\n
\n
\n
Top 3 \u2013 Favorites
<\/strong><\/em><\/h1>\nAmong the high-quality programming at this year's event, three presentations particularly caught my attention, both for the topics covered and the delivery. This is a subjective opinion, and I encourage you to watch them now. replay<\/em> of these presentations.<\/p>\n\n
Deep Attack Surfaces, Shallow Bugs<\/strong><\/em><\/a><\/strong><\/em><\/h3>\n<\/h3>\n
Presented by Valentina Palmiotti @Chompie1337<\/em>, this conference<\/a> echoes a tweet published last December about a critical vulnerability found in a Windows authentication protocol (https:\/\/twitter.com\/chompie1337\/status\/1602757336908660736<\/a>).<\/p>\n![\"\"](\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/06\/03.png\")
<\/p>\n
The first part is dedicated to the path of discovering a vulnerability. Several steps are systematically included:<\/p>\n
\n- \n
\n- Target selection<\/li>\n
- The discovery of the bug<\/li>\n
- Its exploitation<\/li>\n
- Success or failure<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
The author highlights the rarity of publications by researchers who recount their failures, even though this is the most common outcome. She describes these failures as inherent to the profession and also essential. It is by following a methodical approach that researchers find vulnerabilities, and the complexity lies primarily in identifying where a flaw is located rather than in identifying the vulnerability itself. She also points out that most of the flaws found are often the same, which can become tedious.<\/p>\n
She thus distinguishes between two research approaches. One is for a "monogamous" researcher profile: the researcher focuses on a single project to master its code as much as possible, which avoids wasting time switching topics. The other is for a researcher less loyal to their targets, who tires more quickly and therefore regularly changes their scope. This is the case for the author, who has already obtained results for different operating systems or kernel components, for example. The choice of targets is based on various criteria such as their development history, source code accessibility, architecture, etc.<\/p>\n
Secondly, the application of this method was used to illustrate the search process. The objective was to find a critical vulnerability in a component for which few or no such vulnerabilities had been discovered in the past. The intended attack surface therefore had to meet the following criteria:<\/p>\n
\n- \u00ab"High Severity": The bug found must have a major impact in a broad sense.<\/li>\n
- \u00ab"Ubiquitous": The attack surface must be present on many systems with a default configuration<\/li>\n
- \u00ab"Complex": The target must have complex features with unreliable user input, with components added over time.<\/li>\n
- \u00ab"Unpopular" (optional): The project should not have been audited too extensively by researchers so that trivial vulnerabilities have not yet been discovered.<\/li>\n<\/ol>\n
She therefore examined the Windows environment and, after listing the protocols and servers of major interest according to the stated criteria, selected SMB. Next, she listed and categorized the different components of SMB to distinguish the following: "NetBIOS," "Dialect\/Capability Negotiation," "Session Setup\/User Authentication," "Client File Ops & other." After evaluating each, authentication was selected. Here is the chronology of the selection process:<\/p>\n
![\"\"](\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/06\/04.png\")
<\/p>\n
Figure 1 \u2013 Target selection process (Excerpt from the SSTIC presentation, slide 41)<\/em><\/p>\nWindows authentication relies on the Security Support Provider Interface (SSPI) and uses Security Support Providers (SSPs) in the form of DLLs. The main SSPs are Keberos, NTLM, PKU2U, CredSSP, SPNEGO, and NEGOEXTS. Since the latter two have very few known vulnerabilities (one for SPNEGO and none for NEGOEXTS), they were the natural choice.<\/p>\n
Once the target was determined, the code analysis phase could begin, starting by finding the implementation of NEGOEXT (loaded at startup in LSA) and then reverse engineering this protocol. After reading the protocol documentation, the goal was then to find the function of parsing<\/em> of messages. Once identified and after several analysis passes, a race condition can be exploited following the sending of multiple Negoex Session Setup requests. Its exploitation can allow an attacker to execute arbitrary code remotely.<\/p>\nFinally, to the problem of "Finding a bug with a major impact in a widely used and complex technology," Chompie responds with CVE-2022-37958, a vulnerability in SPNego NegoEx leading to a critical failure escape (CFE). And to conclude, attack surface analysis is just as much an art as vulnerability research.<\/p>\n
\n
CERTA\/CERT-FR: A look back at 20+ years of CERTs at ANSSI<\/strong><\/em><\/h3>\n<\/strong><\/em><\/p>\nThe deputy director of operations at ANSSI, Mathieu Feuillet, intervened to the closing presentation<\/a> by reviewing the history of the ANSSI CERT and its main activities.<\/p>\nFrom CERT-A, created in anticipation of the Y2K bug, to the CERT-FR we know today, the organization has grown progressively in response to cyber threats, evolving both structurally and in terms of the resources deployed. In parallel, CERT-FR also contributes to the development of the CSIRT ecosystem by supporting the various stakeholders. Today, the operations conducted at the heart of the agency address espionage, destabilization, and cybercrime attacks.<\/p>\n
The 2011 Bercy breach was a pivotal moment in the agency's operational activity. Indeed, the detection of this incident, a campaign "linked to China through open sources," represented the first large-scale operation that allowed for the establishment of principles subsequently applied numerous times. This event marked the beginning of the consistent targeting of France for political, diplomatic, economic, and industrial purposes. A timeline of attacks suffered by a key government sector was presented, highlighting the omnipresence of attacks that systematically involved at least four simultaneous malicious activities:<\/p>\n
![\"\"](\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/06\/05.png\")
<\/p>\n
Figure 2 \u2013 Periods of malicious activity for a sovereign sector X (Extract from the SSTIC presentation, slide 21)<\/em><\/p>\nFor the next three years, the attacks were persistent, large-scale, and targeted both government agencies and critical infrastructure. The latter were then included in the scope of the operation. Starting in 2017, these attacks returned, more discreet than before, and increasingly targeted IT services companies and other downstream entities, before rebounding on the targets themselves. Finally, since 2021, and still with the same rebound strategy, the targeted organizations are increasingly smaller and generally lack adequate security measures. In addition to the aforementioned targeted entities, embedded equipment such as routers, firewalls, and Wi-Fi access points are also being targeted.<\/p>\n
2021 has seen the most mass data breaches to date. New techniques have been deployed, including the publication of certain attacker indicators and methods to hinder attacks. 2021 was also the year of Pegasus, the spying on high-profile individuals through the compromise of their phones, as well as Solarwinds and Log4j, for which proactive measures were developed to better protect potential victims.<\/p>\n
Furthermore, regarding destabilization, the agency has notably had to combat hacktivism, which emerged significantly following the 2015 attacks and the 2022 war in Ukraine. These malicious actions are politically motivated and primarily involve denial-of-service attacks and defacement (for example, the sabotage operation of TV5 Monde in 2015<\/a>, or Ka-Sat in 2022).<\/p>\nAs for cybercrime, the emergence of ransomware began in 2018 with the targeting of large entities ("big game hunting"), less precise and more opportunistic than before. The victims are generally companies with the least security compared to the average ("In cybercrime, it's like when you're being chased by a lion: you shouldn't outrun the lion, you should outrun someone else"). The impacts of this type of attack vary and materialize in concrete ways. For example, for healthcare facilities, the consequences directly affect patients.<\/p>\n
In conclusion, defensive actions are essential and effective in the face of an increasing threat.<\/p>\n
\n
Bug hunting in Steam: a journey into the Remote Play protocol<\/strong><\/em><\/h3>\n
\n
Deep Attack Surfaces, Shallow Bugs<\/strong><\/em><\/a><\/strong><\/em><\/h3>\n<\/h3>\n
Presented by Valentina Palmiotti @Chompie1337<\/em>, this conference<\/a> echoes a tweet published last December about a critical vulnerability found in a Windows authentication protocol (https:\/\/twitter.com\/chompie1337\/status\/1602757336908660736<\/a>).<\/p>\n<\/p>\n
The first part is dedicated to the path of discovering a vulnerability. Several steps are systematically included:<\/p>\n
\n- \n
\n- Target selection<\/li>\n
- The discovery of the bug<\/li>\n
- Its exploitation<\/li>\n
- Success or failure<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
The author highlights the rarity of publications by researchers who recount their failures, even though this is the most common outcome. She describes these failures as inherent to the profession and also essential. It is by following a methodical approach that researchers find vulnerabilities, and the complexity lies primarily in identifying where a flaw is located rather than in identifying the vulnerability itself. She also points out that most of the flaws found are often the same, which can become tedious.<\/p>\n
She thus distinguishes between two research approaches. One is for a "monogamous" researcher profile: the researcher focuses on a single project to master its code as much as possible, which avoids wasting time switching topics. The other is for a researcher less loyal to their targets, who tires more quickly and therefore regularly changes their scope. This is the case for the author, who has already obtained results for different operating systems or kernel components, for example. The choice of targets is based on various criteria such as their development history, source code accessibility, architecture, etc.<\/p>\n
Secondly, the application of this method was used to illustrate the search process. The objective was to find a critical vulnerability in a component for which few or no such vulnerabilities had been discovered in the past. The intended attack surface therefore had to meet the following criteria:<\/p>\n
\n- \u00ab"High Severity": The bug found must have a major impact in a broad sense.<\/li>\n
- \u00ab"Ubiquitous": The attack surface must be present on many systems with a default configuration<\/li>\n
- \u00ab"Complex": The target must have complex features with unreliable user input, with components added over time.<\/li>\n
- \u00ab"Unpopular" (optional): The project should not have been audited too extensively by researchers so that trivial vulnerabilities have not yet been discovered.<\/li>\n<\/ol>\n
She therefore examined the Windows environment and, after listing the protocols and servers of major interest according to the stated criteria, selected SMB. Next, she listed and categorized the different components of SMB to distinguish the following: "NetBIOS," "Dialect\/Capability Negotiation," "Session Setup\/User Authentication," "Client File Ops & other." After evaluating each, authentication was selected. Here is the chronology of the selection process:<\/p>\n
<\/p>\n
Figure 1 \u2013 Target selection process (Excerpt from the SSTIC presentation, slide 41)<\/em><\/p>\nWindows authentication relies on the Security Support Provider Interface (SSPI) and uses Security Support Providers (SSPs) in the form of DLLs. The main SSPs are Keberos, NTLM, PKU2U, CredSSP, SPNEGO, and NEGOEXTS. Since the latter two have very few known vulnerabilities (one for SPNEGO and none for NEGOEXTS), they were the natural choice.<\/p>\n
Once the target was determined, the code analysis phase could begin, starting by finding the implementation of NEGOEXT (loaded at startup in LSA) and then reverse engineering this protocol. After reading the protocol documentation, the goal was then to find the function of parsing<\/em> of messages. Once identified and after several analysis passes, a race condition can be exploited following the sending of multiple Negoex Session Setup requests. Its exploitation can allow an attacker to execute arbitrary code remotely.<\/p>\nFinally, to the problem of "Finding a bug with a major impact in a widely used and complex technology," Chompie responds with CVE-2022-37958, a vulnerability in SPNego NegoEx leading to a critical failure escape (CFE). And to conclude, attack surface analysis is just as much an art as vulnerability research.<\/p>\n
\n
CERTA\/CERT-FR: A look back at 20+ years of CERTs at ANSSI<\/strong><\/em><\/h3>\n<\/strong><\/em><\/p>\nThe deputy director of operations at ANSSI, Mathieu Feuillet, intervened to the closing presentation<\/a> by reviewing the history of the ANSSI CERT and its main activities.<\/p>\nFrom CERT-A, created in anticipation of the Y2K bug, to the CERT-FR we know today, the organization has grown progressively in response to cyber threats, evolving both structurally and in terms of the resources deployed. In parallel, CERT-FR also contributes to the development of the CSIRT ecosystem by supporting the various stakeholders. Today, the operations conducted at the heart of the agency address espionage, destabilization, and cybercrime attacks.<\/p>\n
The 2011 Bercy breach was a pivotal moment in the agency's operational activity. Indeed, the detection of this incident, a campaign "linked to China through open sources," represented the first large-scale operation that allowed for the establishment of principles subsequently applied numerous times. This event marked the beginning of the consistent targeting of France for political, diplomatic, economic, and industrial purposes. A timeline of attacks suffered by a key government sector was presented, highlighting the omnipresence of attacks that systematically involved at least four simultaneous malicious activities:<\/p>\n
<\/p>\n
Figure 2 \u2013 Periods of malicious activity for a sovereign sector X (Extract from the SSTIC presentation, slide 21)<\/em><\/p>\nFor the next three years, the attacks were persistent, large-scale, and targeted both government agencies and critical infrastructure. The latter were then included in the scope of the operation. Starting in 2017, these attacks returned, more discreet than before, and increasingly targeted IT services companies and other downstream entities, before rebounding on the targets themselves. Finally, since 2021, and still with the same rebound strategy, the targeted organizations are increasingly smaller and generally lack adequate security measures. In addition to the aforementioned targeted entities, embedded equipment such as routers, firewalls, and Wi-Fi access points are also being targeted.<\/p>\n
2021 has seen the most mass data breaches to date. New techniques have been deployed, including the publication of certain attacker indicators and methods to hinder attacks. 2021 was also the year of Pegasus, the spying on high-profile individuals through the compromise of their phones, as well as Solarwinds and Log4j, for which proactive measures were developed to better protect potential victims.<\/p>\n
Furthermore, regarding destabilization, the agency has notably had to combat hacktivism, which emerged significantly following the 2015 attacks and the 2022 war in Ukraine. These malicious actions are politically motivated and primarily involve denial-of-service attacks and defacement (for example, the sabotage operation of TV5 Monde in 2015<\/a>, or Ka-Sat in 2022).<\/p>\nAs for cybercrime, the emergence of ransomware began in 2018 with the targeting of large entities ("big game hunting"), less precise and more opportunistic than before. The victims are generally companies with the least security compared to the average ("In cybercrime, it's like when you're being chased by a lion: you shouldn't outrun the lion, you should outrun someone else"). The impacts of this type of attack vary and materialize in concrete ways. For example, for healthcare facilities, the consequences directly affect patients.<\/p>\n
In conclusion, defensive actions are essential and effective in the face of an increasing threat.<\/p>\n
\n
Bug hunting in Steam: a journey into the Remote Play protocol<\/strong><\/em><\/h3>\n
<\/p>\n
The first part is dedicated to the path of discovering a vulnerability. Several steps are systematically included:<\/p>\n
- \n
- \n
- \n
- Target selection<\/li>\n
- The discovery of the bug<\/li>\n
- Its exploitation<\/li>\n
- Success or failure<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
The author highlights the rarity of publications by researchers who recount their failures, even though this is the most common outcome. She describes these failures as inherent to the profession and also essential. It is by following a methodical approach that researchers find vulnerabilities, and the complexity lies primarily in identifying where a flaw is located rather than in identifying the vulnerability itself. She also points out that most of the flaws found are often the same, which can become tedious.<\/p>\n
She thus distinguishes between two research approaches. One is for a "monogamous" researcher profile: the researcher focuses on a single project to master its code as much as possible, which avoids wasting time switching topics. The other is for a researcher less loyal to their targets, who tires more quickly and therefore regularly changes their scope. This is the case for the author, who has already obtained results for different operating systems or kernel components, for example. The choice of targets is based on various criteria such as their development history, source code accessibility, architecture, etc.<\/p>\n
Secondly, the application of this method was used to illustrate the search process. The objective was to find a critical vulnerability in a component for which few or no such vulnerabilities had been discovered in the past. The intended attack surface therefore had to meet the following criteria:<\/p>\n
- \n
- \u00ab"High Severity": The bug found must have a major impact in a broad sense.<\/li>\n
- \u00ab"Ubiquitous": The attack surface must be present on many systems with a default configuration<\/li>\n
- \u00ab"Complex": The target must have complex features with unreliable user input, with components added over time.<\/li>\n
- \u00ab"Unpopular" (optional): The project should not have been audited too extensively by researchers so that trivial vulnerabilities have not yet been discovered.<\/li>\n<\/ol>\n
She therefore examined the Windows environment and, after listing the protocols and servers of major interest according to the stated criteria, selected SMB. Next, she listed and categorized the different components of SMB to distinguish the following: "NetBIOS," "Dialect\/Capability Negotiation," "Session Setup\/User Authentication," "Client File Ops & other." After evaluating each, authentication was selected. Here is the chronology of the selection process:<\/p>\n
<\/p>\nFigure 1 \u2013 Target selection process (Excerpt from the SSTIC presentation, slide 41)<\/em><\/p>\n
Windows authentication relies on the Security Support Provider Interface (SSPI) and uses Security Support Providers (SSPs) in the form of DLLs. The main SSPs are Keberos, NTLM, PKU2U, CredSSP, SPNEGO, and NEGOEXTS. Since the latter two have very few known vulnerabilities (one for SPNEGO and none for NEGOEXTS), they were the natural choice.<\/p>\n
Once the target was determined, the code analysis phase could begin, starting by finding the implementation of NEGOEXT (loaded at startup in LSA) and then reverse engineering this protocol. After reading the protocol documentation, the goal was then to find the function of parsing<\/em> of messages. Once identified and after several analysis passes, a race condition can be exploited following the sending of multiple Negoex Session Setup requests. Its exploitation can allow an attacker to execute arbitrary code remotely.<\/p>\n
Finally, to the problem of "Finding a bug with a major impact in a widely used and complex technology," Chompie responds with CVE-2022-37958, a vulnerability in SPNego NegoEx leading to a critical failure escape (CFE). And to conclude, attack surface analysis is just as much an art as vulnerability research.<\/p>\n
\n
CERTA\/CERT-FR: A look back at 20+ years of CERTs at ANSSI<\/strong><\/em><\/h3>\n
<\/strong><\/em><\/p>\n
The deputy director of operations at ANSSI, Mathieu Feuillet, intervened to the closing presentation<\/a> by reviewing the history of the ANSSI CERT and its main activities.<\/p>\n
From CERT-A, created in anticipation of the Y2K bug, to the CERT-FR we know today, the organization has grown progressively in response to cyber threats, evolving both structurally and in terms of the resources deployed. In parallel, CERT-FR also contributes to the development of the CSIRT ecosystem by supporting the various stakeholders. Today, the operations conducted at the heart of the agency address espionage, destabilization, and cybercrime attacks.<\/p>\n
The 2011 Bercy breach was a pivotal moment in the agency's operational activity. Indeed, the detection of this incident, a campaign "linked to China through open sources," represented the first large-scale operation that allowed for the establishment of principles subsequently applied numerous times. This event marked the beginning of the consistent targeting of France for political, diplomatic, economic, and industrial purposes. A timeline of attacks suffered by a key government sector was presented, highlighting the omnipresence of attacks that systematically involved at least four simultaneous malicious activities:<\/p>\n
<\/p>\nFigure 2 \u2013 Periods of malicious activity for a sovereign sector X (Extract from the SSTIC presentation, slide 21)<\/em><\/p>\n
For the next three years, the attacks were persistent, large-scale, and targeted both government agencies and critical infrastructure. The latter were then included in the scope of the operation. Starting in 2017, these attacks returned, more discreet than before, and increasingly targeted IT services companies and other downstream entities, before rebounding on the targets themselves. Finally, since 2021, and still with the same rebound strategy, the targeted organizations are increasingly smaller and generally lack adequate security measures. In addition to the aforementioned targeted entities, embedded equipment such as routers, firewalls, and Wi-Fi access points are also being targeted.<\/p>\n
2021 has seen the most mass data breaches to date. New techniques have been deployed, including the publication of certain attacker indicators and methods to hinder attacks. 2021 was also the year of Pegasus, the spying on high-profile individuals through the compromise of their phones, as well as Solarwinds and Log4j, for which proactive measures were developed to better protect potential victims.<\/p>\n
Furthermore, regarding destabilization, the agency has notably had to combat hacktivism, which emerged significantly following the 2015 attacks and the 2022 war in Ukraine. These malicious actions are politically motivated and primarily involve denial-of-service attacks and defacement (for example, the sabotage operation of TV5 Monde in 2015<\/a>, or Ka-Sat in 2022).<\/p>\n
As for cybercrime, the emergence of ransomware began in 2018 with the targeting of large entities ("big game hunting"), less precise and more opportunistic than before. The victims are generally companies with the least security compared to the average ("In cybercrime, it's like when you're being chased by a lion: you shouldn't outrun the lion, you should outrun someone else"). The impacts of this type of attack vary and materialize in concrete ways. For example, for healthcare facilities, the consequences directly affect patients.<\/p>\n
In conclusion, defensive actions are essential and effective in the face of an increasing threat.<\/p>\n
\n
Bug hunting in Steam: a journey into the Remote Play protocol<\/strong><\/em><\/h3>\n
![\"\"](\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/06\/06.png\")
<\/p>\n![\"\"](\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/06\/07.png\")
<\/p>\n