performs root-cause analysis on hundreds of vulnerabilities submitted to the Zero Day Initiative (ZDI) program, which is the world's largest vendor-agnostic bug bounty program. His focus includes performing root-cause analysis, fuzzing and exploit development. Prior to joining ZDI, Hariri worked as an independent security researcher and threat analyst for Morgan Stanley emergency response team. During his time as an independent researcher, he was profiled by Wired magazine in their 2012 article, Portrait of a Full-Time Bug Hunter. In 2015, Abdul was part of the research team that submitted "Breaking Silent Mitigations - Gaining code execution on Isolated Heap and MemoryProtection hardened Internet Explorer" to the Microsoft bounty program. Their submission netted the highest payout to date from the Microsoft bounty program where the proceeds went to many STEM organizations. Twitter: @abdhariri


Jasiel Spelman is a vulnerability analyst and exploit developer for the Zero Day Initiative (ZDI) program. His primary role involves performing root cause analysis on ZDI submissions to determine exploitability, followed by developing exploits for accepted cases. Prior to being part of ZDI, Jasiel was a member of the Digital Vaccine team, where he wrote exploits for ZDI submissions and helped develop the ReputationDV service from TippingPoint. Jasiel's focus started off in the networking world but then shifted to development until transitioning to security. He has a BA in Computer Science from the University of Texas at Austin. Twitter: @WanderingGlitch


Maxwell Koh, Trustwave

TOPIC

Bypass 2FA, Stealing Private Keys, and the Introduction to 2FAssassin

ABSTRACT

The "knowledge factor" (using passwords for authentication) will never be enough for security. We need a second layer of defense, a "possession factor", sometimes called "Two-Factor Authentication", hence the term "2FA". Nowadays many organizations plan to adopt password-free login to authenticate to their systems, thereby completely replacing password-based authentication with key-based authentication, which they believe is more secure. However, the truth is far from reality. Although 2FA creates a formidable barrier against potential security breaches, it doesn't guarantee much security at all, especially when it comes to the inefficacious and often futile protection of private keys. In that sense, we can say that the effectiveness of 2FA depends on how well "something only the user has" can be protected. In fact, there are many ways to steal someone's private keys without performing social engineering attacks. This talk is dedicated to discussing and demonstrating newly discovered techniques to bypass two-factor authentication by stealing and cracking OTPs, private keys, and client certificates. By that means, an attacker must compromise the voice or text message accounts, software tokens, infect memory agents, crack passphrases, steal hardware tokens, etc. With the help of "2FAssassin" we could turn these looted keys into more fun and profit. The demonstration will include the scenario where private keys are compromised and then show how an attacker could leverage the situation to gain more access into corporate networks and to make profits. These are not limited to systems that use single sign-on (with 2FA enabled), public key authentication (e.g., password-less authentication, authorized_keys abuse), free software tokens (e.g., Google Authenticator), website owners (e.g., phishing sites created using a stolen private key), and even software vendors (e.g., a stolen private key can be used to sign malware).
The tool will automate exploitation of the common vulnerabilities that lead to private key leakage. It can be used to compromise an individual system, or the entire network, using looted private keys. It is also capable of analyzing and identifying potential private keys, extracting key information in order to profile the target servers, cracking and removing passphrases, injecting arbitrary key-based backdoors, and building multi-chained covert tunnels by leveraging the loopholes found in vulnerable public key authentication. Nevertheless, the talk will end with recommendations to protect private keys from theft, as well as what to do in the worst-case scenario.

BIOGRAPHY

Maxwell is a penetration tester with Trustwave's SpiderLabs Asia-Pacific. Maxwell is based out of Singapore and his primary focus is on providing penetration testing service to clients in the Asia-Pacific region.


徐文渊 (Wenyuan Xu), Zhejiang University
刘健皓 (Jianhao Liu), Qihoo 360

TOPIC

The "Dolphin" Attack: Using Inaudible Sound Waves to Penetrate Intelligent Voice Control Systems

ABSTRACT

In daily life, voice assistants such as Siri, Google Now and Alexa are becoming more and more popular. Smart devices including smartphones, tablets, wearables and smart cars all ship with voice assistants, and the range of voice-controlled functions keeps growing. The common belief is that voice assistants are relatively safe, because attacking one would necessarily produce audible sound and be noticed. We discovered, however, a completely inaudible attack method, the Dolphin Attack, which overturns this common belief. The Dolphin Attack converts voice commands into ultrasonic signals and exploits a hardware vulnerability of microphones, whose automatic demodulation recovers the original voice command, thereby driving the voice assistant to execute the corresponding control command. We tested the attack against several voice assistants on multiple smartphones, smart home devices and vehicle devices, and in every case achieved the expected result. These attacks include: silently activating the voice assistant, making arbitrary phone calls, sending text messages, making video calls, switching the phone to airplane mode, operating the navigation system of an Audi car, shopping, and even silently unlocking a Nexus 7. To defend against these attacks, we also propose a combined hardware and software defense scheme. We hope that our research will lead consumers and manufacturers to start taking seriously the security issues posed by voice assistants, preventing leaks of user privacy and loss of property.

BIOGRAPHY

Wenyuan Xu is a professor and doctoral supervisor at the College of Electrical Engineering, Zhejiang University, deputy director of the Institute of Systems Science and Control at Zhejiang University, a member of the national "Thousand Young Talents Program", a recipient of the US NSF CAREER Award, and a tenured associate professor at the University of South Carolina. She has researched wireless network security and privacy for many years, with projects covering smart device security, connected vehicle security and smart grid security. The USSLAB she founded was inducted into the Tesla security researcher hall of fame in 2014 and 2016. She has led multiple research projects funded by US national foundations and the National Natural Science Foundation of China, and has served as a program committee member or session chair of international academic conferences more than 50 times. She has published more than sixty journal and conference papers (including at the four top security conferences) and one academic monograph; her publications have been cited more than 3000 times (Google Scholar).


Jianhao Liu is director of the 360 Intelligent Connected Vehicle Security Lab and head of the 360 Xingzhe (行者) team, responsible for research on the security of smart cars, connected vehicles and autonomous driving. He was a principal contributor to the world's first hack of the Tesla connected-vehicle system and a principal researcher on Tesla Autopilot security, has twice been inducted into the Tesla hall of fame, and has led his team in hacking several connected vehicles from China and abroad. He has presented major talks and research results at the well-known international security conferences DEFCON, ISC, Syscan360, Pacsec, POC and CanSecWest, and was a principal person responsible for refining the Made in China 2025 intelligent connected vehicle information security technology roadmap. Jianhao Liu has many years of experience in security services, security assessment and penetration testing, serves as a security expert for several information security organizations, has published the "2015 Automotive Information Security Annual Report", "Intelligent Connected Vehicle Information Security Best Practices" and "2016 Automotive Information Security Annual Report", is the main editor of the book "Smart Hardware Security", and has led information security assessment and consulting work for the connected vehicles of several vehicle manufacturers, earning consistent praise from users and recognition in the industry.


Bertin Bervis, Cybertrust Spa, Santiago, Chile

TOPIC

Exploiting and abusing web applications flaws in industrial and network communication devices

ABSTRACT

PLCs, data acquisition servers and industrial network communication gateways/routers often come with a web server/web service enabled, and these web applications are usually put into production with a lot of bugs and issues. Vulnerabilities like stored XSS, path traversal, LFI or RCE are really easy to find in these devices, but the task needs to be done manually, since automated tools/scanners usually crash the web application during the scan. In the worst scenario these web servers are published on the internet, and remote attackers can exploit these vulnerabilities in order to get access, remote execution or persistence in browsers.

In this presentation, I'm going to demonstrate real cases of several vulnerabilities found in web servers from PLCs, weather stations and industrial gateways/routers from well-known vendors in the industrial field. I will demonstrate practical exploitation, step by step, of issues that I found and have reported to every affected vendor, and I will share tips and techniques to spot vulnerabilities easily and quickly in the web applications of these industrial devices.

BIOGRAPHY

Bertin Bervis is a security researcher from Costa Rica, currently working as a security consultant for a cyber security firm in Santiago de Chile called CyberTrust Spa. Bertin has spoken at several security conferences around the world, such as DEFCON, Blackhat and Ekoparty.


Matt Suiche, COMAE TECHNOLOGIES

TOPIC

The Shadow Brokers – Cyber Fear Game-Changers

ABSTRACT

Who are/is TheShadowBrokers? We have no clue. Nobody really does. The Shadow Brokers are one of the most controversial characters of this Cyber-Era. The mysterious group emerged mid-summer 2016 when they started to anonymously, publicly drop tools and operational notes that allegedly belonged to the NSA Tailored Access Operations unit. This group referred to itself as The Shadow Brokers and quickly became the NSA's worst nightmare since Edward Snowden.

Previous whistleblowers released documents with material of a sensitive nature, such as authors' names, redacted. But with The Shadow Brokers, what emerged was a different level of dangerous and more aggressive leaks that didn't only release highly sensitive tools, but also revealed a wide range of modus operandi that included agents' names and the full disclosure of the NSA's complex (and many argue irresponsible) attack against the backbone of the Middle East's financial institutions. For now, The Shadow Brokers are happy to have the general public guessing their identity and true origins. Is it an intelligence organization running a highly complex set of misdirection and penetration? Is it a second Snowden with access to the NSA's most sensitive cyber weapons? We may never know. What is certain is that the emergence of The Shadow Brokers is a game-changer and presents a massively embarrassing (and dangerous) breach for the NSA, the world's most advanced signals intelligence agency and best-resourced government-backed hacking organization. This embarrassment became a muse for the most destructive and fast-spreading ransomware (WannaCry) in history, shutting down hospitals and companies across the globe. It was followed one month later by NotPetya, another highly destructive malware disguised as ransomware, which spread primarily in Ukraine.

BIOGRAPHY

Matt Suiche is the founder of the cybersecurity start-up Comae Technologies and of the cyber-security conference OPCDE. Prior to founding Comae, he was the co-founder & Chief Scientist of the application virtualization start-up CloudVolumes, which was acquired by VMware in 2014. His previous employers also include the Netherlands Forensics Institute and Airbus. Matt is best known as the founder of MoonSols for his work in the memory forensics and computer security fields. His most notable research contributions include Windows hibernation file analysis and Mac OS X physical memory analysis. Most recently Matt released the first blockchain decompiler for Ethereum smart contracts, called Porosity. From 2009 to 2017 Matt has been recognized as a Microsoft Most Valuable Professional in Enterprise Security for his work in discovering multiple security flaws in multiple Microsoft Windows kernel components and various contributions. Matt has also been a frequent speaker at various computer security conferences such as Black Hat Briefings, Microsoft Blue Hat Hacker Conference, Hackito Ergo Sum, Europol High Tech Crime Experts Meeting, CanSecWest, PacSec, Hack In The Box, SyScan and Shakacon.


龚广 (Guang Gong), Qihoo 360

TOPIC

Butterfly Effect and Program Mistake ---- Exploit an "Unexploitable" Chrome Bug

ABSTRACT

Does the flap of a butterfly's wings in Brazil set off a tornado in Texas? I don't know. But I do know a negligible tiny logical bug in the v8 engine can lead to remote code execution in Chrome. In the PwnFest 2016 contest, I exploited a logical mistake (CVE-2016-9651) in the v8 engine to gain remote code execution. This logical mistake was very small and it appeared unexploitable at first glance. But by combining several unusual exploitation tricks, I finished a stable exploit at last. The journey of exploiting this vulnerability tells me: never give up easily on "unexploitable" bugs. In this talk, I will first introduce the "invisible" private property in the v8 engine, then disclose the logical mistake related to private property, and after that I'll detail how to exploit this tiny bug to gain remote code execution, especially the trick of turning an OOB read vulnerability into an OOB write vulnerability.

BIOGRAPHY

Guang Gong (@oldfresher) is a senior security researcher at Qihoo 360 and the team leader of 360 AlphaTeam. His research interests include Windows rootkits, virtualization and cloud computing. He currently focuses on mobile security, especially on hunting and exploiting Android vulnerabilities. He has spoken at several security conferences such as Black Hat, CanSecWest, PHDays, SysCan360, MOSEC and PacSec. He is the winner of Pwn2Own 2015 (target: Nexus 6), Pwn0Rama 2016 (mobile devices category), Pwn2Own 2016 (target: Chrome) and PwnFest 2016 (target: Pixel XL).


李强 (Qiang Li), Qihoo 360
胡智斌 (Zhibin Hu), Qihoo 360

TOPIC

The Virtio Security in Qemu

ABSTRACT

QEMU is a fundamental component of modern open-source virtualization solutions, especially KVM and Xen. As a comprehensive virtualization solution, QEMU can emulate processors, memory and peripherals. To improve virtual machine performance, the virtio architecture is usually the first choice; currently almost all cloud platforms use virtio devices by default. But the facts show that high performance and high security cannot both be had at once. In this talk I will examine the security of virtio. The content will cover the details of the virtio architecture and why it improves performance. In addition, I will discuss the attack surface of virtio throughout its data flow resource management, and the weak points in the data flow chain, including both logic and implementation vulnerabilities. We found a large number of virtio-related vulnerabilities; in this talk we will present several cases and some details of writing proof-of-concept exploits for virtio vulnerabilities.

BIOGRAPHY

Security researcher at Qihoo 360, working on vulnerability discovery and analysis; has found a large number of vulnerabilities in QEMU, the Linux kernel, VirtualBox and others, and has spoken at CanSecWest and Ruxcon.

王铁磊 (Tielei Wang), Pangu
徐昊 (Hao Xu), Pangu

TOPIC

Finding iOS vulnerabilities in an easy way

ABSTRACT

There is a saying: consider the past and you shall know the future. The talk will share our experience of how we find new iOS vulnerabilities while studying previously fixed vulnerabilities.

These new vulnerabilities are usually in the same function, context, or have the same root cause as the fixed vulnerabilities, or are even introduced by incorrect/incomplete fixes. The talk will show you an interesting battle history of fixing bugs by Apple.

BIOGRAPHY

Tielei Wang is a member of Team Pangu. He was a research scientist at the Georgia Institute of Technology from 2012 to 2014 and received his Ph.D. degree in 2011. His research interests include system security, software security, and mobile security. He discovered a number of zero-day vulnerabilities and won the Secunia Most Valued Contributor Award in 2011. He has published many papers in top research conferences including IEEE Security and Privacy, USENIX Security, ACM CCS, and NDSS, and gave several presentations at BlackHat USA, CanSecWest, POC, and RUXCON.


Hao Xu is a member of Team Pangu. He has been involved in information security for over 10 years. His research interests range from OSX/iOS/Windows kernel security, rootkit and malware analysis, and hardware virtualization technology to reverse engineering. He is a regular speaker at BlackHat USA, Syscan 360, POC and Xcon.