Recently, I had the pleasure of attending the ZeroNights 2012 security conference. ZeroNights 2012 is an international conference that covers the technical side of information security. The main scope of the conference is to distribute information about new attack methods, threats and defense tools.
This year’s conference took place last November 19-20 in Moscow, right in the middle of the city with both the Kremlin and the Moscow River nearby. I had some problems finding the venue as it was a bit hidden and it was rush hour, but I was (almost) on time and only missed the welcome coffee and the keynote.
The conference itself had four tracks, and I have to admit that I was lost at times due to the choices available and had to cast lots to decide which track to go for. I would like to highlight the three presentations that impressed me the most.
“No locked doors, no windows barred: hacking OpenAM infrastructure” by Andrey Petukhov and Georgy Noseyevich
One of the main functional components of enterprise applications and Internet portals is an authentication and access control system (AuthC/Z). This presentation described a popular access control system called ForgeRock OpenAM.
During the presentation Andrey and his assistant Georgy showed how it is possible to exploit Server Side Request Forgery and Local File Include vulnerabilities in the said access control system. Combining these two vulnerabilities with an XML external entity vulnerability, they were able to read files and folders on the server side. Using the three techniques together, they wrote a simple FUSE module to read files remotely. The FUSE module cached files, after which ordinary bash commands such as “ls”, “cat” or even “find” could be used on everything of interest on the server side.
“How to hack all country transportation system” by Alberto Garcia Illera
Illera discussed how he used information booth machines to gather information that he used later for the hack itself. The machine had a touch screen, and with simple manipulations it was possible to open Internet Explorer, although not all sites could be reached because of the filter in place. He tried to load shell code from the “bad” sites unsuccessfully, but with more time I think it would be possible to do so. However, he still found possible hacks with the print function and was able to access the desktop and command line of these apparently closed systems.
“Dark and Bright Sides of iCloud (In)security” by Andrey Belenko and Dmitry Sklyarov
This talk discussed the security of Apple’s iCloud, particularly its “Backup to iCloud” feature. First, however, the speakers had to be able to access the data on the phones themselves.
To read out the data from the iPhone 3GS and older models, it was possible to simply boot an unsigned kernel and download all the content (which was protected with the owner’s username and passcode). However, from the iPhone 4 onwards, every kernel needs to be signed, so this is no longer possible.
Since the iPhone 4, various types of data have been stored on the phone, and the access rights are controlled by a “master class”. The “master class” uses the unique master key, which is generated on the first boot of the device. The presenters captured the device’s traffic and reverse engineered the backup protocol, which allowed them to dump and extract the keys.
To do this, they had to jailbreak the iPhone and put an unsigned certificate on the phone. They were then able to obtain the so-called Keybag, which guards the data on the phone. With a Python tool, they were also able to access and decrypt the local copy of the files stored to iCloud.
The authors noted that Apple’s iCloud uses other cloud services like Amazon Web Services and Microsoft Azure for storage, although the data is encrypted before it is stored. In addition, they were able to effectively reverse engineer the protocol that is used between devices and the servers.
Overall, the technical quality of the presentations at this conference was high, and the topics were timely enough to be worth discussing and marking for further analysis.