We are already in November, fall is back! This is also the sign of the new edition of hack.lu, a classic security conference organized in Luxembourg.
The first day started with workshops. I attended the crypto analysis workshop prepared by Eric Filiol, an expert in this domain. Cryptography is certainly not my favourite domain, but it’s always interesting to listen to new concepts and feedback from a very competent person. The workshop was based on the Megiddo library. The message to keep in mind is the following: if not properly used, encryption can be dangerous or weak. The library has been developed to detect and break such implementations without effort. The second workshop I chose was about malicious PDF analysis, given by “Mr PDF” himself, Didier Stevens. Using his toolbox, several malicious PDF files of growing complexity were analyzed. Very interesting, and it proves once more that PDF definitely means “Penetration Document Format”!
After lunch, the regular lectures started. The first one was presented by Andrei Costin: “Hacking printers for fun & profit”. While workstations, servers and other devices are reasonably well protected, or at least taken into account by security vendors, it’s a fact that printers and fax machines receive less attention. In this situation, why take the trouble to “pwn” workstations when so many vulnerabilities are found on printers? In terms of the number of vulnerabilities, Xerox leads the printer market with 44 known vulnerabilities (HP comes in second place). The attack vectors are multiple: bricking the devices, malicious PDF files (again!), spam messages. The languages used by printers are also vulnerable. Example: PostScript has two commands, “setdevparams” and “setsystemparams”. Useful but dangerous! Printers can be controlled via forged documents: fake sites can offer ready-to-print documents that look interesting to visitors, such as discount coupons, tickets, etc. What about firmware? Several printers download firmware from vendor websites over plain HTTP, and the files are not signed! How to protect your printers? Restrict network access to the devices and put them in dedicated VLANs properly protected by a firewall. Interestingly, Snort has rules to detect suspicious traffic sent to printers.
The second presentation was “Closer to metal: reverse-engineering the Broadcom NetExtreme’s firmware” by Guillaume Delugre (a regular hack.lu speaker). Broadcom NICs are common in many devices. The first question was: “Can we trust hardware manufacturers?” Certainly not! Guillaume presented his research. The goal was to replace the standard firmware of a Broadcom NIC with a forged one containing a rootkit (what a surprise!). A NIC is certainly a good place to install malicious code: it has direct low-level access to the OS (via the PCI bus). The first step was to write a kernel proxy module between the NIC and userland; the NIC memory is exposed as a virtual char device. The presentation ended with a demo of a Broadcom NIC with modified firmware that answered ICMP requests directly, without any interaction with the OS.
The last one for today was “Dynamic, Metamorphic (and open source) Virtual Machines” by Anthony Desnos. The topic was interesting: how to make suspicious code undetectable by common anti-virus products? There are several obfuscation techniques; Anthony’s research was about hiding malicious code in a simple virtual machine. Honestly, I only followed the first few minutes, then I switched to the CTF contest.
And this first day finished with a lunch with Belgian infosec people in the centre of Luxembourg. About the conference: it is a strong, well-organized event with good networking. A lot of people are regular visitors, which proves that they appreciate the event. Stay tuned for more information about day two!