
Hackito Ergo Sum 2015

This year Intrinsec attended the Hackito Ergo Sum conference, which took place at the Cité des sciences et de l'industrie.

The slides and videos from the conferences should be available shortly.

Keynote by FX from Phenoelit

The conference began with a keynote address divided into two parts. The first part outlined the various aspects of hacking and hackers from recent years to the present day. The second part drew an analogy between a human cell and a Turing machine, showing that each biological mechanism a cell is capable of has a counterpart in the machine. Seen this way, the human body becomes a cluster of Turing machines. Indeed, all four components of the machine are found in the cell: the tape is DNA, the read head is RNA polymerase, the state register is mRNA, and the action table is played by the ribosomes. The only significant difference between the two is the information processing time, which is considerably longer in the case of the human body.

 

Applying machine learning methods to network mapping hunting – Camille Mougey & Xavier Martin

This presentation is a demonstration of the use of the IVRE (Instrument for Monitoring External Networks) software, developed by the CEA. This tool aims to simplify the analysis of the results of large-scale network scans, with a dual objective: for the Blue Team, to understand the network topology and detect anomalies; for the Red Team, to obtain information, observe the evolution of a target over time and find relevant information.

Thanks to machine learning techniques, it is possible to have results analyzed automatically by a server, without the need for time-consuming and potentially biased human analysis. For example, the tool can create groups of similar machines (web servers, printers, etc.), thus enabling the identification of isolated machines.

IVRE is available on GitHub: https://github.com/cea-sec/ivre

 

Cracking Sendmail crackaddr – Still a challenge for automated program analysis – Bogdan Mihaila

Bogdan Mihaila is a computer scientist working for the Technical University of Munich. His research focuses on creating a mathematical model to highlight programming errors such as, in the case presented, a buffer overflow.

This bug was discovered in 2003 during a code review of the sendmail application and remains a concrete example of how hard it is to find such errors in a program. Like the "goto fail" error in OpenSSL, this buffer overflow results from an implementation oversight in the code. When processing an email address, one of the variables used to bound the number of nested parentheses is never decremented, so an email address containing fifty successive parentheses allows the buffer overflow to be exploited. In practice, this type of error cannot currently be detected without manually reviewing the code.

Bogdan Mihaila therefore took an interest in this "Sendmail crackaddr challenge", namely how to detect this type of error automatically. To achieve this, he uses a simplified assembly language which he traverses using Markov chains. In the event of a buffer overflow, the variables tracked by the analysis are no longer bounded, and the vulnerability is detected.
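The core of the bug, as described above, is an accounting asymmetry: the limit that guards the copy is raised on a closing parenthesis but never lowered on the opening one. The following is an added example, written for this report and not sendmail's crackaddr() code nor Bogdan Mihaila's tool; it is a deliberately simplified model in which the buffer size (200), the 10-byte margin and the copy-loop bookkeeping are assumptions. It never writes into a buffer: it only replays the bookkeeping and reports the highest value the write limit reaches, which is exactly the "is this variable still bounded?" question the analysis asks.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed, simplified model of the copy loop described in the text.
 * NOT sendmail's crackaddr() code; BUFSIZE and MARGIN are assumptions
 * chosen for illustration. */
#define BUFSIZE   200
#define MARGIN    10
#define MAX_PAIRS 64

/* Replays the bookkeeping of the copy loop without touching any buffer:
 * it only tracks the write limit ("upperlimit") the loop would compare
 * against. A '(' opens a comment and, in the corrected variant, lowers the
 * limit by one (room for the ')' appended at the end); a ')' closes the
 * comment and raises the limit again. With fixed == false the '(' side is
 * skipped, the oversight described in the text, so every ')' pushes the
 * limit one byte further. Returns the highest value the limit reached. */
size_t model_limit(const char *addr, bool fixed) {
    size_t upperlimit = BUFSIZE - MARGIN;
    size_t max_limit = upperlimit;
    bool in_comment = false;

    for (const char *p = addr; *p != '\0'; p++) {
        if (*p == '(' && !in_comment) {
            in_comment = true;
            if (fixed)
                upperlimit--;          /* the decrement that was missing */
        } else if (*p == ')' && in_comment) {
            in_comment = false;
            upperlimit++;
        }
        if (upperlimit > max_limit)
            max_limit = upperlimit;
    }
    return max_limit;
}

/* The property an analysis would check: the write limit must never exceed
 * the real buffer size, whatever the input looks like. */
bool limit_stays_bounded(const char *addr, bool fixed) {
    return model_limit(addr, fixed) <= BUFSIZE;
}

/* Builds a constructed address made of n "()" pairs (n capped at MAX_PAIRS)
 * and reports the highest limit the model reached for it. */
size_t paren_address_limit(size_t n, bool fixed) {
    char addr[2 * MAX_PAIRS + 1];
    size_t i;
    if (n > MAX_PAIRS)
        n = MAX_PAIRS;
    for (i = 0; i < n; i++) {
        addr[2 * i] = '(';
        addr[2 * i + 1] = ')';
    }
    addr[2 * n] = '\0';
    return model_limit(addr, fixed);
}

bool paren_address_bounded(size_t n, bool fixed) {
    return paren_address_limit(n, fixed) <= BUFSIZE;
}

int main(void) {
    printf("50 pairs, missing decrement: limit %zu (buffer %d) -> %s\n",
           paren_address_limit(50, false), BUFSIZE,
           paren_address_bounded(50, false) ? "bounded" : "UNBOUNDED");
    printf("50 pairs, corrected loop:    limit %zu (buffer %d) -> %s\n",
           paren_address_limit(50, true), BUFSIZE,
           paren_address_bounded(50, true) ? "bounded" : "UNBOUNDED");
    return 0;
}
```

With the decrement missing, each "()" pair raises the limit by one, so an address with enough parentheses pushes it past the buffer size; with the decrement restored the limit can never rise above its initial value. Tracking the bound rather than the buffer contents is what lets such a check flag the defect without ever triggering the overflow.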

 

Complex malware & forensics investigation – Paul Rascagnères & Sebastien Larinier

Paul and Sebastien presented their tool, FastIR Collector, an advanced version of the now-defunct FastResponder. This tool automatically collects various artifacts from a Windows machine to detect potential traces of compromise. Its goal is to assist reverse engineers and forensic analysts in their search for indicators of compromise (IOCs), saving them considerable time.

Through six malware examples, the two researchers presented different use cases for the tool and what could be recovered. They were thus able to find malware using registry keys not displayed in regedit, either because they use Unicode encoding in their names or because they store JavaScript code as values, code which is then used during infection.

FastIR is available on GitHub: https://github.com/SekoiaLab/Fastir_Collector/

 

Mind your languages! – Olivier Levillain & Pierre Chifflier

The two researchers went beyond application security and focused on the intrinsic security of languages. The presentation consists primarily of examples in JavaScript, PHP, Java, Ruby, Perl, Python, and OCaml, showcasing unexpected or illogical results.

 

Malicious AVPs: Exploits to the LTE Core – Laurent Ghigonis & Philippe Langlois

The two researchers from P1 Security presented a vulnerability affecting Diameter Routing Agents (DRAs) used by telecommunications operators. This equipment is central to the management of LTE mobile networks, as it ensures the correct routing of all an operator's traffic. This is a follow-up to Laurent's presentation at HES2014.

After a review of how LTE networks work, the presentation focused on the technical details of the attack, which exploits a vulnerability in the implementation of the DIAMETER protocol (the successor to RADIUS) on these routers. Specifically, the length of a field is not correctly checked, allowing the attacker to exploit a stack overflow vulnerability.

After a night spent on the exploit, the researchers successfully exploited the vulnerability and gained administrator privileges on the equipment. From that point on, they were able to shut down the operator's 4G network.

 

Android malware that won't make you fall asleep – Lukasz Siewierski

Android malware is annoying. It's not obfuscated, it does what it claims, and it doesn't use native code, only the standard API. That's why nobody studies it. So Lukasz started studying it.

After a brief analysis of manifest.xml, particularly regarding system parsing issues that allow the package name to be rewritten by inserting XML code, he presented several malware programs that use interesting tricks to execute.

The first one registers a DLL in Mono within the SMSReceiver. This library then retrieves a Lua script from the Command & Control module to determine its next steps. Therefore, without the Command & Control module, the malware cannot execute any commands.

The second one stores JavaScript interfaces so that the attacker can execute whatever they want just by sending JavaScript into a web page.

The third uses an "application overlay": it opens a login dialog box when a legitimate application is launched, making it seem as if the application is asking for the credentials again, when in fact they are sent to the malware.

People have also taken the TextSecure application (now called Signal) and inserted a trojan into it before redistributing it as an "SMS security application".

This malware behaves differently depending on the special character received at the beginning of the SMS, for example:

  • / : it forwards the SMS to another number
  • ! : it uninstalls itself

That's why Polish banks are now sending OTPs in SMS messages that start with !

Finally, the talk concluded with technical details regarding Android's operation. SMS uses a port system (similar to TCP or UDP) to determine whether messages are standard SMS, WAP push, etc. Some ports are unused, and by default the phone does nothing with them (no notifications, etc.). It might therefore be possible to use these ports to send commands to the phone invisibly.

 

Mechanical Locks Opening and Forensic Analysis – Alexandre TRIFFAULT

This talk on lockpicking deals with the physical traces left by intruders who open locks using non-destructive attacks.

The presentation began with a live demonstration of 4 attack techniques that leave little or no trace visible to the naked eye:

  • Single-pin picking: using a standard lockpicking kit
  • Electric pick gun: using an electric gun to jolt the pins
  • Manual pick gun: same technique as before, but with manual activation
  • Bump key: using a specially cut key and a hammer to open the lock

Using a microscope, Alexandre highlighted the various marks left on the different parts of the lock, primarily on the pins. Although invisible without tools, these marks are specific and allow identification of the attack used to open the door. However, this analysis is destructive since the lock must be disassembled to extract the pins.

 

Pentesting airports: field experiences – Raoul «Nobody» Chiesa

Raoul Chiesa and his team had the opportunity to realize their dream: performing a penetration test at one of the largest European airports. Despite some disagreements over the price of the service, due to the client's lack of familiarity with the subject, they were selected to carry out a complete security assessment.

After sharing a few anecdotes about his personal experiences and involvement in the security field, Raoul Chiesa presented the results of the penetration test conducted with his team, SecurityBroker. For an entity of such importance and scale, one would expect exemplary security, but the results were quite surprising. Indeed, in addition to the usual vulnerabilities in common products like OpenSSL, the results also included SMB NULL sessions, guest Wi-Fi networks giving access to the airport's internal network, administrative interfaces accessible with trivial or default credentials, and more. This allowed them to access databases containing the personal information of all passengers who had passed through the airport, to reach the customs scanners, and even to modify the information displayed on the airport's information screens (who hasn't dreamed of doing that? ;)).

Ultimately, this raises questions about the security of airports, a critical infrastructure. This example is glaring, but most of these vulnerabilities have also been found during unofficial penetration tests at other airports around the world.