Program

Schedule

08:00am breakfast
09:00am Opening speech - Roland Groz
09:15am (keynote) Optimize your way to RCE with Chakra - Bruno Keith
10:15am break
10:45am (Cancelled) Atomic Threat Coverage: cover threats before they will cover you! - Mateusz Wydra, Daniil Yugoslavskiy and Mikhail Aksenov
10:45am Oh! Auth: Implementation pitfalls of OAuth 2.0 & the Auth Providers who have fell in it - Samit Anwer
11:30am Hunting for Bugs, Catching Dragons - Nicolas Joly
12:15am lunch
02:00pm VBA for the masses - Jonas Zaddach
02:45pm Wombat: one more Bleichenbacher attack toolkit - Olivier Levillain and Aina Toky Rasoamanana
03:30pm break
04:00pm The rise of evil HID devices - Franck Bitsch and Arthur Villeneuve
04:30pm IOT Security : Hack the Damn Vulnerable IoT Device - Arnaud Courty
05:00pm Delayed Memories Requiem - *anonymous pwners*
Rumps
Closing speech - xarkes
05:45pm Cocktail
06:30pm Workshops
09:30pm Pizzas
10:00pm CTF
06:00am Last flag submission - CTF
06:30am The End

Abstracts

Optimize your way to RCE with Chakra

What?

As can be seen in recent years, JavaScript engines have been one of the main targets for compromising a browser. With public resources on the subject becoming more and more available, attackers have to dig deeper and deeper in order to find valuable bugs on their quest to achieve remote code execution. While searching, you might end up with some super friendly bug that takes 30 minutes to exploit using publicly documented techniques; other times you end up with something you have no clue how to exploit. This talk will focus on such a bug I found and my process to turn it into a super reliable RCE. We will do a basic introduction of the bug, but rather than focusing on the bug's root cause, this talk will focus on the exploitation part and how attackers can go about turning limited primitives into better ones, repeating the process until they have all that is needed to achieve a reliable exploit.

Who?

Bruno is an independent security researcher who focuses on browser security. He previously wrote and presented about the exploitation of various major browsers by targeting the JavaScript engine. He demonstrated browser exploits publicly at hacking competitions such as Hack2Win eXtreme 2018 and Pwn2Own 2019. He used to play CTF intensively with the German team Eat, Sleep, Pwn, Repeat but is now retired.

Oh! Auth: Implementation pitfalls of OAuth 2.0 & the Auth Providers who have fell in it

What?

Since the beginning of distributed personal computer networks, one of the toughest problems has been to provide a secure SSO and authorization experience between unrelated servers/services. The OAuth 2.0 authorization framework enables 3rd party apps to obtain discretionary access to a web service. Built on top of OAuth, OpenID Connect is a helpful “identity layer” that provides developers with a framework to build an authentication system. In this race to provide OAuth/OpenID Connect based access to assets, authorization service providers have been forced to release half-baked solutions in the wild, because of which relying parties and users face a myriad of issues ranging from authorization code compromise (unauthorized resource access) to account takeovers. In this talk we will discuss common malpractices that "relying party" and "authorization service provider" developers perform when implementing OAuth/OpenID based solutions. We will learn about the attacks that can result from them and their mitigations.

Who?

Samit is a Web and Mobile Application security enthusiast. He joined Citrix as a Security Engineer soon after completing his Master's degree in Mobile and Ubiquitous Computing from IIIT Delhi in 2015. He has spoken on various security topics at the following venues: RomHack, SecurityFest, DEFCON China, BlackHat Asia, AppSec USA, and CodeBlue. His technical interests lie in using static program analysis techniques to mitigate security and performance issues in mobile/web apps, breaking web/mobile apps, and researching cutting-edge authentication and authorization mechanisms.


Hunting for bugs, catching dragons

What?

While browser and plugin exploits are frequent, it’s less common to see exploits affecting targets without scripting capabilities. Are these worth attacking? How do we proceed? How do we identify valid entry points and bugs? This talk will cover some research done at Microsoft on Outlook and Exchange and discuss the results. Scary dragons will be spotted on this tour; hopefully you’ll catch some too.

Who?

Nicolas Joly is a security engineer at the Microsoft Security Response Center in the UK. He has more than 10 years of experience in reverse engineering and vulnerability discovery, and is now focused on finding and exploiting bugs. Prior to this, he used to hunt bugs for bounties and won Pwn2Own several times with Vupen Security. He also holds a master's degree from the Ensimag.

Twitter: @n_joly


VBA for the masses

What?

Even though VBA macros have been a major entrance route for malware for quite some time, little work has been published on analysis tools. Malware authors are evading static pattern-based signatures with relatively simple string obfuscation, but since Microsoft Office is de facto the only platform that executes VBA macros, dynamic analysis requires a full VM with Office. As a result, observables are noisy and coarse-grained, mostly limited to file system and network activity. This talk proposes a sandboxed interpreter for VBA macros. The interpreter is more faithful in its behavior than any other VBA analysis tool currently available, allowing it to execute most macro code found in the wild. It is fast, delivering results in a few seconds. The Java code is easily extensible to cover new VBA functions used by malware. In summary, this VBA interpreter is an open source solution for identifying malicious VBA macros in Microsoft Office documents. It is much faster than current solutions based on full VM emulation, more faithful than approximate approaches to malicious macro detection such as SpiderMonkey’s constant propagation, and outputs observables such as generated files, accessed URLs and invoked command lines for further processing.

Who?

Jonas Zaddach is a malware and security researcher for Cisco Talos. He received his Ph.D. from Telecom ParisTech, with a thesis focusing on automated dynamic analysis of embedded software. Now, he is carrying on his passion for automating malware analysis inside Talos.


Wombat: one more Bleichenbacher attack toolkit

What?

Despite being more than 40 years old, RSA is still a widely used cryptographic algorithm. PKCS#1 v1.5, an old standard which defines how to use it in practice, is even present in current specifications (e.g. TLS up to TLS 1.2), although most of its implementations are naturally vulnerable to an attack devised by Daniel Bleichenbacher in 1998. To be able to assess the prevalence of such a vulnerability in various protocols, we are developing Wombat, one more Bleichenbacher attack toolkit.

Who?

Olivier Levillain is an associate professor in cybersecurity at Télécom SudParis. Before that, he was in charge of the cybersecurity training center at ANSSI (the French cybersecurity agency). He also used to work in ANSSI laboratories on various subjects, ranging from attacks on low-level hardware mechanisms to public key infrastructures. More recently, he has been working on secure network protocols (and particularly on SSL/TLS) and on programming languages ("Mind Your Languages").

Aina Toky Rasoamanana is a PhD candidate in cybersecurity at Télécom SudParis. Last year, he completed a master's degree in Cryptography at Rennes 1 University. He did his internship with Olivier Levillain on a cryptographic attack.


The rise of evil HID devices

What?

Our talk will present the principles of malicious HID attacks, with their strengths and weaknesses. Three USB devices that can be used to launch an attack will be compared: a "rubber ducky", the WHID Injector device and the USBNinja cable. We will present the results of forensic analyses performed on corporate computers after our red team launched attacks using the previously introduced USB devices. We will focus on the traces left by these devices at the operating system level (event logs of interest, USB traces ...) and the data exfiltration techniques that can be used during this type of attack. We will introduce the principles of hardware investigation and how to locate interface pinouts in order to dump the content of the suspicious device and analyse its “malicious” capabilities.

Who?

Arthur VILLENEUVE: Arthur is a pentester and red teamer within the CERT SG team. When he is not giving cold sweats to his colleagues, he improves his attack infrastructure and tools. He also likes to play CTF with the Tipi'hack team.

Franck BITSCH: Franck fights cybercrime on a daily basis as a blue team member of the CERT SG team. When he is not carving data from a filesystem, you can find him playing with hardware stuff and a soldering iron.


IOT Security : Hack the Damn Vulnerable IoT Device

What?

The DVID project is a fully open-source project. Its main objective is to provide interested people with a deliberately vulnerable board on which to improve their IoT hacking skills. Composed of simple components like the Atmega328p, AT-09 and ESP8266, each training offers a specific vulnerable environment in which to learn to exploit well-known vulnerabilities. After a retrospective of real-life examples from the OWASP IoT Top 10, I will present the DVID project, its timeline (conception, building, manufacturing and shipping), show a live demo of a well-known vulnerability and give details about future features such as an Escape Game.

Who?

About Arnaud Courty:
Researcher and IoT Hacker, my main mission is to evangelise companies to take care of security from the design stage. I work on internal and external offensive security analysis and on assessing the security maturity of embedded systems ahead of their industrialization. Since the beginning of IoT, I have specialised in vulnerability research adapted to embedded systems, but also in raising the awareness of designers, developers and integrators. I take advantage of security events and working groups to campaign for a less vulnerable IoT world.