Blog 5: Beyond the Thunderdome:
A Review of TROOPERS15

Troopers13_101     The final blog in our series “Beyond the Thunderdome: A Review of TROOPERS15” focuses Exploitation & Attacking. With the last of this series we hope we you are already fired up and inspired for what lays a head during our upcoming TROOPERS16 (March 14-18, 2016)! Can’t wait to see you there!


“The old is new, again. CVE20112461 is back” talk created and given by Luca Carettoni and Mauro Gentile

Apache Flex (formerly Adobe Flex) is an open source framework that can be used to build mobile applications, web applications as well as its old job, build Flash SWF files. Flex provides the option of Dynamic localization; by compiling the SWF file and the localization properties separately then combine them in the runtime. Despite of the benefits of such an option, it also leads to security threats, as it was discovered in 2011 that the Flex SDK is vulnerable to Cross Site Scripting (XSS) attacks. The vulnerability was acknowledged as CVE20112461 and Adobe announced the vulnerability and provided patches to run on SWF files to fix the vulnerability, in addition to the patches to the Flex SDK itself so that no vulnerable SWF files are created again. But that was not enough.

After four years, Luca Carettoni and Mauro Gentile discovered that many websites and CDNs are still vulnerable due to this problem. The main reason for that is Adobe provided a patch for the vulnerable SWF files and fixed the following FLEX version. However, no patch or real fix was provided to Flash player, which plays the infected files. Of course many SWFs were not patched and still exist on the web, hence the vulnerability even with newest browser and player versions.

As presented in the talk, this vulnerability opens the door to several exploitations, including Single Origin Policy SOP bypass. The speakers presented a Demo, where the attacker hosts a fake website, which embeds a popular website that includes a vulnerable SWF file. This fake page looks like the vulnerable web page, so it does not look suspicious to the user. In addition, the attacker provides the SWF a ‘resource module’ for localization. Whenever a victim plays the SWF, it sends HTTP requests to him. The victim’s replies reach the attacker, who can get useful information since the website uses cookies. Also the attacker can perform some actions on behalf of the victim via Cross Site Request Forgery.

Carettoni and Gentile created a tool called ParrotNG, that scans the Internet for vulnerable SWFs. The tool showed that a lot of popular websites and CDNs hold vulnerable SWFs. They also propose three options for protection from this vulnerability: Whether recompile the old SWFs with the latest version of FLEX SDK, patch them with the official Adobe patching tool, or just delete them in case they are not used.

Check out the slides here


“RF Retroflectors, Emission Security and SDR” talk created and given by Michael Ossman

Michael Ossmann has been joining TROOPERS for quite some years. Apart from his workshop on Software Defined Radio (SDR) he gave a talk on what he calls “RF Retroflectors”. A retroflector, which is actually known from the domain of light reflection, can be understood as a reflector which aims at reflecting the initial signal back to the sender along the same but oppositional directed vector, while minimizing scattering (or in the RF domain: noise). All in all the concept of RF retroflection is pretty much comparable with radar. While RF backscatter communication is well researched and thus well understood (e.g. UHF RFID), the lack of equipment for home usage results in RF retroflection being pretty much unnoticed and thus not researched. Even though it provides a potentially strong tool for unnoticeably eavesdropping on all kinds of signals. As modulating reflection of antennas is well understood and resulting “intentional illumination” (e.g. through special implants) is well known, Ossmann stressed the need for more research on “unintentional illumination” as well as for unintentional retroflectors which basically eliminate the need of special implants.

This research aims at understanding how to create devices which are (not) vulnerable to such kind of eavesdropping attacks as presented in this talk. Ossmann described how he approached the topic and how he finally ended up with an impressively simple but as powerful setup for RF retroflector based attacks. Starting with police radar guns as well as “Hot Wheels” toy radar guns from ebay, the setup evolved over radar guns for sports measurement to the famous 2.4GHz Coffee Can Radar by Gregory Charvat & friends which he finally combining with his very own developed HackRF. For those who don’t know about that outstanding piece of open source hardware, you should definitely take a look, as it is a great contribution to the field of SDR in general. For the particular case of this talk, Ossmann actually used two HackRF modules due to the half-duplex property of the SDR peripheral, allowing him to transmit and receive at the same time. In order to demonstrate the attack, he developed the so called CONGAFLOCK PCB (the silly-sounding NSA-style name is actually an intended feature 😉 ), which was initially presented at DEF CON 22 as part of the NSA Playset. However, while the CONGAFLOCK basically allows connecting ground and target signal as well as two wires which serve as a dipole antenna, Ossmann presented the successors called “FLAMENCOFLOCK”, “TANGOFLOCK” and “SALSAFLOCK” which basically add the capability of connecting either PS2, USB or VGA to the PCB. As expected, the following demo on eavesdropping the signals impressively demonstrated the high grade of efficiency of this simple setup as Ossmann showed how to retroflect a VGA signal, making it visible to the attacker in pretty decent quality. He even showed how to improve the quality of the signal with very simple interpolation tricks. Even though, Ossmann always stresses simplicity of his ideas and implementations, one can guess how much work and effort he put into all this and in particular in the HackRF, which by itself is a strong contribution to the SDR community and thus to the infosec world. All in all, Michael developed an as simple as powerful setup to show his idea of an RF retroflectors which demonstrates the enormous potential that area may have for further research. It helps stressing the fact, that such attacks are actually feasible and affect a lot of equipment we use and which carry and process sensitive information. In addition as well as As part of the Q&A, Michael emphasized, that even though the presented setup is very prone to failure when it comes to longer distances (due to orientation, interference and so on), theoretically the quality of antennas as well as the power of the transmitter are the only limiting factors. In the end, he answered the question about potential working distances for a working attack with the (in my opinion pretty educated) guess: hundreds of meters should be feasible with decent equipment. That’s remarkable enough to watch the talk recording, isn’t it…?!

Check out the slides here


Thanks again for reminiscing with us, and we look forward to seeing you at TROOPERS16! Keep checking out our website for updated information!