sorry for the lame-ass title (all your math are belong to us)

Video thumbnail (Frame 0) Video thumbnail (Frame 5180) Video thumbnail (Frame 10319) Video thumbnail (Frame 12723) Video thumbnail (Frame 16174) Video thumbnail (Frame 17242) Video thumbnail (Frame 18188) Video thumbnail (Frame 19668) Video thumbnail (Frame 22430) Video thumbnail (Frame 23665) Video thumbnail (Frame 24932) Video thumbnail (Frame 25859) Video thumbnail (Frame 26927) Video thumbnail (Frame 28388) Video thumbnail (Frame 30104) Video thumbnail (Frame 31401) Video thumbnail (Frame 32391) Video thumbnail (Frame 34863) Video thumbnail (Frame 37507) Video thumbnail (Frame 38507) Video thumbnail (Frame 40315) Video thumbnail (Frame 41302) Video thumbnail (Frame 42373) Video thumbnail (Frame 45152) Video thumbnail (Frame 46102) Video thumbnail (Frame 46981) Video thumbnail (Frame 47932) Video thumbnail (Frame 49645) Video thumbnail (Frame 52976) Video thumbnail (Frame 54012) Video thumbnail (Frame 54902) Video thumbnail (Frame 56127) Video thumbnail (Frame 58112) Video thumbnail (Frame 59245) Video thumbnail (Frame 60762) Video thumbnail (Frame 62179) Video thumbnail (Frame 63168) Video thumbnail (Frame 64947) Video thumbnail (Frame 67951)
Video in TIB AV-Portal: sorry for the lame-ass title (all your math are belong to us)

Formal Metadata

sorry for the lame-ass title (all your math are belong to us)
Title of Series
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date

Content Metadata

Subject Area
First of all, it's math. Not meth. So everybody be cool, I'm not gonna touch your central nervous system stimulant substances. Now that this is established, I can start telling my story. And this story, like all good stories, begins where it ends. Wait, no, not really. It begins at a birthday party where the sister of a friend asked if I could help her with MATLAB. No matter how horrible memories I had about MATLAB, I just couldn't say no. So the next day, there was I, sitting in my room, installing the trial. And that's when the hacking started... Believe me, there were a lot to hack in this case! Several gigabytes of installed materials, a few web servers, cloud integration, clustering capabilities, you name it. These software are bloated, they are basically their own little operating systems. Yup, I used plural. Because I thought why discriminate MATLAB? I should really give a chance to Maple and Mathematica to fail too!. I did, and they did fail, and these failures gave the material for my talk. Basically this will be a dump of exploits (RCEs, file disclosures, etc.), and if you use any of those software and you are at least a bit security conscious, you should definitely listen to it.
Email Functional (mathematics) Server (computing) Machine code INTEGRAL Multiplication sign Virtual machine Regular graph Rule of inference Web 2.0 Centralizer and normalizer Hacker (term) Semiconductor memory Information security Vulnerability (computing) Thumbnail Physical system Scripting language Computer font Dependent and independent variables Software developer Surface Flow separation Formal language Symbol table Mathematics Software Object (grammar) Library (computing)
Implementation Functional (mathematics) Server (computing) Serial port Computer file Code Java applet Multiplication sign Image registration Mereology Fluid statics Mathematics Encryption Implementation Data compression Physical system Point cloud Scripting language Algorithm Computer file Mathematical analysis Numerical analysis Integrated development environment Encryption Freeware Library (computing) Reverse engineering Data compression
Functional (mathematics) Random number generation Computer file Combinational logic Mereology Graph coloring Element (mathematics) Word String (computer science) Subject indexing Implementation Scripting language Algorithm Twin prime Block (periodic table) Computer file Equals sign Menu (computing) Numerical analysis Symbol table Subject indexing Word String (computer science) Number theory Resultant
Scripting language Execution unit Computer file Equals sign Online help Mereology Numerical analysis Symbol table Formal language Word Word String (computer science) Subject indexing Number theory Disassembler Library (computing)
Server (computing) Mobile app Algorithm Dependent and independent variables Server (computing) Mobile Web Host Identity Protocol Exclusive or Mathematics Telecommunication Telecommunication Internet forum Hill differential equation Reverse engineering
Mobile Web Execution unit Server (computing) Dependent and independent variables Mobile app Dependent and independent variables Code Length Electronic program guide Maxima and minima Password Maxima and minima Content (media) Exclusive or Message passing Fluid statics Single-precision floating-point format Password String (computer science) Encryption Source code Data structure Message passing Set theory
Mobile Web Exclusive or Message passing Meta element Server (computing) Error message Demo (music) Password Division (mathematics) Mass Extension (kinesiology) Exploit (computer security)
Email Server (computing) Implementation Functional (mathematics) Meta element Wrapper (data mining) Link (knot theory) Code Wrapper (data mining) Web page Calculus System call Performance appraisal Buffer solution Website Physical system Physical system
Default (computer science) Functional (mathematics) Email Server (computing) Key (cryptography) Code Java applet Virtual machine Open set Theory Uniform resource locator Function (mathematics) Calculation Website Remote procedure call Backdoor (computing)
Computer icon Curve Mathematics Demo (music) Key (cryptography) Code Calculation Virtual machine Hill differential equation Bit Remote procedure call
Server (computing) Functional (mathematics) Implementation Meta element Key (cryptography) Visual system Product (business) Electronic signature Web 2.0 Mathematics Data management Password Normed vector space Key (cryptography) HTTP cookie HTTP cookie
Scripting language Authentication Server (computing) Functional (mathematics) Online help Code System administrator Bit Instance (computer science) Cartesian coordinate system System call Product (business) Right angle HTTP cookie Remote procedure call Drum memory Resultant Physical system
Scripting language Laptop Dataflow Dynamical system Functional (mathematics) Scripting language Multiplication sign Electronic program guide Expression Interactive television Maxima and minima Mass Product (business) Aerodynamics Error message
Process (computing) Demo (music) Error message Window
Trail Dynamical system Loop (music) Computer file Multiplication sign Expression Parameter (computer programming)
Expression Videoconferencing Interactive television Directory service
Laptop Uniform resource locator Dynamical system Functional (mathematics) Hypermedia String (computer science) Expression Interpreter (computing) Maxima and minima
Laptop Proxy server Computer file Surface File format Virtual machine Web browser Neuroinformatik Textsystem Integrated development environment Software Infinite conjugacy class property Touch typing File system Proxy server Formal grammar
Server (computing) Computer file Telecommunication Network socket Virtual machine Bit Proxy server
Server (computing)
Dataflow Digital filter Implementation Server (computing) Functional (mathematics) Injektivität Proxy server Computer file Authentication Source code Parameter (computer programming) Disk read-and-write head Product (business) Mathematics Kernel (computing) String (computer science) Energy level Address space Vulnerability (computing) Authentication Injektivität Scripting language Source code Cartesian coordinate system Disk read-and-write head Web application Data management Query language Configuration space Convex hull
Server (computing) Cartesian coordinate system Connected space Vulnerability (computing)
Machine code Code Numerical analysis Front and back ends Product (business) Performance appraisal Mathematics Kernel (computing) Internetworking Personal digital assistant Kernel (computing) Telecommunication Website Convex hull Musical ensemble Remote procedure call Communications protocol Communications protocol Metropolitan area network
Scripting language Server (computing) Calculation Multiplication sign Musical ensemble Resultant Metropolitan area network
Computer programming Functional (mathematics) Code Computer program Heat transfer Code System call Telecommunication Kernel (computing) Hill differential equation Remote procedure call Communications protocol Genetic programming
Computer programming Multitier architecture Server (computing) Functional (mathematics) Message passing Calculation Expression Line (geometry) Vulnerability (computing)
Default (computer science) Computer programming Email Remote administration Java applet Open set 8 (number) Cartesian coordinate system IP address Host Identity Protocol Numerical analysis Software Musical ensemble Communications protocol Library (computing)
Server (computing) Remote administration Computer file Java applet Virtual machine Interactive television Bit Cartesian coordinate system File Transfer Protocol Web 2.0 Process (computing) Calculation Authorization Source code Resultant Computer worm
Demo (music) Software Twin prime Server (computing) MIDI Game theory
okay so SAFF Newstalk is sorry for limb title and it's Toma let's give a big welcome come on Thanks wow it's an honor to be here at DEFCON again I hope you do enjoy yourselves as well I'm Toma I've been calling myself a hacker for almost 10 years I'm from Hungary and I work for an IT security company in Hungary Manchester and developer this is my first time at Def Con and I'm most regular speaker at central Europe's echo conference activity that's enough about me how did I choose this topic it it was not the usual way so I didn't have any interest in in MATLAB and this software but I was at friend's birthday party and at 2 or 3 o'clock in the morning her sister asked me if I could have her in MATLAB and I had some vague memories about MATLAB back from University but of course we said yes so the United State there was I sitting in my room installing MATLAB and it's a rule of thumb what I install on my machine I try to hack and there was a lot of stuff to hack this software is huge there are several web servers cloud integration lots of functionalities lots of attack surfaces so hacking response why I died in but I didn't want to discriminate hid MATLAB so I also downloaded the trial of Mathematica and maple and together they gave you a pretty nice topic to talk about in this this talk probably won't be the most technical talk you were here at Def Con I want to show you any groundbreaking techniques methodologies but I will show you a bunch of 0 days in this free software let's start with MATLAB some simple stuff like every like a big scripting language MATLAB has also facilities to run native code native commands it has a system command which you can use to execute OS commands you can also use the bank symbol and the roughest it is to load native libraries libraries and calm objects - this is of course not a vulnerability in itself but can be used for malicious purposes for example spear phishing attack can be can be created with own malicious MATLAB script one other
interesting aspect of this native command execution is that you can download matlab mobile and you can create a free registration at MathWorks servers and you can actually run matlab functions all MathWorks servers and this is not whitelisted or practiced it so you can also run these system commands on the earth servers granted it's in a talker environment i did not try to escape it but we all know that it's just privileged escalation by the way ok so I mentioned using malicious MATLAB scripts in in a phishing attack or something like that mmm but it should be fairly easy to protect these attacks because you just have to scan your scripts for these dangerous functions but math works have a solution against IP theft which is the function P code which P code you can obfuscate your MATLAB script so it won't be data is what they do MATLAB each have uses it lots and lots of functionalities in MATLAB are implemented as P files we coded MATLAB script even to mathworks has a warning that dismally an obfuscation it's not not secure enough to trust your sensitive data to but because lots of matlab's functionality is implemented as P files I needed to reverse engineer this algorithm and this was kind of painful because there are a huge number of native libraries that call Java jars that in turn execute MATLAB be files that sometimes go back to Java libraries so from an external viewpoint it's it's quite a mess and it got me confused a few times one of these even created a nice fahrenheit topic I have found a nasty back with static code analysis but it turned out that that code was some leftover that code that is not used anyway so eventually I have found the P code implementation and I was able to create a Python script that decodes P files back to MATLAB script it was a
huge internal debate with myself I should release this Python script but I have decided against it because even though MATLAB has that warning lots of people use P code to protect their research and I didn't want to expose it but I will show you the most interesting step of the Pequod's algorithm because P code consists of three steps that's a serialization step compression and in an encryption step the latter two are implemented in underscore part library and they are pretty straightforward they are really easy to reverse-engineer so if you are interested in it you should do it you could do it without problems the serialization was more interesting because it's it it's a lot of probably C++ code and it would have been really painful to reverse engineer even with some decompiler but what was interesting is that almost the whole algorithm could be understood by just looking at the B files just looking at the data
so here is a B file it's already colored hoodie but even without the colors it should stick out that there are separate blocks that contain function names and numbers used in the scripts and string literals so what remains to understood is this first block and and this last if you look at the first black it really seems to be 7d words that have very small values and if you look at these values first is 0 x OC which is 12 and if you count the function names it's 12 the second number is 2 and there are 2 numbers so these 7d words it seems these are the numbers of symbols in the B file there are seven of them I I was able to identify three of them but it turned out that it's not really important so this was enough to reverse the algorithm what remains is this last block which seems to be the combination of some random numbers that are in white and some 0x 80 80 pairs 80 80 something parts after a while it it turned out that if you subtract 0 X 80 80 from these parts then the result is is an index into disarray so the first one is 0 X 80 80 you subtract 0 80 80 and the zeroth element of the array is ax and if we go back to the original
script you can see that it is indeed starts with the X and the next symbol is is an equal sign so maybe zero to five F
represents the equal sign and maybe all these numbers represent some symbols or reserved words in MATLAB language so this was the part when I asked for the help of a disassembler I looked for these these numbers in the disassembly
of the library and I found an array of of the resort words and symbols which could be easily extracted from the binary so it only needed to stab stitute those numbers with the symbols and reserved words to get the original MATLAB script so it took a few days but it was easy enough to to
reverse-engineer the algorithm only just by looking the data I've already told you about MATLAB mobile and I've told that you can connect to math first servers with it but it's not only mad for servers you can connect to but you can create your own and you can connect to the communication between the mobile application and the server is HTTP communication it's plain HTTP there is no possibility to set up HTTPS but the bodies are seemed to be base64 encoded binary blobs so they are maybe encrypted these are
the request and response bodies I have reverse-engineered the server
code and it turned out that it is indeed encrypted but it is encrypted by excelling the plaintext message with the server's password so it's really strong encryption but it gets better because every single plaintext message is
prefixed with a string method connector - v1 this means that if you had one single message you can access all the first 18 bytes of it with MATLAB connector underscore v1 and you get the password so this is pretty nice but the maximum password length is 32 bytes so what if somebody sets 32 bytes password no worries because because of the structure of the plaintext messages these adjacent messages there are always 32 static but at the beginning of the message so this is how we first start and this is how response starts so if you got one message from the mobile MATLAB mobile application to the server you can deduce the password I have birds
with Pro extension that does exactly this it retrieves the
password and creates a massive connector tab that shows you the plaintext message and lets you edit it I didn't try to test further the meta mobile server but this would be a big hub for that for eg fuzzing the server or something like that this extension and all of my demos all of my exploits will be available on my github shortly after my talks you can download and play with it okay while I
was looking for the implementation of MATLAB mobile I have found an interesting verb dot XML in the MATLAB server it described some servlets of which do seem very interesting the engines of it and the MATLAB servlet the matter servlet evaluates functions via a get request it is widely still there are only a handful of functions that can be code and it is localhost only but I was looking at all these functions that can be called and it turned out that the PS
link private function is basically just a wrapper around Aviva Aviva is the meta function used to evaluate arbitrary metal functions what this means is you can call arbitrary MATLAB functions the system function included by just one get request to local to the MATLAB server so you can you can have a website that
but an image with such an URL and if somebody with an open matlab opens your website it will execute whatever matlab command you want so this means basically remote code execution on victim's machine as we were shortly see so yeah you can see the calculator open Thanks
okay so the is it also evaluates matlab functions but if this does not work on a default configuration so you you will have to turn on engine server but it still can be used to and no backdoor somebody's machine with engine server there is no white or a blacklist you can call any matter functions it requires an API key but this is burnt into MATLAB its MATLAB and it's also localhost only at least in theory because they used the get request you were a Java function to get the originating URL which uses the host header so it can be very easily faked
there's the key and I also have a demo
for this so I'm starting MATLAB and I'm
going to show you the simple curve command that can be used to start calculator on victims machine by a math lab I'm just gonna fast forward the bit so we can see that it's forbidden because ng soffit is not running right now this is the code that can be used to turn it on okay it's on we try again we got the calculator so it's it's again remote code execution but it needs ng
server to be turned on okay moving on to another math first product it's called meta productions where it can be used to deploy a MATLAB functions on the web it has an express based management dashboard which uses a scientist to store the session it uses the cookie session and the key grip NPM packages for this but it has a huge implementation problem because they have an array of two keys it contains MATLAB and Simulink but in reality only the first one is ever used they never rotate the keys we can
confirm this by creating a signature from for a cookie using eg OpenSSL so you can see here's the password and we get the same signature that we got from the server what this means for an attacker is that we can
a super cookie that grants administration rights to any MATLAB productions worse always and this can of
course be used to run code on the matter
production server because you can upload a matlab function that contains only the system function and you can call it remotely so I have a Python script that create new MPs instance it's create creates a new application and deploys and start it and this application contains only the faction MATLAB call so if we run this Python script you can see it's working and we have a new MPs application it's running or right so now we can use the MPs dot pi script to run commands on the MPS server so as you can see it's a bit slow but but it eventually answers with the result so this is remote code execution without any authentication to the MPs or okay so
I did not do a thorough inspection of MPs I did not have the time yet but I have found some additional flows it's just an example it's stored access I'm sure there are several others so it's a nice start I think okay so
moving onto another mass product its Mathematica and it can also execute native command but notebooks Mathematica notebooks are not scripts so they won't evaluate when you open them but there are expressions expressions or the dynamics that can be used to evaluate expressions automatically but these dynamic expressions have some protections against malicious notebooks they want there are some automatic functions expressions that are dangerous and they won't evaluate we are dynamic expression without user interaction at least they shouldn't but I have found the way by trial and error to bypass this product protection so I'm gonna
show the poll on trial and error process in this demo the first thing I've tried was the was a simple run command which can be used to run commands but it pops up the CMD window so I didn't lie that it turned out that Ram process does not pop up the CMD window so it lives better
now I'm trying to wrap this into a dynamic and it became quite disaster
because every time a dynamic is displayed it evaluates the expression so
it was a loop and so eventually I
managed to quit and I have also found a way to to get around this infinite loop we can use the tracks impose dynamic parameter to basically make dynamic update only once when it first displayed so now if we try to save this into a file okay and so trying to open the file
and there's indeed warning so it won't execute people without the without user
interaction I was looking through the documentation and I found another expression called oh sorry there's something other in this video too there are so-called safe directories and documents inside see if directories are
not checked for these dangerous
functions so dynamics we are always evaluated from them so if you can get somebody to download your malicious notebook to a safe location then you are
good to go no tricks sorry but if you don't have that luxury you can use the interpreter expression which is used to
ran expressions from a string and it should be a dangerous function but it turned out it's not so this can be used to auto execute commands with a
Mathematica notebook so this is how you can bypass the dynamic production okay
so really similar to to Mathematica notebooks are computable document format documents these are almost the same but they are run in restricted environment they are run in a sandbox but you can also run them from a browser so it somewhat widens the touch surface the biggest restriction of of the sandbox is that you have no file system access you can't download files you can't even execute commands but there are still some ways to to abuse these CDF's what I was looking through the documentation I have found out that you can do tcp/ip from CDF's and my very first thought was that I can create socks proxy with that so if I can get someone to open my CDF document which implements the socks proxy then it will open proxy into the victim machine into the victim Network so I thought it would be pretty cool so I did implement that proxy and I'm gonna show you this with a
Linux machine that runs axe server this is the victim and it will open the CDF file that implements the socks proxy and I'm gonna use it to create a screenshot of the axe desktop remotely through the Sox server so I'm using so cut to to redirect the Sox
communication into a UNIX socket okay start in the CDF file creating the listening socket for the experiment server fast forward it a bit okay so now
it's everything is running I can use xwd to download screenshot from the access server it runs quite a while when fast forwarding again when it's done I'm converting it to PNG and you can see that creating this top screenshot was
indeed successful [Applause]
so another war from research product is a lightweight grid manager it's a clustering solution for from valve or from research it's basically a tomcat based web application to manage Mathematica kernels it needs authentication to to make changes but you can start corners without authentication it has some protection though because you can set up an IP whitelist but these protections have some very serious implementation flows first for the authentication this is the config file stupid that implements the authentication you can see that it's only for get and post requests this is the first level us shortly why and they
also have an AGP listener available this is a second flow so the first one is is a problem because the application will accept parameters from the query string and this means you can use a head HTTP request and it does not require authentication it does not it's not in the configuration files so you can change any configuration without authentication by just using add request but you have to have to bypass the IP filter first you can use a GP for this because because yrh GP you can lie about the source address you can see that you are coming from localhost so the application will accept the exceptio request because the IP filter is implemented in in the application level and not in the application server level so this can be used to bypass the IP theater there is one more vulnerability in this implementation that makes it really easy to exploit this it has the the the you can set the corners pass we are setting and that functionality contains an OS command injection vulnerability so this means if you combine these three vulnerabilities you can have arbitrary OS command injection on any likely treat managers were without any authentication I have created a Python script that does
this you can see is the GM application I'm gonna start listener and I am going to start connect partial by exploiting these vulnerabilities you can see that I have a connection back and I can execute commands on the GM server
okay one other thing about a GM it's not available that there is no trial or evaluate license but I really wanted to test it and I dig through the internet and I found University website where there was a mathematical license number available for public so maybe maybe don't do that [Music]
okay so Mathematica and in general for from products use the W STP protocol to communicate internally between the kernel and the front-end and externally in a clustering situation or or with some third party native applications this protocol uses plain text communication so it's pretty easy to launch man-in-the-middle attack against it and in this case man in the middle attack means remote code execution because you can send a WS TP evaluate packet which will be evaluated on the
receiving side I'm ganache this by
connecting Mathematica to a grid and I'm running a simple calculation on the grid so I'm gonna calculate three times two using the grid and it gives that the result but when I start my man in the middle attack script which uses axe inject to replace any packets we'd be one evaluate packet I'm using ARP spoof to ARP poison launching listener and when I try to compute three times two I get a canary bird shot so I can run OS commands on the server this shows that [Music]
this shows that the me to attack is really an remote code execution okay you
can also upload some heavy works from Mathematica to external programs so you can call functions from automatic a--from these external programs but that's dangerous functionality because these external programs can also talk back to you and they can also us and evaluate packets so such an external program can execute code on your
Mathematica server I'm gonna show you
this by slightly modifying one of the W STP examples I'm adding to evaluate
lines first one just in some message and the second one uses the run expression to the Ramprasad expression to start calculator so combining it start in the external program and creating the to this program in Mathematica when I try to install this external program you can see that calculator runs so it's not an exploit not a vulnerability but just some dangerous functionality in the
program okay my last target it's maple when I installed it and tried it the first thing that stuck out to me was that maple documents are XML files it was not not really surprised that the software was acceptable to xxe attacks but this of course requires that the victim opens a malicious maple a document but there are two ports listening on on every IP address on the default maple install the first one is not really interesting it just observed number and shuts down the port but this second one TCP one nine nine nine one it's really interesting because it's a simple remote controls over here is the
the protocol you send it up in it sends its back on ACK and now you can send sent over a command which can be starting a paper application maple applications are defined as Java libraries so they are burned into the software it's not not an obvious way to exploit this command but you can also [Music] open mail documents with the open command and if you have a fashion and
put your malicious maple document on that fire then you can use this remote controls over to open the malicious document from your fashion on the victims paper machine there is an author who executes feature in paper which can be used to execute native commands with this but it requires user interaction so it's a bit hard to explore it but you can combine this remote control server with the fact that the application is susceptible to react sexy does not need user interaction but you can also do as RF or download files from victims machine using an out-of-band xxe attack which
I'm gonna show you so while maple is starting you can see that this is just a simple xxe payload I'm starting an FTP server that will receive the D file we are going to steal I'm also starting web server that serves the X X the second stage of the exact C payload okay and I'm also starting an SMB server to serve my malicious paper document and now I can use the remote control server to open that document in the victims maple so there's being AK and I'm opening that file from my sword war and this is value we'll see the result of the xxe exploit you can see it directly listing because paper is in Java and you can do direct releasing in job of it xx II but I know you are you all want to see another calculator so so I'm gonna give you that shortly it's the same attack I'm just yeah does your calculator it it's an ASCII calculator okay
this was my last demo and this is the end of my talk there are a lot of stuff to look at these software steal so these are just a few ideas these are the things I will probably look at in the future but I encourage you to do the same Luke around this software and this is the end thank you for listening to my talk [Applause]