Blackhat 2012 / Defcon 20

Las Vegas, USA

Choong Leong Tan

on 13 September 2012


Transcript of Blackhat 2012 / Defcon 20

Background
21-29 August, Las Vegas, USA: Blackhat 2012 & Defcon 20. 9 days in total: 4 days training, 2 days briefings, 3 days Defcon talks. Venues: Caesars Palace & Rio.

Keynote: Shawn Henry - Changing the Security Paradigm: Taking Back Your Network and Bringing Pain to the Adversary
Former FBI Executive Assistant Director.
Focused on the very large picture against terrorists and cyber crime: we are always on the defence, reacting passively to attacks (apparently from Al Qaeda or China?).
He suggested that we "recon" potential enemies and encouraged companies to "recon" their enemies: network scanning and social engineering of the potential enemy.
Bold, and a little too sensitive in the sense of intruding into what is legal.
He stopped short of suggesting that we should hack the enemies.

Rafal Wojtczuk - A Stitch In Time Saves Nine: A Case Of Multiple OS Vulnerability
The vulnerability was reported in 2006.
It allows userland code to force the kernel to execute a sysret instruction that returns to a non-canonical address.
This results in an exception being raised while still in ring 0.
The exception cannot be handled safely => privilege escalation on 64-bit OSes.
Some OSes got patched then; many 64-bit OSes didn't.
Why? What went wrong with the following conclusions:
Developers should know the platform they write an OS for; sysret semantics are explicitly described in the Intel SDM.
Also, after CVE-2006-0744, everyone should have checked its applicability to their own system.
It was Intel's mistake to let sysret throw an exception.
Intel didn't notify everyone, and updated the SDM with an explicit warning.
Known vulnerable systems (reminder: only 64-bit versions running on Intel CPUs are affected):
• Xen with PV guests
• Windows 7 and Windows 2008 R2
• FreeBSD
• NetBSD
Known non-vulnerable systems:
• Apple OSX
• OpenBSD >=5.0 (fixed in July 2011)
• Linux kernel >= (fixed in 2006)

Stephen Ridley and Stephen Lawler - Advanced ARM Exploitation
Defeating hacks such as XN, ASLR and stack cookies.
Some ARM ROP magic and tricks:
switching between modes (ARM, THUMB, THUMB2),
mprotect (syscall) to make the stack executable,
heap spraying with a ROP sled.
Eg: used the Android render tree and the RenderArena allocator for RenderObjects to do pointer dereferencing and then find the pointer to the base of a useful library, followed by the typical stack pivot to bypass ASLR.
Advanced ARM hacking course.

Ralf-Philipp Weinmann - Scaling Baseband Attacks: More (unexpected) Attack Surface, or Security Issues with SUPL Implementations
SUPL weaknesses and baseband attacks.
The communication is not secured, and many manufacturers do not implement their servers correctly.
AT&T's SUPL server certificate has already expired and was not renewed.
Wifi hotspot, and then MITM the SUPL server using a DNS poisoning attack.
Buffer overflow using WAP PUSH SUPL messages.

Charlie Miller - Don't stand so close to me: an analysis of the NFC attack surface
Nexus S: use NFC to force users to visit a web site, or even gain complete control of the phone. Download malware; you just need to get there.
Nokia N9 MeeGo: force the phone to pair with any device over Bluetooth by presenting the phone with an NFC tag. Works even if the user has Bluetooth pairing disabled, because NFC overrides it.

Collin Mulliner - Probing mobile operator networks
TCP/IP scan of mobile network operators' networks.
IP ranges from RIPE.
TOR to prevent triggering of IDS.
iOS and iPhones found: out of ½ million, 2000 jailbroken.
ssh open; login using alpine.
Meters (B2B equipment).
Traffic controllers.
FTPs are open.
He postulated that if he needed to send an anonymous SMS, he would just use TOR + jailbroken iPhones.

Nicholas Percoco, Sean Schulte - Adventures in Bouncerland
They wrote a valid SMS blocker application to test the Google Bouncer.
Priced at USD 49.99 so that no one ever bought it, then slowly introduced malicious behaviour.
Bouncer installed the application within minutes of publishing.
He added a Javascript bridge to turn the malware on and off.
Bouncer was not able to detect very mild malware. Only after a very brutal DoS attack did the application get banned.
No users were informed of the banned app; users continued to use it.

Shreeraj Shah - HTML5 Top 10 Threats: Stealth Attacks and Silent Exploits

Jeong Wook Oh - Recent Java Exploitation Trends and Malware
Java attacks are multi-platform: the same Windows 7 exploit sandbox evasion also works on Mac OS.
Approaches in general: type confusion, object arrays of object arrays, the Help class.
Java apps are easy to obfuscate.
Using a try-catch loop which is not possible through coding, it confused the JVM about the type of the object.

Ang Cui - Embedded Device Firmware Vulnerability Hunting
Previously hacked HP printers over the LAN and was able to own all the HP printers.
Designed the FRAK framework. According to him, FRAK automates the tedious "staring at binary blob" part of vulnerability hunting.
FRAK has 4 stages.
Demonstrated on Cisco IOS: he demoed how shellcode was added.

Bob Pan - APK File Infection on an Android System
Mobile security researcher Bob Pan, owner of the dex2jar project, presented a PoC file infector for APK files.
It involves injecting code into the classes.dex file in a legitimate APK and re-signing the APK with the attacker's key.
Demoed an APK that infects other APKs in an evil cycle: programmed such that the APK searches for more uninfected APKs to infect.

Ryan Holeman - Passive Bluetooth Monitoring
Introduced SCAPY software written in Python which captures Bluetooth packets in pcap format.
Using the Ubertooth hardware device, an open source Bluetooth USB antenna, he captured Bluetooth packets and showed how to view them in Wireshark and analyse the byte stream.
The software comes with full source code and instructions on how to use it.

Darkred - Not So-limited Warranty
Pentesting major warranty websites: Apple, Pringles, Amazon (Kindles) and Lenovo.
The websites are not well protected against guessing of serial IDs.
Guess the sequence of the serial IDs of iPhones and Kindle devices, or get them from demo stores, and then do malicious acts such as:
Get the warranty voided by disagreeing to the t&c.
Date of purchase: a good estimate of where the buyer was at purchase time.
Report the product as stolen and remove the warranty for the device.
Some findings:
Amazon gives you one month of free Prime membership when you are correct.
Amazon may send you a replacement unit if some conditions are met.
He put up his solution source code for random serial ID generation and IMEI generation for Apple and Lenovo on the web.

Eddie Lee - NFC Hacking: The Easy Way
Eddie wrote the NFCProxy Android app, which reads and replays NFC communication from credit cards. He also bought some cheap credit card readers online and proceeded to test reading and sending the NFC communication across different devices. The application can work in different modes:
1. Replay Reader: just a plain reader; displays PDUs.
2. Relay Mode: opens a port and waits for a connection from the proxy. Place the relay on a credit card or tag. Requires CyanogenMod tweaks to work.
3. Proxy Mode: swipes, forwards APDUs from reader to card; transactions displayed on screen; long clicking saves, exports, replays the APDUs.
4. Replay Card: swipe the phone across a reader; the phone needs to be able to detect the reader (card emulation mode).
The application has the potential to emulate/proxy or relay stolen credit card information to make purchases.

John Floren - Hellaphone: Replacing the Java in Android
- hijacked the zygote process in Android
- replaced a line in init.rc
- installed "Inferno" by Bell Labs
- got a working PDA
- wrote some phone apps

M0nk, stoker - Offgrid Communications with Android: Meshing the Mobile World
- attempt to replace the base station using mesh technology
- SPAN open source software
- self-organising networks based on TCP/IP
- phones' wifi in ad-hoc mode
- hung mobile phones on trees
- work in progress: assigning IPs

Exploit Laboratory by Saumil Shah
Hacker training before the briefings.
4 days: Exploit Lab + Black Belt edition.
Saumil Shah + SK Chong (Malaysia).
A well coordinated class where one learns the latest in exploitation: stack overflows, heap sprays, SEH, DEP, ASLR, ROP, use-after-free, pointer dereferencing, all in one course.

Course Exercises
The following were all the exercises conducted and practiced in this course:
1. Stack overflow on WarFTPd.
2. SEH overwriting on sipXtapi.
3. VLC viewer browser exploit.
4. IEPeers exploit using a use-after-free bug.
5. Vtable overwrite using a use-after-free bug.
6. PDF exploit using Javascript and a use-after-free bug.
7. JNLP bug on Windows IE using ROP and pointer dereferencing.
8. Windows 7 kernel exploitation using ROP.
9. Android WebKit exploitation.

Exploit Laboratory
The most important aspects of this course are:
Typical exploits: stack overflows and heap sprays.
Overcoming the Guard Stack (/GS) in Windows using structured exception handling (SEH) overwriting.
Explanation of data execution prevention (DEP) and address space layout randomization (ASLR) and how they "try" to defeat exploits.
Browser exploits.
Use-after-free bugs.
Introduction to Return Oriented Programming (ROP) and how it defeats DEP.
Introduction to pointer dereferencing and how it defeats ASLR.
Writing an exploit for Android using a use-after-free bug in WebKit.

Take aways
Still the world's top hacker conference.
NFC is the in-thing.
Lots of tools for monitoring and hacking (BT, NFC).
Didn't like Ralf.
ROP, pointer dereferencing, heap spray and SEH are cool.
Most of the learning is about what to do after the vuln; not much about how to find one.
Must go as many times as possible, even at the expense of SSC.
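Returning to the sysret issue from Rafal Wojtczuk's talk above: the defensive check patched kernels adopted is to take the fast sysret path only when the return address is a canonical user address and to fall back to iret otherwise. The following is an added C example, not code from the talk or this page; it models the Intel SDM's 48-bit canonical-address rule (4-level paging) as plain user-space functions (is_canonical, is_user_canonical, choose_return_path and the sample addresses are my own names and constructed values), not real kernel entry code.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* With 4-level paging, x86-64 virtual addresses are 48 bits wide: bits 63..47
 * must all be copies of bit 47. SYSRET to anything else raises #GP while the
 * CPU is still in ring 0 but already on the user-supplied stack pointer,
 * which is the unsafe state the talk describes. */
#define VA_BITS 48

/* True when bits 63..47 are all 0 (user half) or all 1 (kernel half). */
bool is_canonical(uint64_t addr)
{
    uint64_t top = addr >> (VA_BITS - 1);                  /* bits 63..47 */
    return top == 0 || top == (UINT64_MAX >> (VA_BITS - 1));
}

/* True only for the user half: canonical with bit 47 clear. */
bool is_user_canonical(uint64_t addr)
{
    return is_canonical(addr) && (addr >> (VA_BITS - 1)) == 0;
}

typedef enum { RETURN_VIA_SYSRET, RETURN_VIA_IRET } ret_path_t;

/* Decide how the kernel should return to user mode. The fast SYSRET path is
 * taken only for a canonical user RIP; anything else goes through IRET, which
 * validates the target before switching stacks and so faults in a safe state. */
ret_path_t choose_return_path(uint64_t user_rip)
{
    return is_user_canonical(user_rip) ? RETURN_VIA_SYSRET : RETURN_VIA_IRET;
}

int main(void)
{
    /* Constructed sample return addresses, not values from the talk. */
    const uint64_t samples[] = {
        0x00007ffff7dd1000ULL, /* ordinary user-space address             */
        0x0000800000000000ULL, /* non-canonical: bit 47 set, 63..48 clear */
        0xffff7fffffffffffULL, /* non-canonical: bit 47 clear, 63..48 set */
        0xffffffff81000000ULL, /* canonical kernel address                */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        ret_path_t p = choose_return_path(samples[i]);
        printf("%#018llx canonical=%d -> %s\n", (unsigned long long)samples[i],
               is_canonical(samples[i]), p == RETURN_VIA_SYSRET ? "sysret" : "iret");
    }
    return 0;
}
```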