Events

Black Hat 20 & DEFCON 25

Some of the ERNW Crew hit up Black Hat USA and DEFCON. Our own Omar Eissa even gave his first BH and DEFCON talks! See which talk we liked and what inspiration we took home.

BlackHat US 20:

ERNW´s Omar Eissa presented on Cisco Autonomic networks showing how
slides: https://www.blackhat.com/docs/us-17/wednesday/us-17-Eissa-Network-Automation-Isn’t-Your-Safe-Haven-Protocol-Analysis-And-Vulnerabilities-Of-Autonomic-Network.pdf
insinuator blogposts:
https://insinuator.net/2017/03/autonomic-network-overview/
https://insinuator.net/2017/03/autonomic-network-analysis/
https://insinuator.net/2017/04/autonomic-network-vulnerabilities/

 

BoradPWN
– Speaker: Nitay Artenstein
– Slides: https://www.blackhat.com/docs/us-17/thursday/us-17-Artenstein-Broadpwn-Remotely-Compromising-Android-And-iOS-Via-A-Bug-In-Broadcoms-Wifi-Chipsets.pdf
– Paper: https://www.blackhat.com/docs/us-17/thursday/us-17-Artenstein-Broadpwn-Remotely-Compromising-Android-And-iOS-Via-A-Bug-In-Broadcoms-Wifi-Chipsets-wp.pdf
– Broadly covered in main stream Media –> Wired article, tons of write-ups…link: https://www.wired.com/story/broadpwn-wi-fi-vulnerability-ios-android/
– Initial Blog Post: https://blog.exodusintel.com/2017/07/26/broadpwn/
– He took a deep dive into the internals of the BCM4354, 4358 and 4359 Wi-Fi chipsets and found an issue that he exploited to an extent where he created the world´s first wifi worm.
– This hits most of the mobiles users pretty hard. Affected devices are for example: Samsung Galaxy from S3 through S8, inclusive All Samsung Notes3. Nexus 5, 6, 6X and 6P, All iPhones after iPhone 5
– An infected device can be used to infect other mobile devices.
– Luckily currently there is no malware that is actively exploiting this issue.


CRACKING THE LENS: TARGETING HTTP’S HIDDEN ATTACK-SURFACE
– Speaker: James Kettle from PortSwigger, @albinowax
– Slides: https://www.blackhat.com/docs/us-17/wednesday/us-17-Kettle-Cracking-The-Lens-Exploiting-HTTPs-Hidden-Attack-Surface.pdf
– After looking into an unexpected Pingback the researcher started to dig deeper into misrouting attacks and thus target auxiliary systems by manipulating the HTTP Host header and other parts of the HTTP request.
– It is possible to attack internal applications by misrouting requests and thus access applications behind load balancers and proxies.
– He did so by using burps collaborator feature
– PortSwigger
– Blog: http://blog.portswigger.net/2017/07/cracking-lens-targeting-https hidden.html has detailed information.
– Key takeaways: It was shown that minor flaws in reverse proxies can result in critical vulnerabilities.To achieve defense in depth, reverse proxies should be firewalled into a hardened DMZ, isolated from anything that isn’t publicly accessible. Additionally, two tools to identify such vulnerabilities have been released:
https://github.com/PortSwigger/collaborator-everywhere and
https://github.com/PortSwigger/hackability


Orange Is The New Purple
– Speaker: April C. Wright
– Paper: https://www.blackhat.com/docs/us-17/wednesday/us-17-Wright-Orange-Is-The-New-Purple-wp.pdf
– Tackles the challenge of the gap between software builders and security teams. The “us” vs. “them” mentality when we’re all on the same team.
– Purple Team: A combo of Red and Blue Teams with the primary goal of maximizing the results of Red Team activities and improve Blue Team capability.
– Orange Team: Structured interactions between Red and Yellow Team members with the primary goal of providing education/benefits to the Yellow team.
– Investing time now in properly developing Purple and Orange teams lessen risks in the future.


WiFuzz: Detecting and Exploiting Logical Flaws in the Wi-Fi
Cryptographic Handshake

– Speaker: Mathy Vanhoef
– Slides: http://papers.mathyvanhoef.com/blackhat2017-slides.pdf
– Demo: https://youtu.be/XLvXL7HabYM
– It is is a model-based testing for the Wi-Fi handshake. i.e: check whether the implementation behaves according to documentation.
– They tested different access points, e.g.: OpenBSD, Broadcom, MediaTek (home routers), Windows, Aironet Windows Hotspots suffers from Denial-of-Service attacks OpenBSD suffers from unauthenticated permanent DoS
– Broadcom: cipher downgrade attack


DEF CON 25:
———–
A New Era of SSRF – Exploiting URL Parser inTrending Programming
Languages! – Orange Tsai
-slides:
https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEFCON-25-Orange-Tsai-A-New-Era-of-SSRF-Exploiting-URL-Parser-in-Trending-Programming-Languages.pdf
– Impressive research and talk.
– Initial Blog post:
http://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html
– Showing how libraries and programming languages handle URLs differently.
– He showed a case study where he chained four vulnerabilities to get code execution in GitHub enterprise instances.
– By showing his research he introduced a new Attack Surface on SSRF-Bypasses and New Attack Vectors on Protocol Smuggling.
– Fun with cats n´stuff (There are quite a few adorable cats in the slides!).


Friday the 13th: JSON attacks:
– Speakers Alvaro Muñoz and Oleksandr Mirosh from Hewlett Packard
Enterprise (HPE)
– Slides: https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEFCON-25-Alvaro-Munoz-JSON-attacks.pdf
– Showing how to attack .NET serializers and JSON serializers and in the end find a general approach to this attack.
– They compared commonly used libraries used in applications and how they behave by default and under what circumstances they can be exploited.
– One should never use user-controlled data to define the deserializer expected Type.
– A key takeaway as so often is not to deserialize untrusted data.


Sources for “Inspiration”:
https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/
http://www.eweek.com/security/black-hat-defcon-2017-security-conferences-to-reveal-new-threats
https://www.blackhat.com/us-17/briefings.html
http://hackaday.com/2017/07/29/broadpwn-all-your-mobiles-are-belong-to-us/http://links.covertchannel.blackhat.com/ctt?kn=11&ms=NTQ1NjA2MzkS1&r=Mjg0MjI4MTM4ODc1S0&b=2&j=MTIwMzkwNzI0MAS2&mt=1&rt=0

Thanks for reading!