ROOTCON 17 - Talks

A 3-Year Tale of Hacking a Pwn2Own Target: The Attacks, Vendor Evolution, and Lesson Learned
by: Orange Tsai

As an indispensable part of our modern life, Smart Speakers have become a crucial role of Home Automation Systems. With Sonos emerging as a leader in this space, they have prioritized security, resulting in its Sonos One Speaker becoming as a Pwn2Own target for 3 consecutive years. As the first team to successfully hack it, we will share our experiences, stories, and insights throughout our past 3-year research journey. Our talk will explore attacks on the hardware, firmware, and software levels, as well as discuss the evolution of defenses we have observed from Sonos. We will also recount the cat-and-mouse game we played with the Sonos security team: Why were they always able to kill our vulnerabilities so precisely right after we developed a working exploit? This forces us to exhaust 4 different types of 0day to conquer a single Pwn2Own target.

The saga begins with our amusing but failed attempt in the first year, followed by our strong comeback in the second year, where we successfully took over the target using an Integer Underflow. After the competition, we witnessed a significant leap in Sonos’s defense mechanisms, which made our struggle with the Sonos security team even more challenging in the third year. To provide a comprehensive overview of our research, we will cover hardware attacks such as leveraging DMA Attack to jailbreak and obtain a Local Shell; firmware analysis, from firmware decryption to vulnerability discovery in the firmware over-the-air (FOTA) mechanism; and of course, software-level attack surface analysis and vulnerability mining in different ways. We will detail the stories behind our successful exploitations, such as bypassing all protections to exploit the target, racing the Thread Stack to different primitives to exploit the Stack Clash, and leveraging different types of vulnerabilities to achieve RCEs. These stories are all essential parts of our journey to win the Pwn2Own Toronto 2022 championship trophy and at least $80K in rewards.




Active Directory Domination through Configuration Abuse and OPSEC
by: Mars Cheng & Dexter Chen

Enterprises use Active Directory (AD) to manage digital assets such as accounts, machines, and access rights. However, because compromising AD can give attackers control over an entire enterprise's network, it is a primary target for attackers. The blue team is aware that AD is a Tier-1 asset and has established several mechanisms to monitor and hunt attack activity. To evade detection by the blue team, attackers will use techniques such as leveraging privilege, configuration settings, or designed mechanisms called configuration abuse. They may also use operation security (OPSEC) processes to attack AD. This talk will discuss how attackers can abuse these configurations and OPSEC skills to compromise AD and achieve their objectives. We will demonstrate real AD attack paths that blend On-Premises and Azure AD, and dive into the AD attack techniques that abuse the AD configuration settings. We will also discuss the methodology, including enumeration, consideration of tactical goals, and how to evade blue team monitoring to succeed in the operation.




AI's Underbelly: The Zero-Day Goldmine
by: Dan McInerney

The sudden AI goldrush has lead to organizations speeding to deploy AI tools often foregoing the crucial step of rigorous security analysis in order to keep the pedal to the metal. We will dive deep into the vulnerabilities that hide within some of the industry's most popular AI tools. Drawing upon a series of 10 personal AI zero day discoveries, this talk reveals the patterns of flaws most often found in our race towards AI progression as well as practical tips, tricks, and targets to find them yourself. This includes a path to monetizing newly discovered vulnerabilities like the pickaxe salesmen of the California goldrush.




Azure Illuminati: Unveiling the Mysteries of Cloud Exploitation
by: Raunak Parmar

This talk focuses on offensive strategies, specifically on gaining initial access through the abuse of Azure services, OSINT, and web applications. It explores the potential misconfigurations in Azure Conditional Access Policies that can lead to Multi-Factor Authentication (MFA) bypass, such as improper Cloud app settings, and manipulation of User-Agent or authentication location. The talk also highlights how performing a Man-in-the-Middle (MITM) attack can grant clear text credentials and session cookies by exploiting invitation links, increasing the risk of phishing and bypassing the need for MFA.

The presentation covers various misconfigurations in Azure AD and Azure RM services, including function apps, Logic Apps, Storage Accounts, CI/CD pipelines, and Membership Rules. For instance, the use of a common storage account by multiple function apps can facilitate access to other function app files by leveraging the connection string stored as an environment variable with read/write permission.

Azure services that enable connections to on-prem servers or employee devices are discussed as potential attack vectors. Examples include abusing the Automation Account for gaining a reverse shell and exploiting Intune services to run scripts on users' devices, such as Windows, Android, macOS, and iOS, in order to extract Azure tokens or other data from the Azure profile folder.

Even a simple role like Reader can be valuable, as it provides users with access to source code that may contain hardcoded credentials like connection strings or service principal client IDs/secrets.

The talk concludes with several attack scenarios for lateral movement and privilege escalation. These scenarios involve exploiting vulnerable function apps to access different services, using DevOps agents to access on-prem machines, leveraging Dynamic group membership to impersonate a user, and obtaining access tokens for multiple users by abusing read/write permissions on a Storage Account.

This talk is cool because it dives into the offensive side of cybersecurity, exploring various techniques and strategies to gain initial access and escalate privileges within Azure environments. It covers practical examples of misconfigurations in Azure services and demonstrates how attackers can exploit these vulnerabilities to bypass MFA, access sensitive data, and perform lateral movement. The talk also highlights the potential risks associated with abusing Azure services, such as the Automation automation account and Intune services, to gain control over on-prem servers and employee devices. By showcasing real-world attack scenarios and sharing insights into the mindset of hackers, this talk offers a unique and engaging perspective on Azure security.




Breaking Barriers: Using XSS to Achieve RCE
by: Aden Yap, Ali Radzali, Azrul Zulkifli, Sheikh Rizan

Electron is a free and open-source software framework developed and maintained by OpenJS Foundation. The framework is designed to create desktop applications using web technologies that are rendered using a version of the Chromium browser engine and a back end using the Node.js runtime environment.

To mitigate the vulnerability, “NodeIntegration” function was set to default false on all Electron Frameworks starting from version 5.0.0, which means the renderer process does not have access to the Node.js APIs. Similarly, the “nodeIntegrationInWorker” option is also by default set to false, so that Electron Web Workers do not have access to the Node.js APIs. This helps prevent malicious code from executing in the renderer process and accessing sensitive system resource. If the developer still requires the “NodeIntegration” to be enabled, they will need to explicitly enable it in Electron Node.js configuration.

BAE Systems security researchers was able to identify dozens of misconfigured apps written using Electron framework that are publicly available on the Internet, these misconfigurations could potentially lead to RCE if a simple XSS vulnerability was present. BAE Systems security researchers will demonstrate techniques used to exploit these vulnerabilities to achieve RCE by chaining a simple XSS bug. Some of these vulnerabilities are Pre-auth (no authentication required), thus can be easily exploited in the wild without user interaction (zero-click).

At the time of writing, BAE Systems security researchers had found 3 0-days in popular apps hosted on Github, these apps are widely used on the Internet and are easily exploitable via our zero click exploit that we had developed. We had reported these vulnerabilities to their respective application owners and now awaiting their response. If the fix is available before we present this topic, we will provide full disclosure of the vulnerabilities during the conference.




Car Hacking Scene in the PH: How Far We've Come
by: Jay Turla (@shipcod3)

Car Hacking Village PH presents their first attempt on the main tracks for ROOTCON. This is a rundown of CHVPH's past security research to current research - from hacking infotainment systems to CAN Bus protocols and a summary of cars available in the Philippines which are susceptible to car thefts. Here is the complete rundown:

- Some of our infotainment hacks
- Car Hacking on a cheap
- Clusters you can fuzz
- The CHV PH repo
- Our mini car hacking test bench
- Tools of Trade
- CHV PH appearances in hacking cons
- canTot: quick and dirty canbus h4xing framework
- Vulnerability Disclosures related to automotive
- Understanding the Geely Hacks
- A summary of common vehicles in the Philippines affected by simple and recent key fob vulnerabilities
- Demystifying rollback attacks




Crashing Cars, not Systems: Navigating the New Terrain of Browser Fuzzing in Automotive Headunits
by: Ravi Rajput

The era of the connected car has brought with it a new landscape of potential security vulnerabilities. This presentation brings into focus one such emerging attack surface, browser fuzzing on automotive head units. Modern vehicles now feature Electronic Control Units (ECUs) equipped with ARM processors, essentially transforming these vehicles into sophisticated computing platforms. Coupled with the widespread adoption of Android Auto OS, an Android derivative designed specifically for vehicles, the risks and potential impact of exploitation are amplified.

Our discussion will emphasize on the previously unexplored domain of ARM exploitation within the realm of automotive security. Utilizing the embedded browsers in Android Auto, we propose a new exploitation methodology, potentially allowing the delivery of malicious CAN packets that could manipulate vehicle functions.

We delve into the realm of fuzzing - a proven technique in computer security - and apply it to the new context of automotive head units. To substantiate the discussion, a live demonstration will illustrate a Document Object Model (DOM) fuzzing and Denial of Service (DOS) attack on a vehicle system.

While achieving full Remote Code Execution (RCE) may not be the endpoint in all cases, even a successful DOS attack could result in critical ECU failure, posing significant safety risks. As we venture into this innovative and potentially hazardous territory, our objective is to highlight the imminent need for robust security measures in automotive systems, ensuring passenger safety in the increasingly interconnected world of modern transportation.




Hacking Back Your Car
by: Kamel Ghali

Sophisticated vehicle thefts have been in the news lately due to some great research published by vehicle security experts that have been firsthand victims of said theft. Unlike classic hotwiring or carjacking attacks, the ""new"" way to steal vehicles is more technical and efficient. Vehicle thieves are connecting to the CAN networks inside vehicles and spoofing CAN messages to trick the car into thinking its key is present, disabling the immobilizer and allowing the car to be driven away.

In my talk, I'll discuss the origins of such attacks, how they've been used in different countries over the years, and explore the technical details of what makes such an attack possible. I'll perform a deep dive into the more ""hacker-y"" techniques used by vehicle thieves to target modern vehicles and the differences in the various techniques used over the years. I'll also cover potential mitigations against such attacks that can be applied by vehicle manufacturers and mitigations that you and I can implement today to keep our families safe.

This talk will be a great supplement to the Car Hacking Village planned to be at the event, hopefully increasing interest in vehicle security and car hacking, and giving the participants something to start their journey into vehicle security with.




Phish MOMUKAMO: Meticulously Outmaneuvering Malicious and Unscrupulous adversaries with Knowledge, Action, Mitigation, and Organization
by: Eric Reyata and IJ Puzon

This paper presents an in-depth examination of phishing kits, exploring opportunities for detection and enhancement of security measures for both organizations and individuals.

By emphasizing the crucial role of collaboration between public and private sectors, as well as law enforcement agencies, the study highlights the importance of a united front against cyber threats.

Through a thorough technical analysis of phishing kits, the paper delves into various aspects, including the phishing victim's experience, technical considerations, the interplay of HTTP client and server models, essential components of a phishing kit, and effective threat hunting methodologies.

In addition, the paper investigates statistical data on phishing victims and sheds light on the adversary's infrastructure and activities, providing valuable insights for combating such threats.

Conclusively, the paper presents well-rounded recommendations and strategies to bolster the fight against cyber adversaries and ensure the successful pursuit of phishing-related cases to their ultimate resolution.




Scarlet OT - OT adversary emulation for fun and profit
by: Vic Huang & Sol Yang

Since 2010 Stuxnet caused substantial damage to the nuclear program of Iran, ICS security issues have been raised. Lots of researchers dig into the hacking skills and path and those known attacks in the history and more malwares and events happened. Enterprises need an efficient way to find vulnerabilities but they might not have the budget for ICS pentesters , which need strong background knowledge , and all the fields they have. To solve this problem, we made a rare OT targeting , open source adversary emulation tool Scarlet OT as a plugin on MITRE open source tool - Caldera. Users can easily combine IT attacks with our OT adversaries and change steps of attacks or send manual commands in the process.

We summarize the experience of reviewing over 20 factories traffic and analyzing 19 MITRE defined ICS malwares, PIPEDREAM/Incontroller in 2022. We found the main trend of ICS malwares changes from single protocol targeting to modulized , multiple protocols supporting. The actions in malwares can be summarized as a 4 stages attacking flow, We will explain it with the real attacks from malwares. We use the above conclusions to develop Scarlet OT.

Now Scarlet OT already supports 10 common protocols and over 23 techniques on the MITRE ICS matrix , which is able to reproduce over 80% of defined ICS malware actions in OT. We also follow the 4 stages conclusion to add some attacks havent been used by any malwares. We have tested Scarlet OT on real oil ,gas ,water, electric power factory devices , protocol simulations for SCADA developers and honeypot. We will have a demo in this presentation and also open source after the presentation.




Technical Surveillance Counter-Measure (TSCM) - "Unveiling the Unseen: Safeguarding Your Secrets from the Shadows"
by: JJ Giner

Discover the hidden world of Technical Surveillance Countermeasures (TSCM) in this captivating presentation. Join us as we unravel the tactics employed by eavesdroppers and delve into the cutting-edge countermeasures to protect your sensitive information.

In this eye-opening session, we'll explore real-life scenarios and demonstrate the latest state-of-the-art technologies used to detect and neutralize covert surveillance devices. Gain invaluable insights into the evolving landscape of corporate espionage and learn practical strategies to fortify your organization's security posture.

Whether you're a business executive, government official, or security professional, this presentation will empower you to stay one step ahead of the unseen threats lurking in the shadows. Don't miss this opportunity to safeguard your secrets and defend your privacy in an increasingly interconnected world.




The Creation of the Out-Of-Band Anti Virus Dock (OOBAVD)
by: Yu Pengfei and Tan Jing Zhi

USB-based attacks account for over 52% of all cybersecurity attacks on operational technology (OT) systems in the industrial control systems (ICS) industry. Stuxnet's discovery in 2015 showed the vulnerability of air-gapped systems, previously considered invulnerable. These systems are found in secure military organizations and SCADA systems. The societal impact of such attacks can be enormous, as evidenced by Stuxnet's impact on Iran's nuclear programs.

Air-gapped systems, while considered secure, mostly require mobile storage devices like USB sticks for updates and data transfers, which risks exposing them to malware. Adding peripherals like keyboards and mice will also render the systems vulnerable to BadUSB attacks. This all can be prevented by OOBAVD, which acts as an intermediary between air-gapped systems and USB devices, blocks malicious files from entering the air-gapped systems. OOBAVD being out of band also mitigates the risk of malware attacking the host's antivirus software.

So what exactly is OOBAVD and how does one take an anti-virus out of band?




Unleashing Cyber Chaos: Evolving Nexus Between Nation State and eCrime Adversaries
by: Scott Jarkoff and Aaron Ng

In this session the speakers will cover the latest attacks conducted by the big four nation state adversaries from China, Russia, North Korea, and Iran, as well as intrusions perpetrated by eCrime actors.

Act 1 of the presentation dives deep into the background of these adversaries, their motivations, and the latest tradecraft they leverage during their daily offensive cyber operations. The speakers will identify state actors, and the agencies they work on behalf of, and potential shared tactics, techniques, and procedures.

Act 2 shifts focus to the history of eCrime, the latest attack trends being used by adversaries intent on financial gain, with a strong spotlight on connecting and highlighting the broad eCrime ecosystem. This section will discuss the likes of Emotet, Trickbot, Conti, Lockbit, Hive, Alphv, and much more. The speakers will also discuss the highly interconnected and interdependent nature of modern eCrime operations compared to the “good old days” when a single adversary was responsible for all phases of an attack.

Finally, Act 3 demonstrates a distinct association, and blurring of the lines between nation state and eCrime adversaries. In many cases it is not easy to discern the difference between the state actor and a sophisticated criminal, in particular because of intent, but increasingly because of extremely specialized tradecraft.

This presentation is backed by observations from CrowdStrike threat intelligence, and the very real world attacks witnessed through highly specialized primary source intelligence collection, coupled with the speakers’s very extensive and thorough experience on these topics. The content will be delivered as a mixture of high level overview, technical deep dive, and case studies.