RandoriSec 8 min

When Synacktiv contacted us to become a sponsor of a new offensive security conference based in Paris, we quickly agreed with a big YES! A week after the event we can say that it was the right decision to take: the conference was amazing!!!

Eight security researchers from RandoriSec went to the first edition of Hexacon. As usual, you can find a quick review of our favorite talks.

Emulate it until you make it! Pwning a DrayTek Router before getting it out of the box

Philippe Laulheret presented its journey through pwning a DrayTek router, without even taking it out of the box.

He targeted the Vigor series from DrayTek and was able to find the firmware online. He started by extracting it and looking at the part of the firmware which implements the web management interface. By looking methodically at the authentication process, he found a buffer overflow due to a logic bug in the credentials checking. By looking at the filesystem, he found out that the vendor is running a part of the firmware inside a QEMU VM, apparently due to weird architecture problems. This made him able to emulate it locally and confirm his bug. Moreover, he managed to find a trivial QEMU escape, by using a custom host command execution made by the vendor. This leads to a full compromise of the device.

This bug is only reachable from the LAN by default. However, in the case where the user has enabled the remote management option, it could allow an attacker to get a remote shell and then pivot on the LAN.

This research led to CVE-2022-32548. Additional information can be found on this blogpost.

Hara-Kirin: Dissecting the Privileged Components of Huawei Mobile Devices

This presentation’s topic was the hypervisor and trustzone used on Kirin System-On-Chip family, found on Huawei devices. Here, Alexandre Adamski and Maxime Peterlin explained how they broke: Hypervisor, monitor, TEE and trustlets. There is a high entry point for people who want to work on these components, as Huawei does not allow their devices to be unlocked. One has to find a bootloader vulnerability first, and then reverse and patch the Xloader and fastboot in order to control the kernel (NS-EL1). There was a bug collision with one of the vulnerabilities disclosed by Taszk Security Labs at Blackhat 2021. Once they achieved control over the kernel, they started digging around the hypervisor (NS-EL2). They found and exploited a vulnerability (CVE-2021-39979) inside the hypervisor logging system. Their next target was the secure monitor (EL3), that they broke due to a missing security check (CVE-2021-39994). They made a really clear presentation about the internals of the kirin’s secure world. They gave a lot of valuable information obtained through a really well done and tedious reverse-engineering process. They dissected the TEE OS, and finished on the exploitation of a vulnerability inside the HW_KEYMASTER trustlets. Without a doubt, the work they did here will be the reference for many research to come on this subject.

The slides of the presentation are available on their Github repository.

A journey of fuzzing Nvidia graphic driver leading to LPE exploitation

Thierry Doré explained how the Nvidia GPU driver has been fuzzed on Windows. He explained how the fuzzing corpus has been created and talked about the WTF fuzzer. During the fuzzing he found four CVEs and showed how to exploit two of them using interesting C++ object creation among other techniques. These four vulnerabilities were affected by a CVE number and has been fixed by Nvidia. Shout out to Thierry Doré for his great talk !

The slides of the presentation are available.

Toner deaf - Printing your next persistence

Cedric Halbron and Alex Plaskett presented their research on a Lexmark printer they targeted for Pwn2Own 2021. Only a remote code execution was expected for Pwn2Own, however, they worked to get persistence on the printer.

As the firmware of the printer was not available on the Internet, they had to extract it directly from the flash device. The filesystem stored in the firmware is not encrypted, they could easily extract the binaries used by the printer. They have access to the UART TX pin, so they can get some logs from the printer, among other things crashes from binaries. One of them was the hydra service that exposes print functionalities. They found in hydra a write file primitive on the system, but the written file has only a short life, around one minute. They decided to write a hook for ABRT when a crash occurs. This hook exposes a root shell outside of the world. Finally, they used an old bug in awk to trigger the crash. To get the persistence on the system, they found a command injection within the SNMP configuration file. The injection could be triggered from the admin interface through the webUI. Using this command injection, any installed backdoor can persist after reboot and any firmware update.

The slides of the presentation are available.

Life and death of an iOS attacker

Luca Todesco gave us a picture of what iOS exploitation is nowadays. He made a chronology of recent techniques and mitigation implemented on recent iOS versions that makes the life of an attacker difficult. He explained mitigation as PAC (Pointer Authentication Code), which consists of signing pointers and vtables with different keys implemented in XNU, or Bullet-proof JIT that protect JIT page. Also, he talked about kernel and hardware mitigation like KTRR, PPL or kernel PAC. Functions have been implemented to prevent some bypasses, we can mention mach_msg2 because mach_msg wasn’t tied to CFI, kalloc_ro() for kernel allocations adds to zalloc() hardening. He explained that the public info on iOS exploitation is 1-2 years late. Finally, he concluded his talk by showing us an exploit successfully working on iOS 16.

The unavoidable pain of backups: security deep dive into the internals of NetBackup

NetBackup is a data backup solution developed and maintained by Veritas. Its architecture is comprised of clients, media servers, primary servers, and an opscenter.

In this presentation, Nicolas Devillers, Anaïs Gantet and Mouad Abouhali from Airbus Security Lab presented their research that led many vulnerabilities on different binaries part of NetBackup. They first spent some time to get familiar with the target (NetBackup), by reading documentation, setting up labs and talking with architects, then, they listed the binaries that are part of NetBackup, and filtered out the most interesting ones by selecting daemons that run with elevated privileges, and that listen for network traffic that can come from a client. During their analysis, they developed tools to perform Man-in-the-middle attacks on some communications. They discovered about thirty vulnerabilities including remote code executions, XML External Entity attacks, SQL injections, path traversals, information leaks and more. They demonstrated an attack scenario where an infected client encrypts the files from the backup data (like a ransomware), and another one where a client exploits the NetBackup components, and pivots to other clients.

The slides of the presentation are available on their Github repository.

Hacking the Cloud with SAML

Felix presented the new challenges Cloud environments are facing, especially regarding the SAML standard. Nowadays, we see a shift towards identity-based solutions to easily integrate 3rd parties. An identity provider (IdP) is in charge of verifying users’ identities. The exchange format used is mainly SAML on a lot of IdP. However, the trust model changes a bit between a purely on-premise model and a cloud model: the cloud provider may have to interact with potentially malicious or compromised IdPs. After highlighting the main IdP concepts, Felix demonstrated how he identified multiple vulnerabilities on SAML implementation: CVE-2022-34716 in .NET allowing External Entity injection during XML signature verification, CVE-2022-29824 in libxml2 containing a heap-buffer-overflow in xmlBufAdd or even CVE-2022-34169 in XSLTC containing an Integer Truncation. Amazing work and presentation, where the exploitation reasoning for the integer truncation was also demonstrated! The slides of the presentation are available..

Exploring Ancient Ruins to Find Modern Bugs: Discovering a 0-Day in MS-RPC service

MS-RPC is a service available on almost every Windows systems. It is therefore a very interesting target for attackers. But how does it work internally? That is what Ophir explains at the beginning of this talk. When a MS-RPC binding is established between a client and a server, an authentication service provider may be used (for instance, Kerberos). In this case, a Security Callback function is called before the actual access to the RPC Interface. The thing is, once the Security Callback has been called, its result is stored in a cache. Stiv carries on the talk, showing how this caching mechanism can lead to a bypass of the authentication verification. With a bit of automation (the tools can be found on their GitHub below), the security researchers found two vulnerabilities, assigned CVE-2022-38034 and CVE-2022-38045 with base scores of 4.3 and 8.8, respectively.

The presentation was not only technically interesting, but also very well explained. A lesson both in skills and pedagogy.

The slides and a PoC can be found on Akamai’s GitHub, and a blogpost explains the vulnerabilities in detail.