Yesterday, I went to Disneyland Paris! Not for a family trip but to attend a security conference. Great place, isn’t it? Everybody knows the Disney park, but the nearby hotels also offer facilities for organizing events. That’s what Sysdream, the organizer of Hack in Paris 2011, did. I left home very early (to avoid traffic jams) and arrived just in time to register and grab a coffee. Thanks again to Emilien for the press access!
Hack in Paris is organized like many other conferences: two days of training followed by two days of talks given by international speakers. Honestly, when I’m going to an event in France, I’m always a bit scared of the habit of organizing “Franco-Français” events (read: everything is in French). In the case of Hack in Paris, there were international speakers and all the talks were given in good English. Good point! The audience was also a mix of people coming from several countries. What about the talks? The conference was single-track, one talk at a time.
The first one was about pentesting iPhone and iPad applications (based on Apple iOS) by Flora Bottaccio and Sebastien Andrivet, from a company based in Switzerland: ADVtools. The presentation focused on native iOS applications. They are distributed as .ipa files (in fact a zip archive) and deployed as .app bundles (like on Mac OS X). Their executable code is encrypted (FairPlay DRM) and signed with Apple’s signature. They are developed in Objective-C. Applications usually store their data in different formats:
- SQLite3 files
- plist files (property lists)
- Keychain
- Binary data files
How to find out how and where applications store their data? iTunes is your best friend. Every time you sync your device, a backup is made (unencrypted by default) containing ALL the device data. You just have to analyze the backup to find interesting stuff! After this introduction, the speakers explained their methodology for pentesting applications. They perform the following steps:
- Prepare the device: jailbreak it (mandatory) and install useful tools like Cydia, gdb, netcat and tcpdump
- Prepare a workstation (the recommended OS is Windows) with Burp Suite, IDA Pro, Wireshark and ADVsock2pipe (the full list is very long)
- Prepare the network
- Perform the pentest: install the application from iTunes, perform passive reconnaissance, then attack.
Two interesting tools were used during the presentation: ADVsock2pipe and ADVinterceptor. The first one receives a live pcap stream sent via netcat and forwards it to a local Wireshark. This is useful for analyzing the network traffic generated by an iPad/iPhone from a Windows workstation. The second one acts as an intercepting proxy for the DNS and HTTP(S) protocols.
This lab setup is very helpful for analyzing the behavior of mobile applications. Live demos showed how easy it is to find passwords or other sensitive data. What to conclude from this presentation?
- Lots of passwords are still stored in clear text in config files
- Every iOS application is reviewed by Apple (regarding ethics, battery, bandwidth, …) but they don’t check security! Do not trust Apple’s validation from a security point of view!
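The first conclusion above (credentials left in clear text in the application’s own storage) is easy to check for in an unencrypted iTunes backup. The following Python script is an added example written for this post; it is not ADVtools’ code and not a tool from the talk. It walks a backup directory, identifies plist and SQLite files by their magic bytes (files in a real backup are named by hash, with no extension), and reports string values stored under credential-looking keys or columns. The `SENSITIVE_KEY` pattern and the sample backup it builds in a temporary directory are constructed for the demonstration.

```python
import os
import plistlib
import re
import sqlite3
import tempfile

# Heuristic list of key/column names that usually hold credentials (assumption).
SENSITIVE_KEY = re.compile(r"pass(word|wd)?|secret|token|api[_-]?key", re.IGNORECASE)


def classify(path):
    """Detect the file type from its first bytes, since backup files carry no extension."""
    with open(path, "rb") as f:
        head = f.read(16)
    if head.startswith(b"SQLite format 3\x00"):
        return "sqlite"
    if head.startswith(b"bplist00") or head.lstrip().startswith((b"<?xml", b"<plist")):
        return "plist"
    return "other"


def scan_plist(path):
    """Return (path, key path, value) for every non-empty string under a sensitive key."""
    findings = []
    with open(path, "rb") as f:
        try:
            data = plistlib.load(f)  # handles both XML and binary plists
        except Exception:
            return findings

    def walk(obj, prefix=""):
        if isinstance(obj, dict):
            for k, v in obj.items():
                walk(v, f"{prefix}/{k}")
        elif isinstance(obj, list):
            for i, v in enumerate(obj):
                walk(v, f"{prefix}[{i}]")
        elif isinstance(obj, str) and obj:
            key = prefix.rsplit("/", 1)[-1]
            if SENSITIVE_KEY.search(key):
                findings.append((path, prefix, obj))

    walk(data)
    return findings


def scan_sqlite(path):
    """Return (path, table.column, value) for string cells in sensitive-looking columns."""
    findings = []
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
            for col in cols:
                if SENSITIVE_KEY.search(col):
                    for (val,) in conn.execute(f'SELECT "{col}" FROM "{table}"'):
                        if isinstance(val, str) and val:
                            findings.append((path, f"{table}.{col}", val))
    except sqlite3.Error:
        pass  # not a readable database; skip it
    finally:
        conn.close()
    return findings


def scan_backup(root):
    """Scan every file below root and collect clear-text credential findings."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            kind = classify(path)
            if kind == "sqlite":
                findings.extend(scan_sqlite(path))
            elif kind == "plist":
                findings.extend(scan_plist(path))
    return findings


def build_sample_backup():
    """Constructed sample data: a fake backup with one plist and one SQLite database."""
    root = tempfile.mkdtemp(prefix="ios-backup-sample-")
    with open(os.path.join(root, "sample-file-a"), "wb") as f:
        plistlib.dump({"username": "alice", "password": "hunter2", "theme": "dark"}, f)
    conn = sqlite3.connect(os.path.join(root, "sample-file-b"))
    conn.execute("CREATE TABLE accounts (id INTEGER, login TEXT, passwd TEXT)")
    conn.execute("INSERT INTO accounts VALUES (1, 'bob', 'S3cret!')")
    conn.commit()
    conn.close()
    return root


if __name__ == "__main__":
    for path, location, value in scan_backup(build_sample_backup()):
        print(f"{path}: {location} = {value!r}")
```

Point it at a real backup directory instead of the constructed one to audit your own applications; every hit is a value an attacker with the backup (or the device) reads without any cryptography, which is exactly the class of finding the speakers demonstrated.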
After a coffee break, Jean-Baptiste Aviat presented his tool called “Skyrack” (or ROP for the masses). ROP stands for “Return Oriented Programming”. Wikipedia says:
“ROP is a computer security exploit technique in which the attacker leverages control of the call stack to indirectly execute cherry-picked machine instructions or groups of machine instructions immediately prior to the return instruction in subroutines within the existing program code, in a way similar to the execution of a threaded code interpreter.”
Not being a developer, I found it difficult to follow the in-depth information given by Jean-Baptiste. One thing is sure: he knows his topic! Even if you don’t understand how ROP works, the most important thing is to know how to protect yourself. One of the countermeasures is ASLR (“Address Space Layout Randomization”), which can be enabled for Windows applications with the Microsoft tool called EMET. Jean-Baptiste’s tool will be released soon!
After the lunch break, we started again with a very good presentation about SVG files or, more precisely, how to use them to conduct attacks. This was presented by Mario Heiderich. To summarize the presentation: everybody is aware of the risks of opening malicious PDF files? The same can be done with SVG files! Did you know that those files are supported by default in your browser?
Mario started with a presentation of SVG (“Scalable Vector Graphics”) files. Basically, they are XML files with a lot of features. The most interesting ones: they can contain links, scripting and events, and they can include arbitrary objects. Enough to get scared! They may contain an applet, a Flash file or a PDF and are deployed using an <img>, <object> or <embed> tag, accessed directly or via CSS. Imagine a beautiful malicious SVG file: you download it and double-click on it. This file has full access to your files and directories!
Mario performed several demos and showed how the different browsers handle malicious SVG files. The most awesome demo was an SVG file inside an <img> tag. It contained a malicious PDF which launched Skype and dialed a number. Brilliant!
What to conclude from this excellent talk:
- Image files do not necessarily contain only graphical information!
- The SVG format definitely needs more attention from security researchers
- How to protect ourselves against such attacks? There is a tool called SVGPurifier developed by Mario.
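SVGPurifier is Mario’s tool and its internals are not covered here. As an added example (not SVGPurifier’s code, and not from the talk), the Python sanitizer below shows the minimum policy such a filter has to enforce against the features listed above: it drops `<script>`, `<style>` and `<foreignObject>` elements, drops every element that is not in the SVG namespace (which is how HTML, applets and embedded objects get in), strips `on*` event attributes, and only keeps `href`/`xlink:href` values that point inside the document (`#id`), so remote PDFs, Flash files and `javascript:` URIs are removed. The element list, the `CSS_URL` pattern and the sample document are assumptions constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)        # serialize SVG elements without a prefix
ET.register_namespace("xlink", XLINK_NS)

# SVG-namespace elements that run script, carry CSS or host foreign content (assumed policy).
BLOCKED_LOCAL_NAMES = {"script", "style", "foreignObject"}
# Attributes that carry a URL; only same-document fragments ("#id") survive.
URL_ATTRS = {"href", f"{{{XLINK_NS}}}href"}
# Inline CSS constructs that can load external resources or run code.
CSS_URL = re.compile(r"url\s*\(|@import|expression\s*\(", re.IGNORECASE)


def split_tag(tag):
    """Split ElementTree's '{namespace}local' form into (namespace, local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def sanitize_element(elem, report):
    """Strip dangerous attributes from elem, then prune or recurse into its children."""
    tag_name = split_tag(elem.tag)[1]
    for attr in list(elem.attrib):
        _, local = split_tag(attr)
        value = elem.attrib[attr]
        if local.lower().startswith("on"):                       # onload=, onclick=, onbegin=...
            report.append(f"attr {local} on <{tag_name}>")
            del elem.attrib[attr]
        elif attr in URL_ATTRS and not value.strip().startswith("#"):
            report.append(f"external {local}={value!r} on <{tag_name}>")
            del elem.attrib[attr]
        elif local == "style" and CSS_URL.search(value):
            report.append(f"style with url/import on <{tag_name}>")
            del elem.attrib[attr]
    for child in list(elem):
        ns, local = split_tag(child.tag)
        if ns != SVG_NS or local in BLOCKED_LOCAL_NAMES:
            report.append(f"element <{local}>")
            elem.remove(child)                                   # whole subtree goes with it
        else:
            sanitize_element(child, report)


def sanitize_svg(svg_text):
    """Return (sanitized SVG string, list of removed items). Raises ValueError for non-SVG input."""
    root = ET.fromstring(svg_text)
    ns, local = split_tag(root.tag)
    if ns != SVG_NS or local != "svg":
        raise ValueError("not an SVG document")
    report = []
    sanitize_element(root, report)
    return ET.tostring(root, encoding="unicode"), report


# Constructed sample: a harmless circle plus the kinds of constructs the talk warns about.
SAMPLE = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="100" height="100" onload="alert(1)">
  <script>alert('hi')</script>
  <circle id="ok" cx="50" cy="50" r="40" fill="red" onclick="alert(2)"/>
  <use xlink:href="#ok"/>
  <image xlink:href="http://example.invalid/evil.pdf" width="10" height="10"/>
  <foreignObject><body xmlns="http://www.w3.org/1999/xhtml"><embed src="x.swf"/></body></foreignObject>
  <a href="https://example.invalid/"><text>link</text></a>
</svg>"""

if __name__ == "__main__":
    cleaned, removed = sanitize_svg(SAMPLE)
    for item in removed:
        print("removed:", item)
    print(cleaned)
```

The whitelist-by-namespace rule is what does most of the work: everything that is not plain SVG is gone before any per-element reasoning is needed. A production filter would additionally parse with a hardened XML parser (entity expansion, external DTDs) and decide what to do with `<use>` references to external files, both of which are out of scope for this sketch.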
Then, Alain Zidouemba talked about rogue anti-virus programs. I was a little afraid it would be a commercial presentation when Alain started, but fortunately it wasn’t. He first gave some interesting facts about rogue anti-virus software. Here are some:
- Users panic when they see messages like “xxx infected files detected, click here to fix them”
- 9000 URLs and 2000 IP addresses were detected distributing rogue AV software (labs.snort.org/iplists/ is a nice list)
- Some TLDs, like .cc, are mainly used to distribute rogue AV
After the introduction, the presentation switched to an analysis of the MacDefender malware, which was recently a hot topic. The rogue AV implemented a strong registration process. Interesting to know: the analysis of the C&C showed that 75% of the victims were US citizens and 27% of them used a Yahoo! email address.
The next presentation was given by Tom Keetch. It was the same presentation he gave at BlackHat Europe in Barcelona.
Finally, the last presentation was that of Gary S. Miliefsky. He talked about “Proactive network security through vulnerability management”. The presentation started slowly and Gary spent a lot of time on security facts that everybody already knows: “Nothing is secure”. Then he spent a lot of (too much?) time explaining what CVEs (“Common Vulnerabilities and Exposures”) are. Fortunately, the next part of the presentation was more interesting. Nice tools were presented, like OVAL (“Open Vulnerability and Assessment Language”). Based on a huge XML definition file, this tool analyzes your host. It builds a list of installed software and of their associated vulnerabilities, if any. You could roughly compare it to Secunia PSI. The most important fact given during the presentation: 95% of attacks use known vulnerabilities. That’s why patching your systems and applications is so important!
This summarizes my visit to Hack In Paris. Unfortunately, I was not able to stay longer to attend the next event, La Nuit du Hack (still ongoing while I write this blog post). See you next year for sure!