If a conference feels like a great vacation, then the organizers are doing it absolutely right! Hack.lu took place for the 14th time in Luxembourg. From 16 to 18 October, the Alvisse Parc Hotel hosted the Hack.lu conference. Those three days were full of talks, workshops and “discussions about computer security, privacy, information technology and its cultural/technical implication on society”. Some members of the ERNW crew had the chance to attend Hack.lu this year and we all enjoyed it a lot!
Hack.lu is a single-track conference. The talks covered a large variety of topics with speakers from all over the world. In parallel, there were practical workshops teaching skills such as fuzzing, Android reverse engineering and ARM IoT firmware emulation. If one was lucky and could sneak into a workshop before the rooms were full (mostly 20-30 seats), one could learn exciting new stuff.
A few talks grabbed my attention and made a lasting impression. On the first day, “WHAT THE FAX?!” by Eyal Itkin and Yaniv Balmas was a very enjoyable talk, nailing the balance between technical information and entertainment. They looked at multi-function printers with fax features. After reversing the freely available firmware and finding some Easter eggs, such as a compression algorithm used in the Commander Keen computer game from the early 90’s and the unregistered URL fakeurl1234.com which every printer connects to, they found a component with a known vulnerability through which they were able to install a custom debugger. Faxes can be sent with a colour extension, and these are handled as JPEG files. Fuzzing this file format revealed a simple stack overflow which can be used to get full code execution with the highest privileges. Finding a remote code execution vulnerability which affected millions of multi-function printers wasn’t enough. The icing on the cake was embedding the EternalBlue exploit in the printer payload to pivot into the network and exploit further vulnerable Windows systems. A recording of the talk can be watched on YouTube.
Another great talk was “Make ARM Shellcode Great Again” by Saumil Udayan Shah. He demonstrated his improved version of an egghunter. An egghunter is used by exploit developers to locate their injected shellcode if a simple redirection of the program’s execution flow is not possible. A standard egghunter works by prepending a marker (the egg) to the actual shellcode and scanning memory for this egg to locate the shellcode and execute it. As a security measure, some memory regions are marked as not executable. Saumil’s improved version, however, checks each memory page with the mprotect syscall and at the same time marks the page as executable. This allows the attacking shellcode to execute.
His second trick he called Quantum Leap code. ARM has two instruction modes, ARM and Thumb, for which the instructions and their length differ. An attacker doesn’t necessarily know in which state the CPU is. To overcome the challenge of writing specific shellcode for each mode, he composed a polyglot shellcode. This code can be executed in either of the two modes and switches the CPU to Thumb mode. This makes ARM exploitation much more reliable. Saumil also gave a workshop on ARM IoT Firmware Emulation, which Pascal covered in greater detail.
In addition to so many awesome talks, the workshops were at least as exciting. During the Android Reverse Engineering workshop, Axelle Apvrille showed some great ways and tools to reverse engineer Android malware. We used radare2 on the LokiBot banking trojan, wrote some custom scripts to deobfuscate malware with the help of radare2, and I finally had a chance to test DAD. DAD, standing for “DAD is a Decompiler”, follows the recursive acronym naming convention of GNU, XNU and the like. DAD is incorporated into Androguard, an Android reverse engineering and malware analysis platform. It’s always a good idea to have a few more tools as options if other decompilers fail.
Our own colleague, the one and only Priya Chalakkal, held a workshop teaching how to play with phone calls and mobile data. She prepared exercises in which participants built a custom base station using sysmoBTS. They constructed a GSM (2G) network to which they could connect with their phones. A second lab used a smartcard reader to read from and write to SIM cards. With the help of SIMtrace, a Man-in-the-Middle utility, it was possible to intercept the data traffic between phones and SIM cards. The third lab was a Man-in-the-Middle setup for VoLTE. Voice over LTE (VoLTE) is a recent voice technology where voice is transferred on the data network over 4G/LTE. Participants learned how to route traffic from Burp Suite over the radio channel to an Android phone.
Besides all the talks and workshops, it was possible to take part in the CTF held by @FluxFingers, the CTF team of Ruhr-Universität Bochum (Germany). It has become something of a tradition: this was the eighth time they organized the CTF, which is open to conference attendees as well as remote teams. The overall topic was Arcade. In the time slots between the talks or during the breaks, some of the ERNW crew started messing with the challenges. The challenges ranged from messy PHP code to reversing and binary exploitation. FluxFingers also integrated a troll challenge. It was officially called a stegano challenge, but in the end it was a trap. They offered an archive that contained another archive, and this one again another (archiveception-style, you know it), and the final binary data was just junk without a flag. We did the challenge even though it was noted in multiple places that this challenge did not contain any flag. RTFM I guess ;D.
A flipchart stood in the main hall during the first and second day. Every conference attendee was encouraged to sign up and give a lightning talk. The lightning talks were held during the social event on the second evening and were a lot of fun. Afterwards, PowerPoint karaoke had everyone giggling to end the evening. During the social event, some nice sandwiches were offered plus fresh beer. Maybe it is good that the discussions of this evening have not been recorded ;o)
In conclusion, we thank the organizers of Hack.lu 2018 for the great conference. It was an interesting and impressive time exchanging knowledge with the avant-garde of the InfoSec community in Luxembourg. We are looking forward to next year and hope to see you again.