Some feedback from the HITB 2012 conferenceWed 20 June 2012 by cedric
Recently, HITB 2012 took place in Amsterdam (Okura Hotel) and some of us attended.
Impressed by the quality of the conference, we will try to summarize here all presentations that we attended.Also, Sogeti NL organized three challenges (Web application, WiFi and Social Engineering).
Sébastien RENAUD and Kévin SZKUDLAPSKI of Quarkslab presented a new feature in Windows 8 comparing it with Windows 7.
Indeed, Microsoft introduced a new interface: 'Metro'. Metro enables users to download applications in the Windows store. Each application is checked (API and DLL Characterics), and its signature is controlled. But the API list checking has its limits, if we retrieve the API address dynamically.
Metro provides a new way to secure users from malicious applications offering only one way to download applications (from Windows Store which will check these applications), and providing a certain level of isolation for each of them thanks to the new sandbox concept 'AppContainer'.
Curious about the title, we attempted this talk presented by Itzhak Avraham (Founder of zImperium) & Nir Goldshlager (Senior Researcher in zImperium).
Here were presented ways to find bug in Google services. As we know many Bug bounty programs exist to encourage security researchers to find bugs in softwares to help firms making more secure programs. Thereby, bugs finding sometimes looks like a race against the clock. What these two researchers did, is to track services and acquisitions of Google services to test it.
They shown that some mitigations techniques prevented from XSS, but there was still some possible ways using the Error message, or non-suspected functions that finaly weren't protected. Itzhak Avraham and Nir Goldshlager tried also to attack acquiered services by Google, and it got some interesting results. Indeed, acquiered services are sometimes not checked, or not enougth and sometimes also contains vulnerable & exploitable applications, to gain much more accesses.
Adam Gowiak (from Security Exploitations) has presented ways to attack the digital satellite platforms. Digital satellite TV set-top-box devices are not so well known platforms to attack because of the dedicated hardware and software. Connected to the internet, they provide: IPTV, Video on Demand, remote DVR, Internet radio, and so on.
Among these vulnerabilities, it was possible to perform a remote attack against the network, satellite set-top-box and put a persistent malware code. In addition, a vulnerable set-top-box allows a malicious user to capture and share satellite TV signal as he wants to (without paying) after getting root access on the box.
Others attacks were presented like privilege elevation in Carbo set-top-box (in addition to Hermes), persistent backdoor installation, message spoofing on XML files, Hermes System Software Upgrade keys which are broadcasted in plain-text, replay attack against PUSH VOD, and so on.
As we could see, many security issues exists in set-top-box, mainly because of the bad implementations. But these infrastructures that are also exotic, and are not convenient at all because of some changes made, especially on the web browser configurations and so on. This talk gave a good overview of satellite TV set-top-boxes security, and attacks that could be performed in the same ways with boxes in other countries.
Finally, we could not miss the iPhone talks from the iOS jailbreak guys (Joshua Hill, Cyril, Nikias Bassen, David Wang to quote only a few).
They first explained all the security measures that Apple takes to protect the integrity and confidentiality of their devices. Then they detailed the techniques used to jailbreak the latest devices using Corona. This jailbreak was released before HITB but has finally been well-explained in this presentation.
The racoon (VPN binary) format string attack (still there in 2012!) allowed them to execute code, but they needed an additional kernel vulnerability (the HFS+ kernel exploit) in order to patch the kernel memory and disable all the security checks at runtime.
They use the already well-known bootrom vulnerability to inject the jailbreak. The injected files concern the racoom binary and allow to get code execution at each startup. ROP (Return Oriented Programming) is needed since everything that get executed needs to be signed.
The kernel vulnerability allows them to patch the kernel memory since everything is RWX.
They are able to bypass the ASLR at each startup using a launchd flag (DisableASLR) that will probably disappear.
There is no public bootrom or bootloader vulnerability for the last devices (iPad2/3 or iPhone 4S) so they are not able to decrypt the firmware files. Consequently, they can't decrypt the kernel and analyze it. Since no one can exploit a target without knowing it, they needed to get the kernel dump at runtime.
To inject the jailbreak, they use a vulnerability in the regular Backup mechanism (with iTunes) and the racoon binary. Note: It will be interesting to see if it is possible to do it remotely using the new iCloud services.
They also needed a way to bypass ASLR because they could not use yet the Disable ASLR flag. They used the regular crash report from Apple to get base addresses information and compute the right ROP payload to execute on the device. They did that from the computer jailbreak tool directly using the regular iTunes procedure and an otherwise unused NULL pointer vulnerability in MobileBackup.
It was really great having all the jailbreak teams in one place!
Sogeti Netherland organized three different challenges: Web application, WiFi, and Social Engineering.
We focused on the Social Engineering challenge. We had to fill a form: we got to find a lot of phone numbers to call and as much information as possible to help us getting further information. The funny thing was that we got only 'Nederlander' company to call.
After that, we got to call the company with the presence of Sogeti Staff, and ask them about the Operating System they use, OS version, if they use adobe reader, and corresponding version. There was also some URLs that we could make them visit (pdf, a page with flash, and so on) that could gave us much more points.
The real challenge was to keep the speaker on the phone, being as much understandable as possible (not as simple when you are talking to people not specialized in computer areas). What was really interesting is the fact that some (non-technical) people were really kind and helpful and gave us all kind of information (browser, operating system, e-mail client) and were ready to give us their respective versions but did not know where to look for that. Instead, they proposed to give us the IT support...
To sum things up, great conference and we hope to get there next year!