Earlier in May we had the opportunity to attend the famous OffensiveCon. To put it simply: it was amazing. The talks were incredible and covered a wide variety of technical topics. All content was clean and well presented. The organization was great, with great food, and most important: great parties with fancy cocktails in really cool places. All the legends are true, this is the best conference in Europe. We cannot wait for next year. Thanks a lot to the organizers of OffensiveCon for such an event.
Escaping the Safari Sandbox: A Tour of Webkit IPC - Quentin Meffre
WebKit is the browser engine used by Safari on Apple devices. At the beginning of his presentation, Quentin described the architecture of WebKit. Initially, WebKit ran in a single process, where a vulnerability could have a huge impact. Now the engine is divided into multiple processes, each with a specific task to perform. The most exposed processes are the WebContent processes, where the web page is rendered; they are also the ones with the tightest restrictions. For inter-process communication, WebKit uses Mach messages. This mechanism allows Objective-C objects to be sent between different processes, which has led to several deserialization vulnerabilities. Apple has implemented many mitigations to prevent exploitation of this mechanism. Finally, Quentin talked about the Pointer Authentication Code (PAC) mitigation. He presented how DYLD could be used to bypass it and how this was used in Operation Triangulation.
ACE up the Sleeve: Hacking into Apple’s New USB-C Controller - Thomas Roth (Stacksmashing)
Thomas presented how he was able to execute code on the latest USB-C microcontroller used by Apple: ACE3. The previous USB-C microcontroller, ACE2, could be partially dumped from flash and could be reflashed. This is no longer possible on the ACE3 microcontroller: only patches can be dumped. There is no public information about this chip, produced by Texas Instruments. He wanted to modify such a patch to gain code execution on the microcontroller. The firmware used by Apple implements a tiny secure boot to prevent arbitrary code execution on the chip. After trying to reverse the different patches based on the ACE2 firmware, he decided to try fault injection to bypass the secure boot. He chose electromagnetic fault injection at the moment a patch is loaded, and needed to find the best point in the execution to inject the fault. The secure boot used in the ACE3 firmware computes several CRCs, and Thomas found an interesting window in which to inject faults. He successfully injected a fault during the boot process, which allowed him to load an invalid patch and get code execution on the ACE3 microcontroller. With his presentation Thomas demonstrated that it is possible to get code execution on a microcontroller without any public information about it.
Iconv, Set the Charset to RCE: Exploiting the Glibc To Hack the PHP Engine - Charles Fol
This presentation was about a buffer overflow in glibc. The buffer overflow is in the iconv function, which is used to convert a string from one encoding to another. The overflow found by Charles cannot exceed 3 bytes, and only a few values can be written by the overflow. First, Charles looked at well-known libraries such as libxml for a way to exploit this vulnerability, but did not find one. Finally, he saw that the vulnerability could be exploited in the PHP interpreter. He first demonstrated how he got remote code execution on a WordPress plugin starting from an arbitrary file read primitive. The second target chosen by Charles was RoundCube, a mail server written in PHP, where he could directly control the arguments passed to iconv. For his last demonstration, Charles showed that it was possible to exploit a PHP server when the server reads a file and the user does not have access to the file content. Each time Charles presented how to exploit this vulnerability in iconv, he explained PHP internals in depth and the challenges he faced to get code execution on the PHP server.
Beyond Android MTE: Navigating OEM’s Logic Labyrinths - Joffrey Guilbon, Max, Mateusz Fruba and Georgi Geshev
Despite the clickbait, this was one of our favourite talks of the whole conference. With great storytelling and a lot of humor, Joffrey and Max talked about their experience competing at the Pwn2Own contest in the mobile category. They demonstrated how they pwned Xiaomi and Samsung devices using nice logic bugs and XSS! They targeted the market application of each vendor: Galaxy Store for Samsung and MiPicks for Xiaomi. These applications have the permission to install applications and are reachable remotely through deeplinks. On the Galaxy Store they found two bugs, one involving a JS remote debugger left in place, and another allowing them to leak the Samsung access token. For MiPicks, they used an XSS to get code execution inside a webview. This webview exposes an install method used for… installing apps. Thanks to Xiaomi, which disabled many features during the competition (and only for the geographic area of the contest…), they couldn't confirm their entry. Still, they found various ways to achieve their goals. This talk clearly demonstrates how under-rated bugs can be leveraged into great primitives, like remote code execution in the untrusted_app context. Of course, these are noisy bugs that throw activity on the user's phone; nobody said it was stealthy, but it is clearly enough for a Pwn2Own and a great talk. Next time someone tells you XSS are useless bugs, just show them this talk. Interrupt Labs has a long history of Pwn2Own victories in the mobile category. They already gave a presentation on how they tackled several Pwn2Own contests a few years back, in 2018, titled Chainspotting. Both talks share some co-authors and similar techniques.
0-Click RCE on the Tesla Infotainment Through Cellular Network - David Berard, Vincent Dehors
Oops, they did it again? This time, D. Berard and V. Dehors pwned the Tesla through its cellular connectivity. They discovered that the daemon ql_awd running on the Connectivity card accepts AT commands over TCP, and one of its handlers was vulnerable to a command injection. Unfortunately, a firewall prevented them from reaching the daemon. They figured out a way to deactivate the firewall: during the Connectivity card boot, they observed that if the firewall daemon did not manage to grab the xtables lock, it failed to load its iptables rules. In addition, if the Connectivity card does not have internet access, it reboots. They played on these two behaviors to reliably obtain a state where the firewall is disabled. From there, they gained root access on the Connectivity card. In order to pivot to the Infotainment, they exploited a heap buffer overflow in the oFono daemon. It uses a specific plugin for the Quectel modem, called Iris, and one of its AT handlers was vulnerable. This time the sandboxing deployed made exploitation more tedious. Tesla developed an LSM called XPIN; they managed to bypass it anyway because the mprotect hook did not check when an existing mapping was modified. They abused this behavior to store their code inside the .data section of a library and make it executable. The ofonod daemon has the CAP_NET_ADMIN capability, which they used to create a route to the security gateway for their CAN packets. Impressive work and a great talk. What else?
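The firewall failure mode described in the Tesla talk above (losing the xtables lock, silently running without rules) is worth contrasting with a fail-closed loader. The script below is an added example written for this recap, not code from the talk or from Tesla: it waits for the lock with `-w`, verifies the rule actually landed rather than trusting the exit status, and refuses to report success otherwise. The port number and the `IPTABLES` override are assumptions introduced for illustration and offline testing.

```shell
#!/bin/sh
# Added example, not from the talk: fail-closed firewall loading.
# IPTABLES is overridable so the retry/verify logic can be exercised
# without a real netfilter (assumption made for this example).
IPTABLES="${IPTABLES:-iptables}"
LOCK_WAIT_SECS="${LOCK_WAIT_SECS:-10}"   # -w: block on the xtables lock
MAX_ATTEMPTS="${MAX_ATTEMPTS:-3}"
AT_PORT="${AT_PORT:-5555}"               # placeholder port, constructed

# Apply the policy. Without -w, a contended lock makes this fail fast,
# which is exactly the window the talk described.
apply_rules() {
    "$IPTABLES" -w "$LOCK_WAIT_SECS" -A INPUT -p tcp --dport "$AT_PORT" -j DROP
}

# Check (-C) that the rule is really present; exit status of -A alone
# is not enough evidence that the box is filtered.
rules_present() {
    "$IPTABLES" -w "$LOCK_WAIT_SECS" -C INPUT -p tcp --dport "$AT_PORT" -j DROP
}

# Returns 0 only when the rules are confirmed loaded. On 1 the caller
# must keep exposed daemons down instead of continuing unfiltered.
load_firewall_or_fail_closed() {
    attempt=1
    while [ "$attempt" -le "$MAX_ATTEMPTS" ]; do
        if apply_rules && rules_present; then
            return 0
        fi
        echo "firewall: attempt $attempt could not load/verify rules" >&2
        attempt=$((attempt + 1))
        sleep 1
    done
    return 1
}
```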