I spent the last two days in Paris attending Hexacon 2022. As usual when I write here about conferences I’ll summarize some talks & observations. I don’t go to many offensive security-only events (it’s well-known that I have thoughts on a certain scene and its [non-] ethics, but on the other hand a periodic reality check of such sentiments shouldn’t hurt either). Hexacon had caught my attention due to the superb speaker line-up, and I could reasonably expect to meet some old friends there.
Having been a conference organizer for a while in my life I can say that I was seriously impressed by what Renaud & team have put together (fair chance that the team did the vast majority of the real work ;-). Very well organized event, excellent talks (not a single rly weak one) and good community spirit. Great job, folks!
That said, let’s have a look at the talks. For time reasons I will only cover some of them, and slides/videos for quite a few have not been published yet (it’s announced though), hence let’s hope that my memory serves me correctly…
Luca Tedesco: Life and Death as an iOS attacker
Luca started with an overview of the fundamental pieces of the iOS security model & of recent advances both in the space of attack vectors and when it comes to protections:
He repeatedly emphasized the value of Lockdown Mode, assuming it might have taken a couple of afternoons to implement 😂. He summarized that ‘Apple is finally winning’ which, according to Shahar Tal, was met with ‘crowd silence‘ (I can confirm this).
Luca then provided some conclusions on the future business of iOS-oriented offensive security research which at first glance can be summarized as follows:
– given the complexity of iOS and its security measures it’s very unlikely any individual can succeed alone. Some players will go out of business.
– to survive (in the business) access to significant amounts of private knowledge is needed as public information is years behind the mitigations.
– exploit-based public jailbreaks (JBs) are most likely over.
So far, so good. However an alternative reading of those statements could be this one:
– groups who have what he calls ‘private knowledge’ will still make the deals $$$.
– JBs won’t be released to the public (I’m not following that scene closely, but I think this has already been the case for a while now). They will instead be sold to the highest bidders.
– ofc the speaker and their company belong to the privileged as per the 1st statement.
To – maybe – support this reading Luca pulled a final trick by ending with a short video (which then again, from my limited perception, has become a common ending of such talks in recent years) which – maybe – showed a working JB against iOS 16.1. There was a comment on Twitter that a photo of that demo ‘misses context for those not in attendance’. I can confirm that it also missed context for some in attendance (incl. myself ;-), but this might (srsly) be attributed to my non-familiarity with the space.
Overall a solid technical talk (I learned quite a bit), together – maybe – with a pitch for services which – maybe – can only be offered by a privileged few.
Anaïs Gantet, Nicolas Devillers, Jean-Romain Garnier: The Unavoidable Pain Of Backups. Security Deep-Dive Into The Internals Of NetBackup
The team from the Airbus Security Lab has been doing very interesting research for many years, together with the release of results and tools. In this talk they discussed their findings from performing an in-depth assessment of NetBackup. NetBackup here being a perfect example of
– a piece of 3rd party software found in many large enterprises.
– which runs with high privileges and/or has access to highly sensitive data.
– is complex in itself, and may use old & complex standards (e.g. in this case CORBA).
I generally think it’s super-important to publicly discuss the results of such assessments (presumably well-funded actors look at enterprise tools, too, albeit without publishing the results…). Similar stuff from another research group can be found here or here.
The speakers started by laying out their methodology & research questions:
They then provided a detailed overview of the inner architecture of NetBackup, its daemons & processes, the ports those run on, and how those interact.
Finally, of course, their findings were presented, incl. a very nice demo (pay close attention to the names of the phases of the demo, in the top left part of the bottom pic):
Thomas Chauchefoin: You’ve got mail! And I’m root on your Zimbra server
Another talk dissecting (and pwning) a piece of enterprise software, in this case an e-mail & collaboration suite called Zimbra. This one being a perfect example of a commercial product which
– uses many OSS components, loosely coupled together + masked behind web frontends.
– undertakes more or less successful attempts to filter/sanitize input, which is then processed in the chain of those various, loosely coupled, components.
– does not rly use sandboxing of components or stripping-down of privileges.
What could go wrong with such a piece? – Right…
(btw, many parts of this talk reminded me of the days when Felix owned FireEye boxes)
Thomas discussed the inner workings of Zimbra and subsequently several vulnerabilities he found (incl. CVE-2022-27924), accompanied by some proper demos.
Generally there seem to be a lot of Zimbra vulns in 2022 😱, looking at the list of their security advisories. This is his summary:
Overall an interesting presentation, and apparently quite timely as active exploitation of Zimbra seems to happen these days.
MS-RPC is a juicy target – it runs on every Windows machine, the endpoint mapper service listens on a fixed port (TCP 135), and vulnerabilities might be wormable (Blaster used it, back in 2003). After Ophir laid out the general architecture and core terminology, Stiv explained how the interaction of authentication and the caching of access information can lead to bypass attacks.
He went on to detail the steps needed to find CVE-2022-38034 which was patched on this month’s patch Tuesday (= three days before their Hexacon talk ;-). Overall another excellent technical presentation & very relevant research.
Slides can be found here.
Certainly one of the most anticipated talks of Hexacon, and they did not disappoint. To own the car they focused on the infotainment system (synecdoche used deliberately here as I seem to have missed the part in which they discussed the strong isolation between infotainment and CAN bus which Tesla uses, or not):
It runs Linux with some COTS components for embedded systems like ConnMan which turned out to be the path for (attacker 😉 ) interaction:
Some remarks they made gave me the impression that Tesla was not always super-cooperative during their research (and, afai understood, they did not receive the pay-out which would have been appropriate for their findings, but I might recall that part incorrectly…). David & Vincent concluded their – excellent – talk with an important reminder of the value of persistence in the life of a security researcher:
This was one of the Hexacon talks I was most looking forward to as I closely worked with Felix for many years, and I know that he has vast skills both exploiting stuff and explaining how he did it ;-).
While in enterprise settings the SAML Identity Providers (IdPs) can be considered trusted by the Service Providers (SPs), this picture completely changes in cloud environments where the cloud provider has to interact with many potentially untrustworthy IdPs. When analyzing the attack surface in the space of XML signatures (which are used by SAML) Felix identified several vulnerabilities (CVE-2022-34716 External Entity Injection during XML signature verification, CVE-2022-29824 heap-buffer-overflow in xmlBufAdd, CVE-2022-34169 Integer Truncation in XSLTC). To quote from the Google P0 blog, the latter “would allow for arbitrary code execution in software using Xalan-J for processing untrusted XSLT stylesheets. As Xalan-J is used for performing XSLT transformations during XML signature verification in OpenJDK, this bug potentially affects a large number of Java based SAML implementations”.
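The defensive takeaway from those three bugs is that an SP should never let a DTD or an XSLT transform reach the signature-verification code at all. As an added example (mine, not from the talk or from any SAML library), here is a pre-verification gate in Python that rejects DTD/entity declarations and allowlists the transform algorithms a SAML response legitimately needs; the two sample documents are constructed, not real traffic.

```python
import xml.etree.ElementTree as ET
from typing import List

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
# Transform algorithms a SAML SP normally needs; XSLT is deliberately absent.
ALLOWED_TRANSFORMS = {
    "http://www.w3.org/2000/09/xmldsig#enveloped-signature",
    "http://www.w3.org/TR/2001/REC-xml-c14n-20010315",
    "http://www.w3.org/2001/10/xml-exc-c14n#",
    "http://www.w3.org/2001/10/xml-exc-c14n#WithComments",
}
XSLT_TRANSFORM = "http://www.w3.org/TR/1999/REC-xslt-19991116"


def pre_verify_checks(xml_bytes: bytes) -> List[str]:
    """Reasons to reject a signed SAML message before signature verification.
    An empty list means the document may be handed to the verifier."""
    problems = []
    # A DOCTYPE is never needed in a SAML message; it is what enables entity
    # injection during verification, so refuse it without parsing at all.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        return ["DTD/entity declaration present"]
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        return ["not well-formed XML"]
    # Walk every ds:Transform and enforce the allowlist; an XSLT transform
    # is exactly what would route untrusted stylesheets into Xalan-J.
    for transform in root.iter(f"{{{DS_NS}}}Transform"):
        alg = transform.get("Algorithm", "")
        if alg == XSLT_TRANSFORM:
            problems.append("XSLT transform in signature reference")
        elif alg not in ALLOWED_TRANSFORMS:
            problems.append(f"unexpected transform algorithm: {alg}")
    return problems


# Constructed samples: a benign signed response, one carrying an XSLT
# transform, and one prefixed with an (internal) DTD.
BENIGN = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
 <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <ds:SignedInfo><ds:Reference URI="">
   <ds:Transforms>
    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
   </ds:Transforms>
  </ds:Reference></ds:SignedInfo>
 </ds:Signature>
</samlp:Response>"""
XSLT = BENIGN.replace(b"http://www.w3.org/2001/10/xml-exc-c14n#", XSLT_TRANSFORM.encode())
DTD = b'<!DOCTYPE x [<!ENTITY e "x">]>' + BENIGN
```

Note that this gate complements, and does not replace, a parser configured with DTD processing and external entity resolution disabled.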
These are his conclusions:
Great talk in which I learned a lot about cloud trust models & modern attack surfaces based on old complex standards. (it seems IPv6 is not an exception here 😉 )
Slides can be found here.
Slides of talks which I did not discuss:
Hara-Kirin: Dissecting the Privileged Components of Huawei Mobile Devices – slides here
A journey of fuzzing Nvidia graphic driver leading to LPE exploitation – slides here
Toner Deaf – Printing your next persistence – slides here
Attacking Safari in 2022 – slides here