Program

Schedule

UTC+01:00 Friday November 19th Who
9:00am Opening speech TBA
9:10am Rooting Samsung Q60T Smart TV Jérémie Boutoille and Vincent Fargues
9:45am WooKey: Episode VII - The Force Awakens Phil Teuwen
10:20am Break -
10:35am DNSpooq - Does DNS cache poisoning still matter? Shlomi Oberman
11:25am GUI-Mimic, a cross platform recorder and fuzzer of Graphical User Interface Vincent Raulin, Pierre-François Gimenez, Yufei Han, Valérie Viet Triem Tong and Léopold Ouairy
12:00am Lunch break, with a replay of inércia 2021 demoparty -
2:00pm Exploiting CSP in WebKit to Break Authentication and Authorization Prakash Sharma and Sachin Thakuri
2:50pm Windows kernel snapshot-based fuzzing: the good, the bad and the ugly Damien Aumaitre
3:25pm Break -
3:40pm High Speed Methods for Blind SQL Injections Ruben Ventura
3:40pm Optimizing Server Side Template Injection Payloads for jinja2 Remi Gascou
4:30pm Closing speech TBA
21:00pm CTF -

Details

Rooting Samsung Q60T Smart TV

- by Jérémie Boutoille @tlk___ and Vincent Fargues @Karion_

Jérémie and Vincent are security experts at Synacktiv in the reverse engineering team. They are specialized in mobile and embedded systems reverse engineering, vulnerability research and exploit development.

Every autumn, Zero Day Initiative (ZDI) organizes a Pwn2Own contest edition focused on mobile and IoT devices. In 2020, twenty different devices were part of the contest. Among these devices, there were two targeted smart TVs: the Sony X800H Series and the Samsung Q60T Series. Smart TV compromises are rewarded with a $20000 bounty and two Master of Pwn points. In the 2020 edition, two teams got a partial win on the Samsung Q60T because the compromise was done using a known bug. ZDI does not provide detailed information about these bugs, nor about the targeted component (web browser, custom service, etc.). It motivated us to look at this target to see how easy it was to get a root shell on it. This talk will explain how we used a 1-day browser vulnerability to get a shell on the device. Then we exploited a vulnerable driver to escalate our privileges to root. With these privileges, we were able to extract the firmware encryption key from the TrustZone and to decrypt firmware files.

WooKey: Episode VII - The Force Awakens

- by Phil Teuwen @doegox

Philippe Teuwen (@doegox) is a Security Team Leader at Quarkslab happily sailing across the frontier between hardware and software, having enabled new attack vectors and open source tools such as adaptation of side-channel techniques towards whitebox cryptography, EEPROM tear-off attacks defeating various RFID security features, etc. He's in the editorial team of the International Journal of PoC||GTFO and loves organizing Hardware CTFs.

A long time ago in a mission far, far away, something like right before COVID-19, all CESTI of this country united to share an ambitious test plan to evaluate the WooKey, an open-source project of a secure USB mass storage developed by ANSSI. We won’t spend too much time presenting the WooKey itself, as it has already been extensively covered in several presentations. So why come back to this again? Because each CESTI worked on different aspects of this large test plan, without much overlap. So there are still many interesting results to share. And, frankly, it’s less about talking about the WooKey than sharing a fun mission involving hardware hacks which may inspire you to try out similar attacks on other targets.

DNSpooq - Does DNS cache poisoning still matter?

- by Shlomi Oberman and Moshe Kol @0xkol

Shlomi Oberman is an experienced security researcher and leader with over a decade of experience in security research and product security. He has spoken internationally and his research has been presented in industry conferences such as CodeBlue Tokyo and Hack-In-The-Box as well as other conferences. He is also an experienced teacher, training researchers and engineers in Embedded Exploitation and Secure Coding, as well as an organizer of local community cyber-security events. Shlomi has the unique advantage of a broad technical understanding of the Security Field as well as deep knowledge of an attacker's mindset.

Moshe Kol is a wickedly talented security researcher, experienced in vulnerability research, reverse engineering, and exploitation. He has many years of networking and security research experience working for the MOD where he honed his skills originally developed at home. Moshe is behind high-profile security research such as Ripple20 and DNSpooq, and he presented his research in industry conferences such as Black Hat, DEFCON, CODE BLUE as well as other conferences. When he does not look for bugs, Moshe writes his Master's thesis in Computer Science at the Hebrew University of Jerusalem.

DNSpooq is a series of 7 vulnerabilities found in the open source DNS forwarder dnsmasq. DNSpooq and other vulnerabilities like SAD DNS demonstrate that DNS implementations are still insecure, even today, 13 years after the last major attack was described. These new attacks against DNS integrity raise an important question: Does DNS cache poisoning still pose a risk to home and commercial users? Given the wide acceptance of safe browsing with HTTPS, and other security enhancements like DNSSEC, HSTS and others, it is easy to dismiss DNS cache poisoning vulnerabilities as posing little risk to users. We will discuss how the security of web browsing has increased dramatically by relying on these new mechanisms and by shifting trust from DNS to other protocols, and show what more needs to be done. We will show how and under what conditions these vulnerabilities still pose a risk, talk about the difference between vulnerabilities in DNS forwarders and DNS servers and will introduce some new attacks that can be performed using DNS cache poisoning vulnerabilities like DNSpooq, that are not mitigated with the newest security mechanisms.

GUI-Mimic, a cross platform recorder and fuzzer of Graphical User Interface

- by Vincent Raulin, Pierre-François Gimenez, Yufei Han, Valérie Viet Triem Tong and Léopold Ouairy

We are members of Inria/CentraleSupelec, in the CIDRE team. You can find the team's website at https://team.inria.fr/cidre/.

The CIDRE team is a cybersecurity research team spread across different faculties and laboratories in Rennes. Our project is focused on Windows malware analysis with the help of machine learning techniques. After obtaining my engineering degree at Ensimag, I joined this team to develop an explainable malware detector. GUI-Mimic is the first step toward this goal.

In program analysis, a fuzzing toolset is needed to automatically trigger software operations in a natural yet efficient way. Especially in dynamic analysis of malware, such a toolset can help execute the suspicious files to unveil their malicious payloads hidden by other benign-looking behaviors. In the field of software testing, this tool is necessary for triggering and testing the programmed functionalities. Nevertheless, there has not yet been an easy-to-use tool that works on Windows for the purpose of generating activity through the Graphical User Interface (GUI). To meet this requirement, in our work, we develop GUI-Mimic. It is designed to integrate some useful features for stimulating different types of software -- mouse and keyboard recording, random mouse and keyboard inputs, editing, trimming, randomization, transformations -- to deliver an easy-to-deploy GUI fuzzer over different Operating Systems. https://gitlab.inria.fr/vraulin/GUI-Mimic.

Exploiting CSP in WebKit to Break Authentication and Authorization

- by Prakash Sharma @1lastBr3ath and Sachin Thakuri @sachinnthakuri

Prakash Sharma is a Security Engineer at Threat Nix. His area of focus is in application security, where he constantly involves himself in finding unique ways of exploiting vulnerabilities and novel techniques otherwise unknown. He also enjoys finding subtle flaws in browsers' implementation of security features. He has been acknowledged by tech giants like Apple, Google, Facebook, Microsoft, etc. for his contributions in discovering vulnerabilities in their systems and improving their security posture. Aside from security, he is also an amateur photographer and an avid traveller.

Sachin Thakuri is an experienced security professional focusing on application and mobile security who has been in this field for 6+ years. Featured in various international media for his work, he is currently running his own security company that is based in Nepal.

When it comes to modern web applications, browsers are the first line of defense. While built-in security features that come compiled with browsers are responsible for preventing a wide array of attacks, any seemingly trivial mistake in browsers' implementation of such security features can have devastating effects. In this session, we will talk about a vulnerability in WebKit (Safari, and all browsers in iOS devices including Firefox and Chrome) and a security feature in browsers which, when abused, allowed us to leak certain cross-site information. This made almost every application using authentication/authorization technologies such as Single Sign-On and OAuth vulnerable, thus giving us instant access to user accounts. The talk will also include our take and workarounds on the latest browser features like ITP, SameSite Cookies, etc., and will use techniques and approaches to bypass common measures implemented to prevent such vulnerabilities.

Windows kernel snapshot-based fuzzing: the good, the bad and the ugly

- by Damien Aumaitre @erynian

Security Research at Quarkslab. He enjoys tinkering with operating systems, especially with low-level code like hypervisors.

Snapshot-based kernel fuzzing is really useful but can be tricky to set up. This talk will provide feedback on what is to be expected when you plan to do snapshot-based kernel fuzzing, along with advice drawn from what I learnt during the development of rewind.

High Speed Methods for Blind SQL Injections

- by Ruben Ventura @tr3w_

Ruben Ventura got involved in the fields of hacking and information security over 18 years ago. He has worked performing diverse security information services internationally for governments, law-enforcement agencies, many firms and a financial institution. He has been invited to speak at many international conferences such as Hack in Paris, Hackfest Quebec, BSides Philly, DragonJar Colombia, GreHack among many others. His interests include reverse engineering, music production, theoretical physics, molecular biology, psychology, meditation, lifting weights and coffee.

Cutting-edge and highly optimized methods for performing blind SQL injections will be presented. While sqlmap needs 10 seconds to extract 10 hashes, one of the tools released here needs just 1 second. A wide variety of techniques are used and combined in order to achieve this: inferential and deductive algorithms which only extract fragments of the information and the missing pieces are deduced (works 100% of the time), decision-making algorithms, tricks for avoiding the use of semaphores in multi-thread execution, injections that reach the desired data without the need to know any of the column or table names, bitwise techniques, and injections that use bit-superposition to extract multiple quantities of information with only one blind injection. The implementation of these ideas within carefully crafted code has resulted in the creation of the fastest tools on the planet for performing blind SQL injections. These tools will be released and explained.

Optimizing Server Side Template Injection Payloads for jinja2

- by Remi Gascou @podalirius_

When attacking Python-based web applications, we often need to find a way to execute commands on the server and escape from the application context. In order to get access to the underlying Python backend of a web application, an attacker can exploit common vulnerabilities such as Server Side Template Injection (SSTI) or Code Injections (CI), but how can we escape from this context? In this paper, I present a general approach to solve this problem by exploring Python modules and Python objects to find paths to high value targets, such as the os module or built-in functions. I will then use this technique to create the shortest payloads to access the os module in Python's jinja2 template engine.