RandoriSec 9 min

On this year 2022, some of us have participated to the Insomni’hack conference in Geneva (March 24th & 25th). We were very happy to meet again the infosec community IRL :) Here is a quick review of the talks that interested us.

Day 1

Keynote - Riccardo Sibilia - Head of Computer Network Operations Team - Swiss Armed Forces

Talk video: no record available

In this keynote, Riccardo Sibilia explains how Swiss Armed Forces created the “Cyber Battalion 42” which is the “cyber” branch of the Swiss Army. He also gives details on their new “Cyber basic Training” that conscripts can join. Women (military training is not mandatory for women) and people who failed physical tests can join this training. They participate in the CCDCOE ( NATO Cooperative Cyber Defence Centre of Excellence) which is an international cyber defense exercise in Tallinn.

During questions, someone asked if this cyber branch was helping Swiss companies. The answer was interesting: it was said that intelligence is shared with Swiss companies, but they don’t audit or pentest them because they don’t want to take part in the cyber security private market in Switzerland. This is an interesting difference with France, where the ANSSI can audit critical infrastructure (also known as “Opérateur d’importance vitale”).

Andy Robbins - It’s Raining Shells - How to Find New Attack Primitives in Azure - SpecterOps

Talk video: https://www.youtube.com/watch?v=a09_5SCPBZ0

The first interesting thing in this talk is that Andy Robbins explains why he prefers to find functionalities which can be abused over “classic” implementation vulnerabilities: it’s stable, long-term usable and more difficult to detect since it looks like a legitimate behaviour. Then, he explained the complexity of Azure objects inheritance and permission relations. The second interesting thing is his methodology description to find functionalities that can be abused or vulnerabilities, and how it’s applied to the current talk: finding Microsoft Graph API abusable methods.

  1. Begin with the end in mind
  2. Study intent and design of the system: read official/unofficial documentation, issues in GitHub
  3. Explore the system using various means: Azure Portal GUI, MS-authored CLI tools, develop custom client
  4. Catalogue abuse capabilities: list permission and test if the behaviour is coherent with what it should do, then automate the process
  5. Share findings, release a tool

We advise you to watch the video, it’s pretty inspiring and can help all of the people who struggle with R&D :)

Charlie Bromberg - Delegating Kerberos to bypass Kerberos delegation limitation - Capgemini

Talk video: https://www.youtube.com/watch?v=byykEId3FUs

Let’s be clear, the content of this talk is very dense. If you want to understand all the subtleties, it’s better to watch the talk and take time to understand each attack.

This talk is focused on Microsoft Kerberos delegation abuses. The first part of the talk is a reminder of the different delegations mechanisms:

  • Unconstrained delegation (KUD)
  • Constrained delegation (KCD)
  • Role Based Constrained Delegation (RDBC)

S4U2self and S4U2proxy (KCD) Kerberos extensions are explained, but also how they can be abused, and what the prerequisites are to do so.

One can find a lot of information on The Hacker Recipes including the talk video and the slides: https://www.thehacker.recipes/ad/movement/kerberos/delegations

Itai Liba & Assaf Carlsbad - Breaking SecureBoot with SMM - SentinelOne

Talk video: https://www.youtube.com/watch?v=ge_TnLfTv8I

In this talk, the speakers show us how they automated SMM bug findings in computer firmware. Their tool is called BRICK and it is based on IDA: https://github.com/Sentinel-One/brick

First, they show us how the tool works: the binary is passed through the IDA tool which generates outputs that are then used in a another Python tool. This tool, then, uses heuristics to spot potential bugs and summarize them in a beautiful HTML report. Then, they explain why a bug is reported by the tool, and how to exploit it. This part was very interesting and technical and can be hard without knowledge of SMM internals. The main idea was to find a vulnerable function in the SMM handler. The discovered bug is an arbitrary write in SMRAM, which is then abused to obtain an arbitrary read to finally be able to execute code via a ropchain. The ropchain is complex and the speakers encourage the audience to read details on their website:

The ropchain must bypass mitigation, and finally can disable permanently SecureBoot. The shown vulnerability relates to HP firmware and is linked to 2 CVEs:

  • CVE-2021-0157
  • CVE-2021-0158

Vladimir Meier - Defeating static signatures in black box antivirus engine - SCRT

Talk video: https://www.youtube.com/watch?v=s0f7HoZ35D4

Vladimir Meier has worked on antivirus (AV) evasion for years. He published several blogposts and tools:

This presentation is focused on string detection and bypass. The first part of the talk explains how antivirus (in this case Windows Defender) string signatures are stored and how they are used to detect a binary as a positive match. To do so, the speaker explains different techniques to spot exactly which part of binary (and specifically strings) is detected by the antivirus and how it can be automated. Part of the work are based on Taviso (https://github.com/taviso/loadlibrary) and @commial (https://github.com/commial/experiments/tree/master/windows-defender/VDM). As a bonus, he gives a method to patch the binary to encrypt strings, and decrypt them at runtime, based on Lief and Radare. If AV evasion is a subject of interest to you, we strongly advise watching this talk.

Cesare Pizzi - REW-sploit: dissect payloads with ease - Sorint.lab

Talk video: https://www.youtube.com/watch?v=-sjM0k0hvMU

Cesare Pizzi presents his tool based on Unicorn Engine and Speakeasy to ease analysis of common offensive framework payloads, for example

  • cryptographic keys used for communication with the C2
  • second stage of Meterpreter
  • interception of interesting syscalls

The tool is designed for Meterpreter, Cobalt Strike Beacon but the author wants to add Donuts support. It can bin find here: https://github.com/REW-sploit/REW-sploit

Day 2

Keynote - Adventurous tales of Online Voting in Switzerland - Dr. Christian Folini

Talk video: https://www.youtube.com/watch?v=ZEYnoU4EDUQ

The topic is e-voting, and specifically in Switzerland. He talks about pros, cons, but also conceptual issues about e-voting. It was interesting because he also explains why a system design in Switzerland couldn’t be used in another country (for example if the code was open sourced). Switzerland is a democracy but with specificities :

  • a federal state,
  • several cantons with strong powers,
  • people regularly vote for political decisions.

He explains how institutions participate (or not) to the project and how it was treated by media.

Thomas Chauchefoin - Two bugs to rule them all: taking over the PHP supply chain - SonarSource

Talk video: https://www.youtube.com/watch?v=RLcK0kRGpjw

Here the goal is to achieve a supply chain attack on two major packet managers for PHP libraries: Composer/Packagist and PEAR.

The attack on Composer/Packagist consists of a command injection through the package metadata file. The metadata of the package contains the address to retrieve the code, and supports various VCS. Command injection (via ProcessExecutor) has been achieved by abusing function rewrite on the Mercurial VCS options. As a result, the attacker has can obtain a reverse shell: CVE-2021-29472.

The second attack on PEAR consists of the chaining of three vulnerabilities:

  1. biased password generator function
  2. serialization problems
  3. abusing package deployment queue

As a result, the attacker obtains (again) a reverse shell: CVE-2020-28948.

The attacks both have a major impact on PHP security ecosystem since large-scale supply chain attacks would be possible. In the end, the speaker offers mitigation like code signing implemented in Sigstore and Paragon Initiative for Composer (paragonie).

Simon Scannell - A Common Bypass Pattern to Exploit Modern Web Apps - SonarSource

Talk video: https://www.youtube.com/watch?v=V-DdcKADnFk

In this talk, Simon Scannell makes the statement that exploitation in modern Web applications is harder because there are:

  • mitigations
  • secure by default web development framework
  • sanitization libraries
  • ensuring of security overhaul checks

A secure design to handle user input should respect the following process:

  1. transform
  2. normalize
  3. sanitize

But some developments don’t follow the right order and:

  1. sanitize
  2. normalize
  3. transform

Therefore, the attacker has to find a way to alter data after sanitizing through the normalization or transform process, and that’s what the speaker did with the following apps:

  • Wordpress: CVE-2019-9787 - CSRF to remote code execution
  • Magento 2: CVE-2019-7877 & CVE-2019-7932 - pre-auth stored XSS to RCE
  • MyBB: CVE-2021-27889 & CVE-2021-27890 - unprivileged stored XSS to RCE
  • Zimbra: CVE-2021-35208 & CVE-2021-35209 - Webmail compromise via eMail

Abhay Bhargav - Hook, Line and Sinker - Pillaging API Webhooks - AppSecEngineer

Talk video: https://www.youtube.com/watch?v=xF2XUKtYaTg

Abhay Bhargav explains us how WebHook in applications can lead to SSRF. Most of the time, libraries used in web applications to make HTTP requests follow redirections by default. Hence, an attacker can specify a URL pointing to a server he controls. When the WebHook is triggered, a request is made to the attacker’s server which can respond with an HTTP redirection to an internal resource (for example Instance Metadata to retrieve IAM keys on an Amazon Infrastructure). However, the second prerequisite is that the attacker must be able to read the response of the server. It sometimes is the case when web applications allow access to server response, for example for debugging purposes. The attack is then demonstrated against DockerHub. Other scenarios are given such as dumping data from a CouchDB server connected to the web server hosting a vulnerable app. The best way to get rid if that class of vulnerabilities is to forbid a web application to follow HTTP redirections.

Jannis Kirschner - Symbolic Execution Demystified

Talk video: https://www.youtube.com/watch?v=gudLFiK0x5I

This talk is a beginner’s guide to symbolic execution. Symbolic execution can be very powerful when it comes to reverse engineer obfuscated parts of a binary. All examples and technics shown are illustrated with the challenge “z3_robot” from SharkyCTF2020. The check_flag routine contains a lot of constraints to check for a flag validity.

First, the speaker tries to resolve the challenge of the naive way by extracting manually the constraints and reimplementing them to try to solve them. Still, there are too many to solve manually.

After a quick reminder on the SAT and SMT solvers, he shows how the constraint can be solved with Z3 python library by declaring each constraint manually.

Then the speaker makes an explanation on symbolic execution. Symbolic execution treats function inputs as symbolic values instead of concrete ones, so that each branch taken by the program generates expressions that reflects the constraints the value must have to take that branch. It’s very efficient but there might be problems like loop detection, and also, it doesn’t scale on big routines because it explodes in complexity. A way to mitigate this is to mix concrete and symbolic execution: concolic execution. For that purpose the speaker presents different tools/frameworks that implement concolic execution: S^2E, Angr, Triton, Manticore and KLEE. He explains pros and cons of each one and what to use in each case.

Finally, the speaker explains why he chose Angr for the case and how to solve the challenge automatically with it, without declaring each constraint manually.