Offensive Conference day two
[Updated Analysis of PatchGuard on Windows RS4: Is the Mouse Finally Caught? by Luc Reginato](Updated Analysis of PatchGuard on Windows RS4: Is the Mouse Finally Caught? by Luc Reginato)
Kernel patch protection (no one calls it this way). His diagram is over-simplfied. There are able to use static analysis. This talk is very in-depth and out of my domain of experience.
PatchGuard consist of three components. It seems that there is only a 4% to occure. But it’s hard for me to make sense of this.
Dual boot in iOS. Using newer and older version of iOs or special flags. Apple has PKI that validates everything on the way. Has two ways for boot. Very complicated. Trustcache is a new thing in iOS 12. kernelcache holds the kernel and extensions. ramcache is not encrypted anymore. Trustchache aka Firmware.
Each commend is represented by a structure in iBoot. The menu is hidden by default. There are different attack vectors to attack the bootloader. kernel -> bootload for example.
Issues with the bootloader with Apples feature for KPP. Better way is to attack the bootloader from a bootloader. Modify the bootloader on the assembler level, allows to disable feature of the iOS kernel. You can’t disable KASLR, but use with zero slide.
Manual interaction takes a bit. Next level is using the XNU kernel with source. Apple seems to be very interesting to keep kernel features in place. There are feature within the MMU, that lock the kernel down. To prevent writing access to the kernel region. Some of the feature need to be patch out during the boot process. There goes a lot of work in there. Once it’s done you have a unprotected kernel where you can write things to.
A bug in the server for displaying stuff. Found by in-process fuzzing. Goal: To have a reliable exploit. There are quite some limitation to the bug. Including some null pointer that needs to be present here. Going to abuse some different infrastructure `mach port. We can overwrite a NULL pointer with a pointer.
Problem: Find a good QWORD that can be overwritten. Absuing the CFdictionary because it will free the Null pointer. Took a deep looker into the CoreFoundation interals. This finds a memory sample that fits to the buggy array from the CVE. Problem here is that we only can specify a negative index. However, they can abuses the Heap things in a smart way and make allocation before the heap that can be reference in a negative way.
But it’s quite difficult to trigger this with the default malloc of apple. Spamming the heap does not work when done by a different CPU. ASLR in Mac is weak. Still this is a impressiv exploit. The defeat of the ASLR is quite heavy. Took 18 days to get it going.
[Reverse Engineering of Error-Correcting Codes](Reverse Engineering of Error-Correcting Codes)
Missed the intro ;( .ECC is hardware in the CPU. ECC needs to be fixed fast. ECC is undocumented. Using cold-boot for RE. Flip a bit and see what ECC does. They used a shorttage to create faulty bits. But this did not scale that well. Problem here: BIOS is setting the memory to find it’s perfect parameter and does reset the memory.
By passing by using coreboot, the reseting code part was submitted to the coreboot project by AMD. ECCplout -> get the same hardware as your vicitem. Extract the ECC algor. than using RowHammer. They focused only on the ECC part.
note: The speakers were not a native speakers and it was diffcult to understand everyting correctly.
Attacking a car. The internal IVI based on Andorid, does also have a lot of vulnerabilities. To start research, you can get parts from ebay. Buy an old cars and start to extract the old items out of it.
Consider all parts like flash. T-Box: it has also a debug port. There are using eSIM. There is a token to control the car. That might all remote control of a car. Based on the service service architecture. Services are not exposed to the internet. We might are able to use the T-Box. It’s difficult to find the source of the attack.
You cann connect to the embeded devices thanks to linux default devices. Begin on the T-Box it’s possible to scan the ISV network. Might be hidden access for the ISVs? It’s possible to conect to the systems with re-wirring the cables. Also there is a USB connection that uses a HSB and can use adb to it. Tesla uses for example SD cards. Some of that cards are locked. But you can MitM with a logic anlayser and sniff out the password from the SD controller and the SD card.
Check the names from the ICs. For Tesla, they took of the emmc and put it onto a programmer to extract the firmware. It’s possible based on the data from the firmware to get the linux kernel that was used. An alternative is to use the an SPI programmer. (What’s the point about enumerating dumping firmware?)
- control the car via the APN network. All services are running in the local network
0.0.0.0:XXXX. You could access over the APN network.
- control the car via the TSP. There are stroing secret key in the service. Was able to control via the API the car? Because it’s authenticated via SMS?
- control the car via the IVI. Connecting via the serial debug port to the Android system. Sending via writing data to the char devicds
- Another way with IVI. Connecting into the CAN bus. it’s than possible to open the doors, start the enging or trigger the braking. It’s possible to change the postion of the wheel.
Personal note: Accessing the can bus seems senseful, CAN does not provide any authentiation.
Tool for adding protection for Windows. For most unknown.
He writes VBscript to bypass the ASR. Uses the task scheduler to bypass stuff. He creates a new task and stop it. New generated task have not the office process as parent. It’s based on a rules set in the kernel, that can be by-passed with ease.
- Source code
- Syntax Tree (AST)
- Byte code
His approach is to mutate the byte code (low level). He generates them via his fuzzer FuzzIL. After generating the byte code you can ‘Lifting’ them to JS. First thing it does is the input mutator. Next is the operations mutator, change global functions. another is insertion mutation. Last one is the splice mutator. It just copies one part and another to it, based on randomness.
Another problem is minimization. Adding guided by adding a feedback mechanic in a similar fashion like afl does. He has some things on his todo, for example adding custom JS code sample to mute from.
Ideas for improvements
- Starting at 08:00 ?
- Name tags: Help people that does not know each others to engage in conversations
- Improve the locations welcoming… it was quite harsh getting into the into hotel
- Maybe better organisation of the chairs and numbers (rows lines)
- Numbers for the tables out-side
- Better transition of talks
- Areas to drop stuff like bottles or dishes
- Provide the slides before the presentation begins
- Better positioning for the beamer screen. For the people in the back the bottom is often cut off…
- The coffee was medium…
- Places for talks with more ‘privacy’, we had to abuse some unused conference rooms…but that’s not always the soluton