58:57 REcon English 2016

Breaking Band

In recent years, over-the-air exploitation of cellular baseband vulnerabilities has been a recurring topic in the security community as well as the media. However, since “All Your Baseband Are Belong To Us” in 2010, there has been little public research on exploiting cellular modems directly. Now, Breaking Band is back with a new season by popular demand. We will describe our methodology for reverse engineering the RTOS, starting from unpacking proprietary loading formats to understanding the security architecture and the operation of the real-time tasks, identifying attack surfaces, and enabling debugging capabilities. Through this, we’ll give you a complete walkthrough of what it takes to go from zero to zero-day exploit, owning the baseband of a major flagship phone, as we have done at Mobile Pwn2Own 2015.
  • Published: 2016
  • Publisher: REcon
  • Language: English
57:44 REcon English 2016

How Do I Crack Satellite and Cable Pay TV?

Follow the steps taken to crack a conditional access and scrambling system used in millions of TV set-top-boxes across North America. From circuit board to chemical decapsulation, optical ROM extraction, glitching, and reverse engineering custom hardware cryptographic features. This talk describes the techniques used to breach the security of satellite and cable TV systems that have remained secure after 15+ years in use. Topics include: chemical decapsulation and delayering of ICs in acids, microphotography and optical bit extraction of ROM, binary analysis using IDA and homebrew CPU simulators, datalogging and injection of SPI and serial TS data, designing and using a voltage glitcher, extracting secret keys from RAM of a battery-backed IC, analyzing hardware-based crypto customizations, studying undocumented hardware peripherals, MPEG transport streams and non-DVB standards, QPSK demodulation, interleaving, randomization, FEC of OOB (out-of-band) cable data. The result is knowledge of the transport stream scrambling modes and knowledge of the conditional access system used to deliver keys. Strong and weak points are identified, and advanced security features implemented nearly 20 years ago are compared to modern security designs. A softcam is designed and tested using free software, working for cable and satellite TV.
  • Published: 2016
  • Publisher: REcon
  • Language: English
57:47 REcon English 2016

Visiting The Bear Den

During the last two years, three cheerful chaps tracked one of the most prolific espionage groups out there. The group in question created a complex software ecosystem, composed of tens of different components, and also regularly pulls out 0-day exploits. This talk presents the results of the hunt.
  • Published: 2016
  • Publisher: REcon
  • Language: English
1:00:19 REcon English 2016

Google: Process Failure Modes

Creating processes on Windows is fraught with danger. There are many things that could go wrong. This is even more true when creating processes in system services at the behest of the user. At best, making a mistake could result in creating processes from files the user can’t access; at worst, they get system privileges. This presentation will go into detail on how processes are created in Windows and the many ways that it can go horribly wrong. I’ll discuss some of the shortcomings of the Windows process and session models and how they can be abused to elevate privileges. Throughout I’ll provide examples of vulnerabilities and exploitation techniques I’ve discovered (some of which won’t be fixed any time soon) with clear anti-pattern examples to aid in discovering similar vulnerabilities. One of the issues I’ll discuss is the complexities around one of my most recent Project Zero blog posts (specifically “Raising the Dead”) which dealt with session creation and stuck processes. Some of the other topics I’ll include are:
  • Process creation internals
  • Process creation w.r.t. impersonation
  • Session hopping
  • Dangerous creation patterns
  • Published: 2016
  • Publisher: REcon
  • Language: English
57:38 REcon English 2016

Hardware-Assisted Rootkits and Instrumentation: ARM Edition

Security researchers have limited options when it comes to debuggers and dynamic binary instrumentation tools for ARM-based devices. Hardware-based solutions can be expensive or destructive, while software tools are often restricted to user mode. In this talk, we explore a common but often ignored feature of the ARM debug architecture in search of other options. Digging deeper into this hardware component reveals many interesting use-cases for researchers ranging from debugging and instrumentation to building a novel rootkit. First, we will shine a spotlight on a debug interface that dates back to ARMv6, and demonstrate how to control it from software in order to instrument code in normal world. We will introduce a prototype toolkit with IDA plugin that can perform real-time tracing, code coverage analysis, and more, of the Android kernel on COTS smartphones without requiring virtualization extensions or special hardware. Next, we will compare implementations of this hardware unit across multiple chipset vendors, and discuss applicability to other ARM CPUs found in your phone like WiFi and cellular basebands. The second half of our talk will add new meaning to the phrase “hardware-assisted rootkit”. Abusing this same debug interface we will have some fun with the Krait architecture in order to demonstrate a kernel-level rootkit for Android that can bypass the current state of the art in rootkit detection. We’ll discuss hijacking exceptions, interacting with TrustZone, and methods for detecting this unconventional rootkit. Finally, we will wrap up highlighting a use-case for exploit mitigations on embedded systems.
  • Published: 2016
  • Publisher: REcon
  • Language: English
55:51 REcon English 2016

Shooting the OS X El Capitan Kernel Like a Sniper

OS X El Capitan has introduced new exploit mitigations to the kernel. These include the “vm map copy” mitigation, System Integrity Protection/Rootless, SMAP (enforced on the new model of MacBook Pro), etc. Combined with existing modern OS exploit mitigations like kASLR and DEP, exploiting the OS X El Capitan kernel has become harder. Approaches to defeat those new mitigations were discovered by security researchers in late 2015, but most of them have additional prerequisites on either the bug or the environment. For example, the technique to overwrite the size of a vm map copy requires a perfect zone overflow (overflowed length controllable + content controllable), and some of the techniques require creating a specific user client, which is prohibited for sandboxed processes (Safari WebContent, Chrome sandbox, etc.). In this talk, we will introduce a new approach to exploit the El Capitan kernel from the most restrictive sandboxed process (Safari WebContent). The new approach is universal to all OS X kernels and doesn’t demand much of bug quality: only a single write (not necessarily of an arbitrary value) is needed to pwn everything (including info leak, kASLR, DEP, SIP and SMAP bypass). The new technique will be illustrated by a live remote root demo during the talk.
  • Published: 2016
  • Publisher: REcon
  • Language: English
52:15 REcon English 2016

Dangerous Optimizations and the Loss of Causality

Increasingly, compiler writers are taking advantage of undefined behaviors in the C and C++ programming languages to improve optimizations. Frequently, these optimizations are interfering with the ability of developers to perform cause-effect analysis on their source code, that is, analyzing the dependence of downstream results on prior results. Consequently, these optimizations are eliminating causality in software and are increasing the probability of software faults, defects, and vulnerabilities. This presentation describes some common optimizations, describes how these can lead to software vulnerabilities, and identifies applicable and practical mitigation strategies.
  • Published: 2016
  • Publisher: REcon
  • Language: English
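A worked illustration of the kind of optimization the abstract describes, added here as an example and not taken from the talk: two bounds checks written in terms of overflow that C leaves undefined, each beside a rewrite that stays inside defined behaviour. The function names and the 16-byte record buffer are constructed for this example.

```c
/* Constructed example: overflow checks that undefined behaviour lets the
 * optimizer delete, next to rewrites whose result is defined at every -O level. */
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Vulnerable: the guard relies on signed overflow wrapping. Signed overflow is
 * undefined in C, so the compiler may assume len + pad never wraps and remove the
 * first comparison entirely (gcc and clang both do this at -O2). */
static bool fits_wrapcheck(int len, int pad, int cap) {
    if (len + pad < len)            /* undefined when it overflows */
        return false;
    return len + pad <= cap;
}

/* Hardened: decide before adding, using only comparisons that cannot overflow. */
static bool fits_checked(int len, int pad, int cap) {
    if (len < 0 || pad < 0 || cap < 0)
        return false;
    if (pad > INT_MAX - len)        /* the sum would overflow */
        return false;
    return len + pad <= cap;
}

/* Vulnerable pointer form: forming cur + n beyond the end of the object is
 * undefined, so `cur + n >= cur` may be folded to true and a huge n can slip
 * through by wrapping the address. */
static bool in_bounds_ptrcheck(const uint8_t *cur, const uint8_t *end, size_t n) {
    return cur + n >= cur && cur + n <= end;
}

/* Hardened: compare remaining length; never compute an out-of-range pointer. */
static bool in_bounds_lencheck(const uint8_t *cur, const uint8_t *end, size_t n) {
    return cur <= end && n <= (size_t)(end - cur);
}

/* The hardened check applied to a fixed 16-byte record buffer (constructed). */
static uint8_t record[16];
static bool record_read_ok(size_t offset, size_t n) {
    if (offset > sizeof record)
        return false;
    return in_bounds_lencheck(record + offset, record + sizeof record, n);
}

int main(void) {
    /* The first line depends on the optimization level; the rest do not. */
    printf("fits_wrapcheck(INT_MAX, 1, INT_MAX) = %d\n", fits_wrapcheck(INT_MAX, 1, INT_MAX));
    printf("fits_checked(INT_MAX, 1, INT_MAX)   = %d\n", fits_checked(INT_MAX, 1, INT_MAX));
    printf("in_bounds_ptrcheck(record+8, end, SIZE_MAX) = %d\n",
           in_bounds_ptrcheck(record + 8, record + sizeof record, SIZE_MAX));
    printf("record_read_ok(8, 8) = %d, record_read_ok(8, 9) = %d, record_read_ok(8, SIZE_MAX) = %d\n",
           record_read_ok(8, 8), record_read_ok(8, 9), record_read_ok(8, SIZE_MAX));
    return 0;
}
```

Build the file once with `-O0` and once with `-O2` and compare the first two printed lines: the wrap-check result changes, the checked version does not. On the mitigation side, gcc’s `-Wstrict-overflow` reports the comparison it is about to delete, `-fwrapv` or `-fno-strict-overflow` gives signed arithmetic wrapping semantics, and `-fsanitize=undefined` traps the overflow at run time; none of those is a substitute for writing the check in defined terms as above.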
58:43 REcon English 2016

Go Speed Tracer

The past few years have seen a leap in fuzzing technology. The original paradigm established a decade ago resulted in two widely deployed approaches to fuzzing: sample-based mutation and model-based generation. Thanks to ever-increasing computational performance and better engineering, newer guided fuzzing approaches have proven to be supremely effective with a low cost of deployment. This talk will explore a few different approaches to guided fuzzing through dynamic analysis including code coverage analysis, constraint solving, and sampling/profiling based feedback mechanisms. Novel contributions in this talk include:
  • Open-source Windows driver enabling Intel “Processor Trace”
  • DBI-based tracing engine for Windows/Linux/OSX binaries
  • American Fuzzy Lop with full support for Windows binary targets
  • Published: 2016
  • Publisher: REcon
  • Language: English
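The coverage-feedback loop the abstract refers to, as an added example that is not the speaker’s code or tooling: a constructed toy parser instrumented by hand with a COV() macro (standing in for what afl-gcc, a DBI engine or a Processor Trace decoder would supply), driven by a deterministic byte-sweep mutator that keeps an input only when it reaches a new (edge, hit-count bucket) pair. The target, the seed, the bucket sizes and all names are assumptions made for this example.

```c
/* Constructed example: coverage-guided mutation fuzzing in miniature. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define N_EDGES    8
#define N_BUCKETS  9
#define MAX_LEN    32
#define MAX_CORPUS 64

static uint32_t hits[N_EDGES];   /* hit counts for one execution, cleared per run */
#define COV(id) (hits[(id)]++)   /* stands in for afl-gcc instrumentation, DBI or PT */

/* Toy target (constructed): "RE", version byte 2, length byte, payload copied into
 * a 16-byte buffer. The length byte is trusted, so n >= 17 writes past buf; the
 * check in the loop reports that write the way ASan would, instead of corrupting
 * the stack. */
static int target(const uint8_t *d, size_t len, bool *crashed) {
    uint8_t buf[16];
    *crashed = false;
    COV(0);
    if (len < 4)     { COV(1); return -1; }
    if (d[0] != 'R') { COV(2); return -2; }
    if (d[1] != 'E') { COV(3); return -3; }
    if (d[2] != 2)   { COV(4); return -4; }
    COV(5);
    size_t n = d[3];
    if (n > len - 4) n = len - 4;            /* only copy bytes that are present */
    for (size_t i = 0; i < n; i++) {
        COV(6);
        if (i >= sizeof buf) { *crashed = true; return -99; }   /* the overflow */
        buf[i] = d[4 + i];
    }
    COV(7);
    return n ? (int)buf[n - 1] : 0;
}

/* AFL-style hit-count bucketing: 0,1,2,3 stay distinct, then 4-7, 8-15, 16-31, ... */
static unsigned bucket(uint32_t c) {
    if (c <= 3) return (unsigned)c;
    unsigned b = 4;
    while (c >= 8 && b < N_BUCKETS - 1) { c >>= 1; b++; }
    return b;
}

static bool seen[N_EDGES][N_BUCKETS];   /* coverage map for the whole campaign */

/* Execute one input; true if it reached an (edge, bucket) pair never seen before. */
static bool run(const uint8_t *d, size_t len, bool *crashed) {
    bool new_cov = false;
    memset(hits, 0, sizeof hits);
    target(d, len, crashed);
    for (int e = 0; e < N_EDGES; e++) {
        unsigned b = bucket(hits[e]);
        if (b && !seen[e][b]) { seen[e][b] = true; new_cov = true; }
    }
    return new_cov;
}

struct input { uint8_t data[MAX_LEN]; size_t len; };
static struct input corpus[MAX_CORPUS];
static size_t corpus_len;

/* Deterministic stages only (every byte value at every position, with and without
 * zero-extension by `extend` bytes) so a campaign is reproducible; AFL layers a
 * randomised "havoc" stage on top. Returns executions; crash->len == 0 if none. */
static long fuzz(const uint8_t *seed, size_t seed_len, size_t extend, struct input *crash) {
    long execs = 0;
    bool crashed;
    memset(seen, 0, sizeof seen);
    memset(corpus, 0, sizeof corpus);
    memcpy(corpus[0].data, seed, seed_len);
    corpus[0].len = seed_len;
    corpus_len = 1;
    crash->len = 0;
    run(seed, seed_len, &crashed); execs++;
    for (size_t qi = 0; qi < corpus_len; qi++) {
        for (int ext = 0; ext < 2; ext++) {
            struct input base = corpus[qi];
            if (ext) {
                if (base.len + extend > MAX_LEN) continue;
                base.len += extend;              /* bytes past len are already zero */
            }
            for (size_t pos = 0; pos < base.len; pos++) {
                for (int v = 0; v < 256; v++) {
                    if ((uint8_t)v == base.data[pos]) continue;
                    struct input cand = base;
                    cand.data[pos] = (uint8_t)v;
                    execs++;
                    if (run(cand.data, cand.len, &crashed) && corpus_len < MAX_CORPUS)
                        corpus[corpus_len++] = cand;   /* new coverage: keep as a parent */
                    if (crashed) { *crash = cand; return execs; }
                }
            }
        }
    }
    return execs;
}

/* Whole campaign from an all-zero 8-byte seed (constructed); the crash lands in `found`. */
static struct input found;
static long demo_fuzz(void) {
    static const uint8_t seed[8] = {0};
    return fuzz(seed, sizeof seed, 16, &found);
}
static size_t found_len(void) { return found.len; }
static int found_byte(size_t i) { return i < found.len ? found.data[i] : -1; }

int main(void) {
    long execs = demo_fuzz();
    printf("crash after %ld executions, input (%zu bytes):", execs, found_len());
    for (size_t i = 0; i < found_len(); i++) printf(" %02x", found_byte(i));
    printf("\n");
    return 0;
}
```

The point of the feedback is visible in the execution count: each of the three magic bytes costs one sweep of the current parent (about 8,000 executions), because the input that gets past a check is kept and becomes the next parent, and the loop’s hit-count buckets then pull the length byte up until the copy runs past the buffer. Without feedback the same three-byte prefix is a 256³ search, and the length bug behind it is never reached systematically. Swapping COV() for real instrumentation (compiler-inserted, DBI, or a trace decoded from Processor Trace) is what turns this loop into a tool for binaries you cannot rebuild.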
59:48 REcon English 2016

Abusing the NT Kernel Shim Engine

The Kernel Shim Engine is the kernel’s analogue to the user-mode shim engine (ShimEng). Although the latter has now had some pretty good research done on it, the KSE remains a mystery. First introduced in Windows XP as merely a Plug-and-Play compatibility layer for custom registry flags, it morphed into a nearly full-blown Shim Engine implementation, with the ability to misuse it for both persistence and stealth hooks in the kernel. In this talk, you’ll learn how to use the KSE for hooking drivers (dispatch tables, IRPs, and entrypoints) as well as kernel APIs, both legitimately and illegitimately. You’ll also see some WinDBG scripts & techniques for detecting and enumerating installed kernel shims for forensic purposes. Finally, a tool called DriverMon is planned for release at the conference, which uses the KSE to provide ProcMon for drivers.
  • Published: 2016
  • Publisher: REcon
  • Language: English
59:38 REcon English 2016

Reverse Engineering ISC controllers

  • Published: 2016
  • Publisher: REcon
  • Language: English
46:44 REcon English 2016

When Governments Attack

Targeted malware campaigns against activists, lawyers and journalists are becoming extremely commonplace. These attacks range in sophistication from simple spear-phishing campaigns using off-the-shelf malware, to APT-level attacks employing exploits, large budgets, and increasingly sophisticated techniques. Activists, lawyers and journalists are, for the most part, completely unprepared to deal with cyber-attacks; most of them don’t even have a single security professional on staff. In this session Eva Galperin and Cooper Quintin of the Electronic Frontier Foundation will discuss the technical and operational details of malware campaigns against activists, journalists, and lawyers around the world, including EFF. They will also present brand new research about a threat actor targeting lawyers and activists in Europe and the post-Soviet states. With targeted malware campaigns, governments have a powerful tool to suppress and silence dissent. As security professionals we are in a unique position to help in this fight.
  • Published: 2016
  • Publisher: REcon
  • Language: English
47:41 REcon English 2016

More Flash, More Fun!

Adobe Flash is a popular target for attackers in the wild. This presentation describes my research into Adobe Flash, which discovered over a hundred vulnerabilities in the software. It details some strategies for finding bugs through code review, fuzzing and reverse engineering and provides examples of bugs discovered using these methods. It also examines recent exploits, and how they bypass new Flash mitigations.
  • Published: 2016
  • Publisher: REcon
  • Language: English
27:25 REcon English 2016

M/o/Vfuscator-Be-Gone

After last year’s talk by Christopher Domas titled “The M/o/Vfuscator”, we spent a great amount of time analyzing the inner workings of the famous one-instruction compiler. We are happy to announce and release the (to our knowledge) first demovfuscator this year at recon0xA. This talk presents a generic way of recovering the control flow of the original program from movfuscated binaries. Our approach makes zero assumptions about register allocation or a particular instruction order, but rather adheres to the high-level invariants that each movfuscated binary needs to conform to. Consequently, our demovfuscator is also not affected by the proposed hardening techniques such as register renaming and instruction reordering. To achieve this, we use a combination of static taint analysis on the movfuscated code and a satisfiability modulo theories (SMT) solver. We successfully used our demovfuscator against several movfuscated binaries that emerged during CTFs in the last months (Hackover CTF, 0CTF and GoogleCTF), proving that it can already handle real-world binaries different from the synthetic samples created by us. Our demovfuscator is under active development and we are working towards our next, ambitious goal: generically getting rid of the instruction substitution and generating a much more compact and readable result. We will share our insights on this topic as well.
  • Published: 2016
  • Publisher: REcon
  • Language: English
29:20 REcon English 2016

BBS-Era Exploitation for Fun and Anachronism

The bulletin board era was a golden age for those of us who were into computers (and in existence) at the time. Yet, think of how much better it could have been if we’d had today’s exploitation tradecraft to bring to bear back then. In this presentation, we’re taking modern technology back with us a couple decades and aiming it at BBS-era software, possibly to see what we can learn from attacking these scrutable-yet-unusual systems but mostly just because we can. We’ll use tools and techniques that didn’t publicly exist at the time to run, reverse engineer, attack, debug, and exploit old code. Finally, we’ll demonstrate some of the fun we could’ve had, if only we knew then what we know now… Source code and proofs-of-concept will be released.
  • Published: 2016
  • Publisher: REcon
  • Language: English
21:44 REcon English 2016

JavaJournal

Despite the multitude of Java decompilers available, we often have the need to debug or trace malicious or obfuscated Java bytecode. Existing Java debuggers and tracers are mostly targeted towards Java developers, are closed-source, and are not meant to handle malicious or obfuscated targets. We present a new open-source cross-platform framework for debugging Java, written completely in Python, designed specifically for reverse engineering. We also present a Java method call tracer as a sample Python application that utilizes this framework.
  • Published: 2016
  • Publisher: REcon
  • Language: English