Hack.lu 2013 Wrap-Up Day #2

And we are back for the 2nd wrap-up already! Today, we had a very bad weather (it rained all night long) but we had interesting (and complex) talks! The first one was presented by Inbar Raz who talked about “Physical (in)security – It’s not – all – about Cyber“. Inbar is malware researcher at Checkpoint. He was already invited as a speaker last year and came back with new ideas. Computers are present everywhere and sometimes remain hidden behind other hardware stuff in our daily life. Inbar’s talk was a review of some issues found on such devices. His first example was a kiosk in a cinema used to buy tickets. Kiosks are normally secured devices with limited features (a screen, a printer, a card reader) but sometimes, it’s easy to open an explorer (fully unrestricted of course) due to a security hole in the user interface. Can you imagine creating a new printer directly on the kiosk Explorer is also convenient to browse the filesystem. Inbar found a suspicious “credit” directory with unencrypted (of course) credit card numbers in it. It was funny to print them on the movie ticket and brought them back home. The second example targeted a PoS (“point of sale“). Those devices are easily reachable due to improper physical security. In Tel-Aviv, bars have tables, chairs and PoS directly installed on streets but network ports remains outside. Connect to them and just sniff some traffic. Then open SMB shares are your best friend! Only using Wireshark, no need to use deep underground hacking tools. Use a small pocket router which offer basic network services and connects to Wi-Fi or 3G networks and cross the street to another bar to grab some coffee then play safely. “For research purposes” as said Inbar. Unlocked achievements were:

• Credit card data (worst for the owner)
• Database files
• The program files of the billing system
• Potential access via Internet

The second talk was “Wiretapping an entire Cisco VOIP environment – Exploiting the Call Manager” by “Fran Cisco“. The context of this research: Cisco VOiP is widely deployed. Architectures are based on hardware & software phones and a call manager (CUCM or “Cisco Unified Communication Manager”). The RTP protocol is used to transport voice & video data. This was for a while the attacker target choice. Security of VoIP isn’t a new topic,  a talk was presented about wiretapping Cisco phones during hack.lu 2007. But why target the Call Manager? It is a critical component of the infrastructure, it allows the administration of all phones and handles all SCCP traffic sent over the network. The Cisco solution is running on top of a RedHat Enterprise Linux. It can be accessed via SSH (just create a new user) and filesystem can be mounted using the VMware-mount tool. Francisco’s strategy was to start with a black test (retrieve credentials) and switch to a white test (privileges escalation). What about credentials? An SQL injection was found while capturing packets between phones and the CUCM. Credentials were collected via this injection but encrypted. Next step was to decrypt them. How? By analysing the encryption algorithm in the Java package called com.cisco.ccm.security.  Francisco also found that the required material to en/decrypt is stored in the Java package and is the same for all CUCM deployments! Next steps were command execution to get “power user” rights and finally “root” access. A vulnerable Python script was found. It generates a new password for the Informix user. All those components pug together made possible an exploit (nice demo). This was addressed by Cisco as cisco-sa-20130717-cucm but Cisco did not patch all the found issues (only 3 of them – the SQLi, the prig escalation to Informix and to root). Conclusions: CUCM is vulnerable to root exploit due to many (6) different vulnerabilities.

After a coffee break (always welcome), Marion Marschalek presented “The big evil in small pieces – A malware reverser’s fairytale“. This fairytale was based on five acts:

• Anti-analysis?
• Multi-threaded!
• It was a file infector
• Timing defences, C++, Virtual functions calls, junk code … headache!
• Go to the core functionality!

• Predictable, global assignment of ID value
• Do NOT send fragmented packets (instead of remaining idle)

After the lunch break and interesting discussions, the classic lightning talks session was organised: Exploitation of SAP console, dropping EXE file using Teensy devices (presented by Didier Stevens). Aaron, from CERT.at, presented his project against “cryptocalypse” (I like this work). The idea is share (good) crypto settings to many eyes to prevent them to be altered by “big brothers” like NSA. His code is available here. Another project started by CERT.be and CERT.at: Geolocalisation of national CERT abuse service. Paste IP addresses in a form (extract from a log) and it will tell you which CERTs to contact… Interesting code is available here and here. Just one tip: when you are attending a conference with lightning talks, don’t under-estimate them. Attend the sessions, some projects presented are awesome!

And the regular talks started again. The second half-day was kicked off by Andrea Barisani and Daniele Bianco from inversepath.com. They presented “Fully arbitrary 802.3 packet injection: maximising the Ethernet attack surface“. They started with a good reminder… What’s inside an IEEE 802.3 Ethernet frame! What’s interesting? The “Frame Check Sequence” (FCS) and “Start-of-Frame Delimiter” (SFD). Previously, to inject such frames, costly hardware was required. Today, cheap solutions exist. They used this device to inject frames: XMOS XC-2 Ethernet kit. Note that some frames can be discarded by low-cost passive network tapping device like this star (I own one btw). Note that some patching is required in the e1000e Linux driver to be able to generate such frames. Demonstration were performed such as “converting” a UDP packet (a DNS request) into a SYN TCP packet! (packet in packet injections). Amazing! If you are interested, I suggest you to have a look at the project page: http://dev.inversepath.com/802.3.

Another break and we were ready to follow the last tracks for today: David Szili and Mihaly Zagon presented “Time to evolve. Applying red and blue team CTF tactics in IT security“. The idea of this talk came during the cyberlympics 2012. Blue and red team are two common terms in infosec: Red are attackers and blue are defenders. Can we use CTF tactics in real life? The problems are multiple: we buy something but we don’t configure it (harden). If we configure it, it’s not done properly and, once properly configured, it’s not used! From a blue team perspective: Don’t wait, be proactive! “WTF is happening?” should not be question. Think about monitoring & alerting. Establish a “monitoring culture“:

• Slow the attackers down
• Detect them
• Identify them

Honeypots can be useful to detect attack probes (or real ones). From a red team perspective, there are “classic” assessments (vulneratiliby assessment vs pentesing). Good ideas are to test your monitoring capabilities and your infosec staff. Classic team collaboration tools are pentest frameworks (Armitage) or information sharing tools (Dradis). Do we need a new tool? The Warlord framework is almost there! Wrapped around Metasploit, this framework proposes a centralised console to be used during your attacks. You can access results live, save notes, access logs etc. A demo was performed, it’s interesting! To be tested! Then the speakers switched back to the blue team and gave some tips to defeat attackers. First one, create false files with interesting names like “blah.conf” on the Desktop and enable access logging for them (object audit). If an attacker tries to access them, an event will be created. This is easy to implement and, compared to a real honeypot, it can be implemented on production machines. A second example was based on the ‘infantry.ps1‘ scripts (based on artillery (by Dave Kennedy) + honeyport.ps1. This is a script listening to a single juicy port (ex: 8080). It will respond to any connection attempts and log the received requests. Same with databases. Add a row or a table with specific data (a signature) and search for this signature in your logs or IDS. Interesting talk with lot of interesting ideas to implement or test…

Then, Fyodor Yarochkin & Vladimir Kropotov came with “Pearls of cybercrime: malicious campaigns of year 2013“. The talk reviewed their new findings in 2013 about cybercrime activities in .ru (only Russia was covered). First, what about the victims? They are two types: Primaty victims (or end-users) are less important that the intermediate victims (online services). Those are used to spead campaigns. Intermediate victims are mainly web server, DNS server, hijacked domains or banner campaigns. Why are they attractive? They generate high traffic and have good reputation rankings! What about the campaigns in 2013? News and media resources are very popular. Malware are served during lunchtime between 12-15h. Interesting too, they use non-standard HTTP ports. Vladimir gave some examples of compromised websites and how they were compromized. Why landing on non standard ports? More users get it (less corporate networks) and they could hit small business, home networks (less protected). What about DNS abuse? domain reputation does not work. Sub-domains are created in compromised domains to be used in campaigns. How to detect? different country zones pointing to the same place. Finally, different techniques and trends were reviewed: Proxy detection, domain rotations, cookies, social media usage (blogs, Twitter, etc) as C&C. A lot of information and examples were displayed in slides. Too much content to digest everything live. I suggest you to read the slides once published. And for 2014? More Android targets, vendor reputation filters will be less effective,cybercriminals will abuse DNS, hosting and use non-standard ports. Be ready to survive!

Finally, Jon Butterworth, Corey Kallenberg and Xeno Kovah from MITRE presented “BIOS chronomacy: Fixing the core root of trust for measurement“. What are the motivation to check BIOS security? It’s the first code that run on the CPU and there is no integrity checking. They reviewed what has been targeted at BIOS level like the keyboard controller then some well-known attacks against BIOS:

• 1998: The Chernobil virus targeted BIOS by bricking the system
• 2006: The ACPI BIOS root kit or “using CPU system management mode to circumvent OS security functions“
• 2007: Implementing and detecting a PCI rootkit
• 2009: Persistent BIOS infection or “Deactivate the root kit” or “Attacking Intel BIOS“
• 2011: Mebromi BIOS rootkit
• 2012: De Mysteriis Dom Jobsivs Mac EFI Rootkit