In this blog post, we are sharing summaries of talks from the Hack in the Box Conference in Amsterdam (HITBSecConf2023), the final HITB conference in Amsterdam. Before we do that, however, we would like to extend a heartfelt thank you to the organizers of the conference for putting together such an insightful and engaging event.
The talk by Bramwell Brizendine covered the topic of syscall usage in shellcode. The general idea is to hide from AV/EDR systems by not using APIs such as CreateProcessA, which may be monitored, but to call the corresponding kernel functions directly. This can be accomplished, for example, with the syscall CPU instruction (see [1], [2] and [3] for more information). While this technique is not perfectly stealthy and can still be detected (e.g., with a kernel driver), it at least circumvents inline hooks in user space. Another downside is the effort of building shellcode that uses syscalls directly. Besides more overhead in preparing everything for the syscall (for example, manually creating the appropriate structs), the correct syscall ID must be gathered, which can change between kernel versions.
In order to cope with these problems, Bramwell Brizendine presented his framework ShellWasp [4], which eases the creation of such shellcode. He furthermore introduced (new) techniques for fingerprinting the OS and a new trick to obtain the PEB. One limitation of his approach, however, is that it only supports 32-bit shellcode in WoW64 processes, since he uses WoW64 functionality in order to perform the syscalls. This brings us to another point: his approach does not seem to execute any syscall instruction itself, but leaves that to the WoW64 functionality, which potentially leaves the approach susceptible to detection by inline hooks in certain WoW64 APIs involved in the transition to kernel mode (in contrast to approaches that perform the syscalls themselves).
This talk was about using OpenAI’s machine learning models to create polymorphic malware that is hard to detect by security products.
Polymorphic code is code that changes itself every time it runs while the logic of the code stays the same. This behavior makes it more difficult for antivirus software to detect the malware because it is harder to recognize patterns of malicious code. To create polymorphic malware, the researchers built a program that contains a Python interpreter and is able to communicate with a command and control (C&C) server and the AI model. The models used by the researchers were both generative AIs, specifically Generative Pre-trained Transformer (GPT) models. Generative AI is a type of artificial intelligence that is able to generate new and unique outputs based on patterns learned from existing data. One of the challenges was the content filters ChatGPT uses to block the output of illegal content, such as malware code. As the text-davinci-003 model did not have these moral concerns, they decided to go with it instead. While the talk was not super technical, we found the idea of using GPT models to generate malware code on the fly very interesting.
The talk Your Not So Home Office – SOHO Hacking at Pwn2Own by Alex Plaskett and McCaulay Hudson immediately caught our attention with its intriguing insights. The presentation showcased their journey of hacking an entire Small Office, Home Office (SOHO) chain for the Pwn2Own Toronto 2022 competition, where they won third place.
Their journey began with gaining shell access to the router, which they achieved by design or through various means like exploiting a secret backdoor or physically manipulating the router hardware. Using this access, the team identified multiple vulnerabilities in several routers and typical smart home devices such as printers. Although the vulnerabilities were relatively simple, such as disabled SSL verification or improper parsing leading to command injection, almost all devices had one severe vulnerability. By combining some of these vulnerabilities, they created a sophisticated attack chain to pwn the entire SOHO chain.
What stood out to us was not only the impressive number of vulnerabilities they found, but the speakers’ insights into their team’s motivations and considerations while participating in the competition. They shared how they selected the appropriate attack chain to minimize the risk of collisions with other teams while finding a balance between maximizing their ranking and prize money. They also highlighted the different sources they used, like freely available firmware updates, to discover and exploit the vulnerabilities.
Overall, the biggest takeaway for us was the importance of having a versatile team with diverse skill sets and the ability to work together effectively. The insights and considerations the speakers shared in their talk really sparked our interest.
Who would not want the opportunity to acquire 40 billion dollars worth of cryptocurrency through a bug? Haoyu Yang, a senior security researcher at Tencent Security Xuanwu Lab specializing in blockchain and application security, presented such a bug in his talk XRP Raid Protector: Killing a Critical Bug Worth 40 Billion Dollars. The talk revealed a P2P-RCE vulnerability in the XRP Ledger that allowed an attacker to easily compromise an XRP node server and, in the best case for the attacker, steal crypto assets from any address on the XRP Ledger. The results of the talk demonstrated that an attacker could take control of the entire XRPL network. In our opinion, one particularly fascinating aspect of the talk was how it was possible to manipulate the node server into performing remote code execution. The XRP Ledger communicates through a peer-to-peer network with various nodes connected to each other. Each node stores information about the other nodes it communicates with, including values such as the IP address and the number of hops. These nodes are then stored in a linked list to perform transactions in the fastest way possible. To insert a new node, an IPv6/IPv4 address is passed through a TMEndpoint message along with the number of hops as an integer. However, it was discovered that the number of hops was cast from an unsigned int to a signed int. This made it possible to write outside the intended range through out-of-bounds operations. Although the hop count was checked for an integer overflow, it was not checked for an integer underflow. This ultimately led to objects being created outside the intended range where the endpoints should be. Conveniently, this created the opportunity for the attacker to inject a fake object into the list of nodes using a method that was not consistency checked. Through this extension, the attacker could then use controlled payloads via heap spraying.
Also exciting was a demo at the end, demonstrating how the contents of a wallet were transferred to the attacker’s wallet. Finally, it was satisfying to see how the bug was fixed by adjusting the endpoint’s struct, which now expects an unsigned int instead of casting to a signed int, and a default constructor was added to automatically initialize the hops to 0.
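The signed/unsigned conversion described above is a recurring bug class, so here is a small model of it as an added example (our own illustration, not XRPL code). The table layout, the limit MAX_HOPS, the addresses and the wire values are all constructed for the example. The vulnerable variant checks the upper bound only after the count has been reinterpreted as signed, so a large unsigned value becomes a negative index and the write lands in front of the table; the fixed variant keeps the count unsigned and defaults it to 0, mirroring the fix the talk described.

```python
MAX_HOPS = 6                # constructed: largest hop count the table is sized for
TABLE_BASE = 0x1000         # constructed: address where the endpoint table starts
SLOT_SIZE = 16              # constructed: bytes occupied by one endpoint entry


def to_int32(value):
    """Reinterpret a 32-bit unsigned value as signed, the way a C cast does."""
    value &= 0xFFFFFFFF
    return value - (1 << 32) if value & 0x80000000 else value


def in_table(address):
    """True if the address lies inside the endpoint table."""
    return TABLE_BASE <= address <= TABLE_BASE + MAX_HOPS * SLOT_SIZE


def insert_vulnerable(memory, endpoint, hops_wire):
    """Bounds check performed after the cast: only the overflow side is covered."""
    hops = to_int32(hops_wire)
    if hops > MAX_HOPS:                       # overflow is rejected ...
        raise ValueError("too many hops")
    address = TABLE_BASE + hops * SLOT_SIZE   # ... but a negative count walks backwards
    memory[address] = endpoint
    return address


def insert_fixed(memory, endpoint, hops_wire=0):
    """Count stays unsigned (and defaults to 0), so no negative index can arise."""
    hops = hops_wire & 0xFFFFFFFF
    if hops > MAX_HOPS:
        raise ValueError("too many hops")
    address = TABLE_BASE + hops * SLOT_SIZE
    memory[address] = endpoint
    return address


def demo():
    """Feed the same hostile hop count to both variants and report what happened."""
    hostile = 0xFFFFFFFE            # constructed wire value; reads as -2 once cast to signed
    endpoint = "203.0.113.7"        # constructed peer address (documentation range)
    memory = {}                     # address -> object, standing in for the heap
    written_at = insert_vulnerable(memory, endpoint, hostile)
    try:
        insert_fixed(memory, endpoint, hostile)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "vulnerable_wrote_inside_table": in_table(written_at),
        "vulnerable_offset_from_table": written_at - TABLE_BASE,
        "fixed_rejected": rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The important detail is the order of operations: validating the value after it has changed signedness lets the comparison `hops > MAX_HOPS` pass for every value that became negative, which is exactly the underflow side the talk said was unchecked.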
The presenter talked about a research project by Anvil Secure, in which they discovered several vulnerabilities in the Garmin Watch. With those vulnerabilities they were able to extract the OS’s firmware. Firstly, he gave an overview of the functionality of the Garmin Watch and how it works on the inside. It has a custom proprietary OS, which is mainly programmed in C, but also uses a custom language named MonkeyC. He mainly focused on the apps as the attack surface and investigated how app files are loaded, how permissions are implemented and what native functions exist. In this research project, they reported a total of 14 vulnerabilities to Garmin, among them multiple buffer overflows and out-of-bounds writes. In the end there were over 100 affected models including fitness watches, outdoor handhelds, and GPS devices for bikes. In our opinion the talk was very interesting, because he showed a lot of the code he was able to exploit and performed a live demo of the PoC, where he showed the actual byte code of the firmware displayed on the watch.
The talk from Tim Blazytko and Moritz Schloegel about Virtualization-based Obfuscators was one of our favorite talks. The authors, who also publish papers on the topic, gave a nice overview on the current state of virtualization-based obfuscators. Virtualization-based obfuscators are commonly used in commercial software protection solutions such as Themida or VMProtect to protect intellectual property and are the foundation of certain types of software, e.g., DRM and client-side anti-cheat solutions.
In the beginning of the talk, an overview of the design and architecture of established approaches was given. The talk then introduced a variety of deobfuscation attacks, such as compiler optimizations, symbolic execution and program synthesis, which allow deobfuscation of VM components and even reconstruction of the underlying code protected by the VM.
Following that, design principles for the next generation of virtual machines for obfuscation were presented, which are more resilient against deobfuscation by abusing weaknesses of the analysis techniques. These new design principles focus on making the virtualized instructions harder to analyze by merging the semantics of instruction handlers and adding complexity.
Another important concept presented was Mixed Boolean-Arithmetic (MBA) Synthesis. MBA describes an approach to encode expressions in a syntactically complex manner by combining arithmetic operations with bitwise operations. For example, x + y can be substituted by the MBA expression (x | y) + (x & y). With MBA synthesis, instead of a small fixed set of substitution rules, which can be deobfuscated using pattern matching, large classes of equivalent expressions are precomputed and randomly combined.
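To make the difference between fixed-rule substitution and synthesis concrete, here is an added example in miniature (our own code, not the speakers' tooling or the LOKI prototype). The rule table, the expression-tree encoding, the 4-bit word size (chosen so equivalence can be checked exhaustively; the identities themselves hold for any width) and the toy pattern-matching deobfuscator are all assumptions of this example. It rewrites x + y once with the single rule from the text, then with randomly combined rules from a precomputed table, verifies both against the original, and shows that a deobfuscator that only knows the one rule recovers the first form but not the second.

```python
import random
from itertools import product

BITS = 4                       # small word size so the equivalence check can be exhaustive
MASK = (1 << BITS) - 1
ONE = ('const', 1)

# Expression trees: ('var', 'x'), ('const', 1), ('not', e) or (op, left, right)
# with op in add, sub, and, or, xor.


def evaluate(expr, env):
    """Evaluate an expression tree modulo 2**BITS."""
    op = expr[0]
    if op == 'var':
        return env[expr[1]] & MASK
    if op == 'const':
        return expr[1] & MASK
    if op == 'not':
        return ~evaluate(expr[1], env) & MASK
    a, b = evaluate(expr[1], env), evaluate(expr[2], env)
    if op == 'add':
        return (a + b) & MASK
    if op == 'sub':
        return (a - b) & MASK
    if op == 'and':
        return a & b
    if op == 'or':
        return a | b
    if op == 'xor':
        return a ^ b
    raise ValueError(op)


def equivalent(e1, e2):
    """Exhaustive check over all (x, y) pairs of the chosen word size."""
    return all(evaluate(e1, {'x': x, 'y': y}) == evaluate(e2, {'x': x, 'y': y})
               for x, y in product(range(MASK + 1), repeat=2))


def size(expr):
    """Number of nodes in the tree, a crude measure of syntactic complexity."""
    return 1 if expr[0] in ('var', 'const') else 1 + sum(size(c) for c in expr[1:])


# Precomputed classes of equivalent MBA forms, several per operator (constructed rule table).
RULES = {
    'add': [
        lambda a, b: ('add', ('or', a, b), ('and', a, b)),                           # (a|b)+(a&b)
        lambda a, b: ('add', ('xor', a, b), ('add', ('and', a, b), ('and', a, b))),  # (a^b)+2(a&b)
        lambda a, b: ('sub', ('sub', a, ('not', b)), ONE),                           # a-~b-1
    ],
    'sub': [
        lambda a, b: ('add', ('add', a, ('not', b)), ONE),                           # a+~b+1
        lambda a, b: ('sub', ('xor', a, b),
                      ('add', ('and', ('not', a), b), ('and', ('not', a), b))),      # (a^b)-2(~a&b)
    ],
    'xor': [
        lambda a, b: ('sub', ('or', a, b), ('and', a, b)),                           # (a|b)-(a&b)
        lambda a, b: ('sub', ('add', a, b), ('add', ('and', a, b), ('and', a, b))),  # a+b-2(a&b)
    ],
    'and': [
        lambda a, b: ('sub', ('add', a, b), ('or', a, b)),                           # a+b-(a|b)
        lambda a, b: ('sub', ('or', a, b), ('xor', a, b)),                           # (a|b)-(a^b)
    ],
    'or': [
        lambda a, b: ('sub', ('add', a, b), ('and', a, b)),                          # a+b-(a&b)
        lambda a, b: ('add', ('xor', a, b), ('and', a, b)),                          # (a^b)+(a&b)
    ],
}


def synthesize(expr, depth, rng):
    """Replace each operator by a randomly chosen equivalent form, `depth` levels deep."""
    if depth == 0 or expr[0] in ('var', 'const'):
        return expr
    if expr[0] == 'not':
        return ('not', synthesize(expr[1], depth, rng))
    new = rng.choice(RULES[expr[0]])(expr[1], expr[2])
    # the operators just introduced are rewritten again with one level less
    return (new[0],) + tuple(synthesize(c, depth - 1, rng) for c in new[1:])


def simplify_fixed(expr):
    """Pattern-matching deobfuscator that knows exactly one rule: (a|b)+(a&b) -> a+b."""
    if expr[0] in ('var', 'const'):
        return expr
    expr = (expr[0],) + tuple(simplify_fixed(c) for c in expr[1:])
    if (expr[0] == 'add' and expr[1][0] == 'or' and expr[2][0] == 'and'
            and expr[1][1:] == expr[2][1:]):
        return ('add', expr[1][1], expr[1][2])
    return expr


def demo(seed=7):
    """Compare the textbook substitution with a randomly synthesized one."""
    rng = random.Random(seed)
    plain = ('add', ('var', 'x'), ('var', 'y'))
    fixed = RULES['add'][0](plain[1], plain[2])
    synthesized = synthesize(plain, 3, rng)
    if not (equivalent(plain, fixed) and equivalent(plain, synthesized)):
        raise AssertionError("rewriting changed the semantics")
    return {
        'fixed_recovered': simplify_fixed(fixed) == plain,
        'synth_recovered': simplify_fixed(synthesized) == plain,
        'synth_size': size(synthesized),
    }


if __name__ == "__main__":
    print(demo())
```

The synthesized form is semantically identical to x + y but never contains the exact (x | y) + (x & y) shape the one-rule matcher looks for, because every operator the first rewrite introduced was itself rewritten with a randomly chosen class member; a real MBA synthesizer works from far larger precomputed tables and deeper nesting, but the effect on a pattern-based deobfuscator is the same.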
The authors built an academic prototype of a next-gen VM called LOKI, which implements these new design principles, and published a paper [5] about it at USENIX Sec’22.
What made the talk special and set it apart from other talks at the conference was that, instead of presenting the discovery of yet another security vulnerability, the authors gave a conceptual overview, presented a variety of attacks and showed how obfuscation can be made more resilient against these attacks, providing a view of what to expect from software obfuscation in the future.
During the conference, Kaijern Lau delivered an informative talk on the Chinese government’s Great Firewall and methods for bypassing it. Lau discussed the Chinese government’s extensive control over network traffic, including their ability to block popular services such as Facebook, Google, YouTube, Wikipedia, and WhatsApp. It was fascinating to learn about the technical workings of this system and the impact it has on the flow of information in China. Simply using a VPN that tunnels all traffic cannot really solve the issue, because there are many alternatives to the blocked services that only work with a Chinese IP. Paying with your smartphone, which is the most widely used method in China, would require you to turn off your VPN. Taking into account not only this inconvenience but also the fact that bypassing the firewall with a VPN is illegal by law, new techniques are needed. OpenClash is an open-source and free-to-use proxy client. It supports several proxy protocols like Shadowsocks and Trojan. It is highly customizable, and a client can configure which endpoint to use for which service. Kaijern Lau has designed a small cube-sized PC that basically functions as a router for all your connected devices. Acting as a central station, it determines whether a request needs to be tunneled through one of many proxies or not. You can tell that Kaijern Lau has experienced the cat-and-mouse game in which people try to outsmart and bypass the firewall while the government tries to prevent them from doing so. All in all, the talk was well-structured and very entertaining.
If you’re hungry for more knowledge and more talks by cybersecurity experts, you’ll want to mark your calendar for the upcoming TROOPERS23 conference. TROOPERS23 will be held from June 26 to June 30, 2023. As always, we will offer you a high-quality selection of trainings and talks given by IT security practitioners from all over the world. TROOPERS is known for bringing together experts from around the world to share their experiences and knowledge, making it a great opportunity to network with peers in the industry.
Get your Ticket: https://troopers.de/
Cheers!
Frank Block, Florian Port, Kalle Macekas, Linus Bennin, Daniel Schlecht, Nicolas Giraud, Michael Helfrich, Sebastian Sartor, Julian Suleder
1. https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/
2. https://medium.com/@merasor07/av-edr-evasion-using-direct-system-calls-user-mode-vs-kernel-mode-fad2fdfed01a
3. https://www.ired.team/offensive-security/defense-evasion/using-syscalls-directly-from-visual-studio-to-bypass-avs-edrs
4. https://github.com/Bw3ll/ShellWasp
5. Paper: Loki: Hardening Code Obfuscation Against Automated Attacks