sorry for the lame-ass title (all your math are belong to us)
This is a modal window.
Das Video konnte nicht geladen werden, da entweder ein Server- oder Netzwerkfehler auftrat oder das Format nicht unterstützt wird.
Formale Metadaten
| Titel |
| |
| Serientitel | ||
| Anzahl der Teile | 322 | |
| Autor | ||
| Lizenz | CC-Namensnennung 3.0 Unported: Sie dürfen das Werk bzw. den Inhalt zu jedem legalen Zweck nutzen, verändern und in unveränderter oder veränderter Form vervielfältigen, verbreiten und öffentlich zugänglich machen, sofern Sie den Namen des Autors/Rechteinhabers in der von ihm festgelegten Weise nennen. | |
| Identifikatoren | 10.5446/39737 (DOI) | |
| Herausgeber | ||
| Erscheinungsjahr | ||
| Sprache |
Inhaltliche Metadaten
| Fachgebiet | ||
| Genre | ||
| Abstract |
|
DEF CON 26241 / 322
18
27
28
40
130
134
164
173
177
178
184
190
192
202
203
218
219
224
231
233
234
235
237
249
252
255
268
274
287
289
290
295
297
298
299
302
306
309
312
315
316
00:00
SoftwareHackerHalbleiterspeicherProgrammbibliothekGrenzschichtablösungLastPhysikalisches SystemVirtuelle MaschineZentralisatorGewicht <Ausgleichsrechnung>ComputersicherheitSkriptsprachePunktwolkeObjekt <Kategorie>SymboltabelleMultiplikationsoperatorSchlussregelBenutzerbeteiligungFormale SpracheMathematikE-MailFont
03:27
AlgorithmusCodeImplementierungProgrammbibliothekHydrostatikProgrammierumgebungFunktionalPhysikalisches SystemServerProgrammfehlerAppletSkriptspracheMultiplikationsoperatorRegistrierung <Bildverarbeitung>Mobiles InternetImplementierungProgrammbibliothekElektronische PublikationPunktwolkeWechselseitige Information
06:53
AlgorithmusCodeDatenkompressionProgrammbibliothekParserSerielle SchnittstelleChiffrierungReverse EngineeringSkriptspracheGraphfärbungElektronische PublikationDatenkompressionSerielle SchnittstelleChiffrierungElektronische Publikation
08:29
AlgorithmusSchaltnetzZeichenketteAutomatische IndexierungFunktionalResultanteZahlenbereichZufallsgeneratorWort <Informatik>SkriptspracheElektronische Publikationp-BlockSymboltabelleZeichenketteAutomatische IndexierungPrimzahlzwillingeZahlenbereichMenütechnikFormation <Mathematik>Wort <Informatik>Elektronische PublikationIdentifizierbarkeitPersonal Area NetworkURNComputeranimation
10:47
ProgrammbibliothekMereologieZahlenbereichHilfesystemSymboltabelleDisassemblerGleichheitszeichenImplementierungZeichenketteProgrammbibliothekAutomatische IndexierungRechenwerkZahlenbereichWort <Informatik>Elektronische PublikationIdentifizierbarkeitPersonal Area NetworkComputeranimation
11:30
BinärcodeZahlenbereichWort <Informatik>SymboltabelleElektronische PublikationProgramm/Quellcode
12:08
AlgorithmusTelekommunikationBinärcodeServerExogene VariableBasis <Mathematik>Codierung <Programmierung>ChiffrierungApp <Programm>TelekommunikationServerDisjunktion <Logik>Mobiles InternetHIP <Kommunikationsprotokoll>
13:07
CodeDatenstrukturZeichenketteLokales MinimumServerExogene VariableSchnittmengeChiffrierungPasswortEinfache GenauigkeitDickeMessage-PassingApp <Programm>HydrostatikFaserbündelHill-DifferentialgleichungInhalt <Mathematik>Lokales MinimumRechenwerkExogene VariableDisjunktion <Logik>Elektronisches ForumPasswortElektronischer ProgrammführerMessage-PassingProgramm/Quellcode
14:57
ImplementierungMaßerweiterungServerPasswortExploitMessage-PassingMobiles InternetDivisionFehlermeldungCodierung <Programmierung>Disjunktion <Logik>Computeranimation
15:47
FunktionalStellenringVerschlingungServerBenutzerbeteiligungURN
16:37
FunktionalPhysikalisches SystemServerWeb SiteWrapper <Programmierung>URLKalkülPhysikalisches SystemE-MailWeb-SeitePuffer <Netzplantechnik>Wrapper <Programmierung>
17:14
CodeVirtuelle MaschineRPCRechenbuchComputeranimation
17:57
FunktionalAppletMailing-ListeURLDefaultFunktional
18:56
CodeMehrrechnersystemBitVirtuelle MaschineRPCRechenbuchHill-DifferentialgleichungBildschirmsymbolCulling <Computergraphik>ComputeranimationProgramm/Quellcode
20:04
DatenverwaltungImplementierungProdukt <Mathematik>FunktionalServerInformationsspeicherungSchlüsselverwaltungCookie <Internet>VisualisierungSchlüsselverwaltungCookie <Internet>
20:56
CodeProdukt <Mathematik>ServerSystemverwaltungElektronische UnterschriftPasswortCookie <Internet>Rechter WinkelNormalvektorMagnettrommelspeicherCookie <Internet>ComputeranimationProgramm/Quellcode
21:36
CodeProdukt <Mathematik>FunktionalPhysikalisches SystemResultanteServerRPCInstantiierungNabel <Mathematik>AuthentifikationKartesische KoordinatenSkriptspracheRechter WinkelHilfesystem
23:15
Dynamisches SystemMathematikProdukt <Mathematik>DatenflussRuhmasseProzess <Informatik>FehlermeldungNotebook-ComputerInteraktives FernsehenArithmetischer AusdruckDemo <Programm>Dynamisches SystemLokales MinimumSkriptspracheElektronischer ProgrammführerDatumsgrenze
25:00
BildschirmfensterProzess <Informatik>Programm/Quellcode
25:40
Dynamisches SystemLoopDatensichtgerätParametersystemArithmetischer AusdruckSymbolische DynamikElektronische PublikationMultiplikationsoperatorComputeranimationFlussdiagrammProgramm/Quellcode
26:53
VerzeichnisdienstInteraktives FernsehenArithmetischer AusdruckElektronische PublikationFlussdiagrammProgramm/Quellcode
27:32
Dynamisches SystemZeichenketteModallogikFunktionalInterpretiererNotebook-ComputerArithmetischer AusdruckHypermediaComputeranimationFlussdiagrammProgramm/Quellcode
28:15
SoftwareDateiverwaltungProdukt <Mathematik>ProgrammierumgebungNotebook-ComputerDateiformatFlächentheorieElektronische PublikationNeuroinformatikProxy ServerInformationDateiformatProxy ServerICC-GruppeFlussdiagrammProgramm/Quellcode
30:06
Virtuelle MaschineServerElektronische PublikationComputeranimationProgramm/Quellcode
30:44
TelekommunikationBitServerSocketComputeranimationProgramm/Quellcode
31:19
ServerComputeranimationProgramm/Quellcode
31:57
DatenverwaltungMathematikProdukt <Mathematik>DatenflussKonfigurationsraumAuthentifikationKernel <Informatik>Elektronische PublikationCluster <Rechnernetz>Web-ApplikationKonvexe HülleKernel <Informatik>
33:06
DatenverwaltungImplementierungZeichenketteMAPFunktionalInjektivitätDatenflussAbfrageKonfigurationsraumServerParametersystemAuthentifikationKernel <Informatik>Kartesische KoordinatenQuellcodeSchreib-Lese-KopfSoftwareschwachstelleInjektivitätAuthentifikationKartesische KoordinatenQuellcodeSchreib-Lese-KopfProxy Server
35:19
LeistungsbewertungServerNabel <Mathematik>Kartesische KoordinatenSkriptspracheSoftwareschwachstelleComputeranimation
36:00
Produkt <Mathematik>GrundraumZahlenbereichInternetworkingWeb SiteInformation RetrievalGrundraumKonvexe HülleComputeranimationProgramm/Quellcode
36:36
CodeMaschinenspracheTelekommunikationLeistungsbewertungMetropolitan area networkKernel <Informatik>Protokoll <Datenverarbeitungssystem>Kernel <Informatik>Protokoll <Datenverarbeitungssystem>
37:25
ResultanteServerMetropolitan area networkKernel <Informatik>SkriptspracheRechenbuchMultiplikationsoperatorComputeranimation
38:44
CodeProgrammierungFunktionalSystemaufrufRPCCodeTelekommunikationProgrammierungHill-DifferentialgleichungWärmeübergangRPCKernel <Informatik>Protokoll <Datenverarbeitungssystem>Kartesische KoordinatenSymboltabelleComputeranimationProgramm/Quellcode
39:30
ProgrammierungFunktionalGeradeVerschlingungServerProzess <Informatik>Arithmetischer AusdruckRechenbuchMulti-Tier-ArchitekturComputeranimationProgramm/Quellcode
40:30
SoftwareZahlenbereichNetzadresseInstallation <Informatik>Elektronische PublikationFernwartungDefaultEinfach zusammenhängender RaumAchtHIP <Kommunikationsprotokoll>
41:27
ProgrammbibliothekServerOffene MengeProtokoll <Datenverarbeitungssystem>Kartesische KoordinatenAppletComputeranimationTechnische Zeichnung
42:07
BitVirtuelle MaschineServerKartesische KoordinatenInteraktives FernsehenElektronische PublikationFilesharing-SystemFernwartungInteraktives Fernsehen
43:18
ResultanteServerFiletransferprotokollAppletElektronische PublikationRechenbuchFernwartungExploitWurm <Informatik>BenutzerbeteiligungComputeranimationProgramm/Quellcode
45:18
SoftwareDemo <Programm>SpieltheorieProdukt <Mathematik>MIDI <Musikelektronik>InjektivitätPrimzahlzwillingeFlächeninhaltTechnische InformatikServerARM <Computerarchitektur>
Transkript: Englisch(automatisch erzeugt)
00:00
Okay, so this afternoon's talk is, sorry for the lame title, and Toma, let's give him a big DEFCON welcome. Come on! Louder! Thanks. Wow, it's an honor to be here at DEFCON again. I hope you do enjoy yourselves as well. I'm Toma. I've been calling myself a hacker for
00:28
almost 10 years. I'm from Hungary and I work for an IT security company in Hungary as a Pentaster and a developer. This is my third time at DEFCON and I'm also a regular speaker at
00:46
Central Europe's hacker conference activity. That's enough about me. How did I choose this topic? It was not the usual way, so I didn't have any interest in Matlab and this software,
01:06
but I was at a friend's birthday party and at two or three o'clock in the morning her sister asked me if I could help her in Matlab. I had some vague memories about Matlab back from university, but of course they said yes, so the next day there was I sitting in my
01:27
room installing Matlab and as a rule of thumb, what I install on my machine I try to hack. And there was a lot of stuff to hack. This software is huge. There are several web servers,
01:45
cloud integration, lots of functionalities, lots of attack surfaces, so hacking is fun, so I dived in, but I didn't want to discriminate Matlab, so I also downloaded a trial of Mathematica and Maple and together they gave a pretty
02:09
nice topic to talk about. In this talk probably won't be the most technical talk you will hear at DefCon. I won't show you any groundbreaking techniques or methodologies,
02:25
but I will show you a bunch of zero days in this free software. Let's start with Matlab. Some simple stuff. Like every scripting language, Matlab has also
02:42
facilities to run native codes, native commands. It has a system command which you can use to execute OS commands. You can also use the bank symbol. And there are facilities to
03:00
load native libraries, Java, dot net libraries and common objects too. This is of course not a vulnerability in itself, but can be used for malicious purposes. For example, spear phishing attack can be created with the malicious Matlab script. One other interesting aspect of this
03:31
native command execution is that you can download Matlab mobile and you can create a free registration at Matworks servers and you can actually run Matlab functions on Matworks servers
03:49
and this is not white listed or black listed, so you can also run these system commands on their servers. Granted, it's in a Docker environment. I did not try to escape it,
04:03
but we all know that it's just a privilege escalation by the way. So, I mentioned using malicious Matlab scripts in a phishing attack or something like that,
04:21
but it should be fairly easy to protect against these attacks because you just have to scan your scripts for these dangerous functions. But Matworks have a solution against IP theft, which is the function P code. With P code, you can obfuscate your Matlab scripts,
04:48
so it won't be that obvious what they do. Matlab itself uses it. Lots and lots of functionalities in Matlab are implemented as
05:03
P files, P coded Matlab scripts. Even though Matworks has a warning that this is merely an obfuscation, it's not secure enough to trust your sensitive data to it.
05:22
But because lots of Matlab's functionality is implemented as P files, I needed to reverse engineer this algorithm. This was kind of painful because there are a huge number of native
05:46
libraries that call Java jars that in turn execute Matlab P files that sometimes go back to Java libraries. So, from an external viewpoint, it's quite a mess. And it got me confused a
06:08
few times. One of these even created a nice, fairly nice topic. I have found an RCE bug
06:24
via static code analysis, but it turned out that that code was some leftover that code that is not used anyway. So, eventually I have found the P code implementation and I was able to
06:45
create a Python script that decodes P files back to Matlab scripts. It was a huge internal debate with myself if I should release this Python script. But I have decided against it.
07:04
Because even though Matlab has that warning, lots of people use P code to protect their research and I didn't want to expose it. But I will show you the most interesting step of
07:28
the P code algorithm. P code consists of three steps. There's a serialization step, a compression and an encryption step. The latter two are implemented in M underscore parser library and
07:47
they are pretty straightforward. They are really easy to reverse engineer. So, if you are interested in it, you should do it, you could do it without problems. The serialization was
08:04
more interesting because it's a lot of probably C++ code and it would have been really painful to reverse engineer even with some decompiler. But what was interesting is that
08:22
almost the whole algorithm could be understood by just looking at the P files, just looking at the data. So, here is a P file. It's already color coded but even without the colors, it should stick out that there are separate blocks that contain function names and numbers
08:50
used in the script and the string literals. So, what remains to be understood is this first block and this last. If you look at the first block, it really seems to be
09:08
seven D words that have very small values. And if you look at these values, the first is zero X O C, which is 12. And if you count the function names, it's 12. The second number is
09:25
two and there are two numbers. So, these seven D words, it seems these are the numbers of symbols in the P file. There are seven of them. I was able to identify three of them but it
09:51
turned out that it's not really important. So, this was enough to reverse the algorithm. What remains is this last block, which seems to be a combination of some random numbers
10:10
that are in white and some 0x8080 pairs. After a while, it turned out that if you
10:25
subtract 0x8080 from these pairs, then the result is an index into this array. So, the first one is 0x8080, you subtract 0x8080, you get zero and the zero element of
10:44
the array is X. And if we go back to the original script, you can see that it is indeed starts with X. And the next symbol is an equal sign. So, maybe 0x5F represents the
11:05
equal sign. And maybe all these numbers represent some symbols or reserved words in MATLAB language. So, this was the part when I asked for the help of a disassembler.
11:24
I looked for these numbers in the disassembly of the library and I found an array of the reserved words and the symbols, which could be easily extracted from the binary. So,
11:46
it only needed to substitute those numbers with the symbols and reserved words. To get the original MATLAB script. So, it took a few days, but it was easy enough to
12:08
reverse engineer the whole algorithm only just by looking at the data. So, I've already told you about MATLAB Mobile and I've told that you can connect to MATLAB
12:30
servers with it. But it is not only MATLAB servers you can connect to, but you can create your own and you can connect to it, too. The communication between the mobile application
12:46
and the server is HTTP communication. It's plain HTTP. There is no possibility to set up HTTPS, but the bodies seem to be basis for encoded binary blobs. So, they are maybe
13:05
encrypted. These are the request and response bodies. I have reverse engineered the server code and it turned out that it is indeed encrypted, but it is encrypted by the plain text
13:31
message with the MATLAB server's password. So, it's really strong encryption. But it gets better because every single plain text message is prefixed with a string MATLAB connector
13:49
dash V1. This means that if you have one single message, you can access the first 18 bytes of it with a MATLAB connector underscore V1 and you get the password. So, this is
14:10
pretty nice. But the maximum password length is 32 bytes. So, what if somebody sets 32
14:22
bytes password? No worries. Because of the structure of the plain text messages, these are JSON messages, there are always 32 static bytes at the beginning of a message. So, this is how request starts and this is how response starts. So, if you got one message from the
14:50
MATLAB mobile application to the server, you can use the password. I have created a extension that does exactly this. It retrieves the password and creates a MATLAB
15:09
connector tab that shows you the plain text message and lets you edit it. I didn't try to test for the MATLAB mobile server, but this could be a big hub for that, for
15:29
e.g. fuzzing the server or something like that. This extension and all of my demos, all of my exploits will be available on my GitHub shortly after my talks. You can
15:46
download and play with it. Okay. While I was looking for the implementation of MATLAB mobile, I have found an interesting web.xml in the MATLAB server. It described some
16:07
sublets of which do seem very interesting. The engine sublet and the MATLAB sublet. The MATLAB sublet evaluates functions via a get request. It is white listed. There are only
16:24
a handful of functions that can be called. And it is local host only. But I was looking at all these functions that can be called. And it turned out that the PS link private
16:42
function is basically just a wrapper around F evil. F evil is the MATLAB function used to evaluate arbitrary MATLAB functions. What this means is you can call arbitrary MATLAB functions, the system function included, by just one get request to local host to the MATLAB
17:08
server. So, you can have a website that embeds an image with such a URL. And if somebody
17:26
with an open MATLAB opens your website, it will execute whatever MATLAB command you want. So, this means basically remote code execution on victim's machine.
17:44
As we will shortly see. So, yeah, you can see the calculator opened. Thanks. Okay. So, the other sublet is it also evaluates MATLAB functions. But this does not work
18:09
on the default configuration. So, you have to turn on engine sublet. But it still can be used to, I don't know, back door somebody's machine. With engine sublet, there is no white or black
18:23
list. You can call any MATLAB functions. It requires an API key. But this is burnt into MATLAB. It's MATLAB. And it's also local host only. At least in theory. Because
18:42
they used the get request URL Java function to get the originating URL, which uses the host header. So, it can be very easily faked. There's the key. And I also have a demo for
19:01
this. So, I'm starting MATLAB. And I'm going to show you the simpler command that can be used to start calculator on victim's machine via MATLAB. I'm just going to fast forward a bit.
19:31
So, we can see that it's forbidden because engine sublet is not running right now. This is the code that can be used to turn it on. I'm fast forwarding. Okay. It's on now.
19:54
We try again. We get the calculator. So, it's again remote code execution. But it
20:02
needs engine sublet to be turned on. Okay. Moving on to another MATLAB product. It's called MATLAB production server. It can be used to deploy MATLAB functions on the web. It has an express-based management dashboard, which uses signed cookies to
20:26
store the session. It uses the cookie session and the key grip NPM packages for this. But it has a huge implementation problem because they have an array of two keys. It contains MATLAB
20:46
and Simulink. But in reality, only the first one is ever used. They never rotate the keys. We can confirm this by creating a signature for a cookie using EG OpenSSL. So, you can see here's
21:10
the password. And we get the same signature that we got from the server. What this means for an
21:21
attacker is that we can create a super cookie that grants administration rights to any MATLAB production servers always. And this can of course be used to run code on the MATLAB
21:42
production server. Because you can upload a MATLAB function that contains only the system function. And you can call it remotely. So, I have a Python script that creates a new MPS instance. It creates a new application and deploys and starts it.
22:10
And this application contains only the function MATLAB call. So, if we run this
22:20
Python script, you can see it's working. And we have a new MPS application. It's running all right. So, now we can use the MPS shell.py script to run commands on the MPS server.
22:50
So, as you can see, it's a bit slow. But it eventually answers with the results. So,
23:04
this is remote code execution without any authentication to the MPS server. So, I did not do a thorough inspection of MPS. I did not have the time yet. But I have found
23:26
some additional flows. It's just an example. It's stored XSS. I'm sure there are several others. So, it's a nice target, I think. Okay. So, moving on to another
23:46
MASS product. It's Mathematica. And it can also execute native commands. But notebooks, Mathematica notebooks, are not scripts. So, they won't evaluate when you open them.
24:04
But there are expressions called dynamics that can be used to evaluate expressions automatically. But these dynamic expressions have some protections against malicious
24:23
notebooks. There are some mathematical functions, expressions that are dangerous. And they won't evaluate via dynamic expression without user interaction.
24:42
At least they shouldn't. But I have found a way by trial and error to bypass this protection. So, I'm gonna show the whole trial and error process in this demo.
25:13
The first thing I've tried was a simple run command, which can be used to run commands.
25:29
But it pops up the CMD window. So, I didn't like that. It turned out that run process does not pop up the CMD window. So, it looks better.
25:46
Now, I'm trying to wrap this into a dynamic. And it became quite a disaster. Because every time a dynamic is displayed, it evaluates the expression. So, it was a loop and
26:08
eventually I managed to quit. And I have also found a way to get around this infinite loop.
26:25
We can use the tracked symbols dynamic parameter to basically make a dynamic update only once when it first displayed. So, now if we try to save this into a file.
26:55
And sorry. So, trying to open the file. And there's indeed a warning. So, it won't execute
27:05
pinball without user interaction. I was looking through the documentation. And I found another expression called oh, sorry. There's something other in this video, too. There are so-called
27:26
safe directories. And the documents inside safe directories are not checked for these dangerous functions. So, dynamics will always evaluate from them. So, if you can get somebody to
27:41
download your malicious notebook to a safe location, then you are good to go. No tricks necessary. But if you don't have that luxury, you can use the interpreter expression which is used to run expressions from a string. And it should be a dangerous function.
28:10
But it turned out it's not. So, this can be used to auto execute commands with a
28:20
Mathematica notebook. So, this is how you can bypass the dynamic production. Okay. So, really similar to Mathematica notebooks are computable documents, format documents.
28:45
These are almost the same. But they are run in a restricted environment. They are run in a sandbox. But you can also run them from a browser. So, it somewhat widens the attack
29:03
surface. The biggest restriction of the sandbox is that you have no file system access. You can't download files. You can't even execute commands. But there are still some ways to
29:23
abuse these CDFs. When I was looking through the documentation, I found out that you can do TCP IP from CDFs. And my very first thought was that I can create a sandbox with that. So, if I can get someone to open my CDF document, which implements the proxy,
29:48
then it will open a proxy into the victim machine, into the victim network. So, I thought it would be pretty cool. So, I did implement that proxy. And I'm going to show you this
30:07
with a Linux machine that runs X server. This is the victim. And it will open the CDF file that implements the SOCKS proxy. And I'm going to use it to create a screenshot of the
30:35
desktop remotely through the SOCKS server. So, I'm using SoCAD to redirect the
30:48
SOCKS communication into a UNIX socket. Okay. I started the CDF file, creating the
31:05
listening socket for the X11 server. I'm just going to go and fast forward it a bit.
31:23
Okay. So, now everything is running. I can use XWD to download a screenshot from the X server. It runs quite a while. So, I'm fast forwarding again. But when it's done, I'm converting it to a PNG. And you can see that
31:49
creating the screenshot was indeed successful. Thank you.
32:04
So, another Wofram research product is a lightweight grid manager. It's a clustering solution from research. It's basically a Tomcat-based web application to
32:21
manage mathematical kernels. It needs authentication to make changes. But you can start a kernel without authentication. It has some protection, though, because you can set up an IP whitelist. But these protections have some very serious implementation flows.
32:46
First for the authentication, this is the config file snippet that implements the authentication. You can see that it's only for GET and POST requests. This is the first
33:04
flow. You will see shortly why. And they also have an AGP listener available. This is a second flow. So, the first one is a problem because the application will accept parameters
33:21
from the query string. And this means you can use a head HTTP request. And it does not require authentication. It's not in the configuration file. So, you can change any configuration without authentication by just using a head request.
33:48
But you have to bypass the IP filter first. You can use AGP for this. Because while AGP, you can lie about the source address. You can
34:07
say that you are coming from a local host. So, the application will accept your request because the IP filter is implemented in the application level and not in the
34:22
application server level. So, this can be used to bypass the IP filter. There is one more vulnerability in this implementation that makes it really easy to exploit this. It has the... You can set the kernel's path via a setting. And
34:49
that functionality contains an OS command injection vulnerability. So, this means if you combine these three vulnerabilities, you can have arbitrary OS command injection
35:08
on any lightweight grid manager server without any authentication. I have created
35:22
a Python script that does this. So, you can see it's the AGM application. I'm gonna start the listener. And I'm going to start connect by shell by exploiting these vulnerabilities.
35:48
You can see that I have a connection back. And I can execute commands on the AGM server. One other thing about AGM, it's not available. There is no trial or evaluate
36:13
license. But I really wanted to test it. And I dig through the whole internet. And I found
36:21
a university website where there was a Mathematica license number available for public. So, maybe you don't do that. Okay. So, Mathematica and in general Vofram products use the
36:45
WSTP protocol to communicate internally between the kernel and the front end and externally in a clustering situation or with some third party native applications.
37:01
This protocol uses plain text communication. So, it's pretty easy to launch a man in the middle attack against it. And in this case, man in the middle attack means remote code execution because you can send a WSTP evaluate packet which will be evaluated on the
37:29
receiving side. I'm going to show you this by connecting Mathematica to a grid. And I'm
37:47
running a simple calculation on the grid. So, I'm going to calculate three times two using
38:02
the grid. And it gives us the result. But when I start my man in the middle attack script which uses X inject to replace any packets with one evaluate packet. I'm using
38:24
ARP spoof to ARP poison. Launching a listener. And when I try to compute three times two, I get a kernel. So, I can run OS commands on the server. This shows that
38:45
sorry. This shows that the middle attack is really on remote code execution. You can also
39:00
offload some heavy works from Mathematica to external programs. So, you can call functions from Mathematica from these external programs. But there's dangerous functionality because these external programs can also talk back to you and they
39:22
can also send evaluate packets. So, such an external program can execute code on your Mathematica server. I'm going to show you this by slightly modifying one of the WSTP
39:41
examples. I'm adding two evaluate lines. First one just in some message. And the second one uses the run expression to the run process expression to start the calculator.
40:03
So, I'm compiling it, starting the external program and creating a link to this program in Mathematica. When I try to install this external program, you can see that calculator
40:23
runs. So, it's not an exploit, not a vulnerability, but just some dangerous functionality in the program. Okay. My last target, it's Maple. When I installed it and tried it, the first thing that stick out to me was that Maple documents are XML files. It was
40:46
not really a surprise that the software was susceptible to SSC attacks. But this, of course, requires that the victim opens a malicious Maple document. But there are two ports
41:08
listening on every IP address on the default Maple install. The first one is not really interesting. It just accepts the number and shuts down the port. But the second one,
41:21
TCP-19991, it's really interesting because it's a simple remote control server. Here is the protocol. You send it a ping. It sends it back on ACK. And now you can send the server a command, which can be starting a Maple application. Maple applications are defined as
41:47
Java libraries. So, they are going into the software. It's not an obvious way to exploit this command. But you can also open Maple documents with the open command. And if you
42:07
have to create a file share and put your malicious Maple document on that file share, then you can use this remote control server to open the malicious document from your
42:25
file share on the victim's Maple machine. There is an auto-execute feature in the which can be used to execute native commands with this. But it requires user interaction.
42:44
So, it's a bit hard to exploit. But you can combine this remote control server with the fact that the application is susceptible to XXC, does not need user interaction. But you can also do SRF or download files from victim's
43:09
machine using an out-of-band XXC attack, which I'm going to show you. So,
43:22
while Maple is starting, you can see that this is just a simple XXC payload. I'm starting an FTP server that will receive the file we are going to steal. I'm also starting a web server that serves the second stage of the XXC payload.
43:52
Okay. Fast forward. And I'm also starting an SMB server to serve my malicious
44:07
Maple document. And now I can use the remote control server to open that document in the victim's Maple. So, there's ping-acc.
44:26
And I'm opening that file from my server. And this is where you will see the result of the XXC exploit. You can see it's directly listing because Maple is in
44:43
Java. And you can do directly listing in Java with XXC. But I know you all want to see another calculator. So, I'm going to give you that shortly. It's the same attack. I'm just
45:21
demo. And this is the end of my talk. There are a lot of stuff to look at in this software still. So, these are just a few ideas. These are the things I will probably look at in the future. But I encourage you to do the same. Look around this software. And this is the end.
45:48
Thank you for listening to my talk.