Hack.lu 2014 Wrap-Up Day #2

Security FlawsThe second day is over! I’m just back from a great speaker dinner in Esch s/Alzette. It’s time to write a quick wrap-up. There was again some Cisco forensics workshops on the schedule, that’s why I was not able to attend all today’s talks.

The second day opened with Marion Marshalek‘s keynote called “TS/NOFORM“. This title is derived from the document classification used by the United States. Marion started with an nice introduction based on Starwars characters to finish by a fact: Today, it’s not Starwars anymore but Cyberwars! Cyber means a lot of threats, by example, the control of media, the intellectual property being stolen, nation states spying (and being hacked), the loss of corporate data. Then she explained in details how some malware were tracked. Interesting fact: it’s quite easy to detect the location/nationality of the malware developers by analysing the vocabulary and texts used in the code.

The first regular talk was presented by Claudio Guarnieri. He is a well-known security research mainly know thanks to the Cuckoo project (he’s the leader of this project). His presentation was called “Embrace the Viper and live happy“. Claudio presented his new baby called “Viper“.

Claudio on stage
Claudio on stage

The idea of the tool came from the mess that we are all facing around our files (samples) and tools. What about exploits? They are written using multiple tools and languages and it became unmanageable to keep them properly stored. That’s why HD Moore created the Metasploit framework a few years ago. And what about malware analysis? According to Claudio, it is exactly the same: we have multiple tools, producing multiple output in many formats. They are hard to integrate! “It sucks”. Claudio started a project called VxCage to make filesystems cleaner but it was never finished. Today, Viper is born. It’s a framework  to store and manage samples. It provides an analysis module to inspect your samples and provides an easy way to create new modules. The project is written in Python. Right now, it is just a shell but other user interface could be possible. There is also a REST API. The structure is based on:

  • A file repository
  • A database (for metadata, notes, tags)
  • A shell history file
  • Core commands
  • Modules (+/- 30 as of today)

Some examples of existing modules are: Radare2, searching for known shell code patterns, analysis of PDF or Office documents, etc… The product is not perfect but works quite well. Claudio makes lot of nice demos. It seems very easy to use with simple and powerfull commands. Claudio said that some modules are incomplete, it lacks of scripting and automation. The product must still be improved but looks great. It is a community project and Claudio is looking for developers/contributors. Viper is available here.

The next talk focused on TR-069, a technical specification called CWMP (“CPE WAN Management Protocol“). It was presented by Shahar Tal. It defines a protocol used for remote management of end-user devices (the Internet box that we all of us have at home) and is based on SOAP/HTTP. Communications are performed between the user’s devices and a central server called ACS (“Auto Configuration Server“).

Shahar on stage
Shahar on stage

Basically, with TR-069, you allow “somebody” to access your device. The question which comes in mind immediately is: who do you trust to run code on your device at any time without approval? The Shahar’s idea was to focus to the ACS instead of the router (which has already been targeted too much!). What is an ACS is compromised? The attacker could:

  • Get private data (SSID, hostname, usernames, VoIP data)
  • Get the device complete config
  • Set parameters (DNS, Wireless, PPP)
  • Download log files

The first step is to find an ACS! How to achieve this? By compromising a router and checking the traffic or activity. By sniffing your own traffic or by scanning the Internet. Once found, the ACS becomes a regular target and, guess what? Many of them are not properly managed/configured. Shahar reviewed different examples of ACS and how they were compromised. Two examples:

  • OpenACS (free implementation written in Java). It was pwned after 3 days (remote code execution)
  • GenieACS. It was pwned after 2 days (also via RCE)

About bad configurations, if SSL is available, according to Shahar, only 15% of them are using SSL to manage their CPE! Interesting talk! If you compromise an ACS, you can potentially own thousands of home routers!

Then, Fyodor Yarochkin, a regular speaker at hack.lu, came to present “Detecting bleeding edge malware: a practical report“. Fyodor is good at presenting research about monitoring malicious activities, malwares and botnets. For him, when you’re compromised, you need to detect properly the who, when, how. The identification of the threat is very important. Fyodor explained how he tracked malicious on-going malware campaigns via DNS and HTTP monitoring. This correlated with public information. As example, he detected an attacker changing its domain name every 3 minutes, impressive!

Fyodor on stage
Fyodor on stage

I just had a quick look to the talk about USB fuzzing. He was presented by Jordan Bouyat. It was very close to the one that I attended at BlackHat last week! To resume briefly, USB fuzzing is interesting because USB ports are available everywhere today! After a short introduction about the USB and its features (bus, detection, etc), Jordan explained the approach his company used to setup an USB fuzzing lab. Based on Qemu, the solution has pro & con:

  • Pro: snapshots are very useful, it’s easy to parallelize tests and no specific hardware is required
  • Con: Not all operating systems can be virtualised and the hypervisor can have bugs in the USB support code

I expected a lot from the next talk. I was curious about the tool called WiHawk aka the “router vulnerability scanner“. If previously, we saw a talk about TR-069 which focused on ACS servers to pwn home routers, this talk focused again to them. Anamika Singh quickly resumed what is a router and what are its core features: route processing (deciding where to send packets), packets forwarding and special services like filters (ACL) or NAT. She started with a simple example where a password was discovered via an analyse of a router firmware and binwalk. Classic! Then she explained what is the purpose of the WiHawk and described its features. Based on IronWasp (it must be installed on top of it), the framework provides the following checks:

  • Search for default configs
  • Try to bypass authentication
  • Try to find well-known backdoors
  • Rom-O attack

The target can be specified as a single IP address, a network or, more interesting, a Shodan query (GeoIP - city, country, etc). This is an interesting tool but based IronWasp which needs .Net! According to the website, it runs under Linux with wine… To be tested!

Finally, my last talk was the one of Frederik Braun: “We’re struggling to keep up” (a brief history of browser security features). The talk was based on the past, present and future of browsers. Today, “the web is the platform” said Frederik! He showed two screenshots which perfectly resume the history of browsers. The first one is the Yahoo! homepage in the years 2000. The second one is gmail.com with plenty of nice features (fully dynamic web-content). Another fact: browsers are everywhere, event in your car! From the past, we always improved the browser to fix security issues: HTML is  stateless protocol, we invented cookies. We used plain-text communications? We invited HTTPS. It was opt-in? We implemented HSTS. It’s just a whack-a-mole game! Then Frederik review the present issues and the future… Frederik’s conclusion? The browser can aid to secure the website!

The last talk was the same of presented last week at BlackHat: “Evasion of high-end IDPS devices at the IPv6 era” by Enno Rey, Antonios Atlasis, Rafael. Tomorrow, nice talks are scheduled! Stay tuned for more news…

2 comments

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.