
Hack.lu 2017

Intrinsec was present this year for the thirteenth edition of Hack.lu, a security conference held in Luxembourg over three days (October 17-19, 2017). In this article, we offer a selection of the talks that interested us most. This year's program was quite packed, with no fewer than 35 talks over three days. Almost all of the talks were filmed and can be found on a dedicated YouTube playlist: https://www.youtube.com/playlist?list=PLCxOaebc_2yNlOGhuOjInlJvr0Ktb_FYz

Snuffleupagus

Sébastien (blotus) Blot, Thibault (buixor) Koechlin, Julien (jvoisin) Voisin

By default, PHP is relatively permissive, and few methods exist to strengthen its security. A solution like Suhosin should be avoided, as this module is not "PHP7 ready". In addition to traditional methods such as hardening the operating system or implementing a WAF, the engineers at NBS decided to develop their own virtual patching tool for PHP, "Snuffleupagus".

This comes in the form of an Apache module that can be configured to prevent access to certain functions such as system() in certain parts of the application or to prohibit certain characters in arguments. The presenters also demonstrated how the module could protect against vulnerabilities discovered in products such as Roundcube or WordPress.

YouTube link: https://www.youtube.com/watch?v=RzaRiuJ6MkI

WinDBG & Powershell

Paul Rascagnères

With the development of numerous applications based on the .NET framework, it is not surprising that more and more malware also relies on this framework, for example through the use of the PowerShell language.

Paul Rascagnères, a security researcher at Talos, presented how to use the WinDBG debugger to analyze applications based on the .NET framework through two use cases:

  • Analysis of a PowerShell script using the Start() API.
  • Automated analysis of a .NET packer using the PYKD extension.

Thanks to the use of the SOS extension, Windbg fully supports the .NET framework and is therefore a tool of choice when it is necessary to analyze malicious code or scripts relying on this framework. Paul concluded the presentation with a demonstration of a Python script for automating the analysis of malicious PowerShell files, available on GitHub: dotNET_WinDBG

YouTube link: https://www.youtube.com/watch?v=0mVaSm9WBRA

Malicious use of Microsoft “Local Administrator Password Solution”

Maxime Clementz, Antoine Goichot

LAPS is Microsoft's recommended solution for managing local administrator passwords in Windows environments. We previously featured it on this blog: Microsoft LAPS: Managing local administrator passwords

This solution, based on the AdmPwd software, uses a DLL on workstations that is invoked by the GPO and is responsible for password renewal. The two PwC researchers presented their work on repurposing this DLL to elevate privileges on the workstation or for persistence purposes.

Indeed, no integrity or signature verification is performed on the DLL, so an attacker could potentially alter its normal operation by replacing it with a malicious one. The demonstration focused on two features: the ability to change the password at will and the ability to save the password to a text file after each change. Naturally, by default, the DLL cannot be modified by a standard user, so it is essential to verify the user's permissions on the file and ensure that updates are correctly applied to the workstation.

YouTube link: https://www.youtube.com/watch?v=opSctm4L8kE

The Bicho: An Advanced Car Backdoor Maker

Sheila Ayelen Berta, Claudio Caracciolo

Sheila Ayelen Berta demonstrated the tools she developed during her research on "non-connected" cars equipped with a CAN bus. The goal was to identify how the CAN bus communicates with the car's components, with the aim of inserting a backdoor into the vehicle and triggering remote actions.

Initially, the presentation focused on methods for auditing the CAN buses of different cars in order to intercept transmitted messages and replay them. Once the messages are identified, the Car Backdoor Maker tool comes into play: it loads a list of instructions onto a piece of equipment which is then connected to the victim's car.

Once the backdoor is installed, it's possible to trigger actions remotely by sending a simple SMS. It's also possible to trigger actions based on the car's GPS location.

YouTube link: https://www.youtube.com/watch?v=9UASD7CE4lY

Keynterceptor: Press any key to continue

Niels van Dijkhuizen

Attacks using USB device emulation are not new; however, they all share the same weaknesses: they require access to an unlocked machine, and current tools are not capable of simultaneously intercepting and injecting data. Furthermore, several protections now exist to guard against these attacks, for example USG, USBProxy or USBGuard. Niels then presented his solution for intercepting and injecting content via USB while bypassing various existing countermeasures.

The implant consists of a USB device that intercepts the keyboard and clones its USB characteristics (identifier, voltage, etc.), and a companion device. To send commands to the interceptor, the two devices communicate at 433 MHz. The companion device can then be contacted remotely using a 4G connection. It then becomes possible to manage both the companion and the interceptor from a smartphone.

The presentation concluded with a demonstration of the device, which was very interesting in the context of a red team.

YouTube link: https://www.youtube.com/watch?v=gHqIIU-Ys6M

A view into ALPC-RPC

Clement Rouault, Thomas Imbert

Following their short talk at BeeRumP, "From ALPC to UAC Bypass", and in order to circumvent UAC (User Access Control), they took an interest in the workings of ALPC (Advanced Local Procedure Call). This mechanism enables communication between multiple processes in client/server mode. They were particularly interested in the functions of RPC-over-ALPC.

After describing how ALPC works, they presented the reverse engineering steps that allowed them to understand the structure of ALPC exchanges. This enabled them to create a Python library, Python for Windows, which simplifies the implementation of ALPC exchanges.

Using these ALPC and RPC messages, they were able to fuzz the protocol and find numerous vulnerabilities, including a UAC bypass, referenced as CVE-2017-11783. The talk presented all the technical details required to recreate the exploit code.

YouTube link: https://www.youtube.com/watch?v=D-F5RxZ_yXc

The untold stories of Hackers in detention

During this presentation, two hackers arrested for cybercrimes shared their stories, from their arrest to their imprisonment. Through their accounts, they attempted to convey to the audience best practices to adopt in case of arrest, appropriate behavior while incarcerated, and how they coped with the aftermath. We will not go into further detail, as no presentation materials or videos were available, at the presenters' request.

Infosec and failures

Ange Albertini

During this keynote address, Ange Albertini shared his perspective on "failures" in the world of cybersecurity. His aim wasn't to point fingers at anyone in the field, but rather to encourage everyone to reflect on their ability to accept setbacks and persevere. It's difficult to summarize all the key messages in a few sentences, but the tone was consistently positive and encouraging. We highly recommend watching the full video, which will resonate with both beginners and experienced professionals.

YouTube link: https://www.youtube.com/watch?v=erZ2JlfTtcE

SIGMA: Generic signatures for log events

Thomas Patzke

When it comes to analyzing logs and detecting attacks, no standardized format currently exists, unlike Yara, or Snort at the network level. SIGMA attempts to address this problem.

By creating rules in YAML format, SIGMA allows for log analysis and the detection of attacks that could occur on a system or web application. Thomas Patzke presented concrete examples of SIGMA's use, such as:

  • Mimikatz detection during access to the LSASS.exe process
  • Webshell detection
  • Identity theft detection on Windows (attempts to log in to multiple accounts from a single source).

The great strength of this tool is that it includes a converter that generates ready-to-use queries for tools like Splunk or Elasticsearch. This tool is open source and looks promising given its features.

YouTube link: https://www.youtube.com/watch?v=OheVuE9Ifhs

In Soviet Russia, Vulnerability Finds You

Inbar Raz

The main focus of this talk was the discovery of vulnerabilities "by chance" while browsing the internet. Through examples, the speaker presented various vulnerabilities, their consequences, and the sometimes difficult communication with the affected parties.

  • Taxi company: Without authentication and just with a phone number, it was possible to retrieve customer details.
  • International airport in Eastern Europe: Discovery of the airport's central switch from a self-service terminal using the default administrator password.
  • Tinder bot: research into a network of fake Tinder accounts enticing users to sign up for online dating sites, and the investigation that led to the person behind these accounts.
  • A coffee chain in Israel: how, starting with simple online access to his loyalty account and using its magnetic card, he was able to create valid fake payment cards and learn the balance of every customer.

In conclusion, Inbar recommends that everyone continue to be curious and report any identified vulnerabilities.

Front door Nightmares. When smart is not secure

ObiWan666

ObiWan666 investigated the security of so-called "smart" locks, focusing primarily on the electronic mechanisms they incorporate. After a presentation on the general operation of the various prototypes analyzed, five attack vectors were identified:

  • Electronic bypass: By connecting directly to the lock's motor, it is possible to force it open.
  • Signal replay: By analyzing the opening and closing sequence transmitted to the motor, it is possible to replay them in order to trigger them on the fly.
  • Brain implant attack: If it is possible to access the electronic part of the lock, the attacker is able to temporarily replace its "brain" with a "custom brain" in order to open the lock.
  • Traditional lockpicking: Locks generally have a slot allowing them to be opened with a regular key in case of emergency, which can be opened using lockpicking tools.
  • Miscellaneous: various other methods have also been used to bypass the mechanisms of these locks, such as using a drill or a bump key.

Despite the various vulnerabilities discovered, the presenter does not rule out the use of these smart locks, provided of course that they are used for specific needs and correctly implemented.

Vulnerability disclosure, governments and you

Jeroen van der Ham

Responsible disclosure, i.e. reporting discovered vulnerabilities outside of any legal framework, remains complicated. The speaker, working for the Dutch equivalent of the French National Cybersecurity Agency (NCSC-NL), presented the approach taken by his government to facilitate the reporting of vulnerabilities impacting all private and public companies in the country.

He then used examples to illustrate various hackers who had reported vulnerabilities and the resulting consequences, both in terms of legal repercussions and the rewards offered by companies. In conclusion, businesses are increasingly understanding that coordinated vulnerability reporting allows for the rapid implementation of patches without damaging their reputation.

YouTube link: https://www.youtube.com/watch?v=A8I-PnqMMKs
