Here is my quick wrap-up of Black Hat Europe 2015, which ended today. Due to a high workload, I only joined Amsterdam today to attend the second day of briefings and… I’m not disappointed! As usual, there were very interesting sessions and others that were less attractive. Based on friends’ feedback, I also missed a very nice one. That’s always the same issue with multi-track events. After an early drive to Amsterdam on a rainy morning, the registration and some caffeine, it was already time for the first round of talks.
The first one started with Nikhil Mittal who talked about CI tools: “Continuous Integration: Why CI tools are an attacker’s best friends”. Continuous integration is a set of software engineering practices that speed the delivery of software by decreasing integration times (thank you Wikipedia). Nikhil’s first slide gave the idea of the talk: “Continuous Intrusion”.
As usual, the issues are linked to dangerous features and misconfigurations. A good quote to always keep in mind:
A single improperly configured tool can ruin your security.
Nikhil reviewed three popular tools: Jenkins, TeamCity, Go. They are used to integrate code from multiple developers via a code repository, build servers and master servers to finally deploy the apps to slave computers. From an attacker’s point of view, this is a nice target to pivot, increase privileges, etc. In most cases, compromising a CI tool means domain admin.
The first one to be reviewed was Jenkins. It is the most popular tool. What are its issues?
- No authentication by default
- No protection against brute-force attacks
- No password policy for users
- Runs with SYSTEM (or high level) privileges on Windows
- All users could access output of builds (read privileges to anonymous) (release < 1.580)
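As an added example (not from the talk or from this post), the first and last issues in the list can be checked from the defender's side by reading the master's `config.xml`. The element and class names are assumed to match the Jenkins version in use, the sample file is constructed, and `audit_jenkins_config` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a Jenkins master config.xml (not taken from the talk).
SAMPLE_CONFIG = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Read:anonymous</permission>
    <permission>hudson.model.Item.Read:anonymous</permission>
    <permission>hudson.model.Hudson.Administer:admin</permission>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm"/>
</hudson>"""


def audit_jenkins_config(xml_text):
    """Return findings about authentication and anonymous access."""
    root = ET.fromstring(xml_text)
    findings = []
    # Security switched off: no login is required at all.
    if (root.findtext("useSecurity") or "false").strip().lower() != "true":
        findings.append("security disabled: no authentication required")
        return findings
    strategy = root.find("authorizationStrategy")
    cls = strategy.get("class", "") if strategy is not None else ""
    if strategy is None or cls.endswith("$Unsecured"):
        findings.append("authorization strategy gives everyone full control")
    elif cls.endswith("FullControlOnceLoggedInAuthorizationStrategy"):
        # Assumption: a missing element means anonymous read is still allowed.
        deny = (strategy.findtext("denyAnonymousReadAccess") or "false").strip()
        if deny != "true":
            findings.append("anonymous users have read access")
    else:
        # Matrix strategies list "permission:sid" entries (newer plugin
        # versions prefix a type, e.g. "USER:permission:sid").
        for perm in strategy.findall("permission"):
            parts = (perm.text or "").strip().split(":")
            if len(parts) >= 2 and parts[-1] == "anonymous":
                findings.append("anonymous is granted " + parts[-2])
    return findings


if __name__ == "__main__":
    for finding in audit_jenkins_config(SAMPLE_CONFIG):
        print("[!]", finding)
```
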
How to abuse it? It’s so simple:
- Add a build step -> if allowed/configured it’s possible to execute commands on remote hosts by regular users
- It is possible to retrieve credentials in clear text
To search for Jenkins facing the Internet, you can use the following Google dork: intitle:"Dashboard [Jenkins]". Nikhil performed two live demos: in the first one, he executed basic PowerShell functions. In the second one, he demonstrated how to get a reverse shell using his powercat.ps1 tool.
The next one was TeamCity. The issues are:
- Registration of new users allowed by default
- No password policy for users
- Runs with SYSTEM (or high privileges)
If you’re a project admin, you can upgrade your privileges to superuser by stealing the superuser token from the master. The associated Google dork is: intitle:"Project – TeamCity". Here again, the vulnerabilities were demonstrated live.
For the last one, Go, guess what? Same story with almost the same vulnerabilities. I liked the one which discloses GitHub credentials in clear text in the console. To complete his presentation, Nikhil disclosed a vulnerability for Jenkins (pre-auth RCE). It was a very nice talk, straight to the point with clear facts that can be easily reused by pentesters.
After a first coffee break, I followed Marco Balduzzi & Vincenzo Ciancaglini who spoke about “Cybercrime in the deep web”. I was expecting a presentation with many statistics about the deep web but it was not the case. They started a project three years ago: to index the deep web. Their presentation was split into two parts. In the first part, they presented the tool used to crawl, index, store and enrich pages from the deep web. The tool is called “DeWA” – “Deep Web Analyzer”. It’s always important to know what exactly the deep web is. It’s a buzzword used by many media. It can be defined as “every content not indexed by search engines”. We have:
- The dark net: private overlay networks
- The dark web: websites hosted on dark nets
There is a difference between what’s hidden and what’s really interesting for criminals. They are searching for pages hidden via the following technologies:
- Tor (.onion)
- I2P (.i2p)
- Namecoin, Emercoin (alternate DNS systems – blockchain-based DNS)
- Rogue TLDs & private DNS (OpenNIC, Cesidian Root, name.space)
The data sources are: user data, pastebin sites, Twitter, Reddit, URL listing sites, Tor gateways, I2P host files, scouting feedback. Since November 2013, they collected:
- 40.5M events
- 611K URLs
- 20.500K domains
So, what did they find for criminals?
- Guns & Ammo
- Passports and fake id
- Counterfeited money
- Credit cards
- Doxing (stars, politicians, etc)
- Assassins (note the extended suffering option!)
- Crowdfunding evil (when people will die)
The second part of the presentation was a review of some well-known malware which use the deep web for their operations:
A nice research! The next talk in my schedule: “VoIP wars: Destroying Jar Jar Lync” by Fatih Ozavci. The abstract of the presentation was juicy and promised a nice talk. It started with an awesome intro like the Star Wars movies (credits of the picture: @PeteAitch)
The presentation was a first stage of a new research: Skype for Business. This is the new name of the Lync tool that is more and more used in corporate environments as a unified messaging solution. The presentation covered several vulnerabilities assigned to the Microsoft product (released yesterday):
Fatih reviewed the product, its components and how the default security is defined. By default, a lot of security features are enforced:
- SIP over TLS is enforced for clients by default
- SRTP uses AES
- SIP replay attack protections
- Clients validate server response signatures
- SIP trunks (PSTN gw) security: TLS enabled & IP restricted, no authentication support
To perform the demo, Fatih used his tool called Viproy. The latest version is now a standalone Metasploit module and it supports TLS interception with TLS certs. Some nice demos (videos) were shown. Basically, XML messages can be used to offer URLs to clients and to make them open them in a browser. Another one was nice: sending a fake link to a client asking to download a new Skype update which is a reverse shell. Finally, the last demo was abusing multiple clients at the same time via BeEF and the browser autopwn module. Very interesting but not so easy to achieve in a corporate environment!
After lunch, a lot of people moved to the “Forum” (the biggest room) to attend a presentation about self-driving cars by Jonathan Petit: “Self-driving and connected cars: Fooling sensors and tracking drivers”. Such cars are equipped with multiple sensors (GPS, LIDAR, cameras, wheel encoder, ultrasonic sensors, …).
In the first part, Jonathan focused on the camera (model: MobilEye C2-270) which provides lane detection, rear collision alert and pedestrian alert. It was a “blinding” attack. Jonathan explained how they tested the camera to make it blind and how long it takes to recover. The second sensor tested was the LIDAR (model: IBEO LUX 3) which provides object detection and object tracking. Here again, he demonstrated how to abuse the LIDAR. A first conclusion to the talk is clearly: “Do not trust sensors!”.
Then, Jonathan explained the purpose of the 802.11p protocol, which allows cars to communicate with each other. Basically, they constantly broadcast beacons which contain a lot of useful information.
The problem is that beacons are broadcast in clear text and can be collected by any (rogue) sensor. A beacon sniffer was built and deployed at sensitive places on a campus to track cars. It was demonstrated that we can easily build a surveillance system based on the cars’ beacons.
The last talk was about “a new tool to discovering Flash 0-day attacks in the wild” by Peter Pi. As an introduction, he explained that 2015 is (was) the Flash year! Many 0-day attacks hit the Flash player. There were two questions to solve to achieve the goal:
- How to get infected samples in the wild?
- How to identify those 0-days from the collected samples?
What are the source channels to find interesting content?
- Products’ feedback (large number of samples – very effective)
- URL crawling
- VT intelligence
- URL patterns
Peter presented his tool called AFED – “Advanced Flash Exploit Detector”. Nothing special… In parallel to this talk, there was another one which was really impressive (based on a friend’s feedback): “Bypassing local Windows authentication to defeat full disk encryption”.
The day ended with a panel session with Jeff Moss, Marion Marschalek, Haroon Meer and Jennifer Savage. An interesting discussion about the current security landscape. Dates and location of the next edition are already known: November 1-4 in London!