Over the past few years the printer has become one of the essential devices on the corporate intranet, and its functionality has grown significantly. Beyond printing and faxing, cloud printing services such as AirPrint are also supported to make printers easier to use. Direct printing from mobile devices is now a basic requirement in the IoT era. We also use printers to print internal business documents, which makes keeping the printer secure even more important.
Nowadays, most printers on the market no longer need to be connected over USB or a traditional cable. As long as the printer is attached to the intranet with a LAN cable, a computer can discover and use it immediately. Most of this discovery is based on protocols such as SLP and LLMNR. But is it really safe when vendors adopt those protocols? Furthermore, many printers do not run a traditional Linux system but an RTOS (Real-Time Operating System) instead; how does this affect an attacker?
In this talk, we use the Canon ImageCLASS MF644Cdw and the HP Color LaserJet Pro MFP M283fdw as case studies, showing how to analyze the printers and gain control of them. We also demonstrate how the vulnerabilities can be used to achieve unauthenticated RCE on an RTOS.
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu... (CODE BLUE)
We are swamped with new types of malware every day. The goal of malware analysis is not to reveal every single detail of the malware. It is more important to develop tools for efficiency or introduce automation to avoid repeating the same analysis process. Therefore, malware analysts usually actively develop tools and build analysis systems. On the other hand, such tool development and system maintenance is costly. Incident trends change daily, malware keeps evolving, and it is not easy to keep up with new threats. Malware analysts spend a long time maintaining their analysis systems, which reduces the time available for the analysis of new types of malware that actually matters.
To solve these problems, we incorporate DevOps practices into malware analysis and reduce the cost of system maintenance by using CI/CD and serverless computing. This presentation shares our experience of how CI/CD, serverless, and other cloud technologies can be used to streamline malware analysis. Specifically, the following case studies are discussed.
* Malware C2 Monitoring
* Malware Hunting using Cloud
* YARA CI/CD system
* Malware Analysis System on Cloud
* Memory Forensic on Cloud
Through the above case studies, we will share the benefits and tips of using the cloud and show how to build a similar system using Infrastructure as Code (IaC). The audience will learn how to improve the efficiency of malware analysis and build a malware analysis system using Cloud infrastructure.
[CB21] MUSHIKAGO: IT and OT Automation Penetration testing Tool Using Game AI... (CODE BLUE)
MUSHIKAGO is an automatic penetration testing tool that uses game AI and focuses on the verification of post-exploitation. Post-exploitation is the set of attacks an attacker carries out after invading the target environment. By focusing on post-exploitation verification, we can understand how far an attacker can actually penetrate and what kind of information is collected. MUSHIKAGO uses GOAP (Goal-Oriented Action Planning), a game AI technique commonly used for NPCs (Non-Player Characters). By using GOAP, we can flexibly change the content of the attack according to the environment, as an NPC would, and mimic the attacks of real APT actors and testers. The operation and verification results of MUSHIKAGO can be checked on a dedicated web page. Moreover, MUSHIKAGO supports ICS (Industrial Control Systems) and can be used for penetration testing across IT and OT (Operational Technology).
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo... (CODE BLUE)
It started with computer hacking and Japanese linguistics as a kid. Zach Mathis has been based in Kobe, Japan, and has performed both red team services and blue team incident response and defense consultation for major Japanese global corporations since 2006. He is the founder of Yamato Security, one of the largest and most popular hands-on security communities in Japan, and has been providing free training since 2012 to help improve the local security community. Since 2016, he has been teaching security for the SANS Institute and holds numerous GIAC certifications. Currently, he is working with other Yamato Security members to provide free and open-source security tools that help security analysts with their work.
Who should attend? Anyone that works in security and wants to leverage their machine data to detect internal and advanced threats, monitor activities in real time, and improve their organization's security posture.
Description: Your adversaries continue to attack and get into companies. You can no longer rely on alerts from point solutions alone to secure your network. To identify and mitigate these advanced threats, analysts must become proactive in identifying not just indicators, but attack patterns and behavior. In this workshop we will walk through a hands-on exercise with a real-world attack scenario. The workshop will illustrate how advanced correlations across multiple data sources and machine learning can enhance security analysts' capability to detect and quickly mitigate advanced attacks.
Sony R&D Center has been through robotics history and products for years. As robotics platforms and the Robotics Operating System (ROS) have matured, there is a requirement to handle distributed system integration. Using Kubernetes on an edge cluster system brings many advantages, such as application lifecycle management, deployment and recovery. Also, using CNI and the ROS Data Distributed System, a distributed system can be constructed on the edge cluster so that multiple robots can connect directly and work collaboratively on a specific task. We will share how we use Kubernetes on the edge, including deploying robotics applications and the possible problems, based on our experience. Furthermore, we will share our approach to supporting an edge-dependent platform with a device plugin to attach hardware resources and even virtual devices that access the host system, such as third-party applications.
SFBigAnalytics_20190724: Monitor Kafka like a Pro (Chester Chen)
Kafka operators need to provide guarantees to the business that Kafka is working properly and delivering data in real time, and they need to identify and triage problems so they can solve them before end users notice them. This elevates the importance of Kafka monitoring from a nice-to-have to an operational necessity. In this talk, Kafka operations experts Xavier Léauté and Gwen Shapira share their best practices for monitoring Kafka and the streams of events flowing through it: how to detect duplicates, catch buggy clients, and triage performance issues; in short, how to keep the business's central nervous system healthy and humming along, all like a Kafka pro.
Speakers: Gwen Shapira, Xavier Leaute (Confluent)
Gwen is a software engineer at Confluent working on core Apache Kafka. She has 15 years of experience working with code and customers to build scalable data architectures. She currently specializes in building real-time reliable data processing pipelines using Apache Kafka. Gwen is an author of "Kafka - the Definitive Guide" and "Hadoop Application Architectures", and a frequent presenter at industry conferences. Gwen is also a committer on the Apache Kafka and Apache Sqoop projects.
Xavier Leaute is one of the first engineers on the Confluent team and is responsible for analytics infrastructure, including real-time analytics in Kafka Streams. He was previously a quantitative researcher at BlackRock. Prior to that, he held various research and analytics roles at Barclays Global Investors and MSCI.
Security research over Windows #defcon china (Peter Hlavaty)
Over the past several years Microsoft Windows has undergone a lot of fundamental security changes. While one can argue it is still imperfect and bound to tons of legacy issues, those changes have brought important shifts in the attacker's perspective: tightened sandboxing, a restricted attack surface, the introduction of mitigations, the application of virtualization, and a stronger focus even on win32k. In our talk we will go through those changes, how they affect us and how we tackle them, from choosing targets and finding bugs up to the exploitation primitives we use. We also emphasize that Windows research is not only about the sandbox; there are many more interesting targets to look at.
OWASP Appsec USA 2014 Talk "Pwning the Pawns with Wihawk" (Santhosh Kumar)
The document summarizes a presentation given by Santhosh Kumar and Anamika Singh on analyzing router vulnerabilities and the WiHawk router vulnerability scanner. The presentation covered analyzing sample routers to find issues, open source tools for firmware analysis, demonstrating exploits found, and the lack of responses from some vendors. It also described the WiHawk scanner which automates checking routers for common vulnerabilities and issues like default credentials, backdoors, and more.
Bare-metal, Docker Containers, and Virtualization: The Growing Choices for Cl... (Odinot Stanislas)
A friendly introduction to Cloud environments with a particular focus on virtualization and containers (Docker).
Author: Nicholas Weaver – Principal Architect, Intel Corporation
This document discusses hacking into IPSec VPNs used by banks. It describes how banks previously used private networks but now rely on VPNs to connect over public infrastructure like the internet in a more cost-effective way. However, VPNs are only relatively secure and rely on the security of the protocols and devices used. The document goes on to describe how IPSec VPNs can be vulnerable through issues with aggressive mode authentication and the use of pre-shared keys, and provides information on tools that can crack pre-shared keys over aggressive mode. It recommends ways to improve security, such as disabling aggressive mode and using certificates instead of pre-shared keys.
This document discusses hacking into IPSec VPNs used by banks. It describes how banks historically used private networks but now rely on VPNs to connect over public infrastructure in a cost-effective way. However, VPNs are only relatively secure. The document outlines vulnerabilities in the IKE aggressive mode handshake when using pre-shared keys to authenticate, allowing tools to crack keys. It recommends ways to improve VPN security, such as disabling aggressive mode, not using dynamic IPs, and filtering connections.
Webinar: STM32WB - dual-core microcontroller certified for BLE 5.0 (Embarcados)
STMicroelectronics presents the STM32WB family, the first and only dual-core Cortex-M4 and Cortex-M0+ MCU on the market certified for Bluetooth Low Energy v5.0 and 802.15.4. To accompany the arrival of these components, we are also launching STM32CubeMonRF, a software tool to help developers test and configure their radio more efficiently. We are also launching the P-NUCLEO-WB55, a development pack containing a classic Nucleo 64 board and a USB dongle. Both come with the microcontroller's demonstration application, which offers a truly unique, ready-to-use experience.
Watch the webinar at: https://www.embarcados.com.br/webinars/webinar-stm32wb/
Demystifying Binary Reverse Engineering - Pixels Camp (André Baptista)
Reverse engineering is not just about uncovering the hidden behaviour of a given technology, system, program or device. It's actually an art and a mindset. Reversing is used by some government agencies, secret services, antivirus software companies, hackers and students. It can be used for many purposes: cracking/bypassing software, botnet analysis, finding 0day exploits, interpreting unknown protocols, understanding malware or finding bugs in apps.
The document discusses building an enterprise/cloud analytics platform using Jupyter notebooks and Apache Spark. It describes the challenges of deploying Jupyter notebooks at an enterprise scale, including collaboration, large-scale data analysis, security, and authentication. It outlines various approaches taken to address these challenges, such as running the entire Jupyter stack on a single large machine or giving each user their own container. However, these approaches have limitations. The document then introduces the Jupyter Enterprise Gateway as a solution developed by IBM to optimize resource allocation, support multi-users securely through impersonation, and enhance security overall when deploying Jupyter at an enterprise scale.
CONFidence 2014: Alexander Timorin: SCADA deep inside: protocols and security... (PROIDEA)
The document provides an overview and analysis of several industrial control system protocols including MODBUS, DNP3, PROFINET DCP, IEC 61850-8-1, IEC 61870-5-101/104, FTE, and Siemens protocols. It discusses the functionality of each protocol, security issues like the lack of authentication and encryption, and tools for analyzing and interacting with the protocols. Live demonstrations are provided of scanning networks using some of the protocols.
SCADA deep inside: protocols and security mechanisms (Aleksandr Timorin)
The document discusses various industrial control system protocols including Modbus, DNP3, PROFINET DCP, IEC 61850-8-1, and IEC 61870-5-101/104. It describes their functions, security issues like lack of authentication and encryption, and available tools for analyzing the protocols. The speaker is a penetration tester who researches SCADA security and protocols.
Clear Containers is an Open Containers Initiative (OCI) "runtime" that launches an Intel VT-x secured hypervisor rather than a standard Linux container. An introduction to Clear Containers will be provided, followed by an overview of the CNM networking plugins that have been created to enhance network connectivity for Clear Containers. More specifically, we will show demonstrations of using VPP with DPDK and SR-IOV based networks to connect Clear Containers. Time permitting, we will provide and walk through a hands-on example of using VPP with Clear Containers.
About the speaker: Manohar Castelino is a Principal Engineer for Intel’s Open Source Technology Center. Manohar has worked on networking, network management, network processors and virtualization for over 15 years. Manohar is currently an architect and developer with the ciao (clearlinux.org/ciao) and the clear containers (https://github.com/01org/cc-oci-runtime) projects focused on networking. Manohar has spoken at many Container Meetups and internal conferences.
The power of Linux advanced tracer [POUG18] (Mahmoud Hatem)
The document discusses Linux tracing techniques. It begins with an overview of the Linux tracing landscape and the main tracing systems. It then covers static tracing using tracepoints, dynamic tracing using kprobes and uprobes, and monkey patching techniques. It also looks deeper at CPU utilization analysis using hardware events, performance monitor counters, and the Top-Down Microarchitecture Analysis Method. The goal is to provide a better understanding of Linux tracing capabilities and how to identify performance bottlenecks.
This document provides an overview of using the TMS320DM8148 embedded processor with Linux. It discusses the hardware architecture supported by Linux, the embedded development board setup, toolchain and compiler installation, bootloaders, the Linux kernel, device drivers, file systems and more. The goal is to enable development of embedded Linux applications for the TMS320DM8148 chip using common open source tools.
Serving Deep Learning Models At Scale With RedisAI: Luca Antiga (Redis Labs)
This document provides an overview and roadmap for RedisAI, which allows serving deep learning models using Redis. Key points:
- RedisAI turns Redis into a full-fledged deep learning runtime by introducing tensors as a new data type and enabling model execution on CPU and GPU.
- Models can be exported from frameworks like TensorFlow and PyTorch and served using the RedisAI API. Scripts can also be used to define computations directly in RedisAI.
- RedisAI aims to keep models hot in memory, run anywhere Redis runs, and optimize resource usage. Future plans include DAG execution, auto-batching, ONNX support, and advanced monitoring.
- A demo of RedisAI will be provided.
The document discusses tools to improve a LAMP web development stack. It recommends source control, development platforms, task tracking, automated testing, static analysis, automated deployment, and continuous integration. These tools enable collaboration, testing, deployment automation, and integration of code changes. Specific open source tools are recommended for each category like Git, PHPUnit, PHP Code Sniffer, and Jenkins. The document argues these tools improve workflow, quality, and speed of development.
This document provides an overview and introduction to using Raspberry Pi. It begins by outlining what topics will be covered, including an introduction to Raspberry Pi hardware, operating systems, installation, programming with Python and GPIO pins. It then describes what a Raspberry Pi is, its specifications, history and affordable price. Steps for minimum hardware requirements, installing an operating system on an SD card, and initial boot up are outlined. The document discusses operating systems, package management, and demonstrates programming and projects including an LED blink example. Remote access options like SSH and VNC are also covered.
Similar to [cb22] Your Printer is not your Printer! - Hacking Printers at Pwn2Own by An-Jie Yang (20)
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter... (CODE BLUE)
While hackers have known the importance of sharing research to improve security for years, the importance of coordinated vulnerability disclosure is increasingly recognized by governments around the world. The principles of disclosure and protecting security researchers are common across borders, but different countries have some key differences. This panel will present a global perspective that may in turn inform key public policy and company behavior.
ENISA published 'Coordinated Vulnerability Disclosure policies in the EU' in April 2022. This report not only provides an objective introduction to the current state of coordinated vulnerability disclosure policies in the Member States of the European Union, but also introduces the operation of vulnerability disclosure in China, Japan and the USA. Based on these findings, the desirable and good-practice elements of a coordinated vulnerability disclosure process are examined, followed by a discussion of the challenges and issues.
This session aims to share the contents of this report and clarify the challenges and future direction of operations in Japan, as well as national security and vulnerability handling issues in the US, in a panel discussion with representatives from various jurisdictions.
The panelists are involved in the practice of early warning partnership notified bodies in Japan, the authors of the above report in Europe and the contributors to the above report in the US.
In Japan, the issues of system awareness, incentives, the increase in the number of outstanding cases being handled, and so-called triage in handling vulnerabilities will be introduced.
From the United States, the Vulnerabilities Equities Process for National Security and the publication of a non-prosecution policy for vulnerability research will be introduced, as well as a historical background on the issue.
The aim is that the panel discussion will enable the audience to understand the international situation surrounding CVD, as well as future trends, in particular the important role of vulnerability in cybersecurity and the challenges faced by society around it.
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-... (CODE BLUE)
Yuuma Taki is enrolled in the Faculty of Information Media at Hokkaido Information University (4th year).
At university he is focusing on learning about security for lower-level components, such as the OS and CPU. In his third year of undergraduate school, he worked on implementing the OS security mechanism "KASLR" at SecHack365.
Currently, he is learning about ROP-derived techniques and embedded equipment security.
[cb22] Under the hood of Wslink's multilayered virtual machine en by Vladisla... (CODE BLUE)
In October 2021, we published the first analysis of Wslink – a unique loader likely linked to the Lazarus group. Most samples are packed and protected with an advanced virtual machine (VM) obfuscator; the samples contain no clear artifacts and we initially did not associate the obfuscation with a publicly known VM, but we later managed to connect it to CodeVirtualizer. This VM introduces several additional obfuscation techniques such as insertion of junk code, encoding of virtual operands, duplication of virtual opcodes, opaque predicates, merging of virtual instructions, and a nested VM.
Our presentation analyzes the internals of the VM and describes our semi-automated approach to "see through" the obfuscation techniques in reasonable time. We demonstrate the approach on some bytecode from a protected sample and compare the results with a non-obfuscated sample, found after we started our analysis, confirming the method's validity. Our solution is based on a known deobfuscation method that extracts the semantics of the virtual opcodes using symbolic execution with simplifying rules. We further treat the bytecode chunks and some internal constructs of the VM as concrete values instead of symbolic ones, enabling the known deobfuscation method to deal with the additional obfuscation techniques automatically.
[cb22] CloudDragon's Credential Factory is Powering Up Its Espionage Activiti... (CODE BLUE)
Kimsuky is a North Korean APT possibly controlled by North Korea's Reconnaissance General Bureau. Based on reports from the Korea Internet & Security Agency (KISA) and other vendors, TeamT5 identified that Kimsuky's most active group, CloudDragon, built a workflow functioning as a "Credential Factory" that collects and exploits massive numbers of credentials.
The credential factory powers CloudDragon to start its espionage campaigns. CloudDragon's campaigns have aligned with DPRK's interests, targeting the organizations and key figures playing a role in the DPRK relationship. Our database suggested that CloudDragon has possibly infiltrated targets in South Korea, Japan, and the United States. Victims include think tanks, NGOs, media agencies, educational institutes, and many individuals.
CloudDragon's "Credential Factory" can be divided into three small cycles: the "Daily Cycle," the "Campaign Cycle," and the "Post-exploit Cycle." The "Daily Cycle" collects massive numbers of credentials and uses the stolen credentials to accelerate its APT life cycle.
In the "Campaign Cycle," CloudDragon develops many new malware families. While responding to CloudDragon's incidents, we found that the actor still relied on the BabyShark malware. CloudDragon once used BabyShark to deploy a new browser extension malware targeting victims' browsers. Moreover, CloudDragon is also developing a shellcode-based malware, Dust.
In the "Post-exploit Cycle," the actor relied on hacking tools rather than malicious backdoors. We also identified that the actor used remote desktop software to evade detection.
In this presentation, we will go through some of the most significant operations conducted by CloudDragon, and more importantly, we will provide possible scenarios of future invasions for defense and detection.
[cb22] From Parroting to Echoing: The Evolution of China's Bots-Driven Info... (CODE BLUE)
Social media is without doubt a critical battlefield for threat actors launching InfoOps, especially at critical moments such as wartime or an election season. We have seen Bot-Driven Information Operations (InfoOps, aka influence campaigns) attempt to spread disinformation, incite protests in the physical world, and dox journalists.
China's Bots-Driven InfoOps, despite operating on a massive scale, are often considered to have low impact and very little organic engagement. In this talk, we will share our observations on these persistent Bots-Driven InfoOps and dissect their harmful disinformation campaigns circulated in cyberspace.
In the past, most bots-driven operations simply parroted narratives of the Chinese propaganda machine, mechanically disseminating the same propaganda and disinformation artifacts made by Chinese state media. However, recently, we saw the newly created bots turn to post artifacts in a livelier manner. They utilized various tactics, including reposting screenshots of forum posts and disguised as members of “Milk Tea Alliance,” to create a false appearance that such content is being echoed across cyberspace.
We particularly focus on an ongoing China's bots-driven InfoOps targeting Taiwan, which we dub "Operation ChinaRoot." Starting in mid-2021, the bots have been disseminating manipulated information about Taiwan's local politics and Covid-19 measures. Our further investigation has also identified the linkage between Operation ChinaRoot and other Chinese state-linked networks such as DRAGONBRIDGE and Spamouflage.
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...CODE BLUE
Malware written in Go is increasing every year. Go's cross-platform nature makes it an opportune language for attackers who wish to target multiple platforms. On the other hand, statically linked libraries make it difficult to distinguish user functions from library code, which makes analysis harder for analysts. This situation has increased the demand for Go malware classification and exploration.
In this talk, we will demonstrate the feasibility of computing similarity and classification of Go malware using a newly proposed method called gimpfuzzy. We have implemented "gimpfuzzy", which incorporates Fuzzy Hashing into the existing gimphash method. In this talk, we will verify the discrimination rate of the classification using the proposed method and confirm the validity of the proposed method by discussing some examples from the classified results. We will also discuss issues in Go-malware classification.
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...CODE BLUE
This document discusses the results of long-term scanning and analysis of Winnti 4.0 and ShadowPad malware command and control (C2) protocols. It finds that Winnti 4.0 C2s primarily use TLS, HTTPS, and HTTP, while ShadowPad variants primarily use TCP, HTTPS, and HTTP. Analysis of the protocols reveals encryption methods, packet structures, and server-side functionality. Over time, the number and distribution of active C2s changed, likely in response to research publications and incident response actions. The document advocates for anonymization techniques and merits and risks of future research publications.
[cb22] What I learned from the direct confrontation with the adversaries who ...CODE BLUE
In November 2019, I started monitoring the Bitcoin operation by the adversaries who hid IP addresses of their C&C server in the blockchain. In June 2020, I started collaborating with Professor Christian Doerr of the Hasso Plattner Institute based on the idea of redirecting C&C server communication to a sinkhole server (called takeover), and we successfully achieved this in August. However, the adversaries quickly took evasive action, where they managed to implement an evasion mechanism in only two weeks and restarted their attack. Although we could not conduct our takeover, our monitoring system worked well. The end of their attack was brought upon by the surge in Bitcoin prices. Due to the fees for the Bitcoin miners, a transaction had reduced the adversaries' profits, and we confirmed the last C&C update was in January 2021 and the abandonment of the attack infrastructure came in March. Since then, no similar attacks have been observed by my monitoring system.
Although this attack has already concluded and is unlikely to restart unless the value of Bitcoin declines, I would like to share the know-how I have learned through the direct confrontation with the adversaries. That is, at the time of the confrontation with them, this attack was highly novel, and the adversaries themselves did not fully understand the best solution for its operation. They needed to evolve their tactics, techniques, and procedures (TTPs) while operating the system. We carefully analyzed their TTPs and tried to catch them off their guard. Even more troublesome was the need to understand as quickly as possible what they intended to do each time they were affected by the Bitcoin halving or making a simple operational error. This presentation is a culmination of my insights learned from interactions with these adversaries, and I am looking forward to sharing this information with everyone.
[cb22] SMARTIAN: Enhancing Smart Contract Fuzzing with Static and Dynamic Da...CODE BLUE
Smartian is a tool that enhances smart contract fuzzing with static and dynamic data-flow analyses. It integrates static analysis to identify promising sequences of function calls for generating initial fuzzing seeds. It then uses dynamic analysis to mutate function arguments to realize expected data flows across functions. Smartian implements bug oracles for 13 classes of smart contract bugs. Evaluation shows Smartian outperforms other fuzzers and symbolic executors on benchmarks with known bugs, demonstrating the effectiveness of integrating static and dynamic analyses for smart contract fuzzing.
[cb22] Scaling the Security Researcher to Eliminate OSS Vulnerabilities Once ...CODE BLUE
Imagine a world where a security researcher becomes aware of a security vulnerability, impacting thousands of Open Source Software (OSS) projects, and is enabled to both identify and fix them all at once. Now imagine a world where a vulnerability is introduced into your production code and a few moments later you receive an automated pull request to fix it. Hundreds of thousands of human hours are invested every year in finding common security vulnerabilities with relatively simple fixes. These vulnerabilities aren't sexy, cool, or new, we've known about them for years, but they're everywhere!
The scale of GitHub and tools like CodeQL (GitHub's code query language) enable one to scan for vulnerabilities across hundreds of thousands of OSS projects, but the challenge is how to scale the triaging, reporting, and fixing. Simply automating the creation of thousands of bug reports by itself isn't useful, and would be even more of a burden on volunteer maintainers of OSS projects. Ideally, the maintainers would be provided with not only information about the vulnerability, but also a fix in the form of an easily actionable pull request.
When facing a problem of this scale, what is the most efficient way to leverage researcher knowledge to fix the most vulnerabilities across OSS? This talk will cover a highly scalable solution - automated bulk pull request generation. We'll discuss the practical applications of this technique on real world OSS projects. We'll also cover technologies like CodeQL and OpenRewrite (a style-preserving refactoring tool created at Netflix and now developed by Moderne). Let's not just talk about vulnerabilities, let's actually fix them at scale.
This work is sponsored by the new Dan Kaminsky Fellowship; a fellowship created to celebrate Dan's memory and legacy by funding open-source work that makes the world a better (and more secure) place.
[cb22] Red light in the factory - From 0 to 100 OT adversary emulation by Vi...CODE BLUE
Since Stuxnet caused substantial damage to Iran's nuclear program in 2010, ICS security issues have been raised. Many researchers have dug into the hacking skills and attack paths of those known historical attacks, and more malware and incidents have happened since. Enterprises need an efficient way to find vulnerabilities, but they might not have the budget for ICS pentesters, who need strong background knowledge in all the fields they cover. To solve this problem, we try to build a rare OT-targeting, open source adversary emulation tool as a plugin for the MITRE open source tool Caldera. Users can easily combine IT attacks with our OT adversaries and change the steps of attacks or send manual commands in the process.
We summarize the experience of reviewing the traffic of over 20 factories and analyzing the 19 MITRE-defined ICS malware families and PIPEDREAM/Incontroller in 2022. We found the main trend of ICS malware changing from single-protocol targeting to modularized, multiple-protocol support. The actions in the malware can be summarized as a 4-stage attack flow, which we will explain with the real attacks from the malware. We use the above conclusions to build an automatic adversary emulation tool.
Now the tool already supports 10 common protocols and over 23 techniques on the MITRE ICS matrix, which is able to reproduce over 80% of the defined ICS malware actions in OT. We also follow the 4-stage conclusion to add some attacks that haven't been used by any malware. We have tested it on real oil, gas, water and electric power factory devices, on protocol simulations for SCADA developers and on a honeypot. We will have a demo in this presentation.
stackconf 2024 | Make You Ops-Life Easy – ansible usecases you didn´t out of ...NETWAYS
Most of you are familiar with Ansible. We are excited to show you some use cases within the “normal Ansible scope”. Using Ansible-AWX as a platform, we have streamlined tasks for admins and for developers, enabling effortless automation of routine operations. With services designed to simplify the daily work, we can all be a bit more lazy (#faul) 😉
Are you navigating the complexities of compliance frameworks like SOC2, CIS, and HIPAA and seeking a more efficient path? This talk breaks down these frameworks simply and shows you a time-saving trick, making it perfect for anyone wanting to make their organization’s compliance journey much easier. I’ll start by outlining the basics of these frameworks and highlighting the challenges businesses face in implementing them. As the creator and maintainer of the terraform-aws-modules projects, I’ll be excited to share how using these open-source Terraform AWS modules can streamline the compliance process. I’ll walk you through real-life examples showing how such solutions significantly reduce the effort and time required for compliance. At the end of the talk, attendees will get actionable insights on using Terraform AWS modules for efficient compliance management.
stackconf 2024 | Test like a ninja with Go by Ivan Presenti.pdfNETWAYS
Not tested? Not done! Yet another talk about tests? I aim to present you with the techniques and tools you might use to build efficient and reliable tests. We’ll use Go, which provides a great testing experience. I’ll show you overlooked techniques such as benchmarking, fuzzing, etc. Plus, I’ll introduce you to the most popular libraries and packages used to test Go code.
stackconf 2024 | Insights into Managed Service Provision A STACKIT Retrospect...NETWAYS
Embark on the innovative journey of STACKIT, a premier European cloud provider, as we showcase our expertise in Kubernetes-based managed services. This talk will delve into the dynamic processes of deploying and managing robust services like PostgreSQL, InfluxDB and MongoDB on Kubernetes clusters, a testament to our technological prowess. We’ll unravel our multifaceted strategies for processing customer requests, from the initial API call to the final deployment stage. Our discussion will highlight diverse methodologies, including the integration of databases with message queues and the direct creation of Kubernetes resources, offering insights into their unique efficiencies and challenges. Join us to deeply understand the trade-offs of each approach. We’ll address vital issues such as scaling capabilities, backup strategies and effective resource management.
stackconf 2024 | Talos Linux One (Immutable) OS to Rule Them All by Pip Oomen...NETWAYS
Talos Linux is Linux designed for Kubernetes – secure, immutable, and minimal. It is based on a hardened kernel and a minimal user space, i.e. no SSH, shell or console. All system management is done via a gRPC API. In this presentation the audience will be introduced to Talos Linux and be shown how to get a full-blown Kubernetes cluster up and running within minutes on a cloud platform, as well as on a developer workstation.
stackconf 2024 | Ignite DevOps Driving School – Explaining DevOps in 5 Minute...NETWAYS
DevOps is not a title, not a box to buy, nor a software to install – how can you explain DevOps in 5 minutes, e.g. as an elevator pitch riding up to the top floor with your boss?
DevOps is like a driving license for running code in production.
stackconf 2024 | Ignite: Distributed Tracing using OpenTelemetry and Jaeger b...NETWAYS
Several years ago, when you had a monolithic application, it was fairly easy to debug and diagnose since there was probably only one service with a couple of users. Nowadays systems are broken up into smaller microservices deployed in containers on top of Kubernetes in multiple clusters across different cloud environments. In these kinds of distributed environments, there is a need to observe it all, both the overall picture, and, if need be, at a more granular level. Observability can be roughly divided into three sub-categories: logging, metrics, and tracing. In this blog post we’ll show you how simple it is to get set up with tracing in your new or existing MinIO application. We’ll build a small MinIO app that does a few basic requests; this will be our base application to which we’ll add tracing to gain a better picture of how system components and functions interact.
6. Introduction: Printer
• In the early days, to use the printer it was necessary to
  • Use IEEE 1284 or USB to connect to the computer
  • Install the printer driver before printing
  • Usually only a single printer feature was offered
7. Introduction: Printer - IoT
• Nowadays a printer can provide a variety of services, which make the printer not only more convenient but also closer to IoT
• It can be found immediately when connected to the intranet
13-14. Introduction: Motivation
• Red Team
  • Printer is one of the most common devices in the intranet
  • Good target to hide our actions
  • Sometimes integrated with Active Directory
26. Analysis: Canon - Firmware Extract
• Firmware version v6.03, from Canon official
• At the beginning we use binwalk, but the firmware is obfuscated
• We cannot use IDA directly
27-28. Analysis: Canon - Firmware Extract
• We also try some previous works
  • TREASURE CHEST PARTY QUEST: FROM DOOM TO EXPLOIT, by Synacktiv
  • Hacking Canon Pixma Printers – Doomed Encryption, by Contextis research
• But they cannot extract the firmware :(
29. Analysis: Canon - Firmware Extract
• We can find some information from the obfuscated firmware (figure: firmware header with the Size and Magic fields marked)
30. We decide to use this pattern to search for other firmwares that are not obfuscated
31. Analysis: Canon - Firmware Extract
• We need to download other firmwares from the Canon official website
• The original firmware download URL is https://pdisp01.c-wss.com/gdl/WWUFORedirectTarget.do?id=MDQwMDAwNDc1MjA1&cmp=Z01&lang=EN
33. Analysis: Canon - Firmware Extract
• Figure: the id parameter of https://pdisp01.c-wss.com/gdl/WWUFORedirectTarget.do?id=MDQwMDAwNDc1MjA1&cmp=Z01&lang=EN decodes to 040000475205; the slide annotates its digit groups as Type (pdf, firmware, …), Ordinal Number (other models) and Version (firmware version)
34. Analysis: Canon - Firmware Extract
• We can list all versions of the firmware
  • V2.01
  • V4.02
  • V6.03
  • V9.03 !?
  • V10.02 !?
37. Analysis: Canon - Firmware Extract
• The total file size is 130GB
• grep for NCFW and some plaintext
38. Analysis: Canon - Firmware Extract
• WG7000 Series is not obfuscated!
• We analyze the firmware of WG7000 to find the key function
39. Analysis: Canon - Firmware Extract
• Try to use the same function to deobfuscate the firmware of MF644CDW
• Bingo! (figure: plaintext message visible in the deobfuscated firmware)
40. Analysis: Canon - Firmware Analysis
• Image Base Address
  • We spent some time looking for the image base address of the firmware
  • rbasefind
41. Analysis: Canon - Firmware Analysis
• The original base is 0x40b00000
• It doesn't seem to be the correct base (figure: references that should resolve to strings do not)
42. Analysis: Canon - Firmware Analysis
• Image Base Address
  • We can find a correct function and a debug message to adjust to the correct offset
  • We found the base is 0x40affde0
46. Analysis: HP - Firmware Extract
• Relatively easy
  • binwalk -Z
  • Takes about 3 - 4 days
  • It will get the correct firmware!
• Other parts are similar to Canon
47. Analysis: HP - Firmware Analysis
• HP - MFP M283fdw
  • OS: RTOS, modified from ThreadX/Green Hills
  • ARM11, mixed-endian
    • Code - little-endian
    • Data - big-endian
49-50. Attack Surface
• Nowadays, there are many services enabled by default
Service  Port      Description
RUI      TCP 80    Web interface
PDL      TCP 9100  Page Description Language
PJL      TCP 9100  Printer Job Language
IPP      TCP 631   Internet Printing Protocol
LPD      TCP 515   Line Printer Daemon Protocol
SNMP     UDP 161   Simple Network Management Protocol
SLP      TCP 427   Service Location Protocol
mDNS     UDP 5353  Multicast DNS
LLMNR    UDP 5355  Link-Local Multicast Name Resolution
…        …         …
51. Attack Surface
• After we evaluate the overall architecture, we decide to focus on service discovery and the DNS series of services
  • SLP
  • mDNS
  • LLMNR
55. Hacking printers at Pwn2Own: Service Location Protocol
• SLP is a service discovery protocol that allows computers and other devices to find services in a local area network
56-58. Hacking printers at Pwn2Own: Canon - SLP
• SLP architecture without Directory Agent (figure): the User Agent (client) sends a unicast or multicast Service Request or Attribute Request; the Service Agent (printer) answers with a unicast Service Reply or Attribute Reply
59. Hacking printers at Pwn2Own: Canon - SLP
• SLP packet structure (header), fields in order:
  • Version (1 byte), Function-Id (1 byte), Length (3 bytes)
  • Flags O, F, R followed by Reserved bits (2 bytes in total)
  • Next Ext Offset (3 bytes)
  • XID (2 bytes)
  • Language Tag Length (2 bytes), Language Tag (variable)
  • Payload (variable)
60. Hacking printers at Pwn2Own: Canon - SLP
• Canon only implemented service request and attribute request
Function Code  Message Type
1              Service Request
6              Attribute Request
61. Hacking printers at Pwn2Own: Canon - SLP
• Attribute Request (AttrRqst)
  • Allows a User Agent to discover the attributes of a given service (by supplying its URL) or of an entire device type
  • https://www.ietf.org/rfc/rfc2608.txt
62. Hacking printers at Pwn2Own: Canon - SLP
• Attribute Request (AttrRqst) payload, after the common header:
  • …
  • Length of <scope-list> (2 bytes), <scope-list> string (variable)
  • …
  • Length of URL (2 bytes), URL (variable)
  • https://www.ietf.org/rfc/rfc2608.txt
63. Hacking printers at Pwn2Own: Canon - Vulnerability
• There is a vulnerability when Canon is parsing the body of AttrRqst
• It will convert an escape sequence to a character, e.g. \41 → A (the slide renders the backslash as ¥)
64-67. Hacking printers at Pwn2Own: Canon - Vulnerability
• There is a stack overflow when Canon is parsing the body of AttrRqst
  • Although there is validation in the normal case
  • There is no validation in the escaping case
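To show what a correct version of that check looks like, here is an added example in C (not Canon's code and not from the talk): an AttrRqst body parser that unescapes \XX sequences into a fixed-size buffer and bounds-checks every written byte, on the escaping path as well as the normal one. Field order follows RFC 2608 (<PRList>, <URL>, <scope-list>); URL_BUF_SIZE and the sample bodies are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define URL_BUF_SIZE 64   /* hypothetical; the real Canon buffer size is not on the page */

static int hexval(int c)
{
    return (c >= '0' && c <= '9') ? c - '0' : (c >= 'a' && c <= 'f') ? c - 'a' + 10
         : (c >= 'A' && c <= 'F') ? c - 'A' + 10 : -1;
}

/* Decode an SLP string that may contain "\XX" escapes (RFC 2608, section 5).
 * Every byte written, literal or produced by an escape, is checked against
 * out_size. Returns the decoded length, or -1 on malformed or oversized input. */
int slp_unescape(const uint8_t *in, size_t in_len, char *out, size_t out_size)
{
    size_t o = 0;
    for (size_t i = 0; i < in_len; ) {
        int c;
        if (in[i] == '\\') {
            if (i + 2 >= in_len) return -1;              /* truncated escape */
            int hi = hexval(in[i + 1]), lo = hexval(in[i + 2]);
            if (hi < 0 || lo < 0) return -1;             /* not two hex digits */
            c = (hi << 4) | lo;
            i += 3;
        } else {
            c = in[i++];
        }
        if (o + 1 >= out_size) return -1;                /* keep room for NUL */
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return (int)o;
}

/* Read one 16-bit big-endian length-prefixed field; refuse a length that runs
 * past the end of the packet. */
static int read_field(const uint8_t *buf, size_t len, size_t *pos, const uint8_t **f, size_t *n)
{
    if (len - *pos < 2) return -1;
    *n = ((size_t)buf[*pos] << 8) | buf[*pos + 1];
    *pos += 2;
    if (*n > len - *pos) return -1;
    *f = buf + *pos;
    *pos += *n;
    return 0;
}

/* Parse the AttrRqst body after the common header, in RFC 2608 order: <PRList>,
 * <URL>, <scope-list>. Returns the decoded URL length, or -1 if malformed/oversized. */
int parse_attrrqst_body(const uint8_t *body, size_t len, char *url_out, size_t url_size)
{
    size_t pos = 0, n;
    const uint8_t *f;
    if (read_field(body, len, &pos, &f, &n)) return -1;   /* <PRList> */
    if (read_field(body, len, &pos, &f, &n)) return -1;   /* <URL> */
    int url_len = slp_unescape(f, n, url_out, url_size);
    if (url_len < 0) return -1;
    if (read_field(body, len, &pos, &f, &n)) return -1;   /* <scope-list> */
    return url_len;
}

/* Build and parse a constructed body (not real printer traffic): empty
 * <PRList>, the given <URL> field, scope "DEFAULT". Returns the parser result,
 * or -2 if the decoded URL differs from expect. */
static size_t put_field(uint8_t *dst, const void *s, size_t n)
{
    dst[0] = (uint8_t)(n >> 8); dst[1] = (uint8_t)n;
    memcpy(dst + 2, s, n);
    return n + 2;
}

static int run_body(const void *url_field, size_t n, const char *expect)
{
    uint8_t body[512]; char url[URL_BUF_SIZE];
    size_t len = put_field(body, "", 0);
    len += put_field(body + len, url_field, n);
    len += put_field(body + len, "DEFAULT", 7);
    int r = parse_attrrqst_body(body, len, url, sizeof url);
    return (r >= 0 && expect && strcmp(url, expect) != 0) ? -2 : r;
}

/* "\3a" decodes to ':', so this 32-byte field yields a 30-byte URL. */
int demo_escaped_url(void)
{
    const char *u = "service:printer\\3alpr://10.0.0.5";
    return run_body(u, strlen(u), "service:printer:lpr://10.0.0.5");
}

/* "\41" x 100 = 300 bytes on the wire, 100 bytes decoded: larger than
 * URL_BUF_SIZE, so the parser must refuse it rather than overflow. */
int demo_oversized_url(void)
{
    uint8_t esc[300];
    for (size_t i = 0; i < sizeof esc; i += 3) memcpy(esc + i, "\\41", 3);
    return run_body(esc, sizeof esc, NULL);
}
```

A field ending in a half escape ("...\4") is rejected by the same path, since the escape branch checks that both hex digits are inside the field before reading them.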
68. Hacking printers at Pwn2Own: Canon - Exploitation
• Protection
  • No Stack Guard
  • No DEP
  • No ASLR
70. We just need to find a buffer to store our shellcode and return to it
71. Hacking printers at Pwn2Own: Canon - Exploitation
• BJNP
  • A service discovery protocol designed by Canon
  • Exploited by Synacktiv
  • It will store session data in a global buffer
73-75. Hacking printers at Pwn2Own: Canon - Exploitation
• Exploit Steps
  • Use BJNP to store our shellcode in a global buffer
  • Trigger the stack overflow in SLP and overwrite the return address
  • Return to the global buffer
76-78. Hacking printers at Pwn2Own: Pwn2Own Austin 2021
• Requires you to prove that you have pwned the target
• In terms of a printer, we chose at first to print the "DEVCORE logo" on the LCD screen
• In the end, due to time constraints, we only chose to print a message on the screen
79. Hacking printers at Pwn2Own: Pwn2Own Austin 2021
• http://youtu.be/vQbQImZ3XRw?t=18405
80. Hacking printers at Pwn2Own: Canon - Exploitation
• Debugger?
  • If we want to debug it, we need to have a debug console
    • Need to tear down the printer
  • Use an old exploit to install a customized debugger
    • Need to downgrade the printer
81. Hacking printers at Pwn2Own: Canon - Exploitation
• But we are too lazy, we just use sleep debug to debug it :)
  • Figure: ROP/shellcode → Do something → Sleep → Reboot
83. Hacking printers at Pwn2Own: Link-Local Multicast Name Resolution
• LLMNR is very similar to mDNS. It provides basic name resolution on the same local link
84-85. Hacking printers at Pwn2Own: HP - LLMNR
• LLMNR protocol (figure): Client A multicasts "Address of Client C?" to 224.0.0.252; Clients B, C and D receive the request, and Client C answers with an LLMNR Response
86. Hacking printers at Pwn2Own: HP - LLMNR
• LLMNR header (based on the DNS header format), 16-bit fields:
  • ID, Flags
  • QDCOUNT, ANCOUNT
  • NSCOUNT, ARCOUNT
  • Queries (variable)
87. Hacking printers at Pwn2Own: HP - LLMNR
• LLMNR queries use the same format as a DNS query
  • Name as length-prefixed labels: 0x3 www 0x6 google 0x3 com 0x0, followed by Type and Class
  • A compression pointer such as 0xc0 0x0d refers back to a name earlier in the message
88-90. Hacking printers at Pwn2Own: HP - Vulnerability
• There is a stack overflow when LLMNR is parsing the queries
  • Fixed-size buffer on the stack
  • Without any length verification
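As an added example (not HP's code and not from the talk), here is a bounds-checked LLMNR question parser in C: it decodes the label format shown above into a fixed-size buffer, enforces the 255-byte name limit, checks every label against the packet length, and follows the 0xc0 compression pointer only backwards. The packet bytes are constructed, not captured traffic.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define LLMNR_HDR_LEN 12   /* ID, Flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT */
#define DNS_NAME_MAX  255  /* RFC 1035 limit on a wire-format name */
#define NAME_BUF_SIZE 256  /* fixed-size buffer, enough for any legal name */

/* Decode the name at msg[off] into dotted text. Every label is checked against
 * the packet length, the running total against DNS_NAME_MAX and every write
 * against out_size; a pointer (0xc0 xx) must point backwards and hops are capped.
 * Returns the offset just after the name (where Type starts), or -1. */
int dns_name_decode(const uint8_t *msg, size_t msg_len, size_t off, char *out, size_t out_size)
{
    size_t o = 0, total = 0, end = 0;
    int jumped = 0, hops = 0;
    for (;;) {
        if (off >= msg_len) return -1;
        uint8_t len = msg[off];
        if ((len & 0xC0) == 0xC0) {                       /* compression pointer */
            if (off + 1 >= msg_len || ++hops > 8) return -1;
            size_t ptr = ((size_t)(len & 0x3F) << 8) | msg[off + 1];
            if (!jumped) { end = off + 2; jumped = 1; }
            if (ptr >= off) return -1;                    /* must point backwards */
            off = ptr;
            continue;
        }
        if (len & 0xC0) return -1;                        /* 0x40/0x80: reserved */
        if (len == 0) {                                   /* root label ends the name */
            if (!jumped) end = off + 1;
            break;
        }
        if (off + 1 + len > msg_len) return -1;           /* label runs off the packet */
        total += len + 1;
        if (total + 1 > DNS_NAME_MAX) return -1;          /* +1 for the root label */
        if (o + len + 2 > out_size) return -1;            /* dot + label + NUL */
        if (o) out[o++] = '.';
        memcpy(out + o, msg + off + 1, len);
        o += len;
        off += 1 + len;
    }
    out[o] = '\0';
    return (int)end;
}

/* Parse question number q (0-based) of an LLMNR message: writes its name and
 * returns its 16-bit Type, or -1 on any malformed input. */
int llmnr_question(const uint8_t *msg, size_t msg_len, unsigned q, char *name, size_t name_size)
{
    if (msg_len < LLMNR_HDR_LEN) return -1;
    unsigned qdcount = ((unsigned)msg[4] << 8) | msg[5];
    if (q >= qdcount) return -1;
    size_t off = LLMNR_HDR_LEN;
    for (unsigned i = 0; ; i++) {
        int next = dns_name_decode(msg, msg_len, off, name, name_size);
        if (next < 0 || (size_t)next + 4 > msg_len) return -1;   /* Type + Class */
        if (i == q) return ((int)msg[next] << 8) | msg[next + 1];
        off = (size_t)next + 4;
    }
}

/* Constructed LLMNR query (not captured traffic): two questions, the second
 * naming the same host through a compression pointer back to offset 12. */
static const uint8_t SAMPLE_QUERY[] = {
    0x12, 0x34, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    3, 'w', 'w', 'w', 6, 'g', 'o', 'o', 'g', 'l', 'e', 3, 'c', 'o', 'm', 0,
    0x00, 0x01, 0x00, 0x01,                /* Type A, Class IN */
    0xc0, 0x0c, 0x00, 0x1c, 0x00, 0x01     /* pointer -> offset 12, Type AAAA */
};

/* Returns the Type of question q if its name decodes to www.google.com,
 * -2 if the name differs, -1 if the parser rejects it. */
int demo_sample_query(unsigned q)
{
    char name[NAME_BUF_SIZE];
    int type = llmnr_question(SAMPLE_QUERY, sizeof SAMPLE_QUERY, q, name, sizeof name);
    return (type >= 0 && strcmp(name, "www.google.com") != 0) ? -2 : type;
}

/* Constructed hostile query: one question whose name is 20 labels of 63 bytes
 * (1280 bytes on the wire, far past the 255-byte limit). A parser copying into a
 * fixed-size stack buffer without a length check would overflow here; this one
 * returns -1 as soon as the running total exceeds DNS_NAME_MAX. */
int demo_overlong_name(void)
{
    uint8_t msg[LLMNR_HDR_LEN + 20 * 64 + 1 + 4];
    char name[NAME_BUF_SIZE];
    memset(msg, 0, sizeof msg);
    msg[5] = 1;                                    /* QDCOUNT = 1 */
    size_t off = LLMNR_HDR_LEN;
    for (int i = 0; i < 20; i++) {
        msg[off++] = 63;
        memset(msg + off, 'a', 63);
        off += 63;
    }
    msg[off++] = 0;                                /* root label */
    msg[off + 1] = 1; msg[off + 3] = 1;            /* Type A, Class IN */
    return llmnr_question(msg, sizeof msg, 0, name, sizeof name);
}
```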
91. We tried to exploit it in a similar way as Canon, but …
92. Hacking printers at Pwn2Own: HP - Exploitation
• Protection
  • No Stack Guard
  • XN (DEP)
  • Memory Protection Unit (MPU)
  • No ASLR
93. Hacking printers at Pwn2Own: HP - Exploitation
• Some limits in this vulnerability
  • We can only overflow about 0x100 bytes
  • Null terminated
  • XN (DEP) and the MPU prevent us from executing shellcode
94. Hacker not Friendly?
• Can it be bypassed?
• How is it implemented?
95-97. Hacking printers at Pwn2Own: HP - Exploitation
• Let's delve into the HP RTOS
  • Linked with application code into a single image
  • Many tasks run in the same virtual address space, in kernel mode
99. Hacking printers at Pwn2Own: HP - Exploitation
• MMU in HP M283fdw
  • Uses one-level page table translation
  • A translation table entry translates a 1MB section
  • The translation table is located at 0x4003c000
100-101. Hacking printers at Pwn2Own: HP - MMU
• Figure: bits [31:20] of the virtual address index into the first-level translation table pointed to by TTBR; the selected translation table entry gives the physical section, and the low bits are the offset within it
• Figure: section entry layout, from bit 0 upwards: 0, 1 (section type), B, C, XN, Domain, P, AP, TEX, APX, S, nG, 0, 0, Section Address (bits [31:20])
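To make the descriptor layout on the slide concrete, here is an added example (not HP's code and not from the talk) that decodes an ARMv6 first-level section descriptor, computes where the entry for a virtual address lives under the table base 0x4003c000 from the slides, and audits a table for sections that are both privileged-writable and executable, which is the condition XN exists to prevent. Bit positions follow the ARMv6 architecture; the sample table entries are constructed, not dumped from the printer.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

#define TTBR_M283FDW  0x4003c000u   /* translation table base from the slides */
#define SECTION_SHIFT 20            /* one-level translation, 1MB sections */

/* Decoded ARMv6 first-level section descriptor; bit positions follow the
 * slide's layout: type, B, C, XN, Domain, P, AP, TEX, APX, S, nG, 0, 0, base. */
typedef struct {
    bool     is_section;   /* bits[1:0] == 0b10 and bit 18 == 0 */
    bool     b, c;         /* bits 2, 3 */
    bool     xn;           /* bit 4: eXecute Never */
    uint8_t  domain;       /* bits[8:5] */
    uint8_t  ap;           /* bits[11:10] */
    uint8_t  tex;          /* bits[14:12] */
    bool     apx;          /* bit 15 */
    bool     s, ng;        /* bits 16, 17 */
    uint32_t base;         /* bits[31:20]: physical section base */
} section_desc_t;

/* Which first-level entry covers a virtual address, and where that 4-byte
 * entry sits in memory given the table base. */
uint32_t first_level_index(uint32_t va) { return va >> SECTION_SHIFT; }
uint32_t entry_address(uint32_t ttbr, uint32_t va) { return ttbr + first_level_index(va) * 4u; }

section_desc_t decode_section(uint32_t d)
{
    section_desc_t s;
    s.is_section = ((d & 0x3u) == 0x2u) && !((d >> 18) & 1u);
    s.b      = (d >> 2) & 1u;
    s.c      = (d >> 3) & 1u;
    s.xn     = (d >> 4) & 1u;
    s.domain = (d >> 5) & 0xFu;
    s.ap     = (d >> 10) & 0x3u;
    s.tex    = (d >> 12) & 0x7u;
    s.apx    = (d >> 15) & 1u;
    s.s      = (d >> 16) & 1u;
    s.ng     = (d >> 17) & 1u;
    s.base   = d & 0xFFF00000u;
    return s;
}

/* ARMv6 AP/APX encoding: with APX = 0 any AP other than 0b00 allows privileged
 * writes; with APX = 1 the section is read-only for everyone (or reserved). */
bool section_priv_writable(const section_desc_t *s) { return s->is_section && !s->apx && s->ap != 0; }
bool section_executable(const section_desc_t *s)    { return s->is_section && !s->xn; }

/* Audit a first-level table for sections that privileged code can both write
 * and execute. On an RTOS where every task runs in kernel mode such a section
 * turns any memory-corruption bug into code execution, which is exactly what
 * XN is meant to prevent. Returns the count; records up to max_out indices. */
size_t audit_wx(const uint32_t *table, size_t entries, uint32_t *out_idx, size_t max_out)
{
    size_t n = 0;
    for (size_t i = 0; i < entries; i++) {
        section_desc_t s = decode_section(table[i]);
        if (section_priv_writable(&s) && section_executable(&s)) {
            if (n < max_out) out_idx[n] = (uint32_t)i;
            n++;
        }
    }
    return n;
}

/* Constructed four-entry table (not dumped from the printer):
 *  [0] 0x40000000: RW (AP=01, APX=0), executable  -> W^X violation
 *  [1] 0x40100000: RW, XN set                     -> fine for data
 *  [2] 0x40200000: RO (AP=01, APX=1), executable  -> fine for code
 *  [3] fault entry                                -> skipped */
static const uint32_t SAMPLE_TABLE[4] = {
    0x40000000u | (1u << 10) | (1u << 3) | (1u << 2) | 0x2u,   /* 0x4000040e */
    0x40100000u | (1u << 10) | (1u << 4) | 0x2u,               /* 0x40100412 */
    0x40200000u | (1u << 15) | (1u << 10) | 0x2u,              /* 0x40208402 */
    0x00000000u,
};

size_t demo_wx_count(void)
{
    uint32_t idx;
    return audit_wx(SAMPLE_TABLE, 4, &idx, 1);
}

int demo_first_wx_index(void)
{
    uint32_t idx;
    return audit_wx(SAMPLE_TABLE, 4, &idx, 1) ? (int)idx : -1;
}
```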
102-103. Hacking printers at Pwn2Own: HP - Exploitation
• MMU in HP M283fdw
  • The translation table is at a known address
  • We can bypass XN by modifying the translation table entry!
  • But it's protected by the Memory Protection Unit (MPU)
105-106. Hacking printers at Pwn2Own: HP - Exploitation
• Memory Protection Unit
  • The MPU enables you to partition memory into regions and set individual protection attributes for each region
  • Enabled when booting
  • Figure: physical memory partitioned into Region 0 (page table, code) as read-only, Region 1 (data) as RW, and further regions; a write access to Region 0 is blocked
107. Hacking printers at Pwn2Own: HP - Exploitation
• Memory Protection Unit
  • The MPU is configured by a series of memory-mapped registers in the System Control Space (figure: MPU_TYPE, MPU_CTRL, MPU_RNR, …)
  • MPU_CTRL 0xE0400304
108. We can easily use ROP to overwrite it with 0 to disable the MPU
109. Hacking printers at Pwn2Own: HP - Exploitation
• After we disable the MPU and overwrite the translation table entry
  • We can modify any code page
  • Modify the code of LPD (Line Printer Daemon) in order to read our payload to a specific address
  • Convert LPD to a debug console
110. Hacking printers at Pwn2Own: HP - Exploitation
• After we disable the MPU and overwrite the translation table entry, we must invalidate
  • Translation Lookaside Buffer
  • D-cache and I-cache
111-117. Hacking printers at Pwn2Own: HP - Exploitation
• Exploit Steps
  • Trigger the stack overflow in LLMNR and overwrite the return address
  • ROP to disable the MPU
  • ROP to modify the translation table entry
  • Flush the TLB
  • ROP to invalidate the I-cache and D-cache
  • ROP to modify the code of LPD
  • Use the modified LPD to read our shellcode and jump to it
118-119. Hacking printers at Pwn2Own: Pwn2Own Austin 2021
• Requires you to prove that you have pwned the target
• Originally, we just wanted to print a message on the LCD screen
• But luckily, we later saw that something resembling the DEVCORE logo can be printed
  • Just modify the string and trigger the printer test
127-128. Mitigation
• Update
  • Canon and HP printers have been patched, please update to the latest firmware
• Disable unused services
  • The attack surface of a printer is very large
  • Many services are opened by default
• Firewall