By Davy Douhine | June 19, 2018
RandoriSec was at the SSTIC conference in Rennes, France. SSTIC (Symposium sur la sécurité des technologies de l’information et des communications in French) is an old security conference which started in 2003 and the majority of the presentations are in French! This year it was the 16th (0x10) edition occurring at the Couvent des Jacobins, an old convent.
Most of the slides and the videos are available at the SSTIC website:
In addition, the SSTIC committee print every year a book with all the papers presented (not including the short presentations). The book is available in PDF format:
The agenda was great with different subjects and topics (reverse engineering, offensive security, SDR, IoT, Virtualization, JavaCard, etc.).
Some interesting figures:
- Around 800 participants this year!!!
- It was the first SSTIC for the majority of the audience
- More than 10% of the audience got sick after the first day due to food poisoning
- 4 guest presentations: Halvar Flake (Reverse engineering), Daniel Jeffery (Let’s Encrypt), Jason Donenfeld (Wireguard) and Patrick Pailloux (DGSE).
- 14 long presentations
- 11 short presentations (mainly new tools)
- 26 rump sessions (very very short presentation, open to everyone in the audience)
- 3 days of conference with almost no rain
- The last ticket was sold one week before the event!
Closed, heterogenous platforms and the (defensive) reverse engineers dilemma – Halvar Flake
It was the keynote of the conference and the thoughts developed by Thomas Dullien aka Halvar Flake were very interesting and accurate about the reverse engineering community. Thomas wanted to have a look back at twenty years of reverse engineering. The observations made by Thomas are not good and show that many improvements can be made in order to facilitate the work made by reverse engineers. Some points mentioned by Thomas are focused on product vendors such as the lack of debug functions to prevent reverse engineering. But, there is some remarks against the reverse engineering community mostly due to the number of frameworks or tools doing the same thing and also the lack of interoperability between tools.
Subverting your server through its BMC: the HPE iLO4 case – Alexandre Gazet, Fabien Perigaud and Joffrey Czarny
Very good work made by Alexandre, Fabien and Joffrey about the security of the HP iLO servers. If you are not aware about their work, we strongly recommend to view the presentation made by the authors at Recon.cx in Brussels (https://recon.cx/2018/brussels/resources/slides/RECON-BRX-2018-Subverting-your-server-through-its-BMC-the-HPE-iLO4-case.pdf). To sum up, the authors found a critical vulnerability in the HP iLO web interface allowing them to bypass the authentication mechanism and to obtain remote code execution on the server. On this talk, they showed how to implement a backdoor on the HP iLO server! They developed some tools to test your HP iLO server:
Slides in English:
Three vulns, one plug – Gwenn Feunteun, Olivier Dubasque and Yves Duchesne
Short presentation about a smart plug tested by the authors. As usual (unfortunately), the security level of this device was not good. They found a backdoor listening on a specific UDP port and only available using a “magic” code. In addition, the UART debug port is available and not disabled. The most funny issue was concerning the appairing method for the plug. In fact, the phone uses the Caesar cipher to transmit the Wifi key to the plug!!!
Video in French:
Sandbagility : un framework d’introspection en mode hyperviseur pour Microsoft Windows – Eddy Deligne and Francois Khourbiga
The authors presented a Python framework called Sandbagility. This framework is able to automate and control a Windows Virtual Machine. The goal of this framework is to ease the process of malware analysis by interacting directly to the hypervisor. They performed some demos with the Wannacry ransomware and showed how easy it is to extract information from the malware.
Paper in French:
Video in French:
Starve for Erlang cookie to gain remote code exec – Guillaume Teissier, Guillaume Kaim and Olivier Vivolo
Rabbitmq, ejabberd and Couchdb are network daemons developed in Erlang. The authors performed some research about the Erlang language and how the Erlang distribution protocol works. They found that a cookie is used,with a fixed length of 20 uppercase characters, to authenticate the processes. Having an access to the Erlang distribution service allows to execute commands on the server. The research performed show that the cookie generation is predictable! Therefore, they developed a tool able to bruteforce the cookie and to obtain remote code execution:
Hacking Harness open-source – Ivan Kwiatkowski
Ivan presented a tool called Freedom Fight Mode. The aim of this tool is to provide a “smart” shell to be used during post-exploitation phase (i.e webshell, reverse shell, etc.), but also to avoid leaving forensics evidence. Some nice features were added to the tool such as download and upload files, but also the possibility to execute python scripts on the remote server. It’s a nice tool to have in your toolbox during penetration testing jobs or red team engagements:
Closing Conference – Patrick Pailloux (DGSE)
Patrick Pailloux, the technical director of the DGSE (“Direction Générale de la Sécurité Extérieure”), French equivalent to the United Kingdom’s MI6 and the United States’ CIA, performed the closing conference. Mr. Pailloux explained that the DGSE is a secret and undercover agency and he can not disclose details about their activity :) However, he presented the objectives of the agency which are to protect the country by spying the French enemies! The last part of his talk was more to try to recruit people. The DGSE is looking for skilled people with information security capabilities. If you want to protect your country, you can apply ;)