RandoriSec

This year's GreHack edition was split over two days: the first was dedicated to the conference and the workshops, the second to the CTF. As last year, RandoriSec was a proud sponsor of the GreHack conference, and several RandoriSec consultants attended.

This blog post is a review of our favorite talks.

Attacking hypervisors - A practical case – Corentin Bayet

Slides

In this talk, Corentin Bayet showed us how he conducted vulnerability research targeting VirtualBox on Windows for Pwn2Own. He started by quickly explaining the core concepts of virtualisation and showed us the tools he used to write his exploits.

After a quick presentation of the state of the art, he attempted to reproduce an uninitialised memory read bug (CVE-2023-21988) in PGMPhysRead. This function handles reads from guest memory and supports MMIO accesses, but did not check that the output buffer (the data read from guest memory) was completely filled. The bug arose when an MMIO handler returned an error that left the buffer partially filled; it was patched by filling the output buffer completely in the event of an error. However, he found that some MMIO handlers neither fill the output buffer correctly nor return an error, resulting in a variant of the bug. This state-of-the-art review thus yielded a variant of a pre-existing bug and a leak that bypasses ASLR in the host process.

He then started his own vulnerability research. After many unexploitable bugs, he looked at the virtio drivers implemented in VirtualBox. Virtio drivers use virtqueues, which let a driver send large amounts of data without using contiguous memory. A virtqueue is implemented as a queue of segment descriptors, each describing a chunk of contiguous memory to read or write. VirtualBox reads each segment descriptor and stores it in a VIRTQBUF object, whose fixed-size list can hold 1024 segment descriptors. By default a virtqueue has at most 1024 descriptors, but the guest can change this by writing to an MMIO register. VirtualBox does not reflect the change in VIRTQBUF, so descriptors past the 1024th position are written out of bounds. He chose to exploit the OOB write in the virtio network card, where VIRTQBUF is allocated on the stack, so the bug becomes a stack buffer overflow.
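To make the missing bound concrete, here is a simplified model of the descriptor walk described above, written for this review (hypothetical names, not VirtualBox code). It shows the two checks a device needs: the queue size the guest negotiates through the register must be clamped to what the segment list can hold, and the walk itself must still bound the list independently, which also stops a guest-built descriptor cycle.

```python
from dataclasses import dataclass
from typing import List, Optional

VIRTQBUF_MAX_SEGS = 1024   # fixed capacity of the device's segment list (VIRTQBUF in the talk)
VIRTQ_DESC_F_NEXT = 0x1    # descriptor flag: the chain continues at .next


@dataclass
class VirtqDesc:            # one split-virtqueue descriptor: a chunk of contiguous guest memory
    addr: int
    length: int
    flags: int = 0
    next: int = 0


class VirtqueueDevice:
    """Device-side view of one virtqueue (hypothetical model, not VirtualBox code)."""
    def __init__(self, ring: List[VirtqDesc]) -> None:
        self.ring = ring                                  # descriptor table owned by the guest
        self.queue_size = min(len(ring), VIRTQBUF_MAX_SEGS)

    def write_queue_size_register(self, value: int) -> bool:
        """MMIO register write: the negotiated size may never exceed what the segment list holds."""
        if value == 0 or value > VIRTQBUF_MAX_SEGS or value > len(self.ring):
            return False                                  # reject; keep the previous valid size
        self.queue_size = value
        return True

    def collect_chain(self, head: int) -> Optional[List[VirtqDesc]]:
        """Copy the chain starting at `head` into a bounded list; None if the chain is malformed."""
        segs: List[VirtqDesc] = []
        idx = head
        while True:
            if idx >= self.queue_size:
                return None                               # guest-controlled index outside the ring
            if len(segs) >= VIRTQBUF_MAX_SEGS:
                return None                               # the bound the talk's bug lacked; also stops cycles
            desc = self.ring[idx]
            segs.append(desc)
            if not desc.flags & VIRTQ_DESC_F_NEXT:
                return segs
            idx = desc.next


# Constructed sample ring (not captured from a guest): 0 -> 1 -> 2 terminates; 3 -> 3 is a cycle.
SAMPLE_RING = [
    VirtqDesc(0x1000, 64, VIRTQ_DESC_F_NEXT, 1),
    VirtqDesc(0x2000, 64, VIRTQ_DESC_F_NEXT, 2),
    VirtqDesc(0x3000, 64),
    VirtqDesc(0x4000, 64, VIRTQ_DESC_F_NEXT, 3),
]
```

In C the second check is what keeps the write inside the on-stack array; without it a guest that enlarged the queue through the register simply runs the loop past the 1024th slot.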

The speaker could not fully control the descriptor content written into the VIRTQBUF list, so he could not overwrite the saved RIP on the stack to gain code execution (VirtualBox is compiled without stack canaries). Instead, he chose to overwrite arguments passed to the function in which VIRTQBUF was allocated; these arguments are pointers to objects containing function pointers that are called dynamically. By overwriting them he obtained an arbitrary write primitive, and with the memory leak from the previous bug he overwrote the stack frame of a function waiting on an event and obtained code execution.

Corentin Bayet and his colleague Bruno Pujos chained these two bugs with a Windows privilege escalation and successfully escaped from the guest OS to host admin/NT AUTHORITY\SYSTEM at Pwn2Own. The talk was very interesting and motivating for doing vulnerability research on hypervisors.

MIFARE Classic: exposing the static encrypted nonce variant - I’ve got a bit more, should I throw it in? – Philippe Teuwen

Paper Blogpost

This talk by Philippe Teuwen presents his recent research on a topic that isn't really new: MIFARE Classic badges.

These RFID badges are well known for implementing a weak cryptographic protocol, CRYPTO-1, which has many vulnerabilities. Teuwen briefly went over these and then moved to the meat of the talk: his new attack. He discovered a backdoor that is shared across many card types.

CRYPTO-1 is based on a Linear Feedback Shift Register (LFSR). For authentication, the reader sends an authenticate command specifying the keyslot to authenticate against, and the card responds with a nonce. Most attacks rely on properties of this nonce that leak the internal state of the LFSR and allow an attacker to recover the key.

The novel attack relies on keys being repeated across multiple sectors (keyslots) of the same badge. The authentication nonce sent by the card depends in some way on the selected keyslot. Using a "smart" brute force, Teuwen can check whether the selected key is reused on other sectors of the badge. Key reuse leads to key recovery using already known attacks; thus one can recover two keyslots just by guessing that they share the same key.

This led Teuwen to discover that some sectors seem to ask for an unknown key. He guessed that this key might be repeated across multiple sectors and ended up finding it. Apparently, this key is present across multiple smartcards, including ones from the vendors Fudan, Infineon and NXP.

He also covered variants of this attack, leading to a full dump of the card and a faster brute force, and elaborated on the possible supply-chain attacks available to anyone with knowledge of the backdoor.

Exploring malware distribution via user web browsing – Quentin Bourgue

This talk by Quentin Bourgue from Sekoia delved into the emerging ClickFix social engineering tactic (and its variants), widely used for malware distribution.

The first initial access broker leveraging ClickFix was spotted in March 2024 by Proofpoint researchers. As its name suggests, it tricks users into thinking there is an issue to fix: quite classic, isn't it? What's new is that users are asked to perform the action themselves on their system, bypassing any browser security features. Furthermore, these drive-by download attacks mostly execute fileless scripts (mainly via PowerShell or Mshta) to connect to C2 servers, bypassing file-scanning security measures.

On a malicious reCAPTCHA v2 lookalike page, users are kindly asked to paste their clipboard content into the Windows Run dialog to prove they are human: Win + R, Ctrl + V, Enter. They actually execute multiple chained scripts that end up running the Lumma stealer.

Malware distribution can be highly organized and is even sold as a service on cybercrime forums. Sekoia's Threat Detection & Research team proactively looks for new distribution clusters and seeks to enumerate their infrastructure. Discovery can be achieved through indicators such as a legitimate favicon used on non-legitimate domains, or web content containing ClickFix staples (e.g. "Ctrl + V", "Press the key combination"). Infrastructure enumeration is then conducted through other indicators, such as TLS certificates; for example, the ClickFix variant ClearFake used the same common names on its certificates for a couple of months.
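As an added illustration of the content-based discovery described above (written for this review, not Sekoia's tooling), the scorer below triages fetched HTML for ClickFix-style lures. The two "talk" staples are the ones quoted in the talk; the Run-dialog, human-check and clipboard-write indicators, and all the weights, are this example's own assumptions to tune on local data.

```python
import re
from dataclasses import dataclass, field
from typing import List

# (weight, name, pattern). The two "talk" staples are quoted in the talk; the rest are this example's
# own assumptions, and the weights are arbitrary starting points to tune on local data.
INDICATORS = [
    (1, "staple:ctrl+v",   re.compile(r"ctrl\s*\+\s*v", re.I)),                         # talk
    (1, "staple:keycombo", re.compile(r"press the key combination", re.I)),             # talk
    (1, "run-dialog",      re.compile(r"win(dows)?\s*(key\s*)?\+\s*r\b", re.I)),        # assumption
    (1, "human-check",     re.compile(r"(verify|prove)\s+(that\s+)?you('| a)?re\s+human", re.I)),  # assumption
    (2, "clipboard-write", re.compile(r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy", re.I)),  # assumption
    (2, "lolbin-in-page",  re.compile(r"\b(powershell|mshta)\b", re.I)),                # interpreters named in the talk
]
RAW_SOURCE_INDICATORS = {"clipboard-write", "lolbin-in-page"}   # matched on the raw HTML, not the visible text
THRESHOLD = 3


@dataclass
class Verdict:
    score: int = 0
    hits: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= THRESHOLD


def strip_tags(html: str) -> str:
    """Crude tag removal; enough for a keyword pass over what the visitor would read."""
    return re.sub(r"<[^>]+>", " ", html)


def score_page(html: str) -> Verdict:
    text = strip_tags(html)
    verdict = Verdict()
    for weight, name, pattern in INDICATORS:
        haystack = html if name in RAW_SOURCE_INDICATORS else text
        if pattern.search(haystack):
            verdict.score += weight
            verdict.hits.append(name)
    return verdict


# Constructed samples, not real captures. The lure mimics the reCAPTCHA flow described in the talk.
LURE_HTML = """<div class="rc-anchor-content">Verify you are human</div>
<p>Press the key combination Win + R, then Ctrl + V and press Enter.</p>
<script>navigator.clipboard.writeText("mshta PLACEHOLDER_URL");</script>"""
BENIGN_HTML = """<form><label>Search</label><input name="q"><p>Press Enter to submit.</p></form>"""
```

Run it over crawled or proxied page bodies and pivot from the hits (favicon, certificate common name) to enumerate the rest of the cluster, as the talk describes.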

This research also led to the discovery of Telegram bots displaying statistics about these malware distributions.

Deep Dive in Laravel encryption security – Rémi Matasse and Michaël Benassouli

This research, presented by Synacktiv, focuses on a vulnerability in Laravel's decryption function. Laravel is a widely used PHP framework: more than 1 million websites run on it.

The decryption function, as well as the encryption one, is part of the Illuminate\Encryption package, used by default in Laravel applications. To encrypt data, the function uses the APP_KEY variable generated when a new Laravel application is created. This variable can be retrieved from exposed .env and/or config/app.php files, or by brute-forcing encrypted data against known, reused APP_KEYs.

The vulnerability arises because the decrypt function deserializes the data by default when processing it, and because Laravel contains several gadget chains. Therefore, if the APP_KEY has been obtained and data can be sent to the decrypt function, remote code execution can be achieved.

To perform the attack, Synacktiv's team developed a tool called Laravel crypto killer. It can encrypt/decrypt data and brute-force known APP_KEYs. To achieve remote code execution, the tool takes as input the APP_KEY and a serialized payload generated with tools such as phpggc. Finally, the generated string can be passed to the decrypt function, which will execute the payload!

The study conducted by the research team on publicly available Laravel applications highlighted that hundreds of them were reusing known keys and were therefore potentially vulnerable.

This talk was very interesting as it underlines the importance of a proper project settings review and key management before publishing a new application.

Back to the failure - has your physical security really evolved in the last 40 years? – Simon Geusebroek

This talk is about physical penetration testing, which the speaker describes as the application of traditional pentesting to the physical world. Instead of targeting computers or servers, it targets facilities. The two are similar in that they rely on the same regulatory framework and share the goal of finding vulnerabilities to improve security.

The introduction begins with the 1992 film "Sneakers" and its examples of physical intrusion, drawing a parallel with today's world: all the techniques used in the film still work today. Firstly, the site manager may have neglected site security. This can also happen when the company cuts costs by outsourcing security to a third party, which then hides behind its insurance in the event of a problem. However, this puts brand reputation, intellectual property and industrial knowledge at risk, with no guarantee against physical intrusion. In addition, everyone assumes that security is someone else's responsibility.

He then debunks 10 false beliefs that have existed since the early days of the Internet.

  1. Absence of cylinders: even if a door is locked by a badge access system, a cylinder must still be present. During a physical pentest, the absence of a cylinder made intrusion easy: a cheap 3€ plastic key unlocked in 1 second a door that appeared to have robust badge access.

  2. Default locks: leaving default locks in place in the belief that they are sufficient is risky. Just as there are wordlists of default passwords, there are standardized physical keys available on the Internet that can open many default locks for less than 40 euros. They can even open very expensive doors.

  3. Weak locks: strong locks should also be used on emergency exits. He gives the example of a highly secured building with four levels of access control, nested like Russian dolls, but with an emergency exit door at the back that bypasses all the protection and gives direct access to level 4. The owner assumes the intruder will use the main entrance; in reality, it is possible to break in through the emergency exit, which is protected by a cheap 10€ lock cylinder.

  4. Just FUD: he uses the example of a fence that has already been breached, which is not uncommon. That path will probably be the one chosen by someone trying to break into the facility, and it effectively bypasses all the security mechanisms. Moreover, it's often impossible to determine whether this path has already been used, as no alerts have been generated. Beware of misperceptions: if nothing has been detected, this does not necessarily mean there is no vulnerability, but rather that the resources needed to detect it are not in place. As cyber security becomes more robust, physical intrusion becomes the weakest link in the overall security of IT systems. As an attacker, which would you choose? Choice A: hardened, tested and heavily monitored cyber security. Choice B: weak, untested and poorly monitored physical access.

  5. Just a reminder for honest people: a determined attacker may succeed in penetrating a system, but this requires time and resources (tools, training, funding, etc.). An intrusion must be worth the potential gain compared with the effort required. Security systems raise the level of defence to make an attack costlier and therefore reduce the risk of it occurring.

  6. Physical security cost: the most expensive solutions are not necessarily the most effective, as the following example of a gate shows. During a physical pentest, a conventional gate protected a site, secured by a padlock and chain and monitored by a camera. Although intrusion was possible, it was risky. The company decided to replace it with a highly expensive monumental gate whose drawbolt is exposed to the outside, making the key useless. In addition, a default key was used, and as seen before a 40€ kit can open and close the gate. The illusion of legitimacy in front of the camera was also reinforced by using a working key.

  7. Certification value: the premise is simple: we place a great deal of credibility in certifications such as A2P, VdS, SBD, Sold Secure, CEN 3, and so on. However, they have limitations: they do not consider age, installation details or the environment. The speaker gave the example of a door that is theoretically highly secure (> 50k€) but has an old and faulty dead latch that can be opened in a few seconds with a cheap tool.

  8. This will protect you against evil intruders, 100% guaranteed: stacking additional security devices is not always the best option, especially if weak points are not mitigated. In addition, poorly chosen equipment can even reduce security, as the gate example illustrates. It's important not to blindly trust what vendors say, as their solutions may be biased by their interests and may not be the most effective for your situation.

  9. IDS: having an IDS and vigilant staff does not guarantee that an intruder will be detected. Real intruders don't try to hide. Their best strategy is to act openly, give themselves a legitimate appearance and justify their suspicious actions, thus avoiding any intervention. An intruder could, for example, take advantage of a lunch break to observe and analyze the security of a sensitive site without being considered a threat. It is also possible to bypass security in very simple ways, because no one expects a real intrusion.

  10. The weakest link: outsourcing physical security to a third-party company can increase the risk. The speaker uses the example of a security guard who asks: "Who are you, what are you doing here?" "We're from head office, we're checking the doors; we've seen a door that's not properly locked, it's an abnormal situation, we must report it. It could even be dangerous." The guard apologizes, and they can continue. It doesn't end there: one hour later, in a more sensitive area of the company, the guard, who never checked whether the attackers were legitimate, appeared and told them "Thank you for your work, you're doing an excellent job, keep up the good work".

To conclude: when it comes to physical security, there's no need to reinvent the wheel; just apply the same principles that have been used in cybersecurity for decades: don't assume something works, test it! To strengthen security, we need to find weak points, test them, check and resolve them, and start the process all over again. This simply follows the classic PDCA (plan-do-check-act) cycle.