ZeroNights 2018, Eric Sesterhenn's, Luis Merino's, Markus Vervier's 'Zero Fax Given' →
From The Video Description: FAX machines, although reminiscent of a not-so-distant past, are still present in lots of office spaces and are frequently used for business and legal communications. Most of their technology was developed decades ago and, quite probably, has remained mostly unchanged over the years. They are legacy boxes, accessible via a phone call through the phone line and, frequently, connected to local networks via Ethernet. It sounds like a good plan for summertime research! - via ZeroNights 2018 and Eric Sesterhenn's, Luis Merino's, Markus Vervier's video 'Zero Fax Given'
ZeroNights 2018, Junyu Zhou's, Wenxu Wu's 'Attack Surfaces Against GIT Web Servers Used By Thousands Of Developers' →
From The Video Description: We, Tencent Security Xuanwu Lab, have successfully carried out several remote attacks on the most popular git web servers in 2018. This time we are willing to share the full, in-depth details of this research. In this presentation, we will explain the inner workings of this technique. Multiple 0-days in different git web servers are included in this presentation.
We will also present an in-depth analysis of the attack surfaces in the most popular git web servers, including GitLab, GitHub Enterprise, Gogs and Gitea. For instance, we exploited a vulnerability in CI Runner to hack into the intranet of GitLab; we have also found several remote code execution (RCE) and server-side request forgery (SSRF) vulnerabilities in Gogs and Gitea.
Finally, we will talk about two attack chains to successfully perform remote code execution on Gogs. To the best of our knowledge, this presentation will be the first to demonstrate these new attack surfaces of git web servers. - via ZeroNights 2018 and Junyu Zhou's, Wenxu Wu's 'Attack Surfaces Against GIT Web Servers Used By Thousands Of Developers'
ZeroNights 2018, HC Ma's 'Massive Scale USB Device Driver Fuzz WITHOUT Device' →
From The Video Description: USB is one of the most common interfaces supported on modern computers. Modern OSes offer tons of USB drivers to support frequently used USB device classes. For other 3rd-party USB devices, Microsoft provides automatic driver downloading and installation via the Windows AutoUpdate Service. In this talk, we consider this a novel attack surface exposed by Windows. - via ZeroNights 2018 and HC Ma's 'Massive Scale USB Device Driver Fuzz WITHOUT Device'
ZeroNights 2018, Ilya Nesterov's & Sergey Shekyan's 'Unveiling The Cloak: A Look At What Happens When You Click That Link' →
From The Video Description: We are going to introduce you to the world of cloaking: how it evolved from simple IP filtering to the sophisticated platforms used for fraud and bot detection.
Web cloaking is a technique used to circumvent the automatic content analysis systems used by major ad networks and content providers. Cloaking systems are used by those trying to publish content that would otherwise be blocked by content providers. Examples vary from regulated industries like pornography or cryptocurrencies to malware-distributing websites and political propaganda.
You will learn about the demand for services offering moderation circumvention, the levels of sophistication for various players in the market, and what can be done to defeat web cloaking successfully. We will discuss our adventures of buying the most advanced web cloaking service and thoroughly dissecting it. Ilya works with user-generated content platforms and Sergey works on web traffic automation detection. We will discuss how much web cloaking has in common with modern fraud and automated detection systems. We will go over web cloaking campaign survival time (some systems advertise their services lasting up to 3 months); the techniques developers use to achieve these numbers; and strategies they use to stay undetected for so long.
We will conclude by overviewing existing methodologies used to minimize the negative effects of web cloaking and suggest new defense mechanisms. - via ZeroNights 2018 and Ilya Nesterov's & Sergey Shekyan's 'Unveiling The Cloak: A Look At What Happens When You Click That Link'
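The description traces cloaking from "simple IP filtering" to sophisticated platforms. The following Python is an added example, not code from the talk or its authors, showing only that simplest form: a cloaker-side decision that serves a harmless "white" page to visitors arriving from a reviewer address range or with a crawler-looking user agent, and the real page to everyone else, next to the most basic detector, which fetches the same URL from several vantage points and flags the site when the bodies disagree. The reviewer network 203.0.113.0/24, the user-agent markers, the two page bodies and the two vantage points are all constructed for the example (the addresses come from the documentation ranges), and the `serve` callable stands in for a real HTTP fetch so the block runs offline.

```python
import hashlib
import ipaddress
from dataclasses import dataclass

# Constructed for this example: address ranges a cloaker treats as "reviewers"
# (ad-network crawlers, security scanners) and user-agent fragments it refuses
# to serve the real page to. 203.0.113.0/24 is a documentation range.
REVIEWER_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
BOT_UA_MARKERS = ("bot", "crawler", "spider", "headlesschrome")

# Constructed page bodies: the innocuous "white" page shown to reviewers and
# the "black" page shown to everyone else.
SAFE_PAGE = "<html><body><h1>Home and garden tips</h1></body></html>"
REAL_PAGE = "<html><body><h1>Download the 'free' toolbar</h1></body></html>"


@dataclass(frozen=True)
class Request:
    ip: str
    user_agent: str


def looks_like_reviewer(req: Request) -> bool:
    """Cloaker-side decision: IP-range filter first, then a user-agent check."""
    addr = ipaddress.ip_address(req.ip)
    if any(addr in net for net in REVIEWER_NETWORKS):
        return True
    ua = req.user_agent.lower()
    return any(marker in ua for marker in BOT_UA_MARKERS)


def cloaked_serve(req: Request) -> str:
    """What a cloaking front-end returns for a given visitor."""
    return SAFE_PAGE if looks_like_reviewer(req) else REAL_PAGE


def fingerprint(body: str) -> str:
    """Short content hash used to compare responses across vantage points."""
    return hashlib.sha256(body.encode("utf-8")).hexdigest()[:16]


def detect_cloaking(serve, vantage_points: dict) -> dict:
    """Detector side: fetch the same URL from several vantage points and flag
    the site if the bodies disagree. `serve` stands in for the HTTP fetch."""
    fingerprints = {name: fingerprint(serve(req)) for name, req in vantage_points.items()}
    return {"cloaked": len(set(fingerprints.values())) > 1, "fingerprints": fingerprints}


# Constructed vantage points: a crawler from the reviewer range and a
# residential-looking browser. 198.51.100.0/24 is another documentation range.
VANTAGE_POINTS = {
    "crawler": Request("203.0.113.5", "Mozilla/5.0 (compatible; ExampleBot/1.0)"),
    "residential": Request("198.51.100.7", "Mozilla/5.0 (Windows NT 10.0) Chrome/70.0"),
}

if __name__ == "__main__":
    print(detect_cloaking(cloaked_serve, VANTAGE_POINTS))
```

Two caveats that follow directly from the example's shape: a detector that compares raw hashes is fooled by any legitimately dynamic page (timestamps, per-visitor tokens), so a real one normalizes or compares structure rather than bytes; and because the cloaker's own test is "does this visitor look like a reviewer", the detector's vantage points only work if they pass that test, which is why the description frames the more advanced services as bot-detection platforms rather than IP lists.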
ZeroNights 2018, David Baptiste's 'Vulnerability In Compiler Leads To Stealth Backdoor In Software' →
From The Video Description: It is a fact that software has bugs, and compilers (software which builds other software) are no exception. CVE-2018-8232 discloses a vulnerability found in the ML compiler from Microsoft, which has been used to compile assembly code for decades. This vulnerability is able to introduce a misinterpretation of conditions, resulting in a gap between what is written in the source code and what is really compiled and executed by the machine. Of course, if this gap in behavior were only something to talk about, it would not be fun. In this presentation, we will talk about how it has been possible to exploit the vulnerability to silently introduce operational backdoors in any software compiled with ML, with no risk of being discovered. The result is to provide a normally unauthorized user with access to a higher credential, as the runas software does. Attendees of the talk will learn how critical compilers are for security, the methodology for introducing a backdoor into software at the compiler level, and how a company such as Microsoft dealt (or did not deal) with correcting a bug in a compiler which potentially impacted other software for at least 30 years. - via ZeroNights 2018 and David Baptiste's 'Vulnerability In Compiler Leads To Stealth Backdoor In Software'
ZeroNights 2018, Joxean Koret's 'Diffing C Source Codes To Binaries' →
From The Video Description: "Often, when doing reverse engineering projects, one needs to import symbols from Open Source or «leaked» code bases into IDA databases. What everybody does is to compile to binary, diff and import the matches. However, it is often problematic due to compiler optimizations, flags used, etc… It can be even impossible because old source codes do not compile with newer compilers or, simply, because there is no full source, just partial source code. During the talk, I will discuss algorithms for importing symbols directly from C source codes into IDA databases and release a tool (that will run, most likely, on top of Diaphora) for doing so." - via Joxean Koret's 'Diffing C Source Codes To Binaries'
ZeroNights 2018, Vladimir Dashchenko's 'Denial, Anger, Bargaining, Depression, Acceptance - Reporting 0days To Vendors' →
From The Video Description: The substitution of foreign ICS systems is an interesting process from the point of view of vulnerability searching. On the one hand, foreign companies have already made much progress in fixing vulnerabilities in their devices. On the other hand, international practices and experience in development, working with vulnerabilities and disclosing them are neglected by Russian vendors. In this talk, I will tell you several real-life stories of interacting with Russian ICS vendors and compare the experience of working with vulnerabilities in the products of both foreign and Russian vendors. - via ZeroNights 2018 and Vladimir Dashchenko's 'Denial, Anger, Bargaining, Depression, Acceptance - Reporting 0days To Vendors'
ZeroNights 2018, Alexandre Gazet's, Fabien (0xf4b) Perigaud's & Joffrey (@_Sn0rkY) Czarny's 'Turning Your BMC Into A Revolving Door' →
From The Video Description: "Unmonitored and unpatched BMCs (the remote administration hardware feature of servers) are an almost certain source of chaos. They have the potential to completely undermine the security of complex network infrastructures and data centers. Our ongoing effort to analyze HPE iLO systems (4 and 5) resulted in the discovery of many vulnerabilities, the last one having the capacity to fully compromise the iLO chip from the host system itself. This talk will show how a combination of these vulnerabilities can turn an iLO BMC into a revolving door between an administration network and the production network." - via ZeroNights 2018 and Alexandre Gazet's, Fabien (0xf4b) Perigaud's & Joffrey (@_Sn0rkY) Czarny's 'Turning Your BMC Into A Revolving Door'