NoSuchCon 2014 Conference – Day 2

As part of its monitoring activities, Intrinsec attended the second edition of the NoSuchCon international conference, which took place from November 19 to 21, 2014, at the Espace Niemeyer, the headquarters of the French Communist Party (PCF) in Paris. The presentations were in English, technical and to the point (bullshit-free).

(Image source: http://www.nosuchcon.org/)

We offer summaries of the conference's presentations: day 1, day 2 (this article) and day 3.

We would also like to thank the organizers and student volunteers who managed this event very well, as well as the speakers who shared their knowledge and discoveries.

Day 2

«Understanding and defeating Windows 8.1 Patch Protections: it's all about gong fu! (part 2)» – Andrea Allievi (Cisco)

Slides: http://www.nosuchcon.org/talks/2014/D2_01_Andrea_Allievi_Win8.1_Patch_protections.pdf

Andrea Allievi recalled the protection mechanisms added to the latest versions of Windows to make it more difficult to compromise the operating system.

In particular: PatchGuard protects the Windows kernel, and Driver Signing Enforcement restricts execution within the kernel to signed drivers only.

PatchGuard works by abruptly shutting down the operating system whenever it detects that the kernel has been tampered with. Various ways to defeat it have been discovered, and Microsoft patches them each time. Andrea therefore chose a different offensive approach: rather than trying to bypass or block this mechanism, he sought to use it to protect his own malicious code!

After three months of hard work, he managed to install a hook on the kernel API for file creation and to have that hook protected by PatchGuard itself. Thus, if anti-rootkit software tries to remove it, the protection kicks in and shuts down the system!

«Mimikatz» – Benjamin Delpy

Slides: http://www.nosuchcon.org/talks/2014/D2_02_Benjamin_Delpy_Mimikatz.pdf

Benjamin Delpy, creator of the mimikatz tool, reviewed how authentication (LSA, NTLM, Kerberos) works in Windows and the design choices behind the SSO (Single Sign-On) mechanism, which make the Pass-The-Hash attack possible and for which there is no countermeasure.

Windows domains tend to move from NTLM authentication to the Kerberos protocol, and his research is now focused on this area.

Benjamin presented the already known features of mimikatz: Overpass-The-Hash (obtaining Kerberos tickets from password hashes alone), Pass-The-Ticket (ticket theft and reuse), and Golden/Silver tickets (forging domain administrator tickets or service-specific tickets that remain valid for a long period).

Regarding Golden Tickets, an attacker only needs the password hash of the krbtgt account, and this hash rarely changes (only when the domain's functional level is modified). Two values are accepted: the current one and the previous one! This hash can leak at several levels: a domain dump (AD password audit or compromise), a copy of a domain controller's file system (backup tape or share), or the compromise of a hypervisor hosting a domain controller (and therefore access to its file system).

It should also be noted that the password of the krbtgt account is not renewed automatically, and that Microsoft does not recommend this procedure because it is not reliable (an example was cited of a denial of service on a domain that lasted half a day).

The new attack presented is called Pass-The-Cache: it involves extracting the Kerberos ticket cache from Ubuntu or Mac OS X machines that access the Windows domain, then converting it with mimikatz and injecting it for use. This makes it possible to attack users of these two systems and then impersonate them on a Windows domain.

The mimikatz tool also allows, via the injection of a driver, removing the protection of protected processes (for example, lsass.exe) or, conversely, having the system protect a program (for example, mimikatz itself). It is also possible to render antivirus software ineffective by disconnecting it from the OS notification system.

Benjamin concluded by praising Microsoft's efforts to strengthen the security of Windows systems and domains in a challenging context (performance, backward compatibility, etc.).

«Google Apps Engine security» – Nicolas Collignon (Synacktiv)

Slides: http://www.nosuchcon.org/talks/2014/D2_03_Nicolas_Collignon_Google_Apps_Engine_Security.pdf

Google App Engine (GAE) is Google's cloud offering for designing and hosting web applications (PaaS: Platform as a Service). Nicolas Collignon presented the security flaws that can appear when using this platform, from three perspectives.

First, there are the mistakes developers can make. Nicolas reminded us that this platform is not magic and does not protect against classic web vulnerabilities (SQLi, XSS, CSRF, XXE, etc.), which remain the developers' responsibility. Furthermore, some APIs, such as urlfetch and socket, are not secure by default: developers must explicitly request validation of the certificate and of the remote host name for SSL/TLS exchanges. Nicolas also reminded everyone that the elasticity property of the cloud (the number of instances grows with the load) poses a dilemma in the event of a denial-of-service attack: either the customer is overcharged, or they set a quota, in which case the service is made unavailable all the more easily!

At the infrastructure level, tests cannot be run locally by developers, who therefore hold credentials granting indiscriminate access to both test and production instances. Compromising a developer's workstation can thus give access to production, which is less common in a traditional infrastructure. Furthermore, GAE allows several versions of an application to run in parallel, with or without debugging features: it is therefore possible to compromise production version 2 from production version 1, or from development version 3!

Vulnerabilities have also been discovered in the sandbox used by Google to segment applications. The protection offered is weaker if the development mode is used.

«Blended Web and Database Attacks on Real-time, In-Memory Platforms» – Ezequiel Gutesman (Onapsis)

Slides: http://www.nosuchcon.org/talks/2014/D2_04_Ezequiel_Gutesman_Blended_Web_and_database_Attacks_on_real_time.pdf

Advances in computer hardware mean that it is now possible to have databases of several hundred gigabytes running entirely in memory for significant performance gains.

SAP, the publisher of the eponymous ERP system, implemented such a database: HANA. Its design goes beyond a traditional database, as it includes a web server and allows for the direct hosting of applications!

This target is of interest to Ezequiel Gutesman because highly sensitive company data is intended to be stored there (risks of espionage, sabotage or fraud) and the attack surface is substantial.

The hosted web applications and the database are tightly linked: for example, application users are necessarily database users, and the application's source code is stored in the database. A SQL injection is therefore restricted to the data accessible to the current user; however, if that user has privileged access, it becomes possible to modify the pages themselves (defacement or insertion of malicious code).

Because SQL injections are restricted to the current user, this leads to blended attacks combining social engineering and SQLi.

The countermeasures are classic: fine-grained restriction of user privileges and use of prepared statements.

HANA can also use a statistical computing engine based on R. Ezequiel offered configuration recommendations to ensure that it is properly protected.

In conclusion, critical business processes and information are migrating to new technologies whose security must be assessed (research, penetration testing, auditing). HANA was designed with security in mind, but several factors still rely on human error (administrators, developers, and end users).

The presentation concluded with practical guides (cheat sheets) that are useful when a HANA database is encountered during a penetration test.

«USBArmory» – Andrea Barisani (Inverse Path)

Slides: http://www.nosuchcon.org/talks/2014/D2_05_Andrea_Barisani_forging_the_usb_armory.pdf

The USB armory is a free and open system that aims to turn a USB key into a "smart" device providing security features.

The features currently being considered are as follows:

  • USB flash drive with automatic encryption and antivirus scanning
  • SSH client and agent for use on untrusted machines (kiosks)
  • OpenVPN or Tor router
  • password manager
  • digital wallet
  • authentication token generator
  • platform for performing penetration tests or low-level USB attacks


Design of the product, which is open source, began in early 2014. Several iterations have been carried out, and Andrea Barisani hopes to release the final version in December 2014.

The presentation was also an opportunity to review the choices, difficulties and errors encountered during the design of the product, always in an open spirit.

«Fuzzing and Patch Analysis: SAGEly Advice» – Richard Johnson (SourceFire/Cisco)

Slides: http://www.nosuchcon.org/talks/2014/D2_06_Richard_Johnson_Sagely_Advice.pdf

Richard Johnson presented a method for finding vulnerabilities in programs. Techniques based on random input generation (fuzzing) have obvious limits in terms of exhaustiveness, so the speaker introduced concolic test generation.

This method involves instrumenting the program under test to build a tree of its branches (one at each conditional test) in order to generate all the inputs needed to cover the maximum number of execution paths, without testing identical paths twice (a risk of the fuzzing approach). The results are good and allow many vulnerabilities to be discovered.
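To make the difference with random fuzzing concrete, here is a toy concolic engine in Python. It is an added illustration written for this summary, not code from Richard Johnson's talk or from SAGE: the `Sym` wrapper, the `solve` helper, the `concolic_explore` driver and the `target` program (a constructed parser whose deep branch requires guessing a 16-bit magic value) are all assumptions made for the example.

```python
from collections import deque

class Sym:
    """Concrete input value that records each branch decision it drives."""
    def __init__(self, name, val, trace):
        self.name, self.val, self.trace = name, val, trace
    def _branch(self, op, const, outcome):
        self.trace.append((self.name, op, const, outcome))  # path constraint
        return outcome
    def __eq__(self, c): return self._branch("==", c, self.val == c)
    def __gt__(self, c): return self._branch(">", c, self.val > c)

def holds(vals, name, op, c, want):
    v = vals[name]
    return (v == c if op == "==" else v > c) == want

def solve(constraints, base):
    """Toy solver for ==/> integer constraints (a real engine uses an SMT solver)."""
    vals = dict(base)
    for name, op, c, want in constraints:
        v = vals[name]
        if op == "==":
            v = c if want else (c + 1 if v == c else v)
        else:
            v = max(v, c + 1) if want else min(v, c)
        vals[name] = v
    return vals if all(holds(vals, *k) for k in constraints) else None

def concolic_explore(program, seed):
    """Run on seed, then negate recorded branches one at a time until no new path is found."""
    work, seen, results = deque([dict(seed)]), set(), []
    while work:
        inp, trace = work.popleft(), []
        out = program(**{k: Sym(k, v, trace) for k, v in inp.items()})
        path = tuple(trace)
        seen.add(path)                       # never re-run an identical path
        results.append((inp, out))
        for i, (name, op, c, taken) in enumerate(path):
            flipped = path[:i] + ((name, op, c, not taken),)
            if flipped in seen:
                continue
            cand = solve(flipped, seed)
            if cand:                         # feasible: queue the new input
                seen.add(flipped)
                work.append(cand)
    return results

MAGIC = 0x4D5A  # constructed toy file-format check

def target(magic, length):
    """Constructed parser: a random fuzzer almost never hits MAGIC, let alone the deep path."""
    if magic == MAGIC:
        if length > 1000:
            return "crash"   # the deep path we want test generation to reach
        return "ok"
    return "rejected"

def find_crash():
    runs = concolic_explore(target, {"magic": 0, "length": 0})
    return [inp for inp, out in runs if out == "crash"]
```

Three executions suffice to cover all three paths of `target`, whereas a random fuzzer would need on the order of 2^16 attempts just to pass the magic check.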

The second part, which Richard did not have time to cover, showed how to discover vulnerabilities by examining the changes made by vendors' security patches. The approach presented reduces the number of changes that need to be analysed manually.

— Clément Notin