{"id":1875,"date":"2015-11-06T14:40:47","date_gmt":"2015-11-06T13:40:47","guid":{"rendered":"http:\/\/securite.intrinsec.com\/?p=1875"},"modified":"2015-11-06T14:40:47","modified_gmt":"2015-11-06T13:40:47","slug":"hackito-ergo-sum-2015","status":"publish","type":"post","link":"https:\/\/www.intrinsec.com\/en\/hackito-ergo-sum-2015\/","title":{"rendered":"Hackito Ergo Sum 2015"},"content":{"rendered":"

This year Intrinsec was present at the Hackito Ergo Sum conference which took place at the Cit\u00e9 des sciences et de l'industrie.<\/p>\n

The slides and videos from the conferences should be available shortly.<\/p>\n

Keynote by FX from Phenoelit<\/strong><\/p>\n

The conference began with a keynote address divided into two parts. The first part outlined the various aspects of hacking and hackers from recent years to the present day. The second part drew an analogy between human cells and a Turing machine, demonstrating that each biological mechanism a cell is capable of is similar to the mechanisms found in the machine. Considering this, the human body could then be seen as a cluster of Turing machines. Indeed, all four components of the machine are found in the human body: the ribbon is DNA, the reading head is RNA polymerase, the state register is mRNA, and the action table is likened to ribosomes. The only significant difference between these two entities is the information processing time, which is considerably longer in the case of the human body.<\/p>\n

 <\/p>\n

Applying machine learning methods to network mapping hunting<\/strong> \u2013 Camille Mougey & Xavier Martin<\/p>\n

This presentation is a demonstration of the use of the IVRE (Instrument for Monitoring External Networks) software, developed by the CEA. This tool aims to simplify the analysis of the results of large-scale network scans, with a dual objective: for the Blue Team, to understand the network topology and detect anomalies; for the Red Team, to obtain information, observe the evolution of a target over time and find relevant information.<\/p>\n

Thanks to machine learning techniques, it is possible to have results analyzed automatically by a server, without the need for time-consuming and potentially biased human analysis. For example, the tool can create groups of similar machines (web servers, printers, etc.), thus enabling the identification of isolated machines.<\/p>\n

IVRE is available on GitHub: https:\/\/github.com\/cea-sec\/ivre<\/a><\/p>\n

 <\/p>\n

Cracking Sendmail crackaddr<\/strong> \u2013 Still a challenge for automated program analysis \u2013 Bogdan Mihaila<\/p>\n

Bogdan Mihaila is a computer scientist working for the Technical University of Munich. His research focuses on creating a mathematical model to highlight programming errors such as, in the case presented, a buffer overflow.<\/p>\n

This error was discovered in 2003 during a code review of the sendmail application and remains a concrete example of the difficulty of debugging in a computer program. Like the "goto fail" error in OpenSSL, this buffer overflow results from an implementation oversight in the code. When processing an email address, one of the variables used to limit the number of nested parentheses is not decremented, and the successive use of fifty parentheses in the email address allows this buffer overflow to be exploited. In practice, this type of error cannot currently be detected without manually reviewing the code.<\/p>\n

Bogdan Mihaila therefore became interested in this "Sendmail crackaddr challenge," namely how to detect this type of error. To achieve this, he uses a simplified assembly language which he traverses using Markov chains. In the event of a buffer overflow, the variables analyzed by the program are no longer bounded, and the vulnerability is detected.<\/p>\n

 <\/p>\n

Complex malware & forensics investigation<\/strong> \u2013 Paul Rascagn\u00e8res & Sebastien Larinier<\/p>\n

Paul and Sebastien presented their tool, FastIR Collector, an advanced version of the now-defunct FastResponder. This tool automatically retrieves various artifacts from a Windows machine to detect potential traces of compromise. Its goal is to assist reversal investigators and forensic analysts in their search for indicators of compromise (IOCs), saving them considerable time.<\/p>\n

Through six malware examples, the two researchers presented different use cases for the tool and what could be recovered. They were thus able to find malware using registry keys not displayed in regedit, either because they use Unicode encoding in their names or because they store JavaScript code as values, code which is then used during infection.<\/p>\n

FastIR is available on GitHub: https:\/\/github.com\/SekoiaLab\/Fastir_Collector\/<\/a><\/p>\n

 <\/p>\n

Mind your languages!<\/strong> \u2013 Olivier Levillain & Pierre Chifflier<\/p>\n

The two researchers went beyond application security and focused on the intrinsic security of languages. The presentation consists primarily of examples in JavaScript, PHP, Java, Ruby, Perl, Python, and OCaml, showcasing unexpected or illogical results.<\/p>\n

 <\/p>\n

Malicious AVPs: Exploits to the LTE Core<\/strong> \u2013 Laurent Ghigonis & Philippe Langlois<\/p>\n

The two researchers from P1 Security presented a vulnerability affecting Diameter Routing Agents (DRAs) used by telecommunications operators. This equipment is central to the management of LTE mobile networks, as it ensures the correct routing of all an operator's traffic. This is a follow-up to Laurent's presentation at HES2014.<\/p>\n

After a review of how LTE networks work, the presentation focused on the technical details of the attack, which exploits a vulnerability in the implementation of the DIAMETER protocol (the successor to RADIUS) on these routers. Specifically, the length of a field is not correctly checked, allowing the attacker to exploit a stack-overflow vulnerability.<\/p>\n

After a night of exploitation, the researchers successfully exploited the vulnerability and gained administrator privileges on the equipment. From that point on, they were able to shut down the operator's 4G network.<\/p>\n

 <\/p>\n

Android malware that won't make you fall asleep<\/strong> \u2013 Lukasz Siewierski<\/p>\n

Android malware is annoying. It's not obfuscated, it does what it claims, and it doesn't use native code, only the standard API. That's why nobody studies it. So Lukasz started studying it.<\/p>\n

After a brief analysis of manifest.xml, particularly regarding system interpretation issues that allow rewriting the package name by inserting XML code, he presented several malware programs that use interesting biases to execute.<\/p>\n

The first one registers a DLL in Mono within the SMSReceiver. This library then retrieves a Lua script from the Command & Control module to determine its next steps. Therefore, without the Command & Control module, the malware cannot execute any commands.<\/p>\n

The second one stores JavaScript interfaces so that the attacker can execute whatever they want just by sending JavaScript into a web page.<\/p>\n

The third feature of the "application overlay": it opens a dialog box (login) when a legitimate application is launched, making it seem as if it is asking for the credentials again when in fact they will be sent to the malware.<\/p>\n

People have also taken the "text secure" application (now called "signal") and inserted a trojan into it before redistributing it as an "SMS security application".<\/p>\n

This malware does different things depending on the special characters received at the beginning of the SMS, for example:<\/p>\n