Opening words by Sylvain Pasini, president of the Black Alps association, and general chair of #BlackAlps22.

Network printers have been featured for the first time at Pwn2Own competition in Austin 2021. Three popular LaserJet printers were included in the completion: HP, Lexmark and Canon. During the event, we (Synacktiv) managed to compromise all of them allowing us to win the whole competition. In this talk, we will focus on how we achieved code execution on the Canon printer.

One of the major challenges of embedded security analysis is the accurate extraction of arbitrary firmwares.

While binwalk has been the de-facto standard for firmware extraction since its early days, it proved to be limited in an environment where we needed to analyze heterogeneous firmwares from potentially malicious uploaders at scale.

In this talk we will introduce the audience to our specific use case, the limits of existing extraction tools, and how we overcame them by developing our very own firmware extraction framework, named unblob.

unblob is an accurate, fast, and easy-to-use extraction suite. unblob parses unknown binary blobs for more than 30 different archive, compression, and file-system formats, extracts their content recursively, and carves out unknown chunks that have not been accounted for. This turns unblob into the perfect companion for extracting, analyzing, and reverse engineering firmware images.

Similar to what HD Moore did 19 years ago when he started gathering exploit scripts in a single unifying framework with Metasploit, we’d like to provide reverse engineers with an easy to use and extensible framework to extract custom formats. Our hope is to provide a home to firmware reversers and help them not rewriting the same code every time they need to support a new vendor format.

Slides in PDF

Everyone and their dog is writing their own memory allocator, but nobody wrote any comprehensive benchmark to assess memory consumption, speed, security, … so this talk presents how we implemented one, as well as the associated challenges, details, anecdotes, notable allocators, and finally, the obtained results.

Slides in PDF

SM4 is a block cipher developed and standardized in China. It gets more and more traction as this algorithm becomes mandatory for certain applications. Even ARMv8.4 has SM4-specific instructions.
During this talk, we will present the SM4 algorithm, how it works and ways to attack it from the hardware implementation point of view. We will show how Correlation Power Analysis (CPA) and Differential Fault Analysis (DFA) can be applied on basic implementation and allow to recover the key. Of course, all these tools will be released after the talk.

Although PHP has always been deemed insecure, finding and remotely exploiting binary bugs in its core is not a well documented subject.
Through this talk, I will aim to (partially, at least) solve this problem, by describing the internals of the PHP allocator and unraveling reusable, generic exploitation techniques for PHP's heap. I'll illustrate these techniques through the exploitation of two remote code execution 0-days targeting PHP.

What happens when your home is “smart” before you even move in? More and more buildings are pre-installing smart devices that tenants didn’t ask for and may not want. These devices focus on comfort and convenience, an excellent focus as long as security is also considered. Given the deep integration these devices have, a vulnerable system could lead to devastating consequences like the loss of privacy and even unauthorized access. As a security researcher, these were my thoughts when I saw the tablet mounted on the wall of my new apartment.

In a short period, I discovered multiple vulnerabilities in the system. A concern for sure, considering the system allows for remote access and has integration with services in my apartment and the building. This talk will cover my path, my process, and coverage of the vulnerabilities I discovered.

Slides in PDF

Practical fault injection is a widely used technique which bypasses security measures (such as signature checks) and breaks cryptographic algorithms. Practical fault injection can be made by means of short power glitches, electromagnetic pulses, laser fault injection and other techniques. Those methods require physical access to a device, and so can be only applied after device manufacturing.
While companies perform security testing after production, there is a clear need to develop secure code during device manufacturing. This is especially true for ROM code (i.e. the hardcoded binary that can not be modified). In case any fault attack is found in the ROM code after the chip production, this vulnerability can be patched only in the following hardware revisions of the device.
To find fault attack vulnerabilities during the manufacturing phase, companies develop fault injection emulation. At first, public tools emulating faults were released to break white-box cryptography (i.e. software cryptographic algorithms masking all key operations). Those tools include Unicorn-based emulation, Qemu emulation, binary instrumentation with Intel Pin and Valgrind, and radare2 emulation. Later the tools were adapted to emulate faults in devices’ firmware, including ROM code.
The recent Ghidra reverse engineering tool offers code emulation. Ghidra code emulation can be used to simulate faults in the analysed binary. Those faults can be instruction skipping, operand modification, data modification, or more complex scenarios. In comparison with previous fault emulation tools, Ghidra is more user-friendly, and includes reverse engineering and emulation in the same environment. In addition, Ghidra supports many CPU architectures and any new CPU architecture can be added with SLEIGH language.
This talk will demonstrate how Ghidra emulation is used to simulate fault injection in some simple functions used during firmware execution and White-Box Cryptography. To illustrate the Ghidra efficiency, ARCv2 support was added (and will be publicly released during this talk).

Slides in PDF

Netfilter is the well-known firewall available for Linux systems.
It is mainly known through its userland interface *iptables*, but most of its codebase resides in kernel land in order to perform hooks in the network stack.
Initially, to perform such operations, the user must have specific privileges.
Since unprivileged users are able to create new namespaces, they are able to perform new privileged operations, such as setting up a firewall.
Consequently, the attack surface on the Linux kernel is widely increased.
And, Netfilter is one of the targets for vulnerability research focusing on local privilege escalation.

The variant analysis is a recent technique that can be used to do vulnerability research on open source software.
Thanks to variant analysis, I was able to find bugs and vulnerabilities within the Netfilter subsystem of the Linux kernel.
The vulnerabilities allowed an attacker to get a privilege escalation on Ubuntu.

In this talk, I will explain how I used the variant analysis to discover two vulnerabilities, CVE-2022-1972 and CVE-2022-34918.
The techniques used to perform an information leak using CVE-2022-1972 and a privilege escalation on Ubuntu 22.04 exploiting the CVE-2022-34918.

Slides in PDF

The problem of publicly exposed secrets, such as API keys and other credentials, is a widespread weakness affecting organizations of all sizes. The scale of this problem was quantified in a year-long research study by GitGuardian which found 6 million secrets were leaked in public repositories on Github.com. The report also showed that nearly 5% of docker images contain at least one plain text secret.
This talk will examine why secrets are so frequent in public spaces despite being a highly valuable asset and how attackers discover these credentials. Building from this we break down three recent successful attacks which all used leaked credentials, CodeCov2021, Indian Government 2020 and the Lapsus breaches of 2022. Examining each different methodology used in these we will show the different techniques attackers used to harvest and exploit credentials. Finally, we break down the different methods and tools can be used to extract secrets from source code, reviewing the pros and cons of each.

As an attacker in a Windows environment, getting high privileges and access sensitive data often requires abusing Active Directory capabilities and its myriad of supported protocols. NTLM (New Technology Lan Manager) – the dinosaur of authentication protocols – still has many happy days ahead although there are significantly better alternatives available.

After years of abusing NTLM relay and with the rise of dedicated tools, several protocol issues have been addressed by Microsoft (PrivExchange, Drop the MIC 1 and 2, relaying to RPC, PetitPotam) and measures exist for services to enforce integrity checks and avoid relay attacks. However, due to backward compatibility and misconfigurations, this technique can be used to this day.

In this talk, we discuss vulnerabilities identified during the last two years (CVE-2020-1113 by myself and CVE-2021-26414 by another individual first) and review the remaining attack surface.

Special discount for this talk, you will learn about two related stories for the price of one!
The first one is about how the Jenkins Security team is including Content Security Policy (CSP) in the Jenkins project without breaking everything. We will explain why CSP is appealing in terms of security and how we are envisioning its introduction in an existing (very large) project.
The second part of the talk will be on a Cross-site scripting (XSS) vulnerability we have found on a very popular dating application. This vulnerability was particularly interesting as it had the possibility to spread like a virus within the social network and the impact could have been catastrophic. We will explain how we were able to bypass their incomplete CSP configuration.

Slides in PDF

Twice a year, ZDI organizes a computer hacking contest called Pwn2Own. It challenges security experts to exploit widely used hardware and software.

In November 2021, the contest was held in Austin and online. Synacktiv team succeeded its attacks on many devices, and won the competition.

This presentation describes the steps to gain code execution on one of the targeted device: the Sonos One Gen 2 smart speaker.

Slides in PDF

De nombreuses applications malicieuses sous Android sont "packées".
La façon la plus classique de les analyser consiste à les exécuter en instrumentant quelques hooks Frida aux endroits clés, comme le chargement dynamique de code ou la construction de requêtes HTTP.
Cependant, l'écriture de hooks Frida est tantôt mal aisée, tantôt lassante.

Par conséquent, dans cette présentation, nous allons explorer deux pistes différentes :

1. L'écriture d'unpacker statiques. Nous verrons qu'ils ont leurs avantages.
2. L'utilisation d'outils qui écrivent les hooks Frida pour nous :)

Mots clés: Android, packer, Frida, Medusa

PS. Frida, c'est top !
PPS. En fait, vous écrirez surement toujours encore des scripts Frida de temps en temps, le titre était une accroche ;P

Slides in PDF