A few people from RandoriSec went in Rennes for the 20 years of SSTIC! As usual now, the conference took place at Couvent des Jacobins from 1 to 3 June 2022. Here is a quick review of the talks that interested us.
Analyse forensique de la mémoire de GnuPG - Nils Amiet and Sylvain Pelissier
In this talk, Nils Amiet and Sylbain Pelissier have presented the memory analysis of the gpg-agent from GnuPG. The gpg-agent is the deamon that manages passphrasse and secret keys.
They found a vulnerability about the cache memory: The first 8 octets of the secret passphrase were not erased from memory.
They also published two
Volatility3 plugins that allows them to:
- Retrieve partially the secret passprahse by exploiting the vulnerability discovered
- Retrieve the complete secret passphrase in memory
The plugins are available on their Github repository: Volatility-gpg
Fuzzing Microsoft’s RDP Client using Virtual Channels - Valentino Ricotta
Valentino Ricotta presented a new way of targeting Microsoft’s RDP by targeting the client. This scenario can be achieved through a
honeypot by example.
He explained the concept of
Virtual Channel in the RDP protocol. These channels are used for different functionalities (clipboard, audio, etc.).
He also showed how he used WinAFL to perform coverage guided fuzzing on the RDP client and he explained his different fuzzing strategies.
At the end he talked about the vulnerabilities discovered:
- An “Arbitrary Malloc DoS”
- A Remote heap leak CVE-2021-38665
- A Remote Heap Buffer Overflow CVE-2021-38666
He also found two vulnerabilities in FreeRDP: CVE-2021-37594 and CVE-2021-37595.
Suprême TTD - That’s my PPL - Lucas Georges
Lucas George presented a way to use Time Travel Debugging (TTD), a Microsoft tool that allows recording the trace of a binary execution on Windows. This is a useful tool because it doesn’t compel to run a program several times in order to debug it. Lucas shows that Windows is protecting some processes and that even an admin cannot debug them. He explains how TTD is getting the trace from a binary and how TTD checks if a process can be attached. Finally, he found a way to bypass these checks using a read/write primitive into the Windows kernel to be allowed to record a trace on the protected processes.
Practical timing and SEMA on embedded OpenSSL’s ECDSA - Adrien Thrillard et al.
The presentation was about OpenSSL’s resilience against side-channel attacks. To start, a quick overview of some side-channel attacks from the past on ECDSA, mainly Minerva and TPM-Fail were discussed. Then, the presenter reviewed the OpenSSL threat model, and how it is possible to mitigate such attacks. Interestingly, the same physical system side channels are no longer part of OpenSSL’s threat modern since a few years. And while the cryptographic library implements mitigation for several same physical side-channel vulnerabilities (including Minerva), not all of the operations it performs are immune to these attacks. There is a function that does modular multiplication (
bn_mul_mont_fixed_top), and that is called after the loop on the bits of the random nonce of ECDSA, that starts with a check on the number of bits of its two big number arguments, and has a fast and slow path (if the number of bits is the same, it runs some ASM-optimised code; otherwise, it calls
bn_mul_fixed_top, which is much slower). This issue can be exploited in a way that is very similar to Minerva.
Ghost in the wireless, iwlwifi edition - Nicolas Ioos and Gabriel Campana
This talk comes from Nicolas Ioos and Gabriel Campana who both work at Ledger. It was a firmware bug triggered when Gabriel was trying to browse a web application hosted by his laptop from his smartphone which led to one of the most amazing talk of this SSTIC edition. They’ve done an impressive work on the analysis of the wireless stack from Intel, analyzing the Linux driver and also the chip firmware. During their talk, they explained their methodologies. They started by analyzing how the driver communicates with the firmware, which gave them clues about the firmware structure. The firmware is composed as a set of TLV (Tag-Length-Value) structures. Some of theses TLV contains ARCompact assembly bytecode, and some other contains the address of the different section. Everything needed to correctly load this into IDA Pro.
The firmware uses a secure boot mechanism, relying on an RSA signature, after a careful analysis of how this is done, they managed to find a way to load their own code inside the chips. From there, they built a debugger and a fuzzer.
All of this may sound easy, it is not. You should definitely check their talk and the associated paper! In addition, all the tools developed by Gabriel and Nicolas are available on Github: intel wifi research tools
DroidGuard: A deep dive into SafetyNet - Romain Thomas
After an excellent talk and a great lunch break, the next talk of the day was from Romain Thomas. He has done an incredible research on how the SafetyNet protection offered by Google works. SafetyNet is an Android component which verifies the device integrity (rooted, bootloader unlocked, custom ROM, emulator detection, hooked, etc.). It’s available for applications which deal with sensitive information to check if they are not running in a dangerous environment, which could easily weaken their security.
The security measure uses a dedicated workflow which starts with a SafetyNet request done with a high-level API exposed through the Google SafetyNet SDK. This call is going to create an intent sent to the GMS (Google Mobile Service). From the intent, a protobuf is created and sent to a specific GMS component called DroidGuard. At this moment things start to become mind blowing. Romain explained how DroidGuard is constructed. In short, DroidGuard is an APK bundled with some library, in fact, there are a lot of JNI calls inside the code. The core internal of Droidguard lives inside a native library. It’s an impressive virtual machine with different layers of obfuscation. The virtual machine is modified each two weeks by Google, meaning you also need to automatize a lot of stuff in order to efficiently analyze new versions.
This talks along with the paper gives a lot of interesting information about the internals and some nice reverse tricks.
An Apple a Day keeps the Exploiter Away - Eloi Benoist-Vanderbeken and Fabien Périgaud
Fabien Périgaud presented the exploit mitigation that have been added since 2019 on iPhone devices. This presentation focused on Apple’s efforts to counter the exploitation of their products.
Some security measures implemented since 2019:
APRR on the browser: Protection that dynamically changes the protections of the JIT memory page between RW and RX to avoid keeping a page in RWX protections.
PAC on some versions: Protection which consists of signing data and code pointers.
Verification of binary signatures with CoreTrust
Reduction of the attack surface from the Safari sandbox (fewer possible system calls, fewer ioctls, fewer services in userland, etc.).
Signature of Objective-C pointers.
No longer possible to easily manipulate a remote process.
PAC being more used on the kernel side
Stack data initialized with 0xAA, no more kernel stack memory leaks.
Kernel heap hardening: The kernel heap memory is divided into several zones, each area is specific to a type of object, impossible to reuse an object in a different area. The allocated memory block addresses are also more random.
amfid hardening: It is no longer possible to sign a binary with an expired certificate to bypass CoreTrust. Making hooks on amfid has become more complicated (difficult to inject code into another process).
Better memory protections on the kernel side (Page Protection Layer): Some memory pages can only be modified from a specific function.
If you want to have a nice overview on security mechanisms implemented by Apple to secure iPhones, we strongly recommend to read the slides and watch the video!
Rump: SQL injection automation with Metasploit - Redouane Niboucha
During this rump session, Redouane, a RandoriSec member, presented a library for automating and simplifying SQL injection exploitation within Metasploit modules. This library adds a layer of abstraction to allow module writers to perform SQL injection attacks with a common interface, regardless of the type of SQL injection vulnerability (common, boolean-based blind or time-based blind), and regardless of the database management system in use.
The presenter started by showing the difficulties involved in writing SQL injection proof of concepts, then the goals of this library, he then presented the usage of the library, how to create SQL injection objects, how the provided block works, and how to perform the injection with the high-level interface (with some code that works for every DBMS, for every SQL injection type). He then demonstrated the use of the library on some vulnerabilities that were discovered in the past years, CVE-2018-17179 on OpenEMR (and for which the truncation _length and encoder options proved to be useful), and CVE-2020-9465 on EyesOfNetwork, which was a time-based blind SQL injection vulnerability that was chained with other vulnerabilities to obtain a root shell on the appliance, and for which some optimizations the library offers proved to be useful.
The library is already used in 15 modules of the framework, supports 4 database management systems, has methods for reading and writing files whenever it’s possible, and a lot of other features.
Lost in translation: Comblez le fossé entre AppSec et développeurs avec CodeQL - Xavier René-Corail
Xavier René-Corail, the director of the Github Security Lab presented how to perform static code analysis with CodeQL, and how it is used to hunt for vulnerabilities in software. He started by presenting the activities of his lab, then, he discusses static code analysis using CodeQL, and takes as an example, the Log4Shell vulnerability. CodeQL starts by parsing the code to obtain an abstract syntax tree, it then stores information about the AST in a relational database. It supports some high-level libraries like Control Flow Graph, Data Flow and Taint Tracking, Type inference and range analysis. The presenter did taint tracking to figure out that the Log4j Logger info method performs JNDI lookups with user-provided data.