The document describes several logic flaws in Chrome on Android that could be exploited. It discusses exploiting automatic file downloads to steal downloaded files or files from Google Drive by tricking the browser into downloading malicious files. It also describes using cross-site request forgery tokens and device IDs to programmatically install arbitrary apps from the Google Play store. The presentation aims to show how understanding application logic can lead to powerful "logic bug" exploits beyond simple memory corruption issues.
The document discusses common web application security vulnerabilities and best practices for prevention. It covers topics like cross-site scripting (XSS), SQL injection, insecure direct object references, command injection, cross-site request forgery (CSRF), and improper password storage. The document provides examples of each vulnerability and recommendations for prevention, including input validation, prepared statements, encryption, hashing passwords, and other techniques. The objectives are to create awareness of web security issues and how developers can build more secure applications using secure coding practices.
This document discusses malware collection and analysis conducted at the DSNSLab at NCTU. It introduces the lab director, Professor Xie Zhiping, and outlines the lab's research areas including malware analysis, virtual machines, digital forensics, and network security. It then provides an overview of the Secmap platform for automated malware analysis and collection. Methods of malware collection discussed include disk forensics, web crawling, shared repositories, email, and honeypots.
This document discusses program security for Android apps. It begins with an introduction of the speaker and covers topics like Android architecture, app threat models, app components like activities and intents, data storage security, cryptography, injection attacks, and reverse engineering defenses. The document provides examples of real security issues from apps like LinkedIn and Pandora and offers tips to defend against various threats like improper data handling, insecure communication, and client-side injection.
Practical White Hat Hacker Training - Introduction to Cyber Security (PRISMA CSI)
This document provides an overview of PRISMA, a cyber security consultancy firm. It discusses PRISMA's penetration testing and training services. It also covers topics related to penetration testing like methodologies, career paths in cyber security, and certifications. The document is intended to introduce PRISMA's services and activities to potential clients or training participants.
This document discusses improving detection rules coverage through infrastructure automation tools, testing frameworks, and metrics. It introduces tools like Packer, Vagrant, Terraform, and DetectionLab for building detection environments. Atomic Red Team and the MITRE ATT&CK framework are covered for testing detections. Metrics like the ATT&CK heatmap and KPIs are suggested for measuring coverage. Common pitfalls like assuming full coverage and not prioritizing are addressed.
The Dark Side of PowerShell by George Dobrea (EC-Council)
PowerShell is now a 'mandatory-to-use' tool for IT professionals who need to automate administration of the Windows OS and applications, including Azure and Nano Server. Unfortunately, threat actors have recently taken advantage of this powerful scripting language precisely because PowerShell is already installed on your Windows machines and trusted by admins and most antivirus tools. The session presents the steps that should get you started on (ethical) hacking and pen testing with PowerShell, as well as newer techniques such as JEA (Just Enough Administration) that a defender can use to limit the effectiveness of PowerShell attacks.
Practical White Hat Hacker Training - Post Exploitation (PRISMA CSI)
This presentation is part of Prisma CSI's Practical White Hat Hacker Training v1.
PRISMA CSI - Cyber Security and Intelligence, www.prismacsi.com
This document can be shared or quoted, and used for commercial purposes, but cannot be changed. Detailed information is available at https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode.
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam... (CODE BLUE)
Malware utilizes many cryptographic algorithms.
To fight against malware, analysts have to reveal the details of malware activities.
Accordingly, it is important to identify the cryptographic algorithms used in malware.
In this track, I propose a faster and extensible method to automatically detect known cryptographic algorithms in malware using dynamic binary instrumentation and fuzzy hashing.
This document provides an introduction to red team operations from the perspective of a penetration tester transitioning to become a red teamer. It discusses some of the key differences between penetration testing and red teaming such as scope, reconnaissance required, stealth, and infrastructure setup. The document outlines principles for red team operations including protecting infrastructure, logging everything, managing information, and avoiding detection. It also provides examples of tactics, techniques and procedures used in red team operations as well as considerations for tools like Cobalt Strike to help evade detection.
The document provides an overview of techniques for penetrating OS X environments externally, including using the EmPyre remote access Trojan, phishing with OS X payloads, privilege escalation, persistence mechanisms like login hooks and crontab, host and network reconnaissance tools, and lateral movement options like SSH. The challenges of operating in an OS X environment and adapting typical Windows tactics are also discussed.
The document discusses various techniques for Linux and Windows privilege escalation, including exploiting SUID/SGID files, sudo misconfigurations, weak folder permissions, PATH variables, symbolic links, unquoted service paths, DLL hijacking, and the "Hot Potato" technique combining NBNS spoofing, WPAD MITM, and HTTP-SMB relaying. It provides examples and references for further reading on exploiting common misconfigurations to gain elevated privileges on Linux and Windows systems. The presenter's goal is to raise awareness of typical issues rather than enable harm.
Threat Analysis on Win10 IoT Core and Recommended Security Measures by Naohi... (CODE BLUE)
Windows 10 IoT was released as a platform for IoT.
Windows 10 IoT Core, the lightest edition of Windows 10 IoT, is usable free of charge and can run on single-board computers like the Raspberry Pi. Until now, Linux-based platforms were considered the platform for IoT devices, but there is now another option.
We conducted research on the security of Windows 10 IoT Core to judge whether it can be used safely.
We investigated the security design, the security functions, and the default services, such as Web, FTP, and SSH, served by this OS. Furthermore, we also analyzed the risks of intrusion and malware infection.
As a result of the investigation, we found that, as in the newest Windows, DEP, ASLR and CFG are in effect as countermeasures against attacks exploiting memory vulnerabilities. These countermeasures are not omitted from Windows 10 IoT Core.
On the other hand, we also found that some designs and default settings of services and components are insecure.
For example, Windows Update is disabled, Windows Firewall is disabled by default, the web interface is served over HTTP, and its authentication is basic authentication.
Moreover, we found a problem in the design of the remote debug service. This problem allows an attacker to create an arbitrary user account and intrude via the web interface or SSH. Therefore, this problem might be abused by worm malware.
Lastly, we introduce recommended security measures such as disabling unused services, changing settings, enabling the firewall, serving the web interface over HTTPS, etc.
This document summarizes three papers related to data compression and network security. The first paper studies how improper implementation of data decompression in network services can enable denial-of-service attacks. It identifies 12 categories of flaws and evaluates popular services finding 10 vulnerabilities. The second paper proposes the Bohatei system to improve defense against DDoS attacks using SDN/NFV. It presents a hierarchical decomposition approach and proactive tag-based steering. The third paper examines data compression as a source of security issues, studying past attacks like zip bombs and analyzing pitfalls in design, implementation, specification and configuration of compression in network services.
This document discusses anatomy of cloud hacks by analyzing past data breaches and vulnerabilities. It begins by looking at known attacks where compromised infrastructure was based in the cloud. Specific case studies of attacks on Code Spaces, Olindata, and Tesla are described. The document then covers techniques for enumerating cloud services and resources like storage containers. Methods for gaining an initial foothold like leaked credential hunting and exploiting server-side request forgery are also outlined.
For #Redpill2017, The most offensive security conference in Thailand.
This slide talks about the weak point of endpoint protection such as Antivirus, User Account Control, AppLocker.
Matt Oh, Microsoft
We are seeing new techniques used every day by malware, but it is very hard to find truly impressive techniques used in the wild. Recently there was a huge buzz about the Detrahere malware, which used internally known issues with certificate signing for Windows 10 kernel drivers. Even though the certificate check bypass technique itself is very interesting, I found the tactics used by the malware even more impressive. The malware is mainly focused on ad-hijacking functionality through Netfilter driver installation, but it also has rootkit capability through file system driver hooking. This feels like the old days coming back with a new arsenal. The rootkit detects kernel debugging settings and will destroy the system when it finds them. The unpacking process can be a very challenging job, too, as it uses a kernel driver image hollowing technique (similar to process hollowing) to deobfuscate itself and run unpacked code. PatchGuard does not seem to trigger on this action, because all the sections are pre-allocated with execute permission already.
Through this talk, I want to present the various techniques used by this malware, focusing on its kernel-level obfuscation and anti-analysis tactics. This will give us new insights into what new Windows rootkit malware might look like in the future and how detecting it from security systems and detonation systems can be a challenge.
The document discusses the path of cyber security and how to become a hacker or security professional. It outlines the typical steps of penetration testing: reconnaissance and analysis, vulnerability mapping, gaining access, privilege escalation, maintaining access, and covering tracks. It recommends starting with networking and programming skills, focusing on an area of expertise like web security, participating in competitions and creating a practice lab to learn. The presenter gives demonstrations on vulnerable VMs and recommends courses, CTF competitions, and building your own lab to advance your skills in security research, tool development, and operations.
Jagadeesh Parameswaran, Microsoft
Rahul Sachan, Microsoft
Windows Defender Advanced Threat Protection (WDATP) gives defenders unparalleled visibility into the enterprise. And Azure Advanced Threat Protection (AATP) gives the power to monitor attacks on the Domain Controllers and user identities. Come spend an hour with us as we pull back the covers and go through detailed examples of real attacks that we saw as we defended the Microsoft corporate environment using WDATP & AATP.
[CB16] Facebook Malware: Tag Me If You Can by Ido Naor & Dani Goland (CODE BLUE)
In June, thousands of Facebook users complained that they had been infected by a virus through their accounts after they received a message from a Facebook friend claiming they had been mentioned in a comment. Kaspersky Lab researcher Ido Naor and Dani Goland, CEO & founder of Undot, decided to investigate. They quickly discovered that the message had in fact been initiated by attackers and unleashed a two-stage attack on recipients. The first stage of the attack started when the user clicked on the "mention". A malicious file seized control of their browser, terminating its legitimate session and replacing it with a malicious one that captured their entire web traffic. The second stage included a highly sophisticated script that took over victims' Facebook and Google Drive accounts. After piecing the script together, they managed to extract the proverbial needle from a haystack: an unknown Facebook vulnerability that allowed an attacker to exploit the notifications functionality.
In this talk, Dani and Ido will dive into the bits and bytes of the campaign and explain how the attackers exploited Facebook to spread the malware.
--- Ido Naor
Ido is a senior security researcher at the Global Research & Analysis Team (GReAT), Kaspersky Lab. He joined Kaspersky two years ago and is leading the regional research in Israel.
Ido specializes in malware analysis, penetration testing and software reverse engineering and has been credited for his work by major enterprises such as: Google, Facebook, Linkedin, Alibaba and more.
Aside from research, Ido is a martial arts expert and a father of two daughters.
--- Dani Goland
Dani is the CEO and founder of Undot, an Israel-based startup that developed a unified remote-control application for home appliances.
Dani has more than a decade of experience in programming on a variety of frameworks and languages.
Aside from managing Undot, Dani is a frequent competitor in hackathons (programming competitions) and won first place at HackTrackTLV 2016 and the eBay Hackathon 2015.
Zombie browsers spiced with rootkit extensions - DefCamp 2012 (DefCamp)
This document discusses the risks of malicious browser extensions and demonstrates a proof of concept homemade Firefox extension created by the author that is capable of command and control, stealing cookies and passwords, uploading and downloading files, executing binary code, bypassing geolocation restrictions, and remaining undetected by antivirus software. The author argues that browser extensions pose serious risks and outlines recommendations for browser developers, website developers, antivirus companies, companies, and users to help mitigate these risks.
This document summarizes a presentation about malicious browser extensions and rootkits. It discusses the history of malicious extensions for Firefox, Chrome, and Safari. It demonstrates how to create a homemade Firefox extension that can steal cookies and passwords, upload/download files, and execute binaries remotely without user interaction. The presentation notes risks of zombie browsers include bypassing firewalls/filtering and accessing all browser secrets. It also demonstrates defeating 2-factor authentication on Gmail and hacking ChromeOS, though the latter demo did not work due to security restrictions. The document concludes by calling on antivirus companies to improve extension detection, browser companies to restrict extensions further, and users to use separate systems for banking.
Attacking and Defending Mobile Applications (Jerod Brennen)
The rapid increase in mobile technology adoption in the workplace has resulted in a rise in mobile application attacks. This presentation gives attendees insight into how mobile application attacks are perpetrated, as well as how we can develop to defend against them.
Mobile code mining for discovery and exploits - nullcon Goa 2013 (Blueinfy Solutions)
This document discusses mobile code mining for discovery and exploits. It introduces the speaker, Hemil Shah, and provides an overview of mobile infrastructure, apps, and changes in the mobile environment compared to web. It then discusses several mobile attacks including insecure storage, insecure network communication, UI impersonation, activity monitoring, and system modification. It also covers decompiling Android apps and analyzing app code for security issues.
The document discusses the history and risks of malicious browser extensions. It begins with a brief history of malicious Firefox extensions from 2004-2012, noting a rise from 5 extensions in 2011 to 48 from January to October 2012. The document then demonstrates a home-made Firefox extension that can perform command and control, steal cookies/passwords, and execute code remotely. It discusses disadvantages of browser extensions compared to other malware. Finally, it acknowledges risks of zombie browsers and calls on antivirus developers, browser developers, website developers and users to address these risks.
The document discusses the history and risks of malicious browser extensions. It begins with a brief history of malicious Firefox extensions from 2004-2012, noting a rise from 5 to 48 detected extensions between 2011-2012. Examples are shown of extensions that can steal cookies, passwords, files and execute binaries on the host system. Live demos are presented of proof-of-concept extensions developed for Firefox, Chrome, and Safari that demonstrate these risks. The document concludes by noting limitations of these extensions and providing recommendations to browser developers, antivirus companies, website developers and users to help mitigate these risks.
The document summarizes an Android security workshop that took place on February 24th, 2016 in Poland. The workshop included sessions on Android fundamentals, application component security, and the OWASP top 10 mobile risks. It also covered reverse engineering and malware analysis. The document provides an agenda and summaries of the topics discussed in each session, including details on Android architecture, security features in Android 6.0, application permissions and components, and common mobile risks. It aims to provide attendees with a basic understanding of Android security concepts and methodologies for analyzing mobile applications for security issues.
This document discusses smartphone security and analyzing Android apps. It begins with an introduction of the speaker and their background. It then covers topics like decrypting and reverse engineering iPhone apps, the Android architecture and permission model, analyzing HTTP traffic, bypassing lock patterns, and insecure data storage in Android apps. The document promotes analyzing apps to find vulnerabilities and demonstrates a tool called Manifestor.py for app analysis. It encourages standardizing development and stronger security practices to improve smartphone security.
This document discusses iOS app security best practices. It covers common security breach areas like jailbreak detection, securing sensitive keys, URL schemes, and third-party dependencies. For jailbreak detection, it notes that 100% detection is impossible and the focus should be on making bypassing detection harder. For keys, it recommends hashing and storing them remotely. For URL schemes, it advises moving to universal links and sanitizing input. For dependencies, it notes the risks of incorporating third-party code and importance of staying updated. It concludes by recommending checking the OWASP Mobile Security Testing Guide for vulnerabilities to address.
Web-App Remote Code Execution Via Scripting Engines by Rahul Sasi at c0c0n - International Cyber Security and Policing Conference http://is-ra.org/c0c0n/speakers.html
13 practical tips for writing secure golang applications (Karthik Gaekwad)
Writing secure applications in a new language is challenging. Here are some tips to help get you started writing secure code in golang. Presented at LASCON 2015.
Harsimran Walia presents information on analyzing Android malware. He discusses how the Android platform has become very popular for attackers due to its large market share and less restrictive development environment compared to iOS. He outlines different types of Android malware like data stealers and rooting malware. The paper also provides details on setting up a malware analysis lab and introduces both static and dynamic analysis tools. It then demonstrates the analysis process on a real premium SMS sending malware sample, showing how to decompile, modify, and test the malware.
HTML5 is the Future of Mobile, PhoneGap Takes You There Today (davyjones)
PhoneGap allows developers to build mobile apps using HTML, CSS and JavaScript instead of relying on platform-specific languages like Objective-C or Java. The document discusses PhoneGap's capabilities and advantages, including writing apps once that run on multiple platforms, using web technologies that are widely known by developers, and leveraging growing browser capabilities on mobile through HTML5. It also outlines PhoneGap's APIs, tools, libraries, and community to help developers get started building cross-platform mobile apps.
"I haz you and pwn your maal" by Harsimran Walia @b44nz0r at c0c0n - International Cyber Security and Policing Conference http://is-ra.org/c0c0n/speakers.html
The document discusses various web security topics such as Google hacking, session hijacking, cross-site scripting, and SQL injection. It provides an agenda covering vulnerability types, mitigation strategies, and tools for testing each vulnerability. Recommendations are given for securing websites against common attacks discovered through search engines.
Basic overview, testing, mitigation plan for popular web application vulnerabilities such as: XSS, CSRF, SQLi etc.
Updated "Web Security - Introduction" presentation.
This talk shows the possibilities of reversing Android applications. After an introduction to Android issues of the past, Tobias Ospelt explains how he managed to download several thousand Android applications from the Google Market, and which security issues are present in various apps. Apps can be decompiled, altered and recompiled, which means that for most apps it is very easy to steal code or to include malware. Some of the apps use obfuscation to disguise the code, but encryption keys, for example, can easily be extracted. Small game developers as well as big companies are not aware of the risk that their code can be decompiled to Java and disassembled to smali code. This is how a lot of protection mechanisms can be circumvented, such as licensing (cracking a game) or corporate solutions (enforcing policies on the mobile device). The talk shows how easily anyone can reverse Android apps and how encryption keys can be extracted, even when the code is obfuscated. The material is a nice follow-up to the Android talk of Jesse Burns from last year at #days, although this talk is more focused on the apps and shows more hacks/code/encryption/obfuscation/reversing.
Bio: Tobias Ospelt is working as a security expert and tester for Dreamlab Technologies AG in Bern. He is mainly involved in web application and mobile security penetration tests. Tobias Ospelt joined Dreamlab after achieving his Master's degree with a focus on IT security, and after working as a research assistant at the Zurich University of Applied Sciences.
This document summarizes several major security events that occurred in 2014, including large DDOS attacks against gaming companies and a Hong Kong voting system, as well as the discovery of vulnerabilities and malware. The Hong Kong DDOS attack reached 300 Gbps using reflection techniques like NTP amplification and involved a coordinated attack from botnets, floods, and other vectors. The document also discusses growing security issues involving the Internet of Things, including vulnerabilities found in routers and devices like IP cameras that can enable remote access, as well as malware targeting point-of-sale systems and the potential use of IoT devices in botnets.
CSW2017 Richard Johnson - harnessing intel processor trace on windows for vulner... (CanSecWest)
This document discusses using Intel Processor Trace (Intel PT) for hardware-based tracing on Windows. It provides an overview of Intel PT capabilities and how it can be used for fuzzing and vulnerability discovery. Specifically, it describes the development of WinAFL IntelPT, which integrates Intel PT tracing with the WinAFL evolutionary fuzzer to enable high-performance, hardware-driven fuzzing on Windows.
The document discusses automotive intrusion detection and cybersecurity. It provides an overview of automotive network architecture and the CAN bus protocol. It then discusses approaches to automotive intrusion detection, including building models of normal vehicle behavior to detect anomalies. The document outlines challenges in detecting threats on the CAN bus and proposes a distributed intrusion detection system architecture to enhance vehicle security.
This document describes exploiting a use-after-free vulnerability called "Hearthstone" in VMware Workstation to escape from a virtual machine. It begins with background on VMware RPC and the fuzzing framework used. It then explains the Hearthstone vulnerability, how it allows information leakage, and how that leakage can be used to conduct an out-of-bounds write to achieve code execution on the host system. The presentation concludes with a demonstration of the exploitation process and takes questions.
CSW2017 Weston miller csw17_mitigating_native_remote_code_execution (CanSecWest)
This document summarizes security features in Microsoft Azure to prevent control-flow hijacking and arbitrary code generation. It describes Control Flow Guard, Arbitrary Code Guard, and Code Integrity Guard which enforce control flow integrity, prevent dynamic code generation and modification, and only allow signed code pages. It also discusses some known limitations and bypasses that Microsoft is working to address through additional security features like Control-flow Enforcement Technology (CET).
CSW2017 Qiang li zhibinhu_meiwang_dig into qemu security (CanSecWest)
The document summarizes a presentation on analyzing the security of QEMU. It introduces QEMU and describes its main attack surfaces, including device emulation, virtio, third-party libraries, VNC, Spice, and QMP. Examples of vulnerabilities found in Cirrus VGA, virtio filesystem, virglrenderer library, VNC, and QMP are provided. The document concludes with thoughts on efficient security analysis, noting that combining in-depth knowledge with fuzzing is most effective for finding bugs in complex software like QEMU.
This document summarizes a presentation about attacking the DirectComposition component of the Windows graphics subsystem. It discusses:
1) An overview of DirectComposition and its architecture.
2) Two zero-day vulnerabilities the researchers found - a double free bug and integer overflow bug that were exploited to achieve code execution.
3) Their fuzzing approach and how they increased coverage of important DirectComposition functions.
4) Mitigation techniques Microsoft employed in later versions and ways the researchers bypassed them, such as abusing tagWND and bitmap objects.
CSW2017 Kyle ehmke lots of squats- ap-ts never miss leg day (CanSecWest)
The document discusses how threat actors often register spoofed domains to target organizations, and how analyzing domain registration patterns can provide strategic and tactical threat intelligence. It provides examples of analyzing spoofed domains targeting healthcare organizations to identify trends, and pivoting from domains used in attacks to find others associated with the same actors. The analysis of registration trends and WHOIS data on spoofed domains can help organizations monitor for potential threats and gain situational awareness during incidents.
CSW2017 Henry li how to find the vulnerability to bypass the control flow gua... (CanSecWest)
The document discusses techniques for bypassing Control Flow Guard (CFG) protections on Windows. It begins by introducing the author and their background in security research. It then outlines several potential attack surfaces for bypassing CFG, including using functions like VirtualAlloc and VirtualProtect that can mark memory as valid call targets, writing return addresses, and leveraging indirect calls without CFG checks. The document analyzes six CFG bypass vulnerabilities found by the author in Microsoft Edge and Chakra, and provides details on exploitation methods. It concludes by discussing improvements to harden CFG protections further.
CSW2017 Enrico branca What if encrypted communications are not as secure as w... (CanSecWest)
The document discusses analyzing over 73 million encryption certificates to test their security. It finds that over 25 million certificates share the same public key, over 2.5 million share the same modulus, and over 750,000 share divisors, indicating weak key generation. It also finds some certificates with invalid exponents, moduli divisible by small primes, and a few with an exponent of 1, all of which make the keys insecure. The analysis shows many keys assumed to be secure may actually be vulnerable to attacks due to flaws in key generation.
CSW2017 Mickey+maggie low cost radio attacks on modern platforms (CanSecWest)
This document discusses low-cost radio wave attacks on modern platforms. It summarizes previous work using electromagnetic interference to sniff crypto keys across walls or perform side-channel attacks. It then demonstrates using EMI to cause power surges, corrupt sensors and fan speeds, power motherboard components, and cause a blue screen of death on a system, with potential impacts including randomness generation issues, memory corruption, and targeted glitching attacks. It concludes with recommendations for mitigations like electromagnetic shielding, robust power supplies and motherboards, and built-in fault tolerance.
CSW2017 Minrui yan+Jianhao-liu a visualization tool for evaluating can-bus cy... (CanSecWest)
This document presents CAN-Pick, a visualization tool for evaluating CAN-bus cybersecurity. CAN-Pick allows users to analyze CAN traffic in real-time, replay messages, fuzz the network, and examine UDS diagnostic services. It supports multiple hardware interfaces and operating systems. The tool's features include packet visualization, diff checking, fuzzing modes, and an online programming interface. Examples demonstrate using CAN-Pick for replaying messages, UDS scanning, and evaluating proposed security designs for CAN networks. The goal of CAN-Pick is to help researchers and practitioners evaluate the security of in-vehicle networks.
Harri Hursti gave a presentation on security issues with electronic voting machines in the US. He discussed how independent security reviews of voting machines ended in 2007 and have not been conducted since, despite 52 models being used in the 2016 election. He provided examples of machines having network connections contrary to claims, such as a machine that transmitted results via modem. Hursti argued that more independent review of current voting machine security is needed given the issues uncovered in past research and real election incidents.
CSW2017 Privilege escalation on high-end servers due to implementation gaps i... (CanSecWest)
This document discusses how abusing CPU hot-add weaknesses could allow escalating privileges in server datacenters. It describes how CPU hot-add works, allowing addition of new CPUs to a running system without shutting down. Two memory regions important for hot-add are identified as assets to protect: 0x38000 holding SMI code, and 0x0e2000 holding SIPI vectors. An attack corrupting 0x38000 to inject malicious SMI code and escalate to SMM privileges is demonstrated. Mitigation using hardware protection of memory regions from DMA is discussed.
CSW2017 Scott Kelly: secureboot-csw2017-v1 (CanSecWest)
This document summarizes Scott G. Kelly's presentation on secure boot flaws in IoT and embedded systems. Kelly discusses how secure boot is intended to work by only allowing authorized firmware to run, but that many systems implement it incorrectly. Common flaws include using symmetric keys that can be extracted from devices, having an "optional" secure boot that can be easily disabled, and having a weak root of trust if the first code executed is stored in unprotected flash. Kelly urges vendors to properly implement secure boot to prevent malware from replacing firmware and compromising systems.
This document provides an overview of how the authors exploited three bugs in Google's Nexus 6P/Pixel devices running Nougat to achieve remote code execution during Mobile Pwn2Own 2016. It describes a chain of exploits involving a V8 bug to compromise the renderer process, an IPC bug to escape the sandbox, and a bug in Google apps that allowed installing unauthorized apps. Google responded quickly by patching the V8 and IPC bugs overnight on October 26th and pushing a Google apps update the next day. The presentation then discusses the anatomy of the Chrome sandbox on Android and possible avenues for escaping it.
This document discusses techniques for hijacking the .NET framework and Just-In-Time compiler to monitor and analyze PowerShell commands at runtime. It provides background on PowerShell attacks, .NET fundamentals like assemblies and the JIT compiler, and methods for decompiling and manipulating .NET binaries. The goal is to allow PowerShell to run normally while analyzing obfuscated commands and remaining stealthy to avoid detection.
This document summarizes a presentation given by three security researchers from Tencent KEEN Security Lab at CanSecWest 2016 about compromising Apple graphics. They discuss fuzzing Apple's graphics drivers to find vulnerabilities by targeting interfaces that are reachable from the Safari sandbox. As a case study, they describe a race condition vulnerability they discovered in AppleIntelBDWGraphics that could lead to a double free and kernel code execution on macOS systems with Intel Broadwell graphics. They provide tips for making fuzzing more effective, such as targeting less restricted interfaces and leveraging relationships between different graphics interfaces and objects.
The document summarizes research into hacking the Kevo smart lock using a Bluetooth-enabled smartphone. The researcher was able to bind their phone to the Kevo fob and unlock the smart lock while the owner was asleep by taking advantage of the fob's brief window of continued radio transmission after being bound to another device. Potential fixes discussed include adding a button to the fob, using broadcasting instead of point-to-point Bluetooth mode, or requiring authentication through a smartphone app instead of the standalone fob. A demo video of the attack is referenced.
The document discusses virtualization system security testing. It summarizes the work of the 360 Marvel Team, which focuses on attack and defense techniques in virtualized systems. The team has developed a fuzzing framework to test for vulnerabilities in hardware virtualization components like Qemu and Vmware. The framework analyzes data flowing to components, changes it to trigger abnormalities, and records results. Using this framework, the team has found over 20 vulnerabilities. The document outlines the framework's functions, workflow, and how it was used to analyze vulnerabilities in the Qemu e1000 network device and Vmware e1000 network device through a case study.
2. Agenda
• Fuzzing and memory corruptions
• Introduction to logic flaws
• General approach to hunting logic bugs
• Application in Mobile Pwn2Own 2016
• Exploit improvement
4. Fuzzing and Pwn2Own
• Fuzzing has become mainstream
• AFL, LibFuzzer, Radamsa, Honggfuzz, etc.
• It’s almost too easy…
• People find and kill bugs they rarely understand…
• Increasing likelihood of duplicates
• libstagefright, Chrome, etc.
• Code changes
• Improved exploit mitigations
5. Android Mitigations
• More and better security mechanisms
• Improved rights management, SELinux, TrustZone
• ASLR, DEP, PIE, RELRO, PartitionAlloc, Improved GC
• Significant increase in exploit development time
• Multiple bugs are usually chained together
• PoC isn’t enough for the competition
• We can’t afford spending too much time on Pwn2Own
6. Memory Corruptions vs. Logic Flaws
• Memory corruptions
• Programming errors
• Memory safety violations
• Architecture-dependent
• General mitigations
• Logic flaws
• Design vulnerabilities
• Intended behaviour
• Architecture-agnostic
• Lack of general mitigation mechanisms
7. We Love Logic Bugs
• Equally beautiful and hilarious vectors
• Basic tools
• Actual exploits might be somewhat convoluted
Q: How many bugs do you have in your chain?
A: We abuse one and a half features.
Q: What tool did you use to find that bug?
A: Notepad.
12. Identifying Logic Flaws
• I don’t know what I’m doing…
• Lack of one-size-fits-all methodology
• Thou shalt know thy target
• Less known or obscure features
• Trust boundaries and boundary violations
• Threat modelling
16. Mobile Pwn2Own 2016
“All entries must compromise the devices by browsing to web content
[…] or by viewing/receiving an MMS/SMS message.”
http://zerodayinitiative.com/MobilePwn2Own2016Rules.html
Category                        | Phone          | Price (USD)
Obtaining Sensitive Information | Apple iPhone   | $50,000
Obtaining Sensitive Information | Google Nexus   | $50,000
Obtaining Sensitive Information | Samsung Galaxy | $35,000
Install Rogue Application       | Apple iPhone   | $125,000
Install Rogue Application       | Google Nexus   | $100,000
Install Rogue Application       | Samsung Galaxy | $60,000
Force Phone Unlock              | Apple iPhone   | $250,000
17. Where do we start?
• Ruling out SMS/MMS
• Limited to media rendering bugs
• Chrome
• Core components
• URI handlers
• IPC to other applications
20. Google Admin
public void onCreate(Bundle arg3) {
    // "setup_url" is taken straight from the launching intent's extras ...
    this.c = this.getIntent().getExtras().getString("setup_url");
    // ... and loaded into the WebView without any scheme or host check
    this.b.loadUrl(this.c);
    // ...
}
ResetPinActivity.java
21. Google Admin
• Attacking with malware
adb shell am start \
  -d http://localhost/foo \
  -e setup_url file:////data/data/com.malware/file.html
22. Google Admin
Chrome
file:///tmp/foo.html
Uncaught DOMException: Blocked a frame with origin "null" from accessing a
cross-origin frame.
<HTML><BODY>
<IFRAME SRC="file:///tmp/foo.html" id="foo"
onLoad="console.log(document.getElementById('foo').contentDocument.body.innerHTML);">
</IFRAME>
</BODY></HTML>
23. Google Admin
Chrome on Android API 17
file:///sdcard/foo.html
Yep, that’s fine!
<HTML><BODY>
<IFRAME SRC="file:///sdcard/foo.html" id="foo"
onLoad="console.log(document.getElementById('foo').contentDocument.body.innerHTML);">
</IFRAME>
</BODY></HTML>
24. Google Admin
• Malicious app creates a world readable file, e.g. foo.html
• foo.html will load an iframe with src = “foo.html”
after a small delay
• Sends a URL for foo.html to Google Admin via IPC
• Change foo.html to be a symbolic link pointing to a file in the
Google Admin’s sandbox
• Post file contents back to a web server
25. Same-Origin Policy
• Chrome for Android vs. Chrome
• Different SOP
• Custom Android schemes
• Worth investigating…
26. SOP in Chrome for Android
Scheme       | Origin rule
HTTP / HTTPS | Scheme, domain and port number must match.
FILE         | Full file path is the origin until API 23. Starting with API 24, all origins are NULL.
CONTENT      | Scheme, domain and port number must match.
DATA         | All origins are NULL.
28. Android Content Providers
• Implement data repositories
• Exportable for external access
• Declared in AndroidManifest.xml
• Read and write access control
• Content URIs
• Combination of ‘authority’ and ‘path’
• content://<authority><path>
• content://downloads/my_downloads/45
• What about SOP?
29. Android Download Manager
• System service that handles long-running HTTP downloads
• Back to SOP…
content://downloads/my_downloads/45
content://downloads/my_downloads/46
content://downloads/my_downloads/102
30. Automatic File Downloads
• Thank you, HTML5!
• Confirmed to work in Chrome
• <a href="foo.html" download>
• <a href="foo.html" download="bar.html">
• Zero user interaction
• Link click using JavaScript
• Perfect for Pwn2Own
32.–38. Exploit #1 – Stealing Downloaded Files
Sequence diagram built up over slides 32 to 38. Participants: Attacker’s Web Server, Victim’s Browser, Android Download Manager. Messages in the order the build-up introduces them; arrow directions follow the request/response labels, and the browser’s address bar is shown in square brackets where a slide displays it:
1. Victim’s Browser -> Attacker’s Web Server: GET /index.html
2. Attacker’s Web Server -> Victim’s Browser: index.html [https://attacker.com/index.html]
3. Victim’s Browser -> Attacker’s Web Server: GET /evil.html
4. Attacker’s Web Server -> Victim’s Browser: evil.html (download)
5. Victim’s Browser -> Android Download Manager: evil.html (download)
6. Victim’s Browser -> Android Download Manager: GET my_downloads/54
7. Android Download Manager -> Victim’s Browser: evil.html [content://downloads/my_downloads/54]
8. Victim’s Browser -> Android Download Manager: GET my_downloads/53
9. Android Download Manager -> Victim’s Browser: secrets.pdf
10. Victim’s Browser -> Attacker’s Web Server: secrets.pdf
39. Mobile Pwn2Own 2016
Category                        | Phone          | Price (USD)
Obtaining Sensitive Information | Apple iPhone   | $50,000
Obtaining Sensitive Information | Google Nexus   | $50,000
Obtaining Sensitive Information | Samsung Galaxy | $35,000
Install Rogue Application       | Apple iPhone   | $125,000
Install Rogue Application       | Google Nexus   | $100,000
Install Rogue Application       | Samsung Galaxy | $60,000
Force Phone Unlock              | Apple iPhone   | $250,000
40. Exploit Enhancement
• Downloading arbitrary files
• User sessions
<a id='foo' href='https://drive.google.com/my_drive.html' download> link </a>
<script>
document.getElementById('foo').click();
</script>
43.–50. Exploit #2 – Stealing Google Drive Files
Sequence diagram built up over slides 43 to 50. Participants: Attacker’s Web Server, Google Drive Web Server, Victim’s Browser, Android Download Manager. Messages in the order the build-up introduces them; arrow directions follow the request/response labels, and the browser’s address bar is shown in square brackets where a slide displays it:
1. Victim’s Browser -> Android Download Manager: evil.html (download)
2. Victim’s Browser -> Android Download Manager: GET my_downloads/54
3. Android Download Manager -> Victim’s Browser: evil.html [content://downloads/my_downloads/54]
4. Victim’s Browser -> Google Drive Web Server: GET /my_drive.html
5. Google Drive Web Server -> Victim’s Browser: my_drive.html (download)
6. Victim’s Browser -> Android Download Manager: my_drive.html (download)
7. Victim’s Browser -> Attacker’s Web Server: GET /bounce.html
8. Attacker’s Web Server -> Victim’s Browser: bounce.html [https://attacker.com/bounce.html]
9. Victim’s Browser: history.back(); [content://downloads/my_downloads/54]
10. Victim’s Browser -> Android Download Manager: GET my_downloads/55
11. Android Download Manager -> Victim’s Browser: my_drive.html
12. Victim’s Browser -> Google Drive Web Server: GET /img?id=12345678
13. Google Drive Web Server -> Victim’s Browser: img_foo.jpg (download)
14. Victim’s Browser -> Android Download Manager: img_foo.jpg (download)
15. Victim’s Browser -> Android Download Manager: GET my_downloads/56
16. Android Download Manager -> Victim’s Browser: my_drive.html (as labelled on slide 50)
17. Victim’s Browser -> Attacker’s Web Server: POST /exfiltrate
53. Mobile Pwn2Own 2016
Category                        | Phone          | Price (USD)
Obtaining Sensitive Information | Apple iPhone   | $50,000
Obtaining Sensitive Information | Google Nexus   | $50,000
Obtaining Sensitive Information | Samsung Galaxy | $35,000
Install Rogue Application       | Apple iPhone   | $125,000
Install Rogue Application       | Google Nexus   | $100,000
Install Rogue Application       | Samsung Galaxy | $60,000
Force Phone Unlock              | Apple iPhone   | $250,000
54. Bettererer Exploit
• We can also make POST requests
• Download pages containing CSRF token
• Use CSRF token in POST request
• We’ve got everything now…
55. Exploit #3 – Install APK from Play Store
• Grab a CSRF token
  https://play.google.com/store
  function(){window._uc='[x22Kx1pa-cDQOe_1C6Q0J2ixtQT22:1477462478689x22, x220x22, x22enx22,x22GBx22,
• Grab victim’s device ID
  https://play.google.com/settings
  <tr class="excPab-rAew03" id="g1921daaeef107b4" data-device-id="g1921daaeef107b4" data-nickname="" data-visible="true" jsname="fscTHd">
• Install APK via POST request using CSRF token and device ID
  https://play.google.com/store/install?authuser=0
  id=com.mylittlepony.game&device=g1921daaeef107b4&token=Ka1pa-dDQOe_1C6Q0J2ixtQT32:1477462478689
56.–61. Exploit #3 – Install APK from Play Store
Sequence diagram built up over slides 56 to 61. Participants: Attacker’s Web Server, Google Play Web Server, Victim’s Browser, Android Download Manager. Messages in the order the build-up introduces them; arrow directions follow the request/response labels, and the browser’s address bar is shown in square brackets where a slide displays it:
1. Victim’s Browser: evil.html running from [content://downloads/my_downloads/54]
2. Victim’s Browser -> Google Play Web Server: GET /store.html
3. Google Play Web Server -> Victim’s Browser: store.html (download)
4. Victim’s Browser -> Android Download Manager: store.html (download)
5. Victim’s Browser -> Attacker’s Web Server: GET /bounce.html
6. Attacker’s Web Server -> Victim’s Browser: bounce.html [https://attacker.com/bounce.html]
7. Victim’s Browser: history.back(); [content://downloads/my_downloads/54]
8. Victim’s Browser -> Android Download Manager: GET my_downloads/55
9. Android Download Manager -> Victim’s Browser: store.html
10. Victim’s Browser -> Google Play Web Server: GET /settings.html
11. Google Play Web Server -> Victim’s Browser: settings.html (download)
12. Victim’s Browser -> Android Download Manager: settings.html (download)
13. Victim’s Browser -> Android Download Manager: GET my_downloads/56
14. Android Download Manager -> Victim’s Browser: settings.html
15. Victim’s Browser -> Google Play Web Server: POST /install
62. Mobile Pwn2Own 2016
Category                        | Phone          | Price (USD)
Obtaining Sensitive Information | Apple iPhone   | $50,000
Obtaining Sensitive Information | Google Nexus   | $50,000
Obtaining Sensitive Information | Samsung Galaxy | $35,000
Install Rogue Application       | Apple iPhone   | $125,000
Install Rogue Application       | Google Nexus   | $100,000
Install Rogue Application       | Samsung Galaxy | $60,000
Force Phone Unlock              | Apple iPhone   | $250,000
63. Keep calm and… aw, snap!
• Pending Chrome update?!
• Automatic updates failed us
• Segmentation fault from AJAX requests
• Never had time to investigate
• Can still use HTML forms to POST back
• Absolute mess compared to AJAX
65. Exploit Improvement
• Removing Pwn2Own debugging
• Completely removing AJAX
• Moving the bulk of the logic off to the agent
• Intelligent agent
• Less C&C traffic
• Hiding malicious activities from the user
66. Changing Focus
• Prompt for redirecting to another application
• Media players, PDF readers and other applications
• <a href='rtsp://sexy.time.gov.uk/cam1'>Click me!</a>
• In focus test in JavaScript
• document.hidden == true
67. Toasts
• Small popups at the bottom of the screen
• Automatic file downloads
• “Downloading…”
69. Going Further
• Wait for the screen to get locked?
• JS is slightly delayed when the browser isn’t in focus, or the lock
screen is activated
• Loop JS function every 100 ms
• Test time passed since last function call
70.–71. How realistic is this?
(Chart: y-axis ticks from 700 to 1100; one series labelled Minimised on slide 70, two series labelled Minimised and Locked on slide 71.)
72. The Patch
• CVE-2016-5196
• Chromium Bug ID 659492
• The content scheme is now a local scheme
• Similar to file:// scheme
• Cannot redirect from http:// to content://
• Cannot read other content:// files
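The per-scheme origin rules from the "SOP in Chrome for Android" table (slide 26) and the effect of the CVE-2016-5196 patch (slide 72), as a small executable model that is an added example here, not Chromium code or the authors' own. The functions originOf, sameOrigin and redirectAllowed, the apiLevel/patched options and the sample URLs are assumptions made for the illustration.

```javascript
// Added example: a model of the origin rules from the "SOP in Chrome for
// Android" slide, before and after the CVE-2016-5196 patch. It illustrates
// the table; it is not Chromium's implementation.

// Origin of a URL under the slide's rules. `apiLevel` is the Android API
// level; `patched` applies the CVE-2016-5196 change (content:// becomes a
// local scheme, like file://). A null return is the opaque "NULL" origin.
function originOf(urlString, { apiLevel = 24, patched = false } = {}) {
  const url = new URL(urlString);
  switch (url.protocol) {
    case "http:":
    case "https:":
      // scheme, domain and port number must match (host keeps a non-default port)
      return `${url.protocol}//${url.host}`;
    case "file:":
      // the full file path is the origin until API 23; NULL from API 24 on
      return apiLevel <= 23 ? `file://${url.pathname}` : null;
    case "content:":
      // pre-patch: scheme + authority, so every row of one provider is same-origin;
      // post-patch: local scheme, every content:// document gets a NULL origin
      return patched ? null : `content://${url.host}`;
    case "data:":
      return null; // data: URLs always get a NULL origin
    default:
      return null; // other schemes treated as opaque here (assumption of this model)
  }
}

// Two documents are same-origin only when both origins are non-null and
// equal; a NULL origin never matches, not even another NULL origin.
function sameOrigin(a, b, opts = {}) {
  const oa = originOf(a, opts);
  return oa !== null && oa === originOf(b, opts);
}

// Navigation rule from the patch slide: once content:// is a local scheme,
// an http(s) page can no longer redirect into it.
function redirectAllowed(fromUrl, toUrl, { patched = false } = {}) {
  const from = new URL(fromUrl).protocol;
  const to = new URL(toUrl).protocol;
  const fromWeb = from === "http:" || from === "https:";
  return !(patched && fromWeb && to === "content:");
}

// Constructed sample URLs following the slides' flow, checked under each setting.
function report() {
  const evil = "content://downloads/my_downloads/54";   // attacker's downloaded page
  const secret = "content://downloads/my_downloads/53"; // an unrelated download
  const index = "https://attacker.com/index.html";
  const self = "file:///sdcard/foo.html";
  const other = "file:///sdcard/bar.html";
  return {
    // the bug: two rows of the downloads provider share an origin before the patch
    rowsSameOriginBefore: sameOrigin(evil, secret),
    rowsSameOriginAfter: sameOrigin(evil, secret, { patched: true }),
    // the entry point: redirecting the web page into content://
    redirectBefore: redirectAllowed(index, evil),
    redirectAfter: redirectAllowed(index, evil, { patched: true }),
    // file:// on old Android: a page may read itself (slide 23) but not another path
    fileSelfApi17: sameOrigin(self, self, { apiLevel: 17 }),
    fileOtherApi17: sameOrigin(self, other, { apiLevel: 17 }),
    fileSelfApi24: sameOrigin(self, self, { apiLevel: 24 }),
  };
}

console.log(report());
```

Run under Node; the report shows which checks flip from allowed to blocked once the content scheme is treated as local.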