Greetings from Heidelberg to Paris,
and thanks for a great time at HES14! A nice venue (a museum), sweet talks and stacks of spirit carried us through the three-day con. It all set off with a keynote by TROOPERS veteran Edmond ‘bigezy’ Rogers, who stuck to a quite simple principle: “People do stupid things”, and I guess every single one of you has quite a few examples of that on offer. Nearly every speaker referenced that statement at some point during his or her talk. Furthermore, we presented an updated version of our talk LTE vs. Darwin, covering our research on security in LTE networks and potential upcoming problems.
For those who missed HES2014, we prepared a short summary of some of the talks that inspired us.
Hacking Telco equipment: the HLR/HSS
This was one of the several eye-opening talks in the area of telecommunication infrastructure. As expressed by Laurent “the state of the core mobile network is critical from a security perspective”. Companies and vendors in the telecommunication business seem to ignore the criticality of the services they provide.
Laurent’s talk focused on the security, or rather insecurity, of one of the most crucial components of a core telco network: the HLR/HSS. Whether it is a 3G, 3.5G or 4G architecture, all of them rely on a well-functioning HLR/HSS. This element is responsible, amongst other things, for storing the subscriber keys and subscriber data (think IMSIs, and so on). It turns out, as shown by Laurent, that these very crucial systems are sometimes neglected from a security perspective. So his goal was to assess the security of some of the common HLR/HSS components.
The Oracle front-end boxes responsible for the virtualization that he found during his research were nothing more than x86-64 Solaris systems with 32 GB of RAM and plenty of disk space: local storage and frequently an external SAN. The boxes ship with a stock kernel or with custom telco kernel modules (for instance from Signalware, for SS7 communication). He and his team found the usual admin nonsense, like terminals that give you root access once opened and loads of SUID binaries. Laurent and the team didn’t stop there, however: they also did some fuzzing of the SS7 stack and found, for example, that a single duplicated MSU (Message Signal Unit) causes two minutes of downtime of the HLR/HSS. In a telco network that means that no calls can be set up during that time!
Reverse engineering some of the well-documented, unstripped and non-obfuscated kernel modules and userland binaries showed that some were prone to race conditions, logic errors and null pointer dereferences that could be triggered from the international SS7 core network.
In short, it wasn’t a glamorous day for the telecommunication providers, also because we gave our talk right after 😉
Applying science to eliminate 100% of buffer overflows
Buffer overflows have been the holy grail for security researchers since the publication of Aleph One’s paper (“Smashing The Stack For Fun And Profit”) in the 90s. Hence it may be time to find a definitive solution for these old and well-known bugs.
Andreas Bogk from the CCC showed at HES how spatial safety (no access outside an object’s bounds) and temporal safety (no access to an object after it has been freed) can improve the security of vulnerable C code. SoftBound and CETS are compiler-based instrumentations: SoftBound attaches base and bound metadata to every pointer and checks it on each load and store, CETS attaches a key and lock to each pointer to detect use of freed memory, and both are applied to the user’s code at compile time without changing the source. If this sounds promising and interesting to you, be sure to have a look at the slides and the projects, namely SoftBound, CETS and Andreas’ FreeBSD port.
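To make the two notions concrete, here is an added example, written for this summary and not code from Andreas’ talk or from the SoftBound or CETS projects, that re-implements the idea in plain C: a pointer struct carrying base/bound metadata for the spatial check and key/lock metadata for the temporal check, with the check performed at every store. The `safe_ptr` type, the `safe_*` helpers, the `demo_*` functions and the return codes are this example’s own constructs; the real projects do this as compiler instrumentation with the metadata kept in a disjoint shadow space rather than in a fat struct, but the three outcomes (overflow rejected, use-after-free rejected, in-bounds write allowed) are the same.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Result of a checked access (this example's own codes, not a SoftBound/CETS API). */
enum { ACCESS_OK = 0, SPATIAL_VIOLATION = 1, TEMPORAL_VIOLATION = 2 };

/* A pointer plus the metadata the instrumentation tracks for it:
 * SoftBound-style base/bound for spatial safety and
 * CETS-style key/lock for temporal safety. Real SoftBound+CETS keeps this
 * metadata in a disjoint shadow space; a fat struct is used here for clarity. */
typedef struct {
    char     *ptr;
    char     *base;   /* first valid byte of the object */
    char     *bound;  /* one past the last valid byte of the object */
    uint64_t  key;    /* id of the allocation this pointer was derived from */
    uint64_t *lock;   /* per-allocation slot; holds key while the object is alive */
} safe_ptr;

static uint64_t next_key = 1;   /* allocation ids are never reused */

/* malloc wrapper: fresh key, lock slot initialised to that key. */
static safe_ptr safe_malloc(size_t n) {
    safe_ptr p;
    p.ptr   = malloc(n);
    p.base  = p.ptr;
    p.bound = p.ptr + n;
    p.key   = next_key++;
    p.lock  = malloc(sizeof *p.lock);
    *p.lock = p.key;
    return p;
}

/* free wrapper: invalidating the lock turns every copy of this pointer stale.
 * The lock slot itself is intentionally never released, so stale pointers
 * keep failing the temporal check instead of aliasing a new allocation. */
static void safe_free(safe_ptr *p) {
    if (p->lock && *p->lock == p->key) {
        *p->lock = 0;
        free(p->ptr);
    }
    p->ptr = NULL;
}

/* Pointer arithmetic propagates the metadata unchanged; nothing is checked
 * until the pointer is dereferenced. */
static safe_ptr safe_add(safe_ptr p, ptrdiff_t off) {
    p.ptr += off;
    return p;
}

/* The check an instrumented load/store performs for the range [ptr, ptr+len). */
static int check_access(const safe_ptr *p, size_t len) {
    uintptr_t lo = (uintptr_t)p->ptr, hi = lo + len;
    if (*p->lock != p->key)
        return TEMPORAL_VIOLATION;   /* object has been freed */
    if (lo < (uintptr_t)p->base || hi > (uintptr_t)p->bound || hi < lo)
        return SPATIAL_VIOLATION;    /* write would leave the object */
    return ACCESS_OK;
}

/* Checked memcpy into a safe pointer; the copy only happens if the check passes. */
static int safe_store(safe_ptr dst, const void *src, size_t len) {
    int rc = check_access(&dst, len);
    if (rc == ACCESS_OK)
        memcpy(dst.ptr, src, len);
    return rc;
}

/* Classic overflow: 16 bytes of attacker input into an 8-byte object. */
int demo_overflow(void) {
    safe_ptr buf = safe_malloc(8);
    char input[16];
    memset(input, 'A', sizeof input);           /* constructed oversized input */
    int rc = safe_store(buf, input, sizeof input);
    safe_free(&buf);
    return rc;                                  /* SPATIAL_VIOLATION */
}

/* Use-after-free: an alias created before free() still carries the old key. */
int demo_use_after_free(void) {
    safe_ptr buf   = safe_malloc(8);
    safe_ptr alias = safe_add(buf, 4);          /* in bounds, so only the lock can fail */
    safe_free(&buf);
    return safe_store(alias, "XX", 2);          /* TEMPORAL_VIOLATION */
}

/* A well-behaved write through the same API is allowed. */
int demo_in_bounds(void) {
    safe_ptr buf = safe_malloc(8);
    int rc = safe_store(safe_add(buf, 4), "abcd", 4);
    safe_free(&buf);
    return rc;                                  /* ACCESS_OK */
}

int main(void) {
    /* prints: overflow=1 use-after-free=2 in-bounds=0 */
    printf("overflow=%d use-after-free=%d in-bounds=%d\n",
           demo_overflow(), demo_use_after_free(), demo_in_bounds());
    return 0;
}
```

Build it with `cc -std=c99 -Wall safe_ptr.c` and run it; the point to take away is that the overflow and the use-after-free are caught at the store, before any byte outside the live object is touched, which is exactly what the compiler-inserted checks of SoftBound and CETS achieve for unmodified C source.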
The setup needed for penetration testing of Android applications is not always as mature as one would like. Using emulators, proxies, traffic analyzers and logs alone, one can’t get a good picture of what’s happening inside an APK. This is what Milan and Daniel want to change. Building on Dex2Jar, JD-GUI, smali and APKTool, they have created a tool which enables pentesters to manipulate the state of an application at run time. Vaccine repacks a given APK and injects a BeanShell (a Java scripting interpreter) into it, which makes real-time manipulation of an app’s state a reality. Have a look at the slides.
Vaccine should be published soon, presumably after DEF CON; check github.com/viris.
The Dangers Behind Open Source Monitoring Tools
Christian Sielaff and Daniel Hauenstein are two well-known TROOPERS veterans, and they joined us at HES, too. There they gave an updated version of their TROOPERS “OSMOSIS” talk, including the publication of another zero-day. For those of you who do not know their talk: both of them have been assessing the security of some of the most widely deployed open source infrastructure monitoring tools. As they mentioned, servers in DMZs are compromised all the time, but what if you could take it to the next level by compromising the related monitoring infrastructure? This is not as crazy as it sounds, especially since monitoring solutions like Check_MK and Nagios collect data from agents running on the monitored systems, data which the monitoring server has to parse. That’s where the fun begins: a compromised host in the DMZ can feed crafted agent output to a monitoring server that usually sits in a far more trusted network. Everyone would for sure appreciate it if the developers behind tools like Cacti, Check_MK and others would show some interest in fixing relics like this one: http://bugs.cacti.net/view.php?id=2398.
All in all, HES14 was an awesome event that we all really enjoyed. Next to knowledge, new tools and ideas we took stacks of inspiration and spirit back home!
Thanks for reading, have a great day
Jayson, Brian and Hendrik