
2021-08-05 ~ 2021-08-08

Presentations (with video): 72 (50)

DEF CON (also written as DEFCON, Defcon or DC) is a hacker convention held annually in Las Vegas, Nevada. The first DEF CON took place in June 1993, and today its attendees include computer security professionals, journalists, lawyers, federal government employees, security researchers, students, and hackers with a general interest in software, computer architecture, hardware modification, conference badges, and anything else that can be "hacked". The event consists of several tracks of speakers on computer- and hacking-related subjects, as well as cyber-security challenges and competitions (known as hacking wargames). Contests held during the event are extremely varied, and range from creating the longest Wi-Fi connection to finding the most effective way to cool a beer in the Nevada heat.


Conference: Defcon 29
2021-08-01

tldr - powered by Generative AI

HTTP Desync Attacks and Web Cache Poisoning
  • HTTP Desync Attacks can be used to exploit blind request tunneling vulnerabilities
  • Internal headers can be exploited by injecting new lines and headers to cause desynchronization
  • Web Cache Poisoning can be achieved by mixing and matching response headers and bodies
  • Netlify CDN had a request header injection vulnerability that allowed for persistent control over every page on every site using the CDN
  • Atlassian's Jira had a vulnerability that allowed for multiple responses to be received by sending multiple new lines in headers

Conference: Defcon 29
2021-08-01

tldr - powered by Generative AI

The presentation discusses the security risks associated with big data technologies and provides recommendations for securing them.
  • Big data technologies like Hadoop and Spark are vulnerable to remote code execution attacks through various interfaces and ports
  • Data injection channels like Spark Streaming and Sqoop need to be secured to prevent injection of malicious data
  • Recommendations include removing or blocking unused dashboards and interfaces, implementing authentication and authorization, and securing communication channels between technologies

Conference: Defcon 29
2021-08-01

tldr - powered by Generative AI

Reverse engineering shopping cart wheels using radio frequency signals
  • The loudspeaker of a phone or a pair of headphones can be used as a crude antenna to control shopping cart wheels
  • The FCC website and Google Patents are useful resources for reverse engineering devices
  • 2.4 GHz signals can be sniffed using off-the-shelf equipment
  • Loop stick antennas are not good at transmitting signals over long distances

Conference: Defcon 29
2021-08-01

tldr - powered by Generative AI

This talk outlines weaknesses in modern bootloaders which allow attackers to deploy unsigned code, despite protection mechanisms. The first phase discusses exploitation of bootloaders in modern Android smartphones, demonstrating weaknesses which allow for bypassing bootloader unlocking restrictions, decryption of protected user data, and deployment of malicious software to devices using full disk encryption. The second phase discusses bootloader weaknesses in the secondary hardware used by smartphones, using an embedded RF chip as a target, and demonstrating reverse engineering techniques which identified weaknesses in the signature verification mechanisms of the firmware update protocols used by the bootloader, allowing for deployment of custom firmware to the chip.
  • Exploitation of bootloaders in modern Android smartphones
  • Weaknesses allowing for bypassing bootloader unlocking restrictions, decryption of protected user data, and deployment of malicious software to devices using full disk encryption
  • Bootloader weaknesses in the secondary hardware used by smartphones
  • Reverse engineering techniques identifying weaknesses in signature verification mechanisms of firmware update protocols used by bootloader
  • Deployment of custom firmware to the chip

Conference: Defcon 29
2021-08-01

tldr - powered by Generative AI

The speaker discusses the upcoming Def Con event and the preparations being made for it, including challenges with creating and testing exploitable challenges, switching to a new engine, and creating a new logo and theme. They also mention the excitement of reuniting with the hacker family and the potential for more in-depth conversations due to the smaller attendance.
  • Preparations for Def Con include creating and testing exploitable challenges
  • Switching to a new engine called CTFd
  • Creating a new logo and theme for the event
  • Excitement about reuniting with the hacker family and potential for more in-depth conversations due to smaller attendance

Conference: Defcon 29
2021-08-01

tldr - powered by Generative AI

The talk discusses how a JSON deserialization 0day vulnerability in Fastjson can be used to steal money on the blockchain. The speakers detail the vulnerability and how they were able to bypass security checks and mitigations, achieving remote code execution on important websites and affecting millions of users. They also propose a covert post-penetration exploit method for public blockchain nodes to steal user assets without notification.
  • Fastjson is a widely used open source JSON parser with 23,100 stars on GitHub
  • The speakers found a way to bypass security checks and mitigations by using the inheritance process of some basic classes, achieving remote code execution successfully
  • They were able to control important websites and affect millions of users
  • The Fastjson vulnerability affects a multi-billion-dollar blockchain
  • The speakers designed multiple complex gadgets based on the features of the blockchain, achieving information leakage and pointer hijacking
  • They propose a covert post-penetration exploit method for public blockchain nodes to steal user assets without notification

Conference: Defcon 29
2021-08-01

For decades, the EICAR test string has been used by antivirus and security vendors to safely test their detection engines without having to use live virulent samples which could cause harm. What would happen if you took that string, encoded it into a machine-readable format like a QR code and started scanning various devices with the QR code? This talk shows how there are a lot of systems out there that aren't expecting an input string like EICAR and how many of them just collapse when shown the code. We will also discuss the types of systems you can target and how you may be able to extend this to more than a nuisance attack.

REFERENCES:
  • EICAR test string: https://www.eicar.org/?page_id=3950
  • EICAR Wikipedia entry: https://en.wikipedia.org/wiki/EICAR_test_file
  • QR codes: https://en.wikipedia.org/wiki/QR_code
  • Risks surrounding QR codes: https://en.wikipedia.org/wiki/QR_code#Risks

Conference: Defcon 29
2021-08-01

In recent years, we have seen some of the major players in the industry switch from x86-based processors to ARM processors. However, you might be surprised to know that Intel has long supported the ARM to x86 transition with their binary translator, Houdini, which runs ARM binaries on x86. In this talk, we will discuss Intel's proprietary Houdini translator, which is primarily used by Android on x86 platforms, such as higher-end Chromebooks and desktop Android emulators. We will start with a high-level discussion of how Houdini works and is loaded into processes. We will then dive into the low-level internals of the Houdini engine and memory model, including several security weaknesses it introduces into processes using it. Lastly, we will discuss methods to escape the Houdini environment, execute arbitrary ARM and x86, and write Houdini-targeted malware that bypasses existing platform analysis.

REFERENCES:
  • Ye, Roger. Android System Programming: Porting, Customizing, and Debugging Android HAL. Packt Publishing, 2017.
  • JNI Functions, Oracle, 12 Nov. 2002, https://docs.oracle.com/javase/7/docs/technotes/guides/jni/spec/functions.html
  • Chromium OS Docs. Linux System Call Table, https://chromium.googlesource.com/chromiumos/docs/+/master/constants/syscalls.md
  • The Development Environment : Android Developers. Android Developers, https://developer.android.com/topic/arc/development-environment
  • Nachoparker. Own Your Bits, 14 June 2018, https://ownyourbits.com/2018/06/13/transparently-running-binaries-from-any-architecture-in-linux-with-qemu-and-binfmt_misc/
  • Git at Google. Android container in Chrome OS, archived at https://web.archive.org/web/20200128052853/https://chromium.googlesource.com/chromiumos/platform2/+/master/arc/container-bundle/
  • Oberheide, J. & Miller, C. 2012, June. Dissecting the Android Bouncer [Presentation] @ SummerCON, Brooklyn, New York

Conference: Defcon 29
2021-08-01

Apple's iOS, macOS and other OSes have existed for a long time. There are numerous interesting logic bugs hidden for many years. We demonstrated the world's first public 0day exploit running natively on Apple M1 on a MacBook Air (M1, 2020). Without any modification, we exploited an iPhone 12 Pro with the same bug. In this talk, we will show you the advantage and beauty of the IPC logic bugs, how we rule all Apple platforms, Intel and Apple Silicon alike, even with all the latest hardware mitigations enabled, without changing one line of code. We will talk about the security features introduced by Apple M1, like Pointer Authentication Code (PAC), System Integrity, and Data Protection, and how they make exploiting much harder to provide better security and protect users' privacy. We will talk about different IPC mechanisms like Mach Message, XPC, and NSXPC. They are widely used on Apple platforms and could be abused to break the well-designed security boundaries. We will walk you through some incredibly fun logic bugs we have discovered, share the stories behind them and methods of finding them, and also talk about how to exploit these logic bugs to achieve privilege escalation.

REFERENCES:
  • https://www.youtube.com/watch?v=Kh6sEcdGruU
  • https://support.apple.com/en-us/HT211931
  • https://support.apple.com/en-us/HT211850
  • https://support.apple.com/en-us/HT212011
  • https://support.apple.com/en-us/HT212317
  • https://helpx.adobe.com/security/products/acrobat/apsb20-24.html
  • https://helpx.adobe.com/security/products/acrobat/apsb20-48.html
  • https://helpx.adobe.com/security/products/acrobat/apsb20-67.html

Conference: Defcon 29
2021-08-01

OAuth 2.0 device authorization gives users on limited-input devices like TVs an easier way to authenticate against and authorize a cloud website/app by entering a code on a computer/phone. This authentication and authorization flow leads to new phishing attacks that:
  • do not need server infrastructure: the login page is served by the authorization provider using their domain and cert
  • do not require a client application: application identities can be reused/spoofed
  • do not require user consent of application permissions

Since the phishing attacks hijack OAuth session tokens, MFA will be ineffective as the attacker does not need to reauthenticate. The ability to defend against these attacks is hindered by limited info and functionality to detect, mitigate, and prevent session token compromise. I'll demonstrate these new phishing attacks, access to sensitive user data, and lateral movement. Defensive measures against these phishing attacks will be discussed, specifically the challenges in detection, mitigation, and prevention, and the overall lack of support for managing temporary credentials.

Open-source tools have been developed and will be used to demonstrate how users can:
  • self-phish their organizations using these techniques
  • audit security settings that help prevent/mitigate the attacks

REFERENCES:
1.0 Evolving Phishing Attacks
  • 1.1 A Big Catch: Cloud Phishing from Google App Engine and Azure App Service: https://www.netskope.com/blog/a-big-catch-cloud-phishing-from-google-app-engine-and-azure-app-service
  • 1.2 Microsoft Seizes Malicious Domains Used in Mass Office 365 Attacks: https://threatpost.com/microsoft-seizes-domains-office-365-phishing-scam/157261/
  • 1.3 Phishing Attack Hijacks Office 365 Accounts Using OAuth Apps: https://www.bleepingcomputer.com/news/security/phishing-attack-hijacks-office-365-accounts-using-oauth-apps/
  • 1.4 Office 365 Phishing Attack Leverages Real-Time Active Directory Validation: https://threatpost.com/office-365-phishing-attack-leverages-real-time-active-directory-validation/159188/
  • 1.5 Demonstration - Illicit Consent Grant Attack in Azure AD: https://www.nixu.com/blog/demonstration-illicit-consent-grant-attack-azure-ad-office-365 and https://securecloud.blog/2018/10/02/demonstration-illicit-consent-grant-attack-in-azure-ad-office-365/
  • 1.6 Detection and Mitigation of Illicit Consent Grant Attacks in Azure AD: https://www.cloud-architekt.net/detection-and-mitigation-consent-grant-attacks-azuread/
  • 1.7 HelSec Azure AD write-up: Phishing on Steroids with Azure AD Consent Extractor: https://securecloud.blog/2019/12/17/helsec-azure-ad-write-up-phishing-on-steroids-with-azure-ad-consent-extractor/
  • 1.8 Pawn Storm Abuses OAuth In Social Engineering Attack: https://www.trendmicro.com/en_us/research/17/d/pawn-storm-abuses-open-authentication-advanced-social-engineering-attacks.html
2.0 OAuth Device Code Flow
  • 2.1 OAuth 2.0 RFC: https://tools.ietf.org/html/rfc6749
  • 2.2 OAuth 2.0 Device Authorization Grant RFC: https://datatracker.ietf.org/doc/html/rfc8628
  • 2.3 OAuth 2.0 for TV and Limited-Input Device Applications: https://developers.google.com/identity/protocols/oauth2/limited-input-device
  • 2.4 OAuth 2.0 Scopes for Google APIs: https://developers.google.com/identity/protocols/oauth2/scopes
  • 2.5 Introducing a new phishing technique for compromising Office 365 accounts: https://o365blog.com/post/phishing/#oauth-consent
  • 2.6 Office Device Code Phishing: https://gist.github.com/Mr-Un1k0d3r/afef5a80cb72dfeaa78d14465fb0d333
3.0 Additional OAuth Research Areas
  • 3.1 Poor OAuth implementation leaves millions at risk of stolen data: https://searchsecurity.techtarget.com/news/450402565/Poor-OAuth-implementation-leaves-millions-at-risk-of-stolen-data
  • 3.2 How did a full access OAuth token get issued to the Pokémon GO app?: https://searchsecurity.techtarget.com/answer/How-did-a-full-access-OAuth-token-get-issued-to-the-Pokemon-GO-app