2017 SyScan360 | SyScan360 Information Security Conference China ‧ Beijing

2017 SyScan360 | SyScan360 Information Security Conference
Omri Herscovici Omri Herscovici Check Point Software Technologies
Omer Gull Omer Gull Check Point Software Technologies

TOPIC

Pwned in Translation - from Subtitles to RCE

ABSTRACT

What if I told you, that when you're watching a movie on your PC or streamer - someone might also be watching you? And he might be doing so - using subtitles.

Yes, subtitles, those innocent looking text lines at the bottom of your screen.

Millions of people use them without a second thought – never wondering where they come from, where they're parsed or how they are rendered.

You might be surprised to find that there are actually more than 25 subtitle formats out there, most of which support exotic features such as HTML tags, raw images or even freeform binary (What?). Moreover, there is usually no standard library designed to parse subtitles, which leaves this task to be independently implemented by the various media players.

What can go wrong?

Well, basically - everything.

We will pioneer the uncharted subtitles attack vector and demonstrate its disastrous potential, and unravel the numerous vulnerabilities we found involving subtitles. There will be unsanitized JavaScript running on native web applications; files being manipulated; heaps being corrupted; and full RCE on the most common streaming platforms including VLC, Kodi (XBMC) and PopcornTime.

It seems there is no limit to what can be achieved by using these supposedly minor text files.

But wait, the plot thickens. Our presentation will delve even further into the subtitle supply chain. Some media players download subtitles automatically from shared online repositories (such as OpenSubtitles) where they are indexed and ranked.

By manipulating the website's ranking algorithm, we were able to guarantee our crafted malicious subtitles would be the ones downloaded by the video player, allowing us to take complete control over the entire subtitle supply chain - Look ma, no MITM or user interaction.

Do you like scary movies?

BIOGRAPHY

Omri Herscovici is a security researcher at Check Point Software Technologies. Omri is a developer and network security expert with extensive technical experience in software development, exploit and vulnerability research, and security architecture. In his past, Omri served seven years as an officer and R&D leader in an elite Israeli intelligence unit.


Omer has been a security researcher at Check Point Software Technologies LTD for the past year. Omer has diverse security background which includes networking, web application pentesting and exploit research. Previously Omer served in an elite IDF intelligence unit as an IT specialist.


Nikias Bassen Nikias Bassen Trustwave

TOPIC

The Ro(o)tten Apple: Vulnerabilities heaven behind the iOS sandbox

ABSTRACT

In modern days, no exploitation chain can be considered complete without a reliable privilege escalation vulnerability. This is why many security researchers spend a lot of their research time in finding those vulnerabilities.

Apple has set a new standard in iOS security by implementing many innovative techniques to prevent exploitation of PE vulnerabilities, however despite their continuous efforts some areas of iOS still remain more exposed than others to this kind of vulnerabilities.

This presentation will shed a light on some critical areas in the iOS kernel, that have been proven to contain many privilege escalation vulnerabilities that can potentially affect hundred of millions of iOS devices.

In this talk, we will overview these yet unexplored areas and present a chain of vulnerabilities, leading to a complete kernel privilege escalation exploit while bypassing all the latest kernel mitigations Apple introduced.

BIOGRAPHY

Nikias Bassen (@pimskeks) has been into reverse engineering for more than a decade. The breakthrough was back in 2011 when he joined the Chronic-Dev team to work on the iOS 5 + 5.1 jailbreaks. Ongoing research was focusing mostly on iOS, and in early 2013 he became part of the famous @evad3rs who released the evasi0n and evasi0n7 jailbreaks for iOS6 and 7. Being part of Zimperium zLabs since 2015 he is continuing his efforts in security research and reverse engineering targeting iOS. Nikias studied Computer Science at the University of Bremen, Germany, and holds a Diploma degree. He is also one of the masterminds behind the libimobiledevice project (http://libimobiledevice.org <http://libimobiledevice.org/>) – an open source implementation of the iOS device-computer communication protocols.


Yuriy Gurkin Yuriy Gurkin The founder and CTO of Gleg ltd.

TOPIC

Penetration through ICS Development Software - potentially devastating attack vector or not? CODESYS 0days examples.

ABSTRACT

Among well known ICS development tools there is a CODESYS Programming Software which is widely used in energy, factory and other Automation Technology Sectors. Those tools are used by engineers to create Controller Applications, HMI devices etc... But could someone attack that (or another) Development Software, and gain control over engineer PC, over connected real or tested ICS, even leave a backdoor (potentially for whole Controller line ) ?

It seems like successful attacks against development software could be really devastating especially if they stays unidentified.

E.G. In 2015 Volkswagen had lost 30 % (2.5 billions) of its shares in two days as a result of its Diesel engine controller software scandal ... It was a strange and unclear story, but what is clear - controller software being "tuned" is pretty serious thing.

So, let's take a look to CODESYS. Utilizing open-source EAST pentest framework we will show vulnerabilities in CODESYS software of older versions, and two 0days in newer versions.

BIOGRAPHY

Working in the infosec field since 2004. Has cofounded the company Gleg ltd which nowadays develops exploit packages for Immunity Inc's "Canvas" framework, Core Security's "Core Impact" framework.The company is also heading and promoting open-source EAST penetration testing framework and associated exploit packages.


Zoltan Balazs Zoltan Balazs MRG Effitas

TOPIC

How to hide your browser 0-Days

ABSTRACT

When it comes to browser exploits, so far there was no known technique to make network forensics of the exploit impossible. In my research I have demonstrated that it is possible to deliver browser exploits in an encrypted way (using AES after ECDH key agreement), which makes passive network analysis of the exploit impossible.

BIOGRAPHY

Zoltan (@zh4ck) is the Chief Technology Officer at MRG Effitas, a company focusing on AV testing.Before MRG Effitas, he had worked as an IT Security expert in the financial industry for 5 years and as a senior IT security consultant at one of the Big Four companies for 2 years. His main expertise areas are penetration testing, malware analysis, computer forensics and security monitoring. He released the Zombie Browser Tool that has POC malicious browser extensions for Firefox, Chrome and Safari. He is also the developer of the Hardware Firewall Bypass Kernel Driver (HWFWBypass) and the Sandbox tester tool to test Malware Analysis Sandbox es. He has been invited to give presentations worldwide at information security conferences including DEF CON, Hacker Halted USA, Botconf, AusCERT, Nullcon,Hackcon, Shakacon, OHM, Hacktivity and Ethical Hacking.Zoltan passed OSCE recently, and he is very proud of it


Brian Gorenc Brian Gorenc Trend Micro Zero Day Initiative
Abdul-Aziz Hariri Abdul-Aziz Hariri Trend Micro Zero Day Initiative
Jasiel Spelman Jasiel Spelman Trend Micro Zero Day Initiative

TOPIC

Transforming Open Source to Open Access in Closed Applications: Finding Vulnerabilities in Adobe Reader's XSLT Engine

ABSTRACT

The inclusion of open-source components into large, closed-sourced applications has become a common practice in modern software. Vendors obviously benefit from this approach as it allows them to quickly add functionality for their users without the need to invest costly engineering effort. However, leveraging open source for a quick functionality boost comes with security side effects that might not be understood by the vendor until it is too late. In those cases, misunderstood or poorly implemented open source allows attackers to bypass security mechanisms that may exist elsewhere in the proprietary system.

This talk provides insight into these side effects through an examination of Adobe Reader’s XSLT (Extensible Stylesheet Language Transformations) engine, which is based on the now abandoned open-source project called Sablotron – an XML processor fully implemented in C++. We focus on techniques for auditing the source code of Sablotron in order to find corresponding bugs in Adobe Reader. We also present a new source-to-binary matching technique to help you pinpoint the vulnerable conditions within Sablotron that also reside in the assembly of Reader. Real-world application of these techniques will be demonstrated through a series of code execution vulnerabilities discovered in Adobe Reader’s codebase. Finally, we'll highlight the trends in vulnerabilities discovered in Adobe Reader’s XSLT engine over the last year.

BIOGRAPHY

Brian Gorenc is the director of Vulnerability Research with Trend Micro. In this role, Gorenc leads the Zero Day Initiative (ZDI) program, which represents the world’s largest vendor-agnostic bug bounty program. His focus includes analyzing and performing root-cause analysis on hundreds of zero-day vulnerabilities submitted by ZDI researchers from around the world. The ZDI works to expose and remediate weaknesses in the world’s most popular software. Brian is also responsible for organizing the ever-popular Pwn2Own hacking competitions.


Abdul-Aziz Hariri is a security researcher with the Zero Day Initiative program. In this role, Hariri analyzes and performs root-cause analysis on hundreds of vulnerabilities submitted to the Zero Day Initiative (ZDI) program, which is the world's largest vendor-agnostic bug bounty program. His focus includes performing root-cause analysis, fuzzing and exploit development. Prior to joining ZDI, Hariri worked as an independent security researcher and threat analyst for Morgan Stanley emergency response team. During his time as an independent researcher, he was profiled by Wired magazine in their 2012 article, Portrait of a Full-Time Bug Hunter. In 2015, Abdul was part of the research team that submitted "Breaking Silent Mitigations - Gaining code execution on Isolated Heap and MemoryProtection hardened Internet Explorer" to the Microsoft bounty program. Their submission netted the highest payout to date from the Microsoft bounty program where the proceeds went to many STEM organizations. Twitter: @abdhariri


Jasiel Spelman is a vulnerability analyst and exploit developer for the Zero Day Initiative (ZDI) program. His primary role involves performing root cause analysis on ZDI submissions to determine exploitability, followed by developing exploits for accepted cases. Prior to being part of ZDI, Jasiel was a member of the Digital Vaccine team where he wrote exploits for ZDI submissions, and helped develop the ReputationDV service from TippingPoint. Jasiel's focus started off in the networking world but then shifted to development until transitioning to security. He has a BA in Computer Science from the University of Texas at Austin. Twitter: @WanderingGlitch


Maxwell Koh Maxwell Koh Trustwave

TOPIC

Bypass 2FA, Stealing Private Keys, and the Introduction to 2FAssassin

ABSTRACT

The "knowledge factor" (using passwords for authentication) will never be enough for security. We need the second layer of defense -- a "possession factor" or sometimes called the "Two-Factor Authentication", hence the term, "2FA". Nowadays many organization plans to adopt password-free login to authenticate their systems, thereby completely replacing the password-based authentication with key-based authentication, which they believed is more secure. However, the truth is far from reality. Although 2FA creates a formidable barrier against potential security breaches, however it doesn't guarantee much security at all, especially when it comes to the inefficacious and often futile private key protection. In that sense, we can say that the effectiveness of the 2FA depends on how well they can protect "something only user has". In fact, there are many ways to steal someone’s private keys without performing social engineering attacks. This talk is dedicated to discuss and demonstrate the newly discovered techniques to bypass the two-factor authentication by stealing and cracking OTP, private keys, and client certificates. By that means, an attacker must compromise the voice or text message accounts, software token, infecting memory agents, cracking passphrase, stealing hardware token, etc. With the help from the “2FAssassin” we could turn these looted keys for more fun and profits. The demonstration will include the scenario where the private keys are compromised and then show how an attacker could leverage the situation to gain more access into the corporate networks and for making profits. These are not limited to systems that used single sign-on (with 2FA enabled), public key authentication (e.g., password-less authentication, authorized_keys abuse), free software token (e.g., Google Authenticator), website owner (e.g., phishing sites created using stolen private key), and even software vendor (e.g., stolen private key can be used to sign the malicious malware). The tool will automate the exploitations against the common vulnerabilities that lead to the private key leakage. It can be used to compromise individual system, or the entire network using looted private keys. It also capable to analyze and identify potential private keys, key information extraction in order to profile the target servers, cracking and removing the passphrase, injecting arbitrary key-based backdoors, building multi-chained covert tunnels by leveraging on the loopholes found in vulnerable public key authentication. Nevertheless, the talk will end with recommendations to protect the private keys from theft, as well as what to do during the worst case scenario.

BIOGRAPHY

Maxwell is a penetration tester with Trustwave's SpiderLabs Asia-Pacific. Maxwell is based out of Singapore and his primary focus is on providing penetration testing service to clients in the Asia-Pacific region.


Wenyuan Xu Wenyuan Xu Zhejiang University
Janhao Liu Janhao Liu Qihoo360

TOPIC

Dolphin Attacks:Manipulating Voice Controllable Systems silently

ABSTRACT

Speech recognition (SR) systems such as Siri or Google Now have become an increasingly popular human-computer interaction method, and have turned various systems into voice controllable systems (VCS). VCSs are considered to be secure, because it is commonly believed that any attacks that manipulating VCS may be heard and detected. In this talk, we show a completely inaudible attack, (Dolphin Attack), that transmits ultrasounds with embedded voice commands. By leveraging the hardware vulnerability of the microphone circuits, the embedded voice commands can be successfully recovered, and more importantly interpreted by the speech recognition systems. We validate Dolphin Attack on popular speech recognition systems, and various VCSs. By injecting a sequence of inaudible voice commands, we show a few proof-of-concept attacks, which include activating Siri to initiate a FaceTime call on iPhone, activating Google Now to switch the phone to the airplane mode, and even manipulating the navigation system in an automobile. We propose hardware and software defense solutions and suggest to re-design voice controllable systems to be resilient to inaudible voice command attacks.

BIOGRAPHY

Wenyuan Xu is currently a professor in the College of Electrical Engineering at Zhejiang University. She received her B.S. degree in Electrical Engineering from Zhejiang University in 1998, an M.S. degree in Computer Science and Engineering from Zhejiang University in 2001, and the Ph.D. degree in Electrical and Computer Engineering from Rutgers University in 2007. Her research interests include wireless networking, smart systems security, and IoT security. Dr. Xu received the NSF Career Award in 2009 and was selected as a young professional of the thousand talents plan in China in 2012. She was granted tenure (an associate professor) in the Department of Computer Science and Engineering at the University of South Carolina in the U.S. She has served on the technical program committees for several IEEE/ACM conferences on wireless networking and security. She has published over 60 papers and her papers have been cited over 3000 times (Google Scholar).


Jianhao Xu is currently the chief director of Intelligent and Connected Vehicle Security Lab, the leader of SKY-GO team. Be responsible for scientific study on the information security relevant to The Internet of Vehicles, Intelligent and Connected Vehicle and Automatic Drive. Main contributor for the breakthrough china have made in attacking Tesla high-tech driving system. Major scholar on the study of Tesla autopilot system . Twice into the Tesla Hall of Fame; and lead the team to attack a variety of domestic and international networking vehicles. Address on conference on global information security DEFCON/ISC/Syscan360/Pacsec/POC. Participating in detailing the roadmap of information security of intelligent and connected vehicle made by china in 2025. Years of experience on security service, safety evaluation and others; experts employed by a handful of information security institute. Published Annual report on 2015 Intelligent and Connected Vehicle Security, Best practice on internet-connected information security , Annual report on 2016 Intelligent and Connected Vehicle Security ,co-author of safety of intelligent Auto hardware. Assisting the evaluation and consultancy of information safety of many vehicle companies, thus receiving high recognition from customers and counterparts.


Bertin Bervis Bertin Bervis Cybertrust Spa , Santiago Chile

TOPIC

Exploiting and abusing web applications flaws in industrial and network communication devices

ABSTRACT

PLCS, data acquisition servers and industrial network communication gateways/routers often comes with a web server/web service enable, these web applications usually are being put in production with a lot of bugs and issues. Vulnerablities like stored XSS , path traversal,LFI, or RCE those are really easy to find in this devices but task needs to be done manually since automated tools/scanners usually crash the web application during the scan execution .In the worse scenario these web servers are being publish in the internet and remote attackers can take over these vulnerablilities in order to get access ,remote execution or persistance in browsers.

In this presentation, i,m going to demonstrate real cases about several vulnerablities found in web servers from PLCs, Weather stations and industrial gateways/routers from well known vendors in the industrial field , i will demostrate practical exploitation step by step about issues that i found and have been reported to every vendor affected, i will share tips and techniques to spot easy and quickly vulnerablities in these web appications in industrial devices.

BIOGRAPHY

Bertin Bervis is a security researcher from Costa Rica currently working for a cyber security firm in Santiago de Chile called CyberTrust Spa as security consultant, Bertin has been speaker in several security conferences around the world like DEFCON , Blackhat And Ekoparty


Matt Suiche Matt Suiche COMAE TECHNOLOGIES

TOPIC

The Shadow Brokers – Cyber Fear Game-Changers

ABSTRACT

Who are/is TheShadowBrokers? We have no clue. Nobody really does. The Shadow Brokers are one of most controversial characters of this Cyber-Era. The mysterious group emerged mid-summer 2016 when they started to anonymously, publicly drop tools and operational notes that allegedly belonged to the NSA Tailored Access Operations unit. This group referred to itself as The Shadow Brokers and quickly became the NSA’s worst nightmare since Edward Snowden.

Previous whistle blowers released documents redacted of sensitive nature, such as authors. But with The Shadow Brokers, what emerged was a different level of dangerous and more aggressive leaks that didn’t only release highly sensitive tools, but also revealed a wide range of modus operandi that included agents’ names and the full disclosure of the NSA’s complex (and many argue irresponsible) attack against the backbone of the Middle East’s financial institutions. For now, The Shadow Brokers are happy to have the general public guessing their identity and true origins. Is it an intelligence organization running a highly complex set of misdirection and penetration? Is it a second Snowden with access to the NSA’s most sensitive cyber weapons? We may never know. What is certain, is that the emergence of The Shadow Brokers is a game-changer and presents a massively embarrassing (and dangerous) breach for the NSA, the world’s most advanced signal intelligence agency and best resourced government backed hacking organization. This embarrassment became a muse for the most destructive and fast-spreading ransomware (WannaCry) in History, shutting down hospitals and companies across the Globe. Followed one month later by NotPetya, another highly destructive malware disguised as a ransomware which spread primarily in Ukraine.

BIOGRAPHY

Matt Suiche is the founder of the cybersecurity start-up Comae Technologies and cyber-security conference OPCDE. Prior to founding Comae, he was the co-founder & Chief Scientist of the application virtualization start-up CloudVolumes which was acquired by VMware in 2014. His also previous employers include the Netherlands Forensics Institute and Airbus. Matt is best known as the founder of MoonSols for his work in the memory forensics and computer security fields. His most notable research contributions include Windows hibernation file analysis and Mac OS X physical memory analysis. Most recently Matt released the first Blockchain decompiler for Ethereum smart-contracts called Porosity. Since 2009-2017 Matt has been recognized as a Microsoft Most Valuable Professional in Enterprise Security for his work in discovering multiple security flaws in multiple Microsoft Windows kernel components and various contributions.  Matt has also been a frequent speaker at various computer security conferences such as Black Hat Briefings, Microsoft Blue Hat Hacker Conference, Hackito Ergo Sum, Europol High Tech Crime Experts Meeting, CanSecWest, PacSec, Hack In The Box, SyScan and Shakacon.


Guang Gong Guang Gong Qihoo360

TOPIC

Butterfly Effect and Program Mistake ---- Exploit an "Unexploitable" Chrome Bug

ABSTRACT

Does the flap of a butterfly’s wings in Brazil set off a tornado in Texas? I don’t know. But I do know a negligible tiny logical bug in v8 engine can lead to remote code execution in Chrome. In PwnFest contest 2016, I exploited a logical mistake(CVE-2016-9651) in v8 engine to gain remote code execution. This logical mistake was very small and It appeared unexploitable at first glance. But by the combination of several unusual exploitation tricks, I finished a stable exploit at last. The journey of exploiting this vulnerability tells me: Never give up easily on “unexploitable” bugs. In this talk, I will firstly introduce the "invisible" private property in v8 engine, then disclose the logical mistake related with private property, after that I'll detail how to exploit this tiny bug to gain remote code execution especially the trick of turning an OOB read vulnerability to an OOB write vulnerabilty.

BIOGRAPHY

Guang Gong(@oldfresher) is a senior security researcher of Qihoo360 and the team leader of 360 AlphaTeam. His research interests included Windows rootkits, virtualization and cloud computing. He currently focuses on mobile security, especially on hunting and exploiting Android’s vulnerabilities. He has spoken at several security conferences such as Black Hat, CanSecWest, PHDays, SysCan360, MOSEC, PacSec . He is the winner of Pwn2Own 2015(the target: Nexus 6), Pwn0Rama 2016 (the category of mobile devices), Pwn2Own 2016 (the target: Chrome), PwnFest 2016(the target: Pixel XL)


Qiang Li Qiang Li Qihoo360
Zhibin Hu Zhibin Hu Qihoo360

TOPIC

The Virtio Security in Qemu

ABSTRACT

QEMU 是现代开源虚拟化解决方案的一个基本组成部分,特别是在 KVM 和 Xen 中。作为一款全面的虚拟化解决方案,QEMU 能够模拟处理器、内存和外设。如要改善虚拟机的性能,virtio 架构通常是首要之选。目前,几乎所有云平台都默认使用 virtio 设备。但事实表明,高性能与高安全性不可同时兼得。在本次演讲中,我将探讨 virtio 的安全性。内容将包括 virtio 架构的详情及其为何能改善性能。此外,我还将探讨 virtio 在整个数据流资源管理中的攻击面,以及数据流链中的薄弱环节,包括逻辑与实施漏洞。我们发现了与virtio 相关的大量漏洞,在本次演讲中,我们将介绍多个案例以及编写 virtio 漏洞概念验证的一些细节。

BIOGRAPHY

360公司安全研究员,从事漏洞发现与分析方向,发现包括QEMU / Linux内核/ Virtualbox等大量的vulns,同时也是CanSecWest, Ruxcon的演讲者



Tielei Wang Tielei Wang Pangu
Hao Xu Hao Xu Pangu

TOPIC

Finding iOS vulnerabilities in an easy way

ABSTRACT

There is a saying: consider the past you shall know the future. The talk will share our experience in how we find new iOS vulnerabilities while studying previously fixed vulnerabilities.

These new vulnerabilities are usually in the same function, context, or have the same root cause as the fixed vulnerabilities, or are even introduced by incorrect/incomplete fixes. The talk will show you an interesting battle history of fixing bugs by Apple.

BIOGRAPHY

Tielei Wang is a member of Team Pangu. He was a research scientist at the Georgia Institute of Technology from 2012 to 2014 and received his Ph.D. degree in 2011. His research interests include system security, software security, and mobile security. He discovered a number of zero-day vulnerabilities and won the Secunia Most Valued Contributor Award in 2011. He has published many papers in top research conferences including IEEE Security and Privacy, USENIX Security, ACM CCS, and NDSS, and gave several presentations at BlackHat USA, CanSecWest, POC, and RUXCON.


Hao Xu is a member of Team Pangu. He has been involved in information security for over 10 years. His research interests range from OSX/iOS/Windows kernel security, rootkit and malware analysis, hardware virtualization technology, and reverse engineering. He is a regular speaker at BlackHat USA, Syscan 360, POC, Xcon.