DNS over VPN for Android

2 minute read

I’ve some issues with DNS in Android. It’s quite hard to teach Android to use a different DNS server than it’s default one. It seems like that is hard wired into the system. However, it’s possible to use a VPN tunnel to point to a custom DNS server instead. dns66 is a tool that allows to set custom servers. It should block traffic, but so far this did not work that well.

Nevertheless, I want to put an additional domain to it and use it to resolve a single IP for my VPN. But you can only run a single VPN endpoint. You can run only DNS66 or OpenVPN, not both…..

To fix this I installed a dnsmasq on my VPN Server. It is configured to listen only to the VPN Interface.

apt-get install dnsmasq dnsutils

The configuration consist of two lines:

listen-address= # IP of the tun0 interface

Afterward you have to ensure within iptables that the interface is allowed to access:

iptables -A INPUT -i tun0 -j ACCEPT

Here the lazy version. Afterwards, you create an additional file for the records in /etc/dnsmasq.d/vpn with the content:


A restart of dnsmasq and you can validate it with dig.

OpenVPN configuration

To make the Android OpenVPN use of this, deploy this as a special option to the client. I’ve updated the configuration of the certificate in the ccd folder of openvpn.

"dhcp-option DNS"

A restart of the openvpn service should do it. To be honest, I do not know if that works correctly. I’ve also defined the DNS server manual in the android OpenVPN side to point to it. My manual test from a console emulator always resolved against But the app that should find the record was able to find it.

I won’t bother about this further. It’s working.

best regards, akendo

Offensive Conference day two

7 minute read

Updated Analysis of PatchGuard on Windows RS4: Is the Mouse Finally Caught? by Luc Reginato

Kernel patch protection (no one calls it this way). His diagram is over-simplfied. There are able to use static analysis. This talk is very in-depth and out of my domain of experience.

PatchGuard consist of three components. It seems that there is only a 4% to occure. But it’s hard for me to make sense of this.

iOS Dual Booting Demystified by Max Bazaliy

Dual boot in iOS. Using newer and older version of iOs or special flags. Apple has PKI that validates everything on the way. Has two ways for boot. Very complicated. Trustcache is a new thing in iOS 12. kernelcache holds the kernel and extensions. ramcache is not encrypted anymore. Trustchache aka Firmware.

Each commend is represented by a structure in iBoot. The menu is hidden by default. There are different attack vectors to attack the bootloader. kernel -> bootload for example.

Issues with the bootloader with Apples feature for KPP. Better way is to attack the bootloader from a bootloader. Modify the bootloader on the assembler level, allows to disable feature of the iOS kernel. You can’t disable KASLR, but use with zero slide.

Manual interaction takes a bit. Next level is using the XNU kernel with source. Apple seems to be very interesting to keep kernel features in place. There are feature within the MMU, that lock the kernel down. To prevent writing access to the kernel region. Some of the feature need to be patch out during the boot process. There goes a lot of work in there. Once it’s done you have a unprotected kernel where you can write things to.

macOS: How to Gain Root with CVE-2018-4193 in < 10s by Eloi Benoist-Vanderbeken

A bug in the server for displaying stuff. Found by in-process fuzzing. Goal: To have a reliable exploit. There are quite some limitation to the bug. Including some null pointer that needs to be present here. Going to abuse some different infrastructure `mach port. We can overwrite a NULL pointer with a pointer.

Problem: Find a good QWORD that can be overwritten. Absuing the CFdictionary because it will free the Null pointer. Took a deep looker into the CoreFoundation interals. This finds a memory sample that fits to the buggy array from the CVE. Problem here is that we only can specify a negative index. However, they can abuses the Heap things in a smart way and make allocation before the heap that can be reference in a negative way.

But it’s quite difficult to trigger this with the default malloc of apple. Spamming the heap does not work when done by a different CPU. ASLR in Mac is weak. Still this is a impressiv exploit. The defeat of the ASLR is quite heavy. Took 18 days to get it going.

Reverse Engineering of Error-Correcting Codes

Missed the intro ;( .ECC is hardware in the CPU. ECC needs to be fixed fast. ECC is undocumented. Using cold-boot for RE. Flip a bit and see what ECC does. They used a shorttage to create faulty bits. But this did not scale that well. Problem here: BIOS is setting the memory to find it’s perfect parameter and does reset the memory.

By passing by using coreboot, the reseting code part was submitted to the coreboot project by AMD. ECCplout -> get the same hardware as your vicitem. Extract the ECC algor. than using RowHammer. They focused only on the ECC part.

Attack Surface of a Connected Vehicle by Minrui Yan

note: The speakers were not a native speakers and it was diffcult to understand everyting correctly.

Attacking a car. The internal IVI based on Andorid, does also have a lot of vulnerabilities. To start research, you can get parts from ebay. Buy an old cars and start to extract the old items out of it.

Consider all parts like flash. T-Box: it has also a debug port. There are using eSIM. There is a token to control the car. That might all remote control of a car. Based on the service service architecture. Services are not exposed to the internet. We might are able to use the T-Box. It’s difficult to find the source of the attack.

You cann connect to the embeded devices thanks to linux default devices. Begin on the T-Box it’s possible to scan the ISV network. Might be hidden access for the ISVs? It’s possible to conect to the systems with re-wirring the cables. Also there is a USB connection that uses a HSB and can use adb to it. Tesla uses for example SD cards. Some of that cards are locked. But you can MitM with a logic anlayser and sniff out the password from the SD controller and the SD card.

Check the names from the ICs. For Tesla, they took of the emmc and put it onto a programmer to extract the firmware. It’s possible based on the data from the firmware to get the linux kernel that was used. An alternative is to use the an SPI programmer. (What’s the point about enumerating dumping firmware?)

  • control the car via the APN network. All services are running in the local network You could access over the APN network.
  • control the car via the TSP. There are stroing secret key in the service. Was able to control via the API the car? Because it’s authenticated via SMS?
  • control the car via the IVI. Connecting via the serial debug port to the Android system. Sending via writing data to the char devicds
  • Another way with IVI. Connecting into the CAN bus. it’s than possible to open the doors, start the enging or trigger the braking. It’s possible to change the postion of the wheel.

Personal note: Accessing the can bus seems senseful, CAN does not provide any authentiation.

Bypass Windows Exploit Guard ASR

Tool for adding protection for Windows. For most unknown.

He writes VBscript to bypass the ASR. Uses the task scheduler to bypass stuff. He creates a new task and stop it. New generated task have not the office process as parent. It’s based on a rules set in the kernel, that can be by-passed with ease.

FuzzIL: Guided Fuzzing for JavaScript Engines by Samuel Groß

Finding flaws in JavaScript code that causing error at the engines. Classic fuzzing won’t work, because it would test the parser. Requirement one to always have validate JS code. You might generate validate code based on the grammatical rules. But this won’t really work and does not invoke issues with the JIT. Needs to be semantic correct too.

Mutation based approach. last requirements to have sensible mutation of the JavaScript that make sense. There are different levels of mutation

  • Source code
  • Syntax Tree (AST)
  • Byte code

His approach is to mutate the byte code (low level). He generates them via his fuzzer FuzzIL. After generating the byte code you can ‘Lifting’ them to JS. First thing it does is the input mutator. Next is the operations mutator, change global functions. another is insertion mutation. Last one is the splice mutator. It just copies one part and another to it, based on randomness.

Another problem is minimization. Adding guided by adding a feedback mechanic in a similar fashion like afl does. He has some things on his todo, for example adding custom JS code sample to mute from.

Ideas for improvements

  • Starting at 08:00 ?
  • Name tags: Help people that does not know each others to engage in conversations
  • Improve the locations welcoming… it was quite harsh getting into the into hotel
  • Maybe better organisation of the chairs and numbers (rows lines)
  • Numbers for the tables out-side
  • Better transition of talks
  • Areas to drop stuff like bottles or dishes
  • Provide the slides before the presentation begins
  • Better positioning for the beamer screen. For the people in the back the bottom is often cut off…
  • The coffee was medium…
  • Places for talks with more ‘privacy’, we had to abuse some unused conference rooms…but that’s not always the soluton