From The Video Description: FAX machines, although being a reminiscent of a not-so-far past, are still present in lots of office spaces and can be frequently used for business and legal communications. Most of its technology was developed decades ago and, quite probably, remained mostly unchanged over the years. Legacy boxes, accessible via a phone call through the phone line and, frequently, connected to local networks via Ethernet. It sounds like a good plan for summertime research! - via ZeroNights 2018 Eric Sesterhenn's, Luis Merino's, Markus Vervier's video 'Zero Fax Given'
From The Video Description: We, Tencent Security Xuanwu Lab, have successfully carried out serveral remote attacks on the most popular git web servers in 2018. This time we are willing to share our full, in-depth details on this research. In this presentation, we will explain the inner working of this technique. Multiple 0-days of different git web servers are included in this presentation.
We will also present an in-depth analysis of the attack surfaces in the most popular git web servers, including the Gitlab, Github enterprise, Gogs and Gitea. For instance, we exploited a vulnerability on CI Runner to hack into the intranet of Gitlab; we have also found serveral remote code execution (RCE) and server-side request forgery (SSRF) vulnerabilities in Gogs and Gitea.
Finally, we will talk about two attack chains to successfully perform remote code execution on Gogs. To the best of our knowledge, this presentation will be the first to demonstrate these new attack surfaces of git web servers. - via ZeroNights 2018 and Junyu Zhou's, Wenxu Wu's 'Attack Surfaces Against GIT Web Servers Used By Thousands Of Developers'
From the Video Description: USB is one of the most common interfaces supported on modern computers. Modern OSes offer tons of USB drivers to support frequently used USB device classes. For other 3rd party USB devices, Microsoft provides automatic driver downloading and installation via Windows AutoUpdate Service. In this talk, we consider this as a novel attacking surface exposed by Windows. via ZeroNights 2018 and HC Ma's 'Massive Scale USB Device Driver Fuzz WITHOUT Device'
From the Video Description: It has been years since NTLM authentication protocol is introduced in Windows. NTLM relay is one of the most famous attacks, which attacker can act as the victim without knowing the credentials. Microsoft has released lots of patches against it. There are usually two steps in the working exploits nowadays, one for leak NET-NTLM Hash of a victim, the other is relaying it to another machine.
In this presentation, we will introduce and detail two new attack vectors. The first one is leaking NET-NTLM Hash in Chrome, while previous attacks targeting browsers can only affect IE/Edge. It can be chained with other services to achieve remote code execution without any interaction with a victim. The other one is bypassing MS08-068 patch in some condition and achieving direct remote code execution by relaying Net-NTLM Hash to the machine itself. Finally, we will release a tool, which can be used to launch those attacks automatically. - via Jianing Wang's & Junyu Zhous' 'NTLM Relay Reloaded: Attack Methods You Do Not Know'
From The Video Description: It is a fact, software has bugs and compilers (software which build other software) are not an exception. The CVE-2018-8232 discloses a vulnerability found in ML compiler from Microsoft which is used to compile assembly code since decades. This vulnerability is able to introduce a misinterpretation of conditions resulting in a gap between what is written in the source code to what is really compiled and executed by a machine. Of course, if this gap of behavior would only be for the sake of speaking, it will not be fun. In this presentation, we will talk about how it has been possible to exploit the vulnerability to silently introduce operational backdoors in any software compiled with ML, with no risk to be discovered. The result is to provide to a normally not authorized user an access to a higher credential such as runas software does. Attendees to the talk will learn how critical compilers are for security, the methodology to introduce a backdoor in a software at compiler level and how a company such as Microsoft dealt (or did not deal) to correct a bug in a compiler which potentially impacted other software for at least 30 years. - David Baptiste's Vulnerability In Compiler Leads To Stealth Backdoor In Software
From The Video Description: "Often, when doing reverse engineering projects, one needs to import symbols from Open Source or «leaked» code bases into IDA databases. What everybody does is to compile to binary, diff and import the matches. However, it is often problematic due to compiler optimizations, flags used, etc… It can be even impossible because old source codes do not compile with newer compilers or, simply, because there is no full source, just partial source code. During the talk, I will discuss algorithms for importing symbols directly from C source codes into IDA databases and release a tool (that will run, most likely, on top of Diaphora) for doing so." - via Joxean Koret's 'Diffing C Source Codes To Binaries'
From The video Description: The substitution of foreign ICS systems is an interesting process from the point of view of vulnerability searching. On the one hand, foreign companies have already made much progress in fixing vulnerabilities in their devices. On the other hand, international practices and experience of development, working with vulnerabilities and disclosing them are neglected by Russian vendors. In this talk, I will tell you several real-life stories of interacting with Russian ICS vendors and compare the experience of working with vulnerabilities in the products of both foreign and Russian vendors. - via Vladimir Dashchenko's 'Denial, Anger, Bargaining, Depression, Acceptance - Reporting 0days To Vendors'**
From The Video Description: "Unmonitored and unpatched BMC (remote administration hardware feature for servers) are an almost certain source of chaos. They have the potential to completely undermined the security of complex network infrastructures and data centers. Our on-going effort to analyze HPE iLO systems (4 and 5) resulted in the discovery of many vulnerabilities, the last one having the capacity to fully compromise the iLO chip from the host system itself. This talk will show how a combination of these vulnerabilities can turn an iLO BMC into a revolving door between an administration network and the production network." - via Alexandre Gazet's, Fabien (0xf4b) Perigaud's & Joffrey (@_Sn0rkY) Czarny - 'Turning Your BMC Into A Revolving Door'