نویسنده: Admin

At Pwn2Own Vancouver 2021 I have demonstrated an 0day VM escape exploit for Parallels Desktop hypervisor. The exploit chain that I developed was based on logic issues. In this deep technical presentation I will share the technical details of the exploit, as well as various preliminary and contextual knowledge related to it.
Logic security vulnerabilities (i.e. those that can be exploited without any memory corruptions) are becoming increasingly important in offensive security research right now, as Rust and other memory-safe programming languages are rapidly taking over popular code bases. When evaluating the attack surface of Parallels Desktop, as an expert in both hypervisors and memory corruption bugs, I saw many opportunities for classical buffer overflows, but chose to try and find a logic bug instead. As hypervisors are ultra-complex low level software, exploitable logic bugs in them are extremely rare. I was lucky to find such a “one of a kind” bug.
Despite the bug was quite simple, the exploit turned out to be not so easy. Exploitation of the bug required me to develop a kernel module for the guest OS from which I was escaping, reverse-engineer some internal RPC protocol of the hypervisor, and emulate it in the exploit code. Eventually the exploit was reliable 100% by design, and executed arbitrary code on the host Mac. During the Pwn2Own competitions it came as a surprize that my exploit did not meet any collisions with other competition entries. Because the bug itself was quite easy, I expected that at least one participant would find and utilize it independently in their own Pwn2Own exploit. But it didn’t happen. That made me aware of the fact that a bug that looks easy does not necessarily imply an easy discovery or an easy exploitation process, an estimation which is very important for strategic aspects of offensive security research.

ادامه مطلب

We will look into how we can bypass kASLR, kLFH, and do hands-on exploitation using data-only attack, which effectively bypasses SMEP and other exploit mitigations.

Upon completion of this training, participants will be able to learn:

  • Exploit development process in kernel mode
  • Mitigation bypasses
  • Pool internals & Feng-Shui
  • Arbitrary Read/Write primitive
ادامه مطلب

This is not your traditional SCADA/ICS/IIoT security course! How many courses send you home with a $500 kit including your own PLC and a set of hardware/RF hacking tools?!? This course teaches hands-on penetration testing techniques used to test individual components of a control system, including embedded electronic field devices, network protocols, RF communications, Human Machine Interfaces (HMIs), and various forms of master servers and their ICS applications. Skills you will learn in this course will apply directly to systems such as the Smart Grid, PLCs, RTUs, smart meters, building management, manufacturing, Home Area Networks (HAN), smart appliances, SCADA, substation automation, synchrophasors, and even IoT. This course is structured around the formal penetration testing methodology created by UtiliSec for the United States Department of Energy. Using this methodology and Control Things Pentest Platform (previously SamuraiSTFU), an open source Linux distribution for pentesting energy sector systems and other critical infrastructure, we will perform hands-on penetration testing tasks on user interfaces (on master servers and field device maintenance interfaces), control system protocols (modbus, DNP3, IEC 60870-5-104), RF communications (433MHz, 869MHz, 915MHz), and embedded circuit attacks (memory dumping, bus snooping, JTAG, and firmware analysis). We will tie these techniques and exercises back to control system devices that can be tested using these techniques. The course exercises will be performed on a mixture of real world and simulated devices to give students the most realistic experience as possible in a portable classroom setting. Advances in modern control systems such as the energy sector’s Smart Grid has brought great benefits for asset owners/operators and customers alike, however these benefits have often come at a cost from a security perspective. With increased functionality and addition inter-system communication, modern control systems bring a greater risk of compromise that vendors, asset owners/operators, and society in general must accept to realize the desired benefits. To minimize this risk, penetration testing in conjunction with other security assessment types must be performed to minimize vulnerabilities before attackers can exploit critical infrastructures that exist in all countries around the world. Ultimately, this is the goal of this course, to help you know how, when, and where this can be done safely in your control systems.

ادامه مطلب

In this four-day course, the attendees will walk through the Purple Team Exercise Framework, learning each role that plays a part in purple team engagements. Students will learn to collect Cyber Threat Intelligence (CTI), develop and conduct Adversary Emulation plans based on gathered intelligence, then dive into detection engineering to identify and resolve missed detection opportunities. Each day is a dive into one of the roles, and the course will conclude with a capstone that puts it all together in a purple team engagement. This intermediate-level course aims to broaden the students’ understanding of purple team engagements’ different roles and responsibilities and is geared towards red teamers, blue teamers, intelligence analysts, and managers looking to expand their purple team capabilities.

ادامه مطلب

This 4-day course cuts through the mystery of Cloud Services (including AWS, Azure, and G-Cloud) to uncover the vulnerabilities that lie beneath. We will cover a number of popular services and delve into both what makes them different, and what makes them the same, as compared to hacking and securing traditional network infrastructure. Whether you are an Architect, Developer, Pentester, Security or DevOps Engineer, or anyone with a need to understand and manage vulnerabilities in a Cloud environment, understanding relevant hacking techniques, and knowing how to protect yourself from them is critical. This course covers both the theory as well as a number of modern techniques that may be used to compromise various Cloud services and infrastructure. Prior pentest/security experience is not a strict requirement, however, some knowledge of Cloud Services and familiarity with common Unix command-line syntax will be beneficial.

ادامه مطلب

After a sold-out course last year at Blackhat, we are back with an updated version of our course with additional coverage of ARM64, mobile browser security, and more in-depth coverage of Mobile apps and operating system security. The class starts with a basic introduction to the ARM instruction set and calling conventions followed by some reverse engineering exercises.  We then learn how to write simple exploits for the ARM64 environment. Next, we move to Mobile browser security, understand some of the browser mitigations followed by writing some simple exploits for the mobile browser. We then cover iOS and Android internals in further detail. We then discuss some of the exploitation techniques using real-world vulnerabilities (e.g., voucher_swap, checkm8, etc) followed by a walkthrough of how jailbreaks are written. We also discuss some of the common vulnerability types (Heap Overflows, Use-after-free, Uninitialized Stack variable, Race conditions). We will also look at how to build the Android kernel, customize it using Kernel tunables and then use a 1-day vulnerability to gain kernel r/w access. The training then moves on to application security based on exploiting the Damn Vulnerable iOS app, Android-lnsecureBankv2, and lnsecurePass application written by the authors of this course in addition to a broad range of other real-world applications. We then cover a variety of mitigations deployed in real-world apps and discuss how to bypass them. Slides, videos and detailed documentation on the labs will be provided to the students for practice after the class. Corellium access will be provided to students during the duration of the training course.

Syllabus

  • Introduction to ARM64 and Mobile Browser Security [2 modules]
  • iOS Exploitation
  • Android Exploitation

Offensive Mobile Reversing And Exploitation (2021)

ادامه مطلب