<?xml version='1.0' encoding='utf-8' ?>
<!-- Made with love by pretalx v2.3.1post0. -->
<schedule>
    <generator name="pretalx" version="2.3.1post0" />
    <version>1.2</version>
    <conference>
        <acronym>bsidesvienna-2022</acronym>
        <title>BSidesVienna 0x7E6</title>
        <start>2022-11-19</start>
        <end>2022-11-19</end>
        <days>1</days>
        <timeslot_duration>00:05</timeslot_duration>
        <base_url>https://cfp.bsidesvienna.at/bsidesvienna-2022/schedule/</base_url>
        <time_zone_name>Europe/Vienna</time_zone_name>
    </conference>
    <day index='1' date='2022-11-19' start='2022-11-19T04:00:00+01:00' end='2022-11-20T03:59:00+01:00'>
        <room name='Urania Dachsaal'>
            <event guid='6f00a958-f2de-51bb-8128-84e83b45254a' id='478'>
                <date>2022-11-19T10:30:00+01:00</date>
                <start>10:30</start>
                <duration>00:30</duration>
                <room>Urania Dachsaal</room>
                <slug>bsidesvienna-2022-478-melting-the-dns-iceberg-taking-over-your-infrastructure-kaminsky-style</slug>
                <url>https://cfp.bsidesvienna.at/bsidesvienna-2022/talk/YNAKFT/</url>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <title>Melting the DNS Iceberg - Taking over your infrastructure Kaminsky style</title>
                <subtitle></subtitle>
                <track></track>
                <type>Talk</type>
                <language>en</language>
                <abstract>What does the DNS have in common with an iceberg? Both are hiding invisible dangers! Beneath an iceberg there is... hiding even more ice, however, beneath the DNS there are hiding unexpected vulnerabilities!

If you want to resolve a name via DNS, there are multiple open DNS resolvers all across the Internet. A very commonly used open DNS resolver is Google&#8217;s resolver with the IP address 8.8.8.8. However, not every system is using such an open resolver. Hosting providers, ISPs or the like are often using resolvers that are not directly accessible from the Internet. These are the so-called &#8220;closed&#8221; resolvers.

In my previous research &#8220;Forgot password? Taking over user accounts Kaminsky style&#8221; I have unearthed critical vulnerabilities in DNS resolvers of web applications, but I haven&#8217;t shared a second thought about the fact that these web applications were most likely using closed resolvers. So, this time I took a look at the root of the problem!

In this talk, we&#8217;ll take a look at how we can indirectly access these closed resolvers from the Internet. Furthermore, I&#8217;ll introduce open-source tools and methods to discover vulnerabilities in them. How we can attack these closed resolvers and potentially compromise thousands of systems will lastly be shown in a proof-of-concept exploit.</abstract>
                <description>1. Introduction, explanation of DNS cache poisoning, and the core problem of this research
- The talk starts off with a short introduction and a brief refresher on DNS cache poisoning and its consequences.
- As a transition from DNS cache poisoning and its consequences, I&#8217;ll give a short summary of my previous DNS research (https://sec-consult.com/blog/detail/forgot-password-taking-over-user-accounts-kaminsky-style/). This shows how I identified DNS vulnerabilities in web applications and how this would&#8217;ve allowed me to take over user accounts via DNS cache poisoning.
- Out of the 146 analyzed web applications, DNS resolvers of two web applications were especially insecure, since they allowed trivial Kaminsky attacks. The resolvers used by these two web applications were identified to be most likely closed (not directly accessible from the Internet).
- This sparked the question about the security of closed DNS resolvers.
2. Analysis of closed DNS resolvers
- Firstly, I&#8217;m showing how closed resolvers can be indirectly accessed from the Internet via various means and which method we picked to scan around 7000 domains on the Internet.
- Furthermore, I&#8217;m showcasing the required open-source &#8220;DNS analysis server&#8221; (successor of https://github.com/The-Login/DNS-Reset-Checker). I&#8217;m also explaining the test process of how to find vulnerabilities in closed resolvers.
- After that, we explore the first example of a vulnerable closed DNS resolver and combine it with a short detour to Kaminsky attacks. This ensures a general understanding of off-path DNS cache poisoning attacks and why the discovered resolver is vulnerable.
- We then go into an in-depth analysis of how we can find all the systems/domains that are using the vulnerable closed resolver. This shows how thousands of domains are linked to vulnerable resolvers due to being managed by one hosting provider or ISP. Here I&#8217;m using a hosting provider for &#8220;cloud and security&#8221; as well as an e-mail provider as examples.
- Then, I&#8217;ll reveal the results of an Internet scan of roughly 7000 domains. Even though &#8220;only&#8221; 25 DNS resolvers were found to be vulnerable, thousands of systems are affected.
- I next explain the possible attack vectors to exploit systems using these vulnerable resolvers. This ranges from simple spam protection bypasses (spoofing SPF, DKIM and DMARC) to complete system takeovers.
3. Conclusion
- In the conclusion of the talk I&apos;ll cover some key takeaways and why the DNS is still a hot topic!</description>
                <logo>/media/bsidesvienna-2022/submissions/YNAKFT/iceberg_logo_dns_zvR3H8M.png</logo>
                <persons>
                    <person id='533'>Timo Longin</person>
                </persons>
                <links></links>
                <attachments></attachments>
            </event>
            <event guid='3691d0c3-1e8e-52fd-a2b1-8d55004009ac' id='506'>
                <date>2022-11-19T11:05:00+01:00</date>
                <start>11:05</start>
                <duration>00:30</duration>
                <room>Urania Dachsaal</room>
                <slug>bsidesvienna-2022-506-logrotten-it-s-not-a-bug-</slug>
                <url>https://cfp.bsidesvienna.at/bsidesvienna-2022/talk/GDZYEC/</url>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <title>Logrotten - &quot;It&apos;s not a bug&quot;</title>
                <subtitle></subtitle>
                <track></track>
                <type>Talk</type>
                <language>en</language>
<abstract>Logrotate is prone to a race condition on systems with a log directory that is in control of a low privileged user. This talk shows how easy it is to use logrotate in a dangerous way and illustrates the impact of this vulnerability. Finally, the current state of logrotate will be discussed.</abstract>
                <description>Logrotate is designed to ease administration of systems that generate large numbers of log files. It allows automatic rotation, compression, removal, and mailing of log files. Each log file may be handled daily, weekly, monthly, or when it grows too large. It also gives you a root shell.
Logrotate supports different methods for creating new files. For example, the directive &#8220;copy&#8221; makes a copy of the logfile and &#8220;create&#8221; creates a new empty logfile after rotating. If someone exchanges the log directory with a symbolic link just before creating the new logfile, logrotate will put the new file into a different directory. Such a scenario can be exploited if logrotate runs as user root and a low privileged user is in control of the path to the log directory. If this user exchanges the log directory with a symbolic link at the right time, logrotate will write the new file into the linked directory. After that the permissions of the created file will be adjusted and the attacker might have write access to that file.
This talk explains the various scenarios where logrotate can be configured in dangerous ways. It will also be explained which software packages were found to be prone to this kind of attack. Finally, the current state of logrotate will be discussed.</description>
                <logo></logo>
                <persons>
                    <person id='319'>Wolfgang Hotwagner</person>
                </persons>
                <links></links>
                <attachments></attachments>
            </event>
            <event guid='9e552495-680a-5ce7-9c41-43c6718c2156' id='498'>
                <date>2022-11-19T11:40:00+01:00</date>
                <start>11:40</start>
                <duration>01:00</duration>
                <room>Urania Dachsaal</room>
                <slug>bsidesvienna-2022-498-charlatans-in-infosec-from-kim-to-jonathan</slug>
                <url>https://cfp.bsidesvienna.at/bsidesvienna-2022/talk/MUWQKG/</url>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <title>Charlatans in InfoSec - from Kim to Jonathan</title>
                <subtitle></subtitle>
                <track></track>
                <type>Talk</type>
                <language>en</language>
                <abstract>A brief introduction to the world of InfoSec charlatans - from KimDotCom to JonathanData. Why it&apos;s important to expose them - and how you can do it. This talk not only covers historical charlatans, but also teaches common techniques and behaviors of fraudsters. It also explains why it is important to expose such fraudsters.</abstract>
                <description>InfoSec as a community and as a profession has attracted a lot of charlatans. In this talk you will get an overview of InfoSec charlatans. Starting from famous people like Kim (DotCom) to less known but still funny characters like Jonathan Scott (aka jonathandata1) - you will meet them all. You&apos;ll also learn how to spot charlatans and why this is important - for the community and for people outside the community. 
You&apos;ll get a deep dive into the mindset of scammers - including common techniques they use and how to fend them off. All techniques presented will be demonstrated with examples. After this presentation, you will have all the tools you need to protect the community (and yourself) from scammers/fraudsters/charlatans.</description>
                <logo></logo>
                <persons>
                    <person id='553'>Sebastian Bicchi</person>
                </persons>
                <links></links>
                <attachments></attachments>
            </event>
            <event guid='2ff57d88-f6d2-5b97-bca2-2fc2ede4d959' id='489'>
                <date>2022-11-19T13:40:00+01:00</date>
                <start>13:40</start>
                <duration>01:00</duration>
                <room>Urania Dachsaal</room>
                <slug>bsidesvienna-2022-489-no-code-malware-windows-at-your-service</slug>
                <url>https://cfp.bsidesvienna.at/bsidesvienna-2022/talk/EAKWZL/</url>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <title>No-Code Malware: Windows at Your Service</title>
                <subtitle></subtitle>
                <track></track>
                <type>Talk</type>
                <language>en</language>
<abstract>Windows 11 ships with a nifty feature called Power Automate Desktop, which lets users automate mundane processes. In a nutshell, users can build custom processes and hand them to Microsoft, which in turn ensures they are distributed to all user machines and executed successfully, and reports back to the cloud. You can probably already see where this is going...

In this presentation, we will show how Power Automate Desktop can be repurposed to power malware operations. We will demonstrate the full cycle of distributing payloads, bypassing perimeter controls, executing them on victim machines and exfiltrating data. All while using nothing but Windows baked-in and signed executables, and Office cloud services. 

We will then take you behind the scenes and explore how this service works, what attack surface it exposes on the machine and in the cloud, and how Microsoft managed to enable it across their customer base without explicit user consent. We will also point out a few promising future research directions for the community to pursue.

Finally, we will share an open-source command line tool to easily accomplish all of the above, so you will be able to add it into your Red Team arsenal and try out your own ideas.</abstract>
                <description></description>
                <logo></logo>
                <persons>
                    <person id='544'>Michael Bargury</person>
                </persons>
                <links></links>
                <attachments></attachments>
            </event>
            <event guid='d2073d60-4cf9-5e3c-a2d3-f82bca4118d6' id='491'>
                <date>2022-11-19T14:45:00+01:00</date>
                <start>14:45</start>
                <duration>00:30</duration>
                <room>Urania Dachsaal</room>
                <slug>bsidesvienna-2022-491-nothing-to-hide-privacy-preserving-cryptographic-authentication-in-practice</slug>
                <url>https://cfp.bsidesvienna.at/bsidesvienna-2022/talk/9ALTGS/</url>
                <recording>
                    <license></license>
                    <optout>true</optout>
                </recording>
                <title>Nothing To Hide: Privacy-Preserving Cryptographic Authentication In Practice</title>
                <subtitle></subtitle>
                <track></track>
                <type>Talk</type>
                <language>en</language>
                <abstract>Governments, email vendors, social media websites, and even your favorite food recipes forum require account registrations where you pass your secret, often the same, password over insecure channels, riddled with sniffing agents while subjecting your online identity to theft, data breaches, and a whole bag of privacy concerns.

This doesn&apos;t need to be the case. With the massive explosion of fast, secure, and privacy-preserving cryptographic protocols, your credentials need never leave your device and websites don&apos;t need to store your passwords for authentication to complete.

In this talk, I&apos;ll introduce zero-knowledge password protocols, a well-established field of cryptography that puts privacy first, as well as demo a full implementation of such a protocol live.</abstract>
<description>The problem and the reason I made the project are very nicely put forth by the famous cryptographer Matthew Green: https://blog.cryptographyengineering.com/2018/10/19/lets-talk-about-pake/. The protocol I&apos;m working with was very recently standardized by IETF (mid 2020) right here: https://datatracker.ietf.org/doc/html/draft-krawczyk-cfrg-opaque-06.

The goal of this talk is to share the knowledge regarding this new protocol (namely, OPAQUE) and the field of zero-knowledge cryptography. The benefits for it in terms of password authentication and privacy are tremendous and they&apos;re well studied. My contribution to the space will be a Go implementation of the protocol that can be used in any form, a backend, and a frontend JS SDK, as well as sharing a simplified explanation of the math behind it.

The protocol, backend and frontend code are open-sourced with a prototype. See here: https://github.com/afjoseph/plissken.</description>
                <logo>/media/bsidesvienna-2022/submissions/9ALTGS/logo_HIjZStH.png</logo>
                <persons>
                    <person id='545'>Abdullah Joseph</person>
                </persons>
                <links></links>
                <attachments></attachments>
            </event>
            <event guid='5db9121e-2ba6-557c-9fa5-85f7e8a3a48e' id='481'>
                <date>2022-11-19T15:20:00+01:00</date>
                <start>15:20</start>
                <duration>01:00</duration>
                <room>Urania Dachsaal</room>
                <slug>bsidesvienna-2022-481-hey-you-get-off-my-satellite-</slug>
                <url>https://cfp.bsidesvienna.at/bsidesvienna-2022/talk/UR9EQT/</url>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <title>Hey You! Get off my Satellite!</title>
                <subtitle></subtitle>
                <track></track>
                <type>Talk</type>
                <language>en</language>
<abstract>There are many components and systems that may be targeted in a space system by adversaries, including ground station systems and satellites. In this presentation we will discuss ideas for providing cyber resiliency in zero-gravity. Both theoretical and real-world examples of cybersecurity issues concerning satellite systems will be covered. This presentation will step through attack trees for targeting satellite systems. Recommendations and best practices for securing satellite systems will be discussed. In addition, new ideas that industry is currently developing for improving the cyber resiliency of space systems will be presented.</abstract>
                <description></description>
                <logo></logo>
                <persons>
                    <person id='536'>Paul Coggin</person>
                </persons>
                <links></links>
                <attachments></attachments>
            </event>
            <event guid='c1eb3c83-59b9-5857-a242-6d0f99fe04dc' id='479'>
                <date>2022-11-19T16:50:00+01:00</date>
                <start>16:50</start>
                <duration>00:45</duration>
                <room>Urania Dachsaal</room>
                <slug>bsidesvienna-2022-479-self-labeling-electronic-shelf-labels</slug>
                <url>https://cfp.bsidesvienna.at/bsidesvienna-2022/talk/93FVM7/</url>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <title>Self-Labeling Electronic Shelf Labels</title>
                <subtitle></subtitle>
                <track></track>
                <type>Talk</type>
                <language>en</language>
<abstract>Electronic Shelf Label (ESL) tags are increasing in popularity. More and more stores switch their price tags to digital ones for various reasons, such as competing with online wholesalers.
In this talk, we analyzed the 433MHz connection of a popular ESL tag and identified multiple security flaws that allowed us to spoof the RF signal and display arbitrary content on the displays. Furthermore, the original manufacturer of the E-Tag labeled microcontrollers was discovered.
This talk will give an overview of analyzing unknown hardware with an unknown RF protocol without any prior known research.</abstract>
<description>We took apart multiple ESL tags distributed by a Chinese manufacturer. These tags are especially popular in China and consist of an e-ink display and an LED. The base station will be connected to the local LAN and will translate packets to a proprietary 433MHz GFSK modulated protocol. We reversed this protocol and found multiple security vulnerabilities. The protocol does not protect against replay attacks. Hence, the tags can always be reset to an older price by replaying the previously recorded frames. Furthermore, we are able to craft our own packets and correctly modulate them with a HackRF. Therefore, we can fully control the display of all tags in a store. The only information required is the tag ID, which is printed on the top of the label or could be sniffed from previous tag transmissions.
A GNURadio Sketch was developed to correctly receive all packets and to forward them to a UDP port. A Python program is listening on this port and analyzing all contents. In addition, the script can be used to easily reprogram any ESL tag.
On top of that, a quick hardware security assessment was performed. We decapped the MCU of an E-Tag, which was only branded with the line &quot;E-Tag M1&quot;. It turned out to be produced by STMicroelectronics and is most likely an STM8 microcontroller.
All in all, this talk will lead through the teardown of an unknown RF device and showcase how signals can be intercepted and analyzed with predefined GNURadio blocks and some custom Python code.</description>
                <logo>/media/bsidesvienna-2022/submissions/93FVM7/testsetup_GQmzJZn.jpg</logo>
                <persons>
                    <person id='534'>Steffen Robertz</person>
                </persons>
                <links></links>
                <attachments></attachments>
            </event>
            <event guid='6166609e-6ff2-5bbf-9680-0c114c0fc6fd' id='497'>
                <date>2022-11-19T17:40:00+01:00</date>
                <start>17:40</start>
                <duration>00:30</duration>
                <room>Urania Dachsaal</room>
                <slug>bsidesvienna-2022-497-malware-and-exfiltration-a-telegram-story</slug>
                <url>https://cfp.bsidesvienna.at/bsidesvienna-2022/talk/PV7STU/</url>
                <recording>
                    <license></license>
                    <optout>false</optout>
                </recording>
                <title>Malware And Exfiltration : A Telegram Story</title>
                <subtitle></subtitle>
                <track></track>
                <type>Talk</type>
                <language>en</language>
                <abstract>Exfiltration and command and control are essential parts of the adversary&apos;s kill chain. One of the primary goals of a malicious adversary is to exfiltrate data from an environment undetected and uninterrupted.

As a result, several attackers have opted for third-party services typically sanctioned for use in most enterprises. The accepted status of such applications coupled with an established developer ecosystem makes services such as Slack and Telegram suitable for their exfiltration and command and control tool of choice.

We have observed the usage of Telegram in different types of malicious activities including but not limited to ransomware, phishing, remote access trojans and stealers. We will discuss active samples found in the wild with a particular emphasis on stealers. Stealers are a class of malware that are primarily interested in gathering information on a host. Recent examples of Telegram in stealers include the Lapsus$ compromise of major enterprises such as Microsoft, Okta, and Nvidia. They are particularly interested in credentials and information related to financial assets (fiat and crypto), e.g.:
- Saved passwords
- Cryptocurrency wallets
- Credit cards
- Files from personal directories
- Direct messaging application sessions (Telegram, WhatsApp, etc.)
- OS information
- Machine credentials
- Geolocation
- Screenshots (in some cases a live webcam view)

Our discussion will cover the exfiltration and detection evasion techniques on different platforms, including but not limited to Windows, macOS, and Android. In furtherance of the point, we introduce how malware-as-a-service provides easily accessible kits to entry-level and sophisticated malicious actors, thus reducing entry barriers, particularly in the stealer and ransomware community.

In our analysis, we observed a varied level of attacker operational competency. Attackers falter in several stages of the attack process, and we discuss some of their shortcomings and the best practices when it comes to using Telegram.
The techniques we discuss include:
Correlating attacker identity to the real world
- Image correlation
- Username correlation
Message Interception via
- Updates
- WebHooks

Throughout the talk, we provide several samples that use Telegram as an exfiltration vector and had one or no detections in VirusTotal. The absence of detections underscores the essence of building an enterprise that is aware of the shortcomings of vendor security products as well as open source intelligence sources. We also provide detections and common patterns we see associated with samples in the space.</abstract>
                <description></description>
                <logo></logo>
                <persons>
                    <person id='552'>Godwin Attigah</person>
                </persons>
                <links></links>
                <attachments></attachments>
            </event>
            
        </room>
        
    </day>
    
</schedule>
