Pages

Tuesday, 7 August 2012

Defcon 20 - Thoughts on 10 days in Vegas or at least what I can remember of it. Part 2

So this is the second part of my first time in Vegas and defcon, and as this is the second post, this post will be on the talks on, the second day. If you missed part 1, you can find it here. So we start from around midday Saturday

..Head still pounding..I need coffee...guess I should go to my first talk of the day though after sleeping through..

Hardware backdooring is practical by Jonathan Brossard
I thought this was really interesting talk and a great way to start off my day (read Notable others for info on talks before this). This was talk was talking about the x86 architecture and the flaws with it in general, as although it was understandable to have made the mistakes when it was initially designed, the fact we've stuck with it without change for so long is a surprise, and in hindsight of this talk a poor decision most probably due  to backwards compatibility. Another point of this talk was to also discuss whether it would be feasible for state level backdooring (spoiler alert: the answer is yes) as when we get down to the hardware level, encryption and a lot of safety mechanisms to protect against intrusion simply won't work. 
Jonathan started off by going over the basics as per usual, explaining the whole x86 architecture and how pieces of hardware work together and then went onto the goals of his research. Now most of these goals for a 'regular' exploit would be very difficult or nearly impossible (or at least impossible altogether) as he wanted the backdoor to be:
-persistent
-stealthy (virtually undetectable)
-OS independent
-remotely accessable/updatable
-plausible deniabile, have non attribution (state-level quality)
-would completely cross network perimeters
-redundant

What I also really liked about this was the fact that everything was built upon completely opensource software, which already ticks off a few of the goals from above. Then Jonathan showed what could be done with certain tools and certain things that can easily be turned off that are at hardware level such as removing the NX bit (you can find further information about the NX bit here), along with multiple other things to completely pwn a system. And because everything can be done on hardware or through memory, it also means that nothing needs to be left on disk, meaning it's practically impossible to realise anything is going on in the first place, making this much stealthier and harder to remove than a regular backdoor. 
Once he had explained everything here, Jonathan also explained why he used certain software instead of doing it himself (as it's much quicker and there's some plausible deniability along with non-attribution), or used certain software in favour of others, then he went through the demos showing how it could easily be done, and I've got to say with his demos, most of the time there were no differences at all. You could simply be booting into whatever OS you use, except really you would never know that all the while you were being infiltrated before the OS even started. 
Once through with the first set of demos, Jonathan went through updating malware, which primarily should use encryption, and how hardware backdoors can easily get around any sort of cryptography and that really putting AV on a server is in itself pointless usually. And amusingly he made this clear with some examples of AV trying to find older exploits (an example 3 year old exploit was found by only a small few and with packing, this dropped to 0). Once through with explaining how to own somebody's system left, right and centre, including possible attack scenarios (not including state-level attack surfaces) such as simply selling a NIC on an auction site which has a exploited firmware on, Jonathan went through some possible ways mitigations against getting completely owned this way, which basically turns into flashing every new piece of hardware with open source software, although unfortunately even these countermeasures he gave can't completely save the victim as the backdoor may be able to flash the original firmwares back remotely. 
And as a last point Jonathan went through his goals which hadn't been completely answered and answered them with accuracy, so the backdoor can look like nobody's ever been there, and on the chance they find out there has been foul play, there's no reason to suspect the criminal as they can easily make it look like a mistake which was exploited by a third party.
In summary I thought this talk was really interesting, and I was left sitting there wishing it could have been an hour longer just so he could have gone into more detail, as you can probably tell by my summary of the talk, there was a lot to go through. After what I had seen the day before, this opened my eyes further to some of the awesome things that can be done once you get to a really low level. 

..Wow. Mind blown..the darkness helps the brain stop hurting too :) Some more hardware anyone?

This talk from Atlas was basically going on about, you guessed it, hardware that runs at a frequency of less than 1Ghz . Now due to the size of the talk (it takes a lot of time to move people) and turning up slightly late, he had to actually speed through a lot of the information which was disappointing (luckily I can see as the slides at my leisure as they came as part of the pack at registration), but he started off by going over why people actually care about this, and why we should care about it if we don't. Then Atlas went into the technology he used to go over this information himself and going over the cc1111 chip and some information about it such as the radio state engine, configuration and other information. He also made very clear that RfCat (I will go into further detail about this further down) hides a lot of these details by default, and went over some interesting information we want to know along with some standard frequencies that are simply handy to know generally, just in case you want to go trying to hack them in the future. 
Once through this atlas went through some general information about waves such as modulation, data rate, channel width and the technical details about these (although some of this was skipped over or gone over very quickly). 
Once this was done he went over understanding frequency, either finding information out online (through patents and open source material), or reversing it to find information, and how to go about doing this. And at this point Atlas finally got around to introducing RfCat properly (told you I would get around to it), and it's the RF Chipcon-based Attack toolset and is as atlas has stated "an interactive python access to the
Atlas now went onto something a bit surprising, as he was telling us about his diabetic friend, since he was now going to talk about how to play around with medical devices (warning: I will say the same as atlas here, mucking around with these on people could cause serious injury or possibly even death, so shouldn't really be screwed with unless the equipment is going to be thrown away after or never used on an actual person), and how he went about getting the frequency, the "packet capture", and what he could do with it. After this Atlas went onto playing with (the slightly less dangerous) power meters, although without authorisation, this is completely illegal, and that basically the only reason he was doing any of this in the first place was because he was originally asked to test out a power meter. He then continued to go through this, finding the parts of the frequency which are important, and came away with this conclusion that companies are simply remaining ignorant in this field and expecting somebody else to secure it, which is why he has released rfcat, 
as a basis for people's attack tools. 
In my conclusion, I found this talk OK, but unfortunately again there just wasn't the time to go through everything, so a lot of points were gleaned over and unless you know a fair bit about frequencies already (such as ham radio fanatics) it's unlikely you would have had a great experience from this talk, as there just wasn't enough time to go over either the details of what the tool was used for or enough details of what rfcat could do. Looking over the slides now I can see rfcat looks really cool and the presentation could have been quite good but unfortunately I think the amount of time didn't really allow for the talk it could have been. 

..Hmm bit of a downer, but who cares there's an SAP reverse engineering talk coming up, and my first time in the Penn & Teller theatre...

Uncovering SAP vulnerabilities: reversing and breaking the DIAG protocol by Martin Gallo
I was really interested in this talk as I've wondered about SAP security for a little while myself, and as a first time speaker at defcon, I thought Martin did a good job of it. He started by going over what the DIAG protocol is, which is the Dynamic Information and Action Gateway, the link between the presentation layer (GUI) and the application layer (SAP Netweaver). Then Martin continued by going over the history of the subject with previous work and his motivation to reverse engineering and find vulnerabilities in the protocol, as he showed most work behind the protocol before had been regarding decompression and the inner workings were still unknown to most, so he wanted to find out, and hopefully be able to help with making proper tools for finding issue with it in the future, and also went over the SAP netweaver architecture and layout of the protocols briefly. 
Now Martin got into the reverse engineering, of which it was completely black box but he didn't do any binary reverse engineering and instead decided to stick with enabling tracing, then analyse the network and application traces while interacting with the components and through this he could incrementally build his knowledge of the application and finding out if he did something in particular, it was do a certain response and if he didn't do it, it would have another response. His results shows how the protocol is made up, along with states, and what each part is and what it does. 
From here he could create a wireshark plugin which easily shows the information and then importantly was able to fuzz the protocol and gave examples of the vulnerabilities he found this way, and possible attack scenarios for some of these vulnerabilities, and gave a demo showing one of the vulnerabilities in order to get a shell. 
Once the demo was out of the way, he went onto countermeasures, some of which are fairly obvious such as restricting network access and enabling encryption, but others such as restricting the use of GUI shortcuts aren't so obvious, as it turned out often having certain things enabled (which could be enabled with shortcuts) would allow vulnerabilities to be exposed. And now Martin has done this, it means the protocol details are available publicly to be scrutinised and tested, along with the use of tools for dissection of the protocol. Of course though, with the components, there is actually still a lot left over which could be tested as this was purely on finding issues with the protocol, this still hasn't really tested the GUI or app server particularly.
In conclusion I liked this talk a lot and for me there was enough detail while still staying high level enough for nearly anyone to follow along. Plus it was bringing something completely new to the table as not very much to do with the DIAG protocol has been previously documented or even scrutinised before and now with what Martin has given us, it can be tested more thoroughly and security issues resolved more suitably. 

..Now that was a great talk..and just to note really comfy chairs..I guess onto the next one. This looks interesting..

Overwriting the exception handling cache pointer - dwarf oriented programming by Rodrigo Branco, Sergey Bratus and James Oakley
I'll say now, this was probably my favourite talk and just shows that pretty much anybody can get to you, and that really AVs are often fundamentally screwed as some certain attacks, just like the hardware backdoor previously, AV has practically no chance against. 
This talk comes on from "Exploiting the hard-working DWARF" talk at Schmoocon which can be found here and is basically talking about DWARF bytecode (Debugging With Attributed Records Format), which comes in compiled binaries compiled with GCC when they include exception handling. Now if you haven't already clicked on the link above, I would suggest you do so as they give a far better, and more detailed explanation than I do but DWARF bytecode is basically an interpreted language which is run underneath the program in a virtual machine, interpreted to describe the stack frame layout. And because DWARF is turing-complete it can basically be used to perform almost any computation, and is very powerful because of what it does, so it can read arbitrary memory, perform arbitrary computations with values in registers & memory and is generally meant to influence the flow of the program, since this is what exception handling does. 
One of the speakers (I believe James, please comment if you know I'm wrong) created a tool called Katana which allows the user to easily see and modify unwind tables in an easy way, controlling the unwinding flow to avoid exception handlers, redirect exception handlers, find symbols and calculate relocations. 
Once past this they explained how exception handling is setup and how it works within GCC, and explained key differences within different versions of gcc, which don't particularly make exploitation harder, but it means you have to then exploit them a different way and requires a memory leak, although these are fairly common so that shouldn't be too big an issue. After explaining everything, they then went to a demo showing exploiting a program using DWARF. 
In conclusion, I thought this presentation was awesome, as although the speakers weren't perhaps the best speakers ever (this may have partially been due to some slight time constraints), the subject and their enthusiasm for it shone through, and although being very complicated I felt that this presentation was missed out by way too many people. Albeit a similar presentation was done at Schmoocon and Dan Kaminsky's talk was going on simultaneously, I still think that this talk deserved at least 3 times the attendance, as it was simply an amazing subject and a great talk (although I had to go through the slides a few times to understand it fully). Again if you haven't clicked above to see the schmoocon presentation above, I suggest you do as it is simply an awesome topic I had never heard of before, and was probably my favourite talk of the entire conference. 

..Oh...My...God...I'm going to have to go back over the slides but that was awesome. Pwnage all round! The last day's going to be awesome.....

Notable others
Now unfortunately I was sort of up drinking the night before and a problem went wrong with my alarm meaning I missed a couple of talks, but here are the talks I wanted to see, and other good talks along with some notes on them:

Defeating PPTP VPNs and WPA2 Enterprise with MS-CHAPv2 with Moxie Marlinspike, David Hulton and Marsh Ray.
I haven't heard any reviews from other people on this talk however I've seen the general content, which Moxie (one of the speakers), created a blog post you can find here.
The general idea about the talk is about the implementation of the aforementioned MS-CHAPv2 and it's weaknesses, as previous weaknesses were thought to be purely down to the difficulty to guess the password. But this shows they've found that due to it's use of MD4, in fact the implementation can be brute forced with the same strength of single DES (2^56). Now back in 1998, when the password weaknesses were discovered, this was infeasible anyway, but with today's hardware, they've shown this would take at the very LONGEST of around 23 hours, averaging around half a day. Although I can't say exactly what was in the talk, you should at least give the above post a read, as Moxie shows in detail (that isn't too difficult to understand) why it is as such. 

Owning bad guys {and mafia} with Javascript botnets by Chema Alonso and Manu 'The Sur'
I wasn't actually sure which talk I wanted to see, this or the talk described after, but luckily due to my drunkenness (crossed out) oversleeping, I wasn't able to attend either. But this talk looked interesting as it was talking about creating botnets through javascript by keeping it in the cache by initially having a proxy which injects javascript, along with other ways to inject javascript and then took you through what results they found along with some interesting results in real-time. 

Exploit archaeology: Raiders of the lost payphones by Josh Brashars
This talk was about modern techniques of hacking payphones, which is where a lot of people started off within hacking. He talks about the difference styles of payphones, getting his own, opening it up without destroying it, then reprogram it so that he could get free telephone calls. After figuring out how it all worked, he was then able to do other things with the phone along with coming up with idea to combine it with other hardware to create better hacks. 

Other notable talks I couldn't see due to clashes:

Hellaphone: Replacing the Java in Android
Bruce Schneier answers your questions
Black Ops
Hacker + Airplanes = No Good can come of this


No comments:

Post a comment