We are pleased to announce the program of GreHack'19. Note that the precise times in the schedule are not final yet and may still vary slightly.

Abstracts of the talks follow the schedule.


08:00 am  Breakfast
09:00 am  Opening speech
09:15 am  Keynote: Optimize your way to RCE with Chakra (Bruno Keith)
10:15 am  Break
10:45 am  Atomic Threat Coverage: cover threats before they will cover you! (Mateusz Wydra, Daniil Yugoslavskiy and Mikhail Aksenov)
11:30 am  Hunting for Bugs, Catching Dragons (Nicolas Joly)
12:15 pm  Lunch
02:00 pm  VBA for the masses (Jonas Zaddach)
02:45 pm  Wombat: one more Bleichenbacher attack toolkit (Olivier Levillain and Aina Toky Rasoamanana)
03:30 pm  Break
04:00 pm  The rise of evil HID devices (Franck Bitsch and Arthur Villeneuve)
04:30 pm  IoT Security: Hack the Damn Vulnerable IoT Device (Arnaud Courty)
05:00 pm  Delayed Memories Requiem (anonymous pwners)
          Closing speech
05:30 pm  Cocktail
06:00 pm  Workshops
09:00 pm  Pizzas
10:00 pm  CTF
06:00 am  Last flag submission (CTF)
06:30 am  The End


Optimize your way to RCE with Chakra


As can be seen in recent years, JavaScript engines have been one of the main targets for compromising a browser. With public resources on the subject becoming more and more available, attackers have to dig deeper and deeper in order to find valuable bugs on their quest to achieve remote code execution. While searching, you might end up with a super friendly bug that takes 30 minutes to exploit using publicly documented techniques; other times you end up with something you have no clue how to exploit. This talk will focus on such a bug I found and my process to turn it into a super reliable RCE. We will give a basic introduction to the bug, but rather than focusing on its root cause, this talk will focus on the exploitation part and how attackers go about turning limited primitives into better ones, repeating the process until they have everything needed to achieve a reliable exploit.


Bruno is an independent security researcher who focuses on browser security. He previously wrote and presented about the exploitation of various major browsers by targeting the JavaScript engine. He demonstrated browser exploits publicly at hacking competitions such as Hack2Win eXtreme 2018 and Pwn2Own 2019. He used to play CTF intensively with the German team Eat, Sleep, Pwn, Repeat but is now retired.

Hunting for bugs, catching dragons


While browser and plugin exploits are frequent, it's less common to see exploits affecting targets without scripting capabilities. Are these worth attacking? How do we proceed? How do we identify valid entry points and bugs? This talk will cover some research done at Microsoft on Outlook and Exchange and discuss the results. Scary dragons will be spotted on this tour; hopefully you'll catch some too.


Nicolas Joly is a security engineer at the Microsoft Security Response Center in the UK. He has more than 10 years of experience in reverse engineering and vulnerability discovery, and is now focused on finding and exploiting bugs. Prior to this, he used to hunt bugs for bounties and won Pwn2Own several times with Vupen Security. He also holds a master's degree from the Ensimag.

Twitter: @n_joly

VBA for the masses


Even though VBA macros have been a major entrance route for malware for quite some time, little work has been published on analysis tools. Malware authors are evading static pattern-based signatures with relatively simple string obfuscation, but since Microsoft Office is de facto the only platform that executes VBA macros, dynamic analysis requires a full VM with Office. As a result, observables are noisy and coarse-grained, mostly limited to file system and network activity. This talk proposes a sandboxed interpreter for VBA macros. The interpreter is more faithful in its behavior than any other VBA analysis tool currently available, allowing it to execute most macro code found in the wild. It is fast, delivering results in a few seconds. The Java code is easily extensible to cover new VBA functions used by malware. In summary, this VBA interpreter is an open source solution for identifying malicious VBA macros in Microsoft Office documents. It is much faster than current solutions based on full VM emulation, more faithful than approximate approaches to malicious macro detection such as SpiderMonkey's constant propagation, and outputs observables such as generated files, accessed URLs and invoked command lines for further processing.


Jonas Zaddach is a malware and security researcher for Cisco Talos. He received his Ph.D. from Telecom ParisTech, with a thesis focusing on automated dynamic analysis of embedded software. Now, he is carrying on his passion for automating malware analysis inside Talos.

Wombat: one more Bleichenbacher attack toolkit


Despite being more than 40 years old, RSA is still a widely used cryptographic algorithm. PKCS#1 v1.5, an old standard which defines how to use it in practice, is even present in current specifications (e.g. TLS up to TLS 1.2), although most of its implementations are naturally vulnerable to an attack devised by Daniel Bleichenbacher in 1998. To be able to assess the prevalence of such a vulnerability in various protocols, we are developing Wombat, one more Bleichenbacher attack toolkit.


Olivier Levillain is an associate professor in cybersecurity at Télécom SudParis. Before that, he was in charge of the cybersecurity training center at ANSSI (the French cybersecurity agency). He also used to work in ANSSI laboratories on various subjects, ranging from attacks on low-level hardware mechanisms to public key infrastructures. More recently, he has been working on secure network protocols (particularly SSL/TLS) and on programming languages ("Mind Your Languages").

Aina Toky Rasoamanana is a PhD candidate in cybersecurity at Télécom SudParis. Last year, he completed a master's degree in Cryptography at Rennes 1 University. He did his internship with Olivier Levillain on a cryptographic attack.

IoT Security: Hack the Damn Vulnerable IoT Device


The DVID project is a fully open source project. Its main objective is to provide interested people with a purpose-built vulnerable board to improve their skills in IoT hacking. Composed of simple components such as the Atmega328p, AT-09 and ESP8266, each training offers a specific vulnerable environment for learning to exploit well-known vulnerabilities. After a retrospective of real-life examples from the OWASP IoT Top 10, I will present the DVID project and its timeline (conception, building, manufacturing and shipping), show a live demo of a well-known vulnerability and give details about future features such as an Escape Game.


About Arnaud Courty:
Researcher and IoT hacker, my main mission is to evangelise companies to take care of security from the design step onward. I work on internal and external offensive security analysis and on assessing the security maturity of embedded systems upstream of their industrialization. Since the beginning of IoT, I have specialized in vulnerability research adapted to embedded systems, but also in raising awareness among designers, developers and integrators. I take advantage of security events and working groups to campaign for a less vulnerable IoT world.