2.0 -//Pentabarf//Schedule//EN PUBLISH 7HFFHD@@cfp.ringzer0.training -7HFFHD Compiler Backdooring For Beginners en en 20240223T183000 20240223T191500 004500

Compiler Backdooring For Beginners

Start of workshop: Download and build your own LLVM clone Introduction to compiler architecture - Frontends, Backends, and Intermediate Languages - Basic compiler passes - GCC and LLVM Clang in a nutshell Compiler plugins - Passes vs. plugins, pros and cons - Exercise: "Hello World" as a Clang pass Compiler mitigations walkthrough - How DOES a compiler build canaries? - (AddressSanitizer at 10.000ft if time allows) Lab: Homemade Backdoors Description: We'll be working on a specially crafted application, which contains a function reading data into a buffer in a safe way. The exercise will be to remove sanitization checks and to modify the buffer so that memory corruption becomes possible. Students will receive a skeleton Clang plugin, and will be walked through code constructs needed to locate the target function, the checks and the buffer, and to perform the requested modifications. The students themselves will complete the plugin and verify its efficacy. PUBLIC CONFIRMED Workshop https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/7HFFHD/ Bootloader 📍Under The Oaks Marion Marschalek PUBLISH 3KT8RD@@cfp.ringzer0.training -3KT8RD Best of the Worst: Misadventures in Bug Disclosure en en 20240223T193000 20240223T201500 004500

Best of the Worst: Misadventures in Bug Disclosure

Founded by TippingPoint in 2005, the Zero Day Initiative (ZDI) program rewards security researchers for responsibly disclosing vulnerabilities. Since that time, the ZDI has grown to be the world's largest vendor-agnostic bug bounty program. Being vendor agnostic means we purchase bug reports from independent security researchers around the world in Microsoft applications, Adobe, Cisco, Apple, IBM, Dell, Trend Micro, SCADA systems, etc... We don't buy every bug report submitted, but we buy a lot of bugs. Of course, this means we disclose a lot of bugs. And not every disclosure goes according to plan. This talk looks at some of the best of the worst examples of disclosing bugs to vendors. Disclosing bugs can get contentious. It can also be confusing when a vendor doesn't have a mature response process. Some reports are frustrating. Some reports are comical. And some are absolutely wild. All of them resulted in face palms at multiple levels. We'll go behind the scenes to show the sometimes gory details and laughable farces of bug disclosure. Finally, we'll offer some advice to those who may be on the receiving end of disclosure to help them ensure they don't end up in version 2.0 of this talk. Finding, disclosing, and fixing bugs are three different processes, and none of those processes are inconsequential. Here at the ZDI, we try to improve all three areas wherever we can. PUBLIC CONFIRMED Talk https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/3KT8RD/ Bootloader 📍Under The Oaks Brian Gorenc Dustin Childs PUBLISH EAXQYM@@cfp.ringzer0.training -EAXQYM Rust Won't Save Us: Finding and Exploiting 0-days in Security Appliances en en 20240223T203000 20240223T211500 004500

Rust Won't Save Us: Finding and Exploiting 0-days in Security Appliances

- **Who Am I** (1 min) - Security researcher with many years of experience in vulnerability research, implant development, and attacker TTPs across the commercial and government sector.  - **Overview** (1 min) - **A Shift In Tactics** (2 min) - CISA KEV Breakdown - 2023’s Most Targeted Devices by Device Type - Initial Access via Border / Security Appliance - Why is this thing on the internet? - **The Vulnerabilities** (38 min) - Target Selection - Fortinet falls squarely in the type of device’s routinely targeted and exploited by threat actors in CISA KEV - Fortinet has many security devices that have not received recent CVEs - FortiSIEM was acquired via Fortinet acquiring a company, possibly meaning more room for error or a difference in security stack - Vulnerability Research Process - Attack Surface Analysis - Control Flow Analysis - Web Routing Framework - Unauthenticated and Authenticated Handlers - Non-Web Backed Services - Communication Protocol - Authentication - Business Logic - Controllable Inputs - Fortinet FortiSIEM - Appliance Overview - Discovering the Service - Fortinet FortiNAC variant analysis - developers often make the same mistakes - Investigating the license upload functionality in Web UI revealed it communicated with a “backend” service, phMonitor, via TCP socket - “Backend” service is listening on all interfaces - not so backend… - Developing a Service Client - Reversing the Java Web UI class reveals its a custom messaging scheme over TCP sockets with message format: - 1\. Command Type - The integer enum mapped to specific function handlers inside the phMonitor service - 2\. Payload Length - The length of the payload in the message - 3\. Send ID - An arbitrary integer value passed in the message - 4\. Sequence ID - The sequence number of this message - 5\. Payload - The specific data the function handler within phMonitor will operate on - Test client with “LicenseInfo” request returns success! - Reversing the Service - What is the phMonitor service? - At a high-level, it monitors different services across different roles, and exposes an API interface for performing many of the system functions that would be accomplished in the administrative web interface.  - It is the authoritative service when it comes to managing deployment configuration, licensing, and administrative functions of itself and remote roles. - With a working service client, now starts the process of analyzing control flow of the service, and any potential mistakes in command handlers - 100 different command handlers - Change storage configurations - Often calls to a utility “doSystem”, a system() wrapper - interesting! - Write system settings - Passwords, backup servers, etc - Initiate reverse SSH tunnels with integrated servers - FortiSIEM often deployed with SIEM in located in MSP and “Collectors” in client environments - Pivot into client environments! - Developing the Exploit - Determining the Expected XML Format - Command Injection in XML Field - Post-Exploitation possibilities - pivoting, reading integration secrets, clearing logs - Fortinet FortiWLM - Appliance Overview - Attack Surface - Web Service backed by Python and Perl - Django Authentication Middleware - Several Unauthenticated Endpoints - Command Injections - SQL Injections - File Reads - Fortinet FortiWeb Manager - Appliance Overview - Attack Surface - Web Service backed by Python - Authenticated Command Execution - Authenticated Arbitrary File Write - Authenticated Arbitrary File Read - Common Developer Pitfalls and Areas of Improvement - Focusing on the Happy Path - Developers, intuitively, focus most of their time and effort in validating the most common user journeys in their applications - Often, along a products lifetime, new features are added for customers - and sometimes in critical areas like authentication - Developing in a Vacuum - Applications and systems often reach enormous levels of complexity, hard to single engineers to know the in-and-outs to safely add a feature - Architecture and code reviews are necessary and critical to spot missteps - Paired programming with a senior can help juniors understand the design and security aspects of features to up-level them - Defense In Depth - Often, weaponized exploits combine several vulnerabilities to reach system compromise - Auditing the authenticated attack surface for simple primitives can limit the blast radius of these chains - Run services as least privilege - **Future Outlook** (1 min) - Security isn’t just for infosec - involve developers more in our community - “Memory-safe” languages like Rust won’t save us, but they can help - We and threat actors will continue to find vulnerabilities from the 90s, adjust security programs to be as wholistic as possible - **Q\&A** (2 min) - **References** - Fortinet PSIRTs - FortiSIEM -  ****<https://www.fortiguard.com/psirt/FG-IR-23-130> - FortiWLM - <https://www.fortiguard.com/psirt/FG-IR-23-140> - <https://www.fortiguard.com/psirt/FG-IR-23-143> - <https://www.fortiguard.com/psirt/FG-IR-23-142> - FortiWeb Manager - Awaiting patches PUBLIC CONFIRMED Talk https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/EAXQYM/ Bootloader 📍Under The Oaks Zach Hanley PUBLISH QQWFQU@@cfp.ringzer0.training -QQWFQU BlackHoodie Training: Introduction to Software Reverse Engineering en en 20240223T090000 20240223T170000 080000

BlackHoodie Training: Introduction to Software Reverse Engineering

Ever wanted to know what a binary looks like from the inside? Wonder no more, binary insides is all you will see in this class. We’ll go from 0 to yo there’s a bug in your application in just one day. This training is very busy, from file formats, loaders and process execution, disassemblers and debuggers, to bug hunting of the special kind. But don’t worry, we’ll arm you with all the necessary skills! The target will be x86-64 Linux ELF executables. PUBLIC CONFIRMED Workshop https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/QQWFQU/ BlackHoodie 📍Room 1.124 Marion Marschalek PUBLISH BJF77N@@cfp.ringzer0.training -BJF77N Revisiting 2017: AI and Security, 7 years later en en 20240224T090000 20240224T094500 004500

Revisiting 2017: AI and Security, 7 years later

In 2017, I gave a keynote at ZeroNights Moscow about the role of AI in security, both on the offensive and the defensive side. This keynote will revisit the topics of 2017, and discuss how the changing landscape of AI and security has affected and changed, and which parts remain unchanged. PUBLIC CONFIRMED Talk https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/BJF77N/ Track 1 📍 Auditorium 1.110 Thomas Dullien PUBLISH NXCUE3@@cfp.ringzer0.training -NXCUE3 Exploring the lay of the LLM detection landscape en en 20240224T100000 20240224T104500 004500

Exploring the lay of the LLM detection landscape

Are LLMs going to upend, or just end the world? Will malevolent AIs spread disinformation and FUD to enslave humanity in a world of fear? Will Roko's Basilisk come to pass? In order to help stay these dramatic end-times, LLM content detectors are here! We can build safe, AI-free zones to limit the digital "noise" that these models can blast out at scale, if only we can reliably detect and classify a content's origin. This talk does a deep dive into the leading LLM text detectors, both open-source and commercial, and compares them against a number of different datasets. Next, we throw into the mix ZipPy, a novel open-source detector based on code written in the mid-1980s that outperforms the state-of-the-art in a number of dimensions. ZipPy is simple (less than 200 lines of Python), and it codifies the intuition about a core difference between LLMs and humans that no additional amount of data or training cores can overcome--being unique! Using ZipPy we can walk through the features used to differentiate a text's origins and how with a simple, embedded detector we can build a human-centric world where LLMs are used only to help us rather than subvert us. PUBLIC CONFIRMED Talk https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/NXCUE3/ Track 1 📍 Auditorium 1.110 Jacob Torrey PUBLISH 8FM8V3@@cfp.ringzer0.training -8FM8V3 Glitching in 3D: Low Cost EMFI Attacks en en 20240224T113000 20240224T121500 004500

Glitching in 3D: Low Cost EMFI Attacks

This work describes the process of performing a new fault injection attack. We begin with the test firmware we used to dial in the physical glitch parameters such as location, placement, etc. After dialing in these glitch parameters for maximum consistency, we target the boot ROM of the STM32F4. To determine **where** to place the glitch, we review the power trace of the boot ROM and an extracted boot ROM in ghidra. The first section of the talk will focus on traditional voltage glitching and power trace analysis. After demonstrating that a readout protection bypass is possible via voltage glitching, we will discuss the risk of these attacks and how they can permanently damage devices. Given this risk, we attempted to trigger the same glitch with an EMP instead of a traditional voltage glitch. Performing an EMFI attack introduces new variables, probe shape, placement, and pulse shape, to name a few. While some tools exist to help instrument and perform EMFI attacks, they are prohibitively expensive and require bespoke training and extensive experience. We wanted to complete one of these attacks as cheaply as possible and utilize open-source hardware for the instrumentation of the EMP probe, leading us to use the PicoEMP to generate the EMP and a 3D printer to automate the positioning and placement of the probe. After 3D printing a custom bracket for the EMP and developing software to control the printer, we could automate glitch data collection while instrumenting the X/Y/Z coordinates of the probe. We determined the optimal probe placement for performing our previously discovered RDP bypass using the resulting data. A portion of this talk will review that data and some of the tools we developed to help visualize the data collection results to determine optimal probe placement. Using the probe placement data generated from our testing, we developed a consistent RDP bypass for the STM32F4 via a targeted EMP using the power trace analysis from our first glitch. This attack allowed for flash readout capabilities on locked STM32F4 processors. We also will discuss how we've used these tools and resulting workflows to target other microcontrollers, such as the Nuvoton M032 series. After this talk, we will release the Jupyter notebooks, libraries, tools used to instrument the 3D printer, and the ChipWhisperer Husky and PicoEMP. We will also publish a long-form write-up (blog post) describing the process. PUBLIC CONFIRMED Talk https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/8FM8V3/ Track 1 📍 Auditorium 1.110 Matthew Alt (wrongbaud) PUBLISH JEETKU@@cfp.ringzer0.training -JEETKU QEMU For Fuzz and Profit: Emulation & Fuzzing: Deep Dive into Cybersecurity Techniques en en 20240224T110000 20240224T123000 013000

QEMU For Fuzz and Profit: Emulation & Fuzzing: Deep Dive into Cybersecurity Techniques

"Emulation & Fuzzing: Deep Dive into Cybersecurity Techniques" Join us for a comprehensive 90-minute workshop where we delve into cutting-edge techniques of emulation and fuzzing, drawing insights from Fuzzing Against the Machine. This immersive session promises to equip you with both foundational knowledge and advanced practices in the realm of cybersecurity. Workshop Highlights: Setting the Stage: Get acquainted with the prerequisites and tools vital to grasp the nuances of this workshop, ensuring you can make the most of the content ahead. Journey Through Time: Embark on a historical exploration of emulation, understanding its evolution, nuances, and its paramount role in the ever-evolving landscape of cybersecurity. QEMU - The Emulator Spotlight: Get an in-depth understanding of QEMU - our system emulator of choice, learning about its internals, capabilities, and previous success stories. Fuzzing with QEMU: Dive into the intricacies of QEMU's execution modes and the dynamic world of fuzzing. Understand static versus dynamic fuzzing and their practical applications. Case Studies Galore: Relive the discovery of a 2011 vulnerability in VLC through the synergy of QEMU and AFL. Understand the real-world implications with a look into the vulnerability found in modern Samsung phones. Venture into full-system fuzzing with studies on OpenWRT, diving into nuances when targeting different architectures such as ARM. Witness the marvel of iOS full-system fuzzing, understanding the unique challenges and solutions involved. Explore the world of Android libraries and their vulnerabilities, leveraging the open-source project Sloth. Concluding Thoughts: Summarize the wealth of knowledge, emphasizing the significance of the research and future directions in this critical domain of cybersecurity. This workshop promises a holistic understanding, from basics to advanced techniques, ensuring participants can apply these insights to real-world challenges. Whether you're a novice in cybersecurity or a seasoned practitioner, this session has something valuable for everyone. Join us in this engaging journey, drawing from the extensive research and practical examples from Fuzzing Against the Machine. PUBLIC CONFIRMED Workshop https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/JEETKU/ Workshop Track 1 📍Room 1.124 Antonio Nappa PUBLISH 97FX9D@@cfp.ringzer0.training -97FX9D Fault Injection Characterization en en 20240224T133000 20240224T150000 013000

Fault Injection Characterization

In this Fault Injection workshop you will be doing the following: - Build a Fault Injection setup using NewAE Husky - Perform Fault Injection Characterization experiments - Describe the faults you are creating by injecting glitches Note, the activities performed in this workshop are also part of our 'The Art of Fault Injection' training. PUBLIC CONFIRMED Workshop https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/97FX9D/ Workshop Track 1 📍Room 1.124 tieknimmers PUBLISH 3XSPQZ@@cfp.ringzer0.training -3XSPQZ Patch Diffing In The Dark en en 20240224T153000 20240224T170000 013000

Patch Diffing In The Dark

The workshop will cover the following topics: 1. Introduction (15 minutes) - Explain what patch diffing is and why it is useful for vulnerability research - Give an overview of both CVE vulnerabilities and their impact - Introduce the tools and data sets that will be used in the workshop (Ghidra, patched and unpatched binaries, updates files, etc.) - Exercise: - Check participants can run required tools and have access to provided resources 2. Patch Analysis (40 minutes) - Learn the different methods to obtain the binaries needed for patch diffing across Windows and Android - Demonstrate how to use Ghidra to compare the patched and unpatched binaries and identify the changes - Explain how to interpret the diff results and locate the vulnerable function - Exercise: - Have participants import and analyze binaries, and perform patch diff 3. Vulnerability Analysis (40 minutes) - Teach a method to determine how to reach the identified vulnerable function - Explain how the vulnerabilities can be triggered by sending a specially crafted input - Show how to use a debugger (WinDbg / adb) to attach to a process and set breakpoints on the vulnerable function - Demonstrate how to craft a malicious input to trigger the CVE - Exercise: - Have participants try to identify the vulnerable function and provide guidance. - Have participants step through the vulnerable function 4. Conclusion (15 minutes) - Summarize the main points and learning outcomes of the workshop - Provide some tips and resources for further learning and practice on patch diffing and vulnerability analysis - Answer any questions from the participants and collect feedback Requirements for the Workshop: - Laptop with Ghidra installed or ability to run workshop VM - Internet access to download workshop resources PUBLIC CONFIRMED Workshop https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/3XSPQZ/ Workshop Track 1 📍Room 1.124 John McIntosh PUBLISH HCTCHK@@cfp.ringzer0.training -HCTCHK Binary Reversing and Whole Firmware Diffing en en 20240224T133000 20240224T150000 013000

Binary Reversing and Whole Firmware Diffing

This workshop is targeting tech savy eager to know more about reverse-engineering up to experienced red teamers. Anyone will be able to take advantage of this workshop and to take away practical knowledge, get familiar with various tools and to get an overview of various use-cases where it can be applied. The outline of the workshop is given below. First, the workshop will recall basics about reverse-engineering, x86_64 assembly, ELF format, and how to get familiar with IDA Pro or Ghidra for analyzing programs at binary level. Once everyone is back on the same basis we will move to scripting some analyzes. Then, we will introduce the concept of binary exporters which aims at dumping the whole Ghidra/IDA Pro disassembly into a file that can then be manipulated without having to keep the disassembler open. We will present [python-binexport](https://github.com/quarkslab/python-binexport), a wrapper around Binexport (Google's exporter) to automated the export and the processing of exported files. Then we will present [Quokka](https://github.com/quarkslab/quokka) that we developed which is better than Binexport by being more exhaustive and more compact. From there, we will start manipulating executable files exported with binexport or quokka to start digging into the binary. Multiple exercises will be given to get familiar with the API, and to search for various information in the binary e.g: which function is using a specific string ? What are the parameters given to a specific function call. Various binaries will be used as examples including some malware code. We will also write scripts that can be batched on multiple executables. Thenafter, we will move to the binary diffing use-case and to show how to analyze an update by comparing the two programs in order to understand what has been patched. First, an introduction to [Bindiff](https://www.zynamics.com/bindiff.html) will be done to show how to do manual diffing. Then we will introduce [python-bindiff](https://github.com/quarkslab/python-bindiff/) to show how to automate the diffing process and how to manipulate the result seamlessly. No existing utilities or libraries enables manipulating a diff programatically to perform security analyzes. We will give a glimpse of how this can be done using our collection of tools with some exercises aiming at finding the key modifications between two binaries. We will conclude with a practical to perform a diff between two firmware versions used at Pwn2own 2022. The goal of the practical is identifying key changes in order to understand what has been updated by performing **whole firmware diffing**. This practical will also leverage another tool [Pyrrha](https://github.com/quarkslab/pyrrha) that we developped for firmware cartography. PUBLIC CONFIRMED Workshop https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/HCTCHK/ Workshop Track 2 📍Room 1.126 Robin David PUBLISH DNUPPY@@cfp.ringzer0.training -DNUPPY Mastering Offensive Hooking and Unhooking en en 20240224T153000 20240224T170000 013000

Mastering Offensive Hooking and Unhooking

Section 1 – The first section of the workshop will focus on basics concepts of Portable executable, PE file formats, introduction to windows APIs and foundation setting for advanced concepts and hands on in later sections. - PE basics - Students will understand the program execution lifecycle in windows, PE file structure - imports,exports etc - Windows API - Students will learn about inner working of windows and how various GUI components interact with the kernel via APIs and syscalls. This will include hands on labs that will require participants to use Windows APIs via code (C++) to perform simple operations like process creation, file creation etc. - NT API & Syscalls – Students will be introduced to NT APIs present in ntdll. These APIs will be later hooked to monitor API calls transitioning from user to kernel mode via syscalls Section 2 – Focus on this session will be to get started with hooking windows API, via manual methods as well as tools like Frida. Through these exercises, students will be made accustomed to hook windows application and monitor API arguments. - Introduction to hooking – Students will be introduced to basics of hooking. Both manual as well as automated hooking techniques (using tools like Frida, Detour) will be demonstrated - Hooking native windows and commercial applications - Students will be given live demonstration of hooking on few windows applications and how to identify correct APIs on which hooks need to be placed - Simple keylogger Section 3 – Focus of this section will be to demonstrate legitimate usage of hooking in windows systems by EDRs. Unhooking(removing existing hooks) as a concept will also be introduced as a means to bypass security controls present on a host - EDRs - Students will receive a primer on Endpoint Detection and Response systems and how they use hooks to gather telemetry and obtain visibility inside individual processes. Decisions to resume or kill the process are formulate based on the telemetry. - Introduction to unhooking (NTDLL/IAT) – Students will be introduced to IAT (Import Address Table) and NTDLL unhooking techniques as one of the means to evade EDR systems. Section 4 – The final section will focus on dissecting various unhooking techniques and how evolution of these techniques happened over time as and when EDR's caught up with them - Hells gate and Halos gate - Students will use the knowledge acquired in the previous section to understand different unhooking strategies employed in diverse scenarios to bypass EDR solutions - Review / Key Takeaways / Q&A – The workshop will wrap up with a review of the material covered, key takeaways and answer any student questions. In addition to the presentation material, students will be provided with a virtual machine (VM) that includes a fully functional development environment and all the necessary code samples for replicating the demonstrations showcased during the presentation. PUBLIC CONFIRMED Workshop https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/DNUPPY/ Workshop Track 2 📍Room 1.126 Soumyadeep Basu Arun Nair PUBLISH FYRSRA@@cfp.ringzer0.training -FYRSRA Hack Our Drone en en 20240224T133000 20240224T163000 030000

Hack Our Drone

This workshop is divided into three hands-on modules: 1. Ground Control System 2. Uncrewed Aerial Vehicle 3. Radio Communications Each module includes tasks involved in describing the component, collecting software, analyzing for security vulnerabilities, and demonstrating exploits against those vulnerabilities. These tasks are drawn from our real-world experiences as cyber professionals providing security analysis of Uncrewed Aerial Systems in both commercial and governmental sectors. PUBLIC CONFIRMED Workshop https://cfp.ringzer0.training/ringzer0-bootstrap24-austin/talk/FYRSRA/ Workshop Track 3 📍Under The Oaks Ronald Broberg