31C3 Recap

As every year some of us used the holidays to visit the Chaos Communication Congress to socialize with like-minded people and to hear interesting talks.
I mean what other reasons than learning about security might exist to leave behind all your lovely in-laws you’ve been sharing some relative’s house with the days before … 😉
Here is a short recap of some of the talks we found most interesting:

Mining for Bugs with Graph Database Queries by Fabian Yamaguchi
One of my favorite talks at this years congress was about the open source tool joern, a code analysis platform for C/C++ applications. Fabian, the main author of joern, presented his work on vulnerability discovery in large code bases. One of the key points of his work is robustness, meaning that the resulting tools should produce meaningful results in large and noisy real world projects even if this results in a loss of accuracy. The second important point is that tools should assist human auditors, not replace them, which seems to be one of the more interesting current research directions (see also this paper). At its core joern combines standard compiler technology with modern graph databases to offer auditors a powerful way to search for certain code constructs. To do this joern parses source code into an AST (Abstract Syntax Tree) and creates the corresponding CFG (Control Flow Graph), as well as a Data Dependency Graph (PDG) for all functions. This creates the Code Property Graph which combines all three representation forms into a single unified layer.
The Code Property Graph is stored inside a graph database (joern uses neo4j), which can be queried using a powerful graph traversal language named gremlin ( The combination of gremlin with some wrapper tools included in joern gives an auditor the possibility to construct powerful search queries against the code base. Fabian presented different queries he used to search for vulnerabilities in the VLC video player, as well as the Linux kernel that resulted in really impressive results (and a high number of discovered vulnerabilities). Joern is definitely a tool you should check out and I’m looking forward to more impressive research by its author.
– Felix

Mobile self-defense by Karsten Nohl
This talk was highly covered by the media and therefore may have had some actual impact on the general public. The main message was: Surveillance of your phone is happening and it is easy – all thanks to the capabilities of SS7 and bad configurations. Karsten started by referencing the previous talk by Thomas Engel: “SS7: Locate. Track. Manipulate.” which had explained some of the vulnerabilities in detail: Using a rogue network operator, it is possible track any phone and intercept mobile communication, which allows certain companies to offer tracking as a service.
Not all network operators have mitigations against those attacks in place (and in most cases it is not as easy as blocking a “SendIdentification”-SS7 packet). In some networks, SS7 is not even needed to intercept communication: For example, countries like India, South Korea and Thailand have 3G encryption disabled, making interception trivial.
Karsten presented a collaborative project that shows if your provider has mitigation against SS7 vulnerabilities and encryption in place (contributions are welcome! 🙂 ). Karsten’s company SRLabs created an app (SnoopSnitch) that can be used to detect several types of attacks, using an Android device with Qualcomm chip. For example, SnoopSnitch
is able to detect silent SMS which are commonly used by governments to track phone users. The collected data can then be uploaded to the SRLabs servers to allow further research on that subject, track developments and raise awareness. For more details visit the project homepage
– Benedikt

The Perl Jam: Exploiting a 20 Year-old Vulnerability by Netanel Rubin
In this talk Netanel Rubin presented his research on surprising security issues of the programming language Perl. After describing the basic Perl datatypes (scalars, arrays and hashes), he introduced the concept of lists which have some unexpected behavior when compared to other programming languages. An example is that an implicit cast of a list into a scalar will result in the last element of the list. Netanel explained this weird behavior with the fact that lists are no actual data type but actually are only expressions. After that he described potential vulnerabilities that can originate due to incorrect handling of lists. He illustrated that the handling of GET variables within the perl CGI module behaves in an interesting way when multiple parameters share the same name – in this case perl converts the parameters to a list instead of just using the first or last occurrence of a variable. Because this behavior is nearly undocumented, it can lead to security critical bugs. Netanel used this misbehavior of Perl’s CGI module to discover a critical security issue in Bugzilla, a bug tracking application which is used by many popular open-source projects. By manipulating a benign HTTP request during the registration process, he can register with an arbitrary email address bypassing the normal email validation step. Because many open source projects restrict access to security critical bugs depending on the email domain of an account, this could allow viewing of confidential bug reports.
In the last part of his presentation Netanel spoke about the DBI module, a common way to connect to databases using perl. The DBI->quote() method can be used to escape parameters before inserting them into database queries. However, if the variable passed into the quote method is a list (for example because it was returned by the aforementioned CGI module), a second parameter can be passed to the quote method, disabling the normal escaping. This opens the way to classical SQL injection attacks.
During the whole talk Perl was bashed in a quite aggressive way which offended some people in the audience, however Netanel defended his presentation stating that Perl makes it too easy for a developer to write insecure code. From my personal perspective Perl was not designed for large scale web applications and even if CGI and other modules exist since decades, Perl should not be recommended as a programming language for web applications. Nevertheless many large projects are (still) written in Perl and hence suffer from some of the described vulnerabilities, which in turn means understanding and patching these problems is very important even though a less “offending” presentation style might help to reach more developers.
– Kevin

Traue keinem Scan, den du nicht selbst gefälscht hast by David Kriesel
David Kriesel, a researcher at the University of Bonn, talked about his encounters with Xerox. The American company makes 26 billion dollars yearly revenue by equipping businesses and government agencies in the world with copiers and scanners. In the summer 2013 David found out that the Xerox machines WorkCentre and ColorQube change documents after scanning.
First he described the problem in detail: The scanner compresses (with JBIG2, an image compression standard) the image. If it contains text, the device stores each letter as an image file and remembers where it occurred in the document. After scanning, the digital document does contain as many letters as its analog template, but JBIG2 identifies (through pattern matching) pieces that are highly similar, replacing them with a sort of clone stamped version that saves space. In his tests David noted that often the number 6 would be turned into an 8.
The error is tricky, because the displayed character is not blurred, illegible or defaced. It is simply wrong. The bug in the compression algorithm exists since eight years and users could not do anything against it.
David recommended urgently that, if you use a Xerox machine, you should apply the potential update which fixes the bug. Since Xerox devices are rarely sold in a direct way to customers, but mostly office or IT service providers sell the equipment, it’s more than likely that out there still thousands of Copiers from Xerox can be found which constantly manipulate documents.
It was an interesting talk that showed if you use a scanner frequently for processing documents, it might be a good idea to check the digital document after scanning.
– Ayhan

Too Many Cooks – Exploiting the Internet-of-TR-069-Things by Lior Oppenheim and Shahar Tal
At first the two guys gave a quick intro tour on TR-069 which is a protocol used by ISPs to configure customer devices like your ADSL router.
Some findings were already presented earlier at DEFCON22. For that talk, through portscanning they found out that 1.12% of devices had port 7547 open – which is next to most open port 80 with 1.77%! As they scanned the port again in November 2014, they got a 1.18% response, which are more than 46m devices in the Internet of Things. About 2.2m more than the last time.
They identified that in 52% of cases a software called ‘RomPager’ from AllegroSoft is behind the open port. ‘RomPager’ is an embedded HTTP server. In 98% of the devices version 4.07 is used, which is from 2002 (the current version provided by AS is 5.4), so there are 11.3m devices out there listening on port 7547 with the old version 4.07.
After some firmware analysis Lior discovered that there is a ZynOS-header in every firmware, which is a RTOS and also known to be vulnerable for “rom-0” (CVE-2014-4019).
So they did some manual testing, like fuzzing over HTTP headers and got crashes on the username sub-header of digest authentication. After following up the code to find the ‘why?’, they got their exploit #1. Problem is, that you have to know the exact memory layout – because each device and firmware version has a different address space layout.
The second vulnerability they found is related to HTTP requests,where the HTTP handlers structurces could get overwritten.
Finally they presented their current finding: the, as they call it, Misfortune Cookie. However those magic cookies weren’t shown at all ;).
But, at least, they described how they got there. As the ‘RomPager’ has no dynamic memory allocation, there might be a pre-allocated cookies array which can be abused.
They stated that this technique worked on any model of any brand which they had access to. With a few magic cookies it’s possible to bypass any authentication and browse with admin privileges on the webinterface.
Countermeasures were discussed as well. Alas, there’s no easy way to get safe. You could cancel your Internet subscription, use an alternative firmware (if supported) and, of course, you should pay attention when buying a new router. Disabling TR-069 auto-configuration in your router’s settings won’t help either; port 7547 always stays open and the router remains being vulnerable.
The guys contacted the vendors and AllegroSoft. Some patched firmware is already out and AllegroSoft stated that they can’t force vendors to upgrade to the latest version of ‘RomPager’.
IMHO this was a very interesting and funny talk, with lots of easy-to-understand info showing an overall huge security risk.
– Stefan