I needed something new in my life, so I decided to take my favorite dog out for a walk in the ATT&CK jungle to check out the newly added sub-techniques…
Continue reading “Back from the ATT&CK jungle…”
Bold Statements
Digital networking is already widespread in many areas of life. In the healthcare industry, a clear trend towards networked devices is noticeable, so the number of high-tech medical devices in hospitals is steadily increasing.
In this blog post, we want to elucidate a vulnerability we identified during the security assessment of a patient monitor. The device sends HL7 v2.x messages, such as observation results, to HL7 v2.x capable electronic medical record (EMR) systems. A user with malicious intent can tamper with these messages. As HL7 v2.x is a common medical communication standard, we also want to present how this kind of vulnerability may be mitigated. The assessment was part of the BSI project ManiMed, which we would like to present in the following section.
Continue reading “Medical Device Security: HL7v2 Injections in Patient Monitors”
Nowadays, Bluetooth is an integral part of mobile devices. Smartphones interconnect with smartwatches and wireless headphones. By default, most devices are configured to accept Bluetooth connections from any nearby unauthenticated device. Bluetooth packets are processed by the Bluetooth chip (also called a controller) and then passed to the host (Android, Linux, etc.). Both the firmware on the chip and the host Bluetooth subsystem are targets for Remote Code Execution (RCE) attacks.
One feature that is available on most classic Bluetooth implementations is answering Bluetooth pings. Everything an attacker needs to know is the device’s Bluetooth address. Even if the target is not discoverable, it typically accepts connections if it gets addressed. For example, an attacker can run l2ping, which establishes an L2CAP connection and sends echo requests to the remote target.
In the following, we describe a Bluetooth zero-click short-distance RCE exploit against Android 9, which got assigned CVE-2020-0022. We go through all steps required to establish a remote shell on a Samsung Galaxy S10e, which was running an up-to-date Android 9 when we reported the issue on November 3, 2019. The initial flaw used for this exploit is still present in Android 10, but we utilize an additional bug in Bionic (Android’s libc implementation), which makes exploitation way easier. The bug was finally fixed in the security patch from 1.2.2020 in A-143894715. Here is a demo of the full proof of concept:
Continue reading “CVE-2020-0022 an Android 8.0-9.0 Bluetooth Zero-Click RCE – BlueFrag”
With the current situation, it’s not easy to find the right angle to start this blog post, so I won’t even try… but with Troopers cancelled, my Bloodhound workshop went down the drain, and I didn’t get a chance to meet or catch up with all of you and share my latest BloodHound adventures. So I decided to write a quick post to share all this…
Continue reading “Dog Whisperer Update”
We recently came across an issue when playing around with VMware NSX-T which not everyone might be aware of when getting started with it. Because many of our customers are starting their transition to NSX-T, we want to share this with you. In short, the Distributed Firewall (DFW) of NSX-T can be easily bypassed in the default configuration, because it is only effective if the SpoofGuard feature is also enabled on all logical switch ports, which is not the case by default.
Continue reading “VMware NSX-T Distributed Firewall can be bypassed by default”
Lately, we came across a remote code execution in a Tomcat web service by utilizing Expression Language. The vulnerable POST body field expected a number. When sending ${1+2} instead, the web site included a Java error message about a failed conversion to java.lang.Long from java.lang.String with value "3".
From that error message we learned a couple of things:
String
Whenever you are able to execute code within a Java context, the most interesting part is to check whether you can get a Runtime object and execute arbitrary OS commands. Sending ${Runtime.getRuntime()} resolves to java.lang.Runtime@de30bb. Great, so can we use Runtime.exec(String cmd) to execute arbitrary code? Continue reading “DNS exfiltration case study”
Attackers are everywhere. They are now in the cloud too! Attacking the most popular cloud provider, AWS, requires knowledge of how the different services are set up, which defences need to be bypassed, which service attributes can be abused, where information can be leaked, how privileges can be escalated, what monitoring solutions may be present in the environment, and so on! We try to answer these questions in our intense, hands-on, scenario-driven training on attacking AWS and subsequently defending against those attacks.
As an attacker or defender, if you have ever asked any of the following questions, this training is for you:
On November 3rd, 2019, we reported a critical vulnerability affecting the Android Bluetooth subsystem. This vulnerability has been assigned CVE-2020-0022 and has now been patched in the latest security patch from February 2020. Continue reading “Critical Bluetooth Vulnerability in Android (CVE-2020-0022) – BlueFrag”
Did you know that in the ever evolving field of Web and Desktop apps, it turns out these can all now be powered with JavaScript? You read that right: JavaScript is now used to power both web apps (Node.js) as well as Desktop apps (Electron). What could possibly go wrong?
So, the burning question is: how does this affect Web and Desktop app security? If you want to find out, come to our training and you will experience this in a 100% hands-on fashion! 🙂
You will learn how to hack Web and Desktop apps, with a special focus on JavaScript attack vectors tailored for Node.js and Electron, but also broader attack vectors that will also work against regular Web and Desktop apps.
What are the main attack vectors against Web and Desktop apps? How can apps defend against these? How do JavaScript frameworks change this? Come to find out!
Once again, we are super excited to announce that Blackhoodie is happening at Troopers 2020. This is the 3rd time that Blackhoodie is joining with Troopers. As always, one of the main motivations for Blackhoodie is bringing more women into reversing and other core security topics. So we would like to see more women apply to the training slots. However, if you are not a woman and still feel really excited about Blackhoodie, you are welcome to apply. The registration is open now. Please hurry up and make your registration now. We will close the registration once the seats are filled up with enough quality submissions. We do have a very limited number of seats at this training site. So we apologize in advance if we can’t accommodate everyone, even though we wish we could!
Blackhoodie is a free event. In order to register, go to this link and fill in your details with a brief motivation of why you would like to join Blackhoodie. We will get back to you with the selection outcome as soon as the registration is closed. Current deadline for registration is Feb 12th 2020.
The event is happening on March 15th, 16th and 17th. We will have an introduction session with lightning talks on March 15th (Sunday) starting at 13:00. On the 16th and 17th, there will be workshops. We just have one track with 3 trainings one after the other.
Print Media Academy, Kurfürsten-Anlage 52-60, 69115 Heidelberg, Germany
15th March 2020 – Lightning talks starting from 13:00
16th – 17th March 2020 – Trainings
Training 1: How to (mis)use TLS? by Caroline Description: Let’s understand how TLS works and demystify some famous flaws in TLS: What went wrong? How could we exploit it? How was it fixed? To answer these questions, the idea is to get our hands on networking, man-in-the-middle, rogue certificate crafting, and Heartbleed exploitation. Material: have a Kali Linux virtual machine installed. If you don’t know how to do that, I can provide an installation guide.
Training 2: Untangling C++: Reversing and Auditing C++ Binaries by Gal Zaban Description: This training is an advanced class for security researchers who want to expand their horizons and skills in reversing modern C++ binaries. C++ binaries are full of mysteries: they have objects, inheritance, templates, vtables and many more, and reverse engineering them is a task on its own. The training will explain advanced C++ reverse engineering topics including techniques and tools for dealing with research of C++ binaries. We will start with the identification of basic C++ patterns including identifying statics, globals, arrays, etc. Then we will continue with objects and inheritance in a binary and how to represent all of those in IDA; afterward, we will study work methods and design patterns in C++. Finally, we will practice, fight and untangle deep and modern C++ programs using both static and dynamic analysis. Class outline:
- C++ Reverse Engineering Intro.
- Globals, Statics and Arrays.
- Objects + Objects Creation.
- Inheritance.
- Multiple Inheritance.
- Understanding relationships between objects.
- Virtual tables and virtual calls.
- Templates.
- Important Design Patterns.
- IDA Pro: concepts and working methods for reverse engineering C++.
- Representation of C++ objects in IDA.
- Tips for creating a setup and environment for C++ binaries.
- Existing tools for C++.
- Deep understanding of a C++ binary's logic.
- Conclusions and wrap-up.
- Suggestions for future tasks and resources to keep learning and improving C++ RE skills.
Training 3: Attacking Active Directory by Kelly Villanueva Active Directory, a service used to manage users, computers, and other objects in corporate networks, is used by almost all large corporations, making it a prime target for exploitation and abuse. Despite efforts to patch existing vulnerabilities and standardize best practices, the security exposure derived from Active Directory increases as environments become more complex, and offensive security professionals can leverage Active Directory to perform activities like lateral movement, credential theft, and reconnaissance. This workshop will provide an overview of Active Directory fundamentals, explain common attack primitives, and use open source tools to get hands-on experience attacking Active Directory.
If you have any further questions, you can contact me at schalakkal@ernw.de.
Cheers,
Priya