Earlier in June, we managed to attend WarCon. The place was outstanding in terms of style, yet a little overflowing with the success for attendance. Anyway, TVs were showing slides with audio in a room nearby with chairs and sofas. The organization was great, a big thanks to antisnatchor and h0wl for their work. The event is really cosy and small enough to have a chance to discuss with everyone. Talks are short, so it is easier for attention, and less waiting if the topic is none of your interest; the speakers are really accessible if you want to follow up.
Crypto security modules (veorq)
This talk explains HSM (Hardware Security Module), including a quick presentation of PKCS#11 API, then introduces FM (Functionality Module). FM is a code that is executed inside the HSM, developed using the framework provided by the HSM vendor. Therefore it is executed inside a trusted environment, and has access to internal objects of the HSM. Furthermore, it also has access to the file system. Hence, it is possible to manage data or objects that won’t be accessible through PKCS#11 providing additional access security. To summarize, the FM is a great way to execute code in a secured environment, even more than HSM itself. This topic will be further discussed at BlackHat 2024
Authenticode Masquerade (Jennifer Gehrke)
Jennifer presented a way to bypass authentication in the context of Windows IPC, where one side wants to authenticate the other side of the communication. Microsoft’s documentation is not optimal, to say the least, and it is easy for a developer to misuse the API described performing authentication with IPC. She focused on Authenticode, leaving aside process and binary identification. Authenticode allows signing a binary to authenticate the publisher and guarantee code integrity. It supports multiple hashes, SHA-1 and SHA-256, but the behaviour is not strictly defined when multiple hashes are actually present in the binary. For instance, an IPC server might wrongly authenticate a client that holds both a valid and an invalid signature. Sadly, no public tooling was released along with the talk but a great food for thought.
DTLS Hello race condition DoS (Sandro Gauci)
An interesting research on WebRTC (Web Real-Time Communication) security, where denial of service on the server side is achieved. The talk describes a vulnerability on multiple WebRTC servers implementation that use ephemeral UDP ports. WebRTC uses different protocols to establish multimedia communication:
- Interactive Connectivity Establishment (ICE) to notably identify public address and port available for each side of the communication
- Datagram Transport Layer Security (DTLS), TLS over UDP, to securely exchange secrets used to encrypt the different media streams
- Secure Real-time Transport Protocol (SRTP) to securely transport media streams When DTLS uses ephemeral UDP port, an attacker can race the legitimate client and send an invalid DTLS ClientHello resulting in the server closing the connection, hence blocking the legitimate client. An attacker repeatedly sending DTLS ClientHello on the full UDP port range of the server can prevent communication for any legitimate client. The proposed correction is to either use fixed UDP port, that won’t close on any handshake failure, or bind the ICE and DTLS using IP address and port so that attacker need to spoof the proper address and port combination. More details are in this article by the speakers.
Linux privesc via arbitrary x86 MSRs read/write bug: case study from a CTF challenge (Disconnect3d)
A hands-on talk on a challenge from a CTF, where the msr device file is writable by an unprivileged user. Model-specific registers (MSR) are x86 registers holding specific information from the processor, including for instance the kernel address of the SYSCALL handler. The user can then replace the address by its own handler to perform privilege escalation. But the machine has Supervisor Mode Access Prevention (SMAP), Supervisor Mode Execution Protection (SMEP) and Kernel page-table isolation (KPTI) features active. The ending ROP chain allows privilege escalation to recover the flag, but this excuse allowed for a great deep dive in Linux kernel exploitation.
Attacking the FreeBSD hypervisor (abu_y0ussef)
This talk explains a bug in the emulation of a network card by FreeBSD hypervisor: Bhyve. Using TCP segmentation offload, the emulated card updates the checksum of each packets instead of the (attacker-controlled) guest OS. In the case of UDP packet, a missing offset check leads to out-of-bound read and an out-of-bound write of the calculated checksum. The offending packet header is on the stack, and it is possible to overwrite the saved RIP. But the stack frame space is tight, so a small chain is written to pivot the stack to the packet header that holds a bigger ROP chain that executes xcalc. More details are available in this article by the speaker. The demo consisted of a FreeBSD guest in a FreeBSD host, the hardest part was to figure out which is which before seeing xcalc.