"TotallyNotAVirus.app" would like to access the camera and spy on you. To protect your privacy, Apple introduced Transparency, Consent, and Control (TCC) framework that restricts access to sensitive personal resources: documents, camera, microphone, emails, and more. Granting such access requires authorization, and the mechanism's main design concern was clear user consent.
In this talk, we will share multiple techniques that allowed us to bypass this prompt, and as a malicious application, get access to protected resources without any additional privileges or user's consent. Together, we submitted over 40 vulnerabilities just to Apple through the past year, which allowed us to bypass some parts or the entire TCC. We also found numerous vulnerabilities in third-party apps (including Firefox, Signal, and others), which allowed us to avoid the OS restrictions by leveraging the targeted apps' privileges.
In the first part of the talk, we will give you an overview of the TCC framework, its building blocks, and how it limits application access to private data. We will explore the various databases it uses and discuss the difference between user consent and user intent.
Next, we will go through various techniques and specific vulnerabilities that we used to bypass TCC. We will cover how we can use techniques like process injection, mounting, application behavior, or simple file searches to find vulnerabilities and gain access to the protected resources.
The audience will leave with a solid understanding of the macOS privacy restrictions framework (TCC) and its weaknesses. We believe there is a need to raise awareness on why OS protections are not 100% effective, and in the end, users have to be careful with installing software on their machines. Moreover - as we're going to publish several exploits - red teams will also benefit from the talk.
macOS Vulnerabilities Hiding in Plain SightCsaba Fitzl
Sometimes when we publish details and writeups about vulnerabilities we are so focused on the actual bug, that we don’t notice others, which might be still hidden inside the details. The same can happen when we read these issues, but if we keep our eyes open we might find hidden gems.
In this talk I will cover three macOS vulnerabilities that I found while reading the writeup of other vulnerabilities, where some of them were public for over four years. I also only spotted them after multiple reads, and once found I realized that it was right there in front of us every single time.
In the 2017 pwn2own macOS exploit chain the authors found a privilege escalation vulnerability is the disk arbitration service. What I found that the same logic flaw was present in another part of he code segment (literally right next to the original), which allowed an attacker to perform a full sandbox escape.
In the pwn2own 2020 macOS exploit chain there was a vulnerability concerning the preferences daemon. The patch was presented later by the authors and after reading through the patch for the ~20st time, I spotted a new privilege escalation possibility.
In 2021, the macOS XCSSET malware used a TCC 0day bypass, which was later patched. Mickey Jin found a bypass for the patch and presented a new TCC bypass. While reading through his analysis for the n-th time, it hit me, that not only possible to bypass the new patch but there is an underlying fundamental issue with the TCC framework, which allowed us to generically bypass TCC.
20+ Ways To Bypass Your Macos Privacy MechanismsSecuRing
In this presentation, we showed multiple techniques that allowed us to bypass this prompt, and as a malicious application, get access to protected resources without any additional privileges or user’s consent.
Mitigating Exploits Using Apple's Endpoint SecurityCsaba Fitzl
I have spent the last two years finding logic vulnerabilities both in Apple's macOS operating system and in third-party apps running on macOS. One of the common ways to gain more privileges is by injecting code into a process that possesses various entitlements, which grants various rights to the process. Although Apple's own processes are well protected, the same is not the case for third-party apps. This has opened up the possibilities for plenty of privacy (TCC) related bypasses and privilege escalation to root through XPC services. Another common pattern is to attack the system and applications through symbolic links.
When Apple introduced the Endpoint Security framework, I decided to write an application to protect against such attacks, and to learn the framework myself. This application is free and open source.
In this talk I will introduce the basic concepts behind some of the logic attacks. I will talk about how they work, and what they make possible. Then we will discuss Apple's Endpoint Security framework, how it works, and how someone can use it.
Next I will talk about the development of the application, how the mitigations are implemented, and how it works in the background. I will go through several demonstrations showing its effectiveness against exploitation. I will also go through my experiences getting the Endpoint Security entitlement from Apple.
DerbyCon 2016
Nick Landers @monoxgas
External mail via Exchange is one of the most common services offered by organizations today. The Microsoft Office suite is even more prevalent making Outlook the most common mail client around. This talk focuses on the abuse of these two products for the purpose of gaining code execution inside remote networks. Subjects include E-Mail and password scraping, OWA/EWS brute forcing techniques, and new research into abusing Outlook mail rules for remote code execution. Learn about the capabilities of client side rules, the underlying Windows APIs, and how to modify these rule objects to make phishing attacks obsolete. Security Consultant at Silent Break Security. Professional Hacker for 2 years. Current work involves writing custom malware and researching unique attack vectors that abuse functionality in windows environments.
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
Although web application firewall (WAF) solutions are very useful to prevent common or automated attacks, most of them are based on blacklist approaches and are still far from perfect. This talk illustrates a number of creative techniques to smuggle and reshape HTTP requests using the strange behaviour of web servers and features such as request encoding or HTTP pipelining. These methods can come in handy when testing a website behind a WAF and can help penetration testers and bug bounty hunters to avoid drama and pain! Knowing these techniques is also beneficial for the defence team in order to design appropriate mitigation techniques. Additionally, it shows why developers should not solely rely on WAFs as the defence mechanism.
Finally, an open source Burp Suite extension will be introduced that can be used to assess or bypass a WAF solution using some of the techniques discussed in this talk. The plan is to keep improving this extension with the help of the http.ninja project.
macOS Vulnerabilities Hiding in Plain SightCsaba Fitzl
Sometimes when we publish details and writeups about vulnerabilities we are so focused on the actual bug, that we don’t notice others, which might be still hidden inside the details. The same can happen when we read these issues, but if we keep our eyes open we might find hidden gems.
In this talk I will cover three macOS vulnerabilities that I found while reading the writeup of other vulnerabilities, where some of them were public for over four years. I also only spotted them after multiple reads, and once found I realized that it was right there in front of us every single time.
In the 2017 pwn2own macOS exploit chain the authors found a privilege escalation vulnerability is the disk arbitration service. What I found that the same logic flaw was present in another part of he code segment (literally right next to the original), which allowed an attacker to perform a full sandbox escape.
In the pwn2own 2020 macOS exploit chain there was a vulnerability concerning the preferences daemon. The patch was presented later by the authors and after reading through the patch for the ~20st time, I spotted a new privilege escalation possibility.
In 2021, the macOS XCSSET malware used a TCC 0day bypass, which was later patched. Mickey Jin found a bypass for the patch and presented a new TCC bypass. While reading through his analysis for the n-th time, it hit me, that not only possible to bypass the new patch but there is an underlying fundamental issue with the TCC framework, which allowed us to generically bypass TCC.
20+ Ways To Bypass Your Macos Privacy MechanismsSecuRing
In this presentation, we showed multiple techniques that allowed us to bypass this prompt, and as a malicious application, get access to protected resources without any additional privileges or user’s consent.
Mitigating Exploits Using Apple's Endpoint SecurityCsaba Fitzl
I have spent the last two years finding logic vulnerabilities both in Apple's macOS operating system and in third-party apps running on macOS. One of the common ways to gain more privileges is by injecting code into a process that possesses various entitlements, which grants various rights to the process. Although Apple's own processes are well protected, the same is not the case for third-party apps. This has opened up the possibilities for plenty of privacy (TCC) related bypasses and privilege escalation to root through XPC services. Another common pattern is to attack the system and applications through symbolic links.
When Apple introduced the Endpoint Security framework, I decided to write an application to protect against such attacks, and to learn the framework myself. This application is free and open source.
In this talk I will introduce the basic concepts behind some of the logic attacks. I will talk about how they work, and what they make possible. Then we will discuss Apple's Endpoint Security framework, how it works, and how someone can use it.
Next I will talk about the development of the application, how the mitigations are implemented, and how it works in the background. I will go through several demonstrations showing its effectiveness against exploitation. I will also go through my experiences getting the Endpoint Security entitlement from Apple.
DerbyCon 2016
Nick Landers @monoxgas
External mail via Exchange is one of the most common services offered by organizations today. The Microsoft Office suite is even more prevalent making Outlook the most common mail client around. This talk focuses on the abuse of these two products for the purpose of gaining code execution inside remote networks. Subjects include E-Mail and password scraping, OWA/EWS brute forcing techniques, and new research into abusing Outlook mail rules for remote code execution. Learn about the capabilities of client side rules, the underlying Windows APIs, and how to modify these rule objects to make phishing attacks obsolete. Security Consultant at Silent Break Security. Professional Hacker for 2 years. Current work involves writing custom malware and researching unique attack vectors that abuse functionality in windows environments.
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourSoroush Dalili
Although web application firewall (WAF) solutions are very useful to prevent common or automated attacks, most of them are based on blacklist approaches and are still far from perfect. This talk illustrates a number of creative techniques to smuggle and reshape HTTP requests using the strange behaviour of web servers and features such as request encoding or HTTP pipelining. These methods can come in handy when testing a website behind a WAF and can help penetration testers and bug bounty hunters to avoid drama and pain! Knowing these techniques is also beneficial for the defence team in order to design appropriate mitigation techniques. Additionally, it shows why developers should not solely rely on WAFs as the defence mechanism.
Finally, an open source Burp Suite extension will be introduced that can be used to assess or bypass a WAF solution using some of the techniques discussed in this talk. The plan is to keep improving this extension with the help of the http.ninja project.
Session on OWASP Top 10 Vulnerabilities presented by Aarti Bala and Saman Fatima. The session covered the below 4 vulnerabilities -
Injection,
Sensitive Data Exposure
Cross Site Scripting
Insufficient Logging and Monitoring
PSConfEU - Offensive Active Directory (With PowerShell!)Will Schroeder
This talk covers PowerShell for offensive Active Directory operations with PowerView. It was given on April 21, 2016 at the PowerShell Conference EU 2016.
Identifying privilege escalation paths within an Active Directory environment is crucial for a successful red team. Over the last few years, BloodHound has made it easier for red teamers to perform reconnaissance activities and identify these attacks paths. When evaluating BloodHound data, it is common to find ourselves having sufficient rights to modify a Group Policy Object (GPO). This level of access allows us to perform a number of attacks, targeting any computer or user object controlled by the vulnerable GPO.
In this talk we will present previous research related to GPO abuses and share a number of misconfigurations we have found in the wild. We will also present a tool that allows red teamers to target users and computers controlled by a vulnerable GPO in order to escalate privileges and move laterally within the environment.
With the big delays in the time it takes until an iOS jailbreak is public and stable, it is often not possible to test mobile apps in the latest iOS version. Occasionally customers might also provide builds that only work in iOS versions for which no jailbreak is available. On Android the situation is better, but there can also be problems to root certain phone models. These trends make security testing of mobile apps difficult. This talk will cover approaches to defeat common security mechanisms that must be bypassed in the absence of root/jailbreak.
A follow on to the Encyclopedia Of Windows Privilege Escalation published by InsomniaSec at Ruxcon 2011, this talk is aimed at detailing not just escalation from user to admin and admin to system, but persistence and forced authentication as well as a few other treats.
Windows privilege escalation by Dhruv ShahOWASP Delhi
Different scenarios leading to privilege escalation
Design issues , implementation flaws, untimely system updates , permission issues etc
We ain’t talking about overflows here , just logics and techniques
Conduct a few internal pen tests and you’re bound to come across Jenkins, the world’s most popular build automation server. When you encounter it, what do you do? Go beyond a 5-minute Google search and checking for open script consoles. This talk dives into various ways to exploit Jenkins and how to move laterally into sensitive systems.
Get hands-on with security features and best practices to protect your containerized services. Learn to push and verify signed images with Docker Content Trust, and collaborate with delegation roles. Intermediate to advanced level Docker experience recommended, participants will be building and pushing with Docker during the workshop.
Led By Docker Security Experts:
Riyaz Faizullabhoy
David Lawrence
Viktor Stanchev
Experience Level: Intermediate to advanced level Docker experience recommended
The slides of my ObjectiveByTheSea v4 conference talk.
Abstract
---------
In this talk we will dive into mount operation internals on macOS and discuss several vulnerabilities impacted the system.
In the first half we will introduce how mounting is happening, how the sandbox is tied to the mount operation. We will also discuss the diskarbitration service, which is also responsible some of the mounting which can be done by the user.
Next we will detail different bugs impacted macOS in the past, where mounting had a key role. These range from privilege escalation to complete privacy (TCC) bypasses.
Lastly we will review how we can use the mount command for our own advantage when exploiting third party applications.
Securing the Container Pipeline at Salesforce by Cem Gurkok Docker, Inc.
Customer trust and security is paramount for Salesforce. While containerization is great for DevOps due to flexibility, speed, isolation, transient existence, ease of management and patching, it becomes a challenging environment when the sensitivity level of the data traversing the environment increases. Monitoring systems, applications and network; performing disk, memory and network forensics in case of an incident; and vulnerability detection can easily become daunting tasks in such a volatile environment.
In this presentation we would like to discuss the infrastructure we have built to address these issues and to secure our Docker container platform while we rapidly containerize Salesforce. Our solutions focus on securing the container pipeline, building security into the architecture, monitoring, Docker forensics (disk, memory, network), and automation. We also would like to demonstrate some of our live memory analysis capabilities we leverage to assure container and application integrity during execution.
Session on OWASP Top 10 Vulnerabilities presented by Aarti Bala and Saman Fatima. The session covered the below 4 vulnerabilities -
Injection,
Sensitive Data Exposure
Cross Site Scripting
Insufficient Logging and Monitoring
PSConfEU - Offensive Active Directory (With PowerShell!)Will Schroeder
This talk covers PowerShell for offensive Active Directory operations with PowerView. It was given on April 21, 2016 at the PowerShell Conference EU 2016.
Identifying privilege escalation paths within an Active Directory environment is crucial for a successful red team. Over the last few years, BloodHound has made it easier for red teamers to perform reconnaissance activities and identify these attacks paths. When evaluating BloodHound data, it is common to find ourselves having sufficient rights to modify a Group Policy Object (GPO). This level of access allows us to perform a number of attacks, targeting any computer or user object controlled by the vulnerable GPO.
In this talk we will present previous research related to GPO abuses and share a number of misconfigurations we have found in the wild. We will also present a tool that allows red teamers to target users and computers controlled by a vulnerable GPO in order to escalate privileges and move laterally within the environment.
With the big delays in the time it takes until an iOS jailbreak is public and stable, it is often not possible to test mobile apps in the latest iOS version. Occasionally customers might also provide builds that only work in iOS versions for which no jailbreak is available. On Android the situation is better, but there can also be problems to root certain phone models. These trends make security testing of mobile apps difficult. This talk will cover approaches to defeat common security mechanisms that must be bypassed in the absence of root/jailbreak.
A follow on to the Encyclopedia Of Windows Privilege Escalation published by InsomniaSec at Ruxcon 2011, this talk is aimed at detailing not just escalation from user to admin and admin to system, but persistence and forced authentication as well as a few other treats.
Windows privilege escalation by Dhruv ShahOWASP Delhi
Different scenarios leading to privilege escalation
Design issues , implementation flaws, untimely system updates , permission issues etc
We ain’t talking about overflows here , just logics and techniques
Conduct a few internal pen tests and you’re bound to come across Jenkins, the world’s most popular build automation server. When you encounter it, what do you do? Go beyond a 5-minute Google search and checking for open script consoles. This talk dives into various ways to exploit Jenkins and how to move laterally into sensitive systems.
Get hands-on with security features and best practices to protect your containerized services. Learn to push and verify signed images with Docker Content Trust, and collaborate with delegation roles. Intermediate to advanced level Docker experience recommended, participants will be building and pushing with Docker during the workshop.
Led By Docker Security Experts:
Riyaz Faizullabhoy
David Lawrence
Viktor Stanchev
Experience Level: Intermediate to advanced level Docker experience recommended
The slides of my ObjectiveByTheSea v4 conference talk.
Abstract
---------
In this talk we will dive into mount operation internals on macOS and discuss several vulnerabilities impacted the system.
In the first half we will introduce how mounting is happening, how the sandbox is tied to the mount operation. We will also discuss the diskarbitration service, which is also responsible some of the mounting which can be done by the user.
Next we will detail different bugs impacted macOS in the past, where mounting had a key role. These range from privilege escalation to complete privacy (TCC) bypasses.
Lastly we will review how we can use the mount command for our own advantage when exploiting third party applications.
Securing the Container Pipeline at Salesforce by Cem Gurkok Docker, Inc.
Customer trust and security is paramount for Salesforce. While containerization is great for DevOps due to flexibility, speed, isolation, transient existence, ease of management and patching, it becomes a challenging environment when the sensitivity level of the data traversing the environment increases. Monitoring systems, applications and network; performing disk, memory and network forensics in case of an incident; and vulnerability detection can easily become daunting tasks in such a volatile environment.
In this presentation we would like to discuss the infrastructure we have built to address these issues and to secure our Docker container platform while we rapidly containerize Salesforce. Our solutions focus on securing the container pipeline, building security into the architecture, monitoring, Docker forensics (disk, memory, network), and automation. We also would like to demonstrate some of our live memory analysis capabilities we leverage to assure container and application integrity during execution.
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016Chris Gates
In a follow-up to the duo’s offensive focused talk “DevOops, How I hacked you”, they discuss defensive countermeasures and real experiences in preventing attacks that target flaws in your DevOps environments. In this talk, Chris and Ken describe common ways in which DevOps environments fall prey to malicious actors with a focus on preventative steps. The team will present their recommended approach to hardening for teams using AWS, Continuous Integration, GitHub, and common DevOps tools and processes. More specifically, the following items will be demonstrated:
-AWS Hardening
-AWS Monitoring
-AWS Disaster Recovery
-GitHub Monitoring
-OPINT
-Software Development Practices/Processes
-Secure use of Jenkins/Hudson
-Developer laptop hardening (OS X)
DevOoops (Increase awareness around DevOps infra security)
DevOps is increasingly blending the work of both application and network security professionals. In a quest to move faster, organisations can end up creating security vulnerabilities using the tools and products meant to protect them. What happens when these tools are used insecurely or - even worse - they are just insecure? Technologies discussed will encompass AWS, Puppet, Hudson/Jenkins, Vagrant, Docker and much, much more. Everything from common misconfigurations to remote code execution.
Talk given by Cem Gürkök, Lead InfoSec Engineer at Salesforce, at DockerCon 16 in June 2016
Customer trust and security is paramount for Salesforce. While containerization is great for DevOps due to flexibility, speed, isolation, transient existence, ease of management and patching, it becomes a challenging environment when the sensitivity level of the data traversing the environment increases. Monitoring systems, applications and network; performing disk, memory and network forensics in case of an incident; and vulnerability detection can easily become daunting tasks in such a volatile environment.
In this presentation we would like to discuss the infrastructure we have built to address these issues and to secure our Docker container platform while we rapidly containerize Salesforce. Our solutions focus on securing the container pipeline, building security into the architecture, monitoring, Docker forensics (disk, memory, network), and automation. We also would like to demonstrate some of our live memory analysis capabilities we leverage to assure container and application integrity during execution.
Project: Malware Analysis
CS 6262 Project 3
Agenda
• Part 1: Analyzing Windows Malware
• Part 2: Analyzing Android Malware
Scenario
• Analyzing Windows Malware
• You got a malware sample from the wild. Your task is to discover what
malware does by analyzing it
• How do you discover the malware’s behaviors?
• Static Analysis
• Manual Reverse Engineering
• Programming binary analysis
• Dynamic Analysis
• Network behavioral tracing
• Run-time system behavioral tracing(File/Process/Thread/Registry)
• Symbolic Execution
• Fuzzing
Scenario
• In our scenario, you are going to analyze the given malware with tools
that we provide.
• The tools help you to analyze the malware with static and dynamic
analysis.
• Objective
1. Find which server controls the malware (the command and control (C2)
server)
2. Discover how the malware communicates with the command and control
(C2) server
• URL and Payload
3. Discover what activities are done by the malware payload
• Attack Activities
Scenario
• Requirement
• Make sure that no malware traffic goes out from the virtual machine
• But, updating of malware (stage 2), and downloading payload (stage 3) are required to
be allowed (set as default option)
• The command and control server is dead. You need to reconstruct it
• Use tools to reconstruct the server, then reveal hidden behaviors of the malware
• Analyze network traffic on the host, and figure out the list of available
commands for the malware
• Analyze network traffic trace of the host, and figure out what malware does
• Write down your answer into assignment-questionnaire.txt
Project Structure
• A Virtual Machine for Malware analysis
• Please download and install the latest version or update your virtual box.
• https://www.virtualbox.org/wiki/Downloads
• Download the VM
• Download links
• http://ironhide.gtisc.gatech.edu/vm_2018.7z
• http://bombshell.gtisc.gatech.edu/vm_2018.7z
• Verify the md5 hash of the 7z file: 537e70c4cb4662d3e3b46af5d8223fd
• Please install 7zip or p7zip
• Windows, Linux and MacOs: http://www.7-zip.org/download.html
• Unarchive the 7z file
• Password: GTVM!
https://www.virtualbox.org/wiki/Downloads
http://ironhide.gtisc.gatech.edu/vm_2018.7z
http://bombshell.gtisc.gatech.edu/vm_2018.7z
http://www.7-zip.org/download.html
Project Structure
• Open VirtualBox
• Go to File->Import Appliance.
• Select the ova file and import it.
• For detailed information on how to import the VM, see:
• https://docs.oracle.com/cd/E26217_01/E26796/html/qs-import-vm.html
• VM user credentials
• Username: analysis
• Password: analysis
https://docs.oracle.com/cd/E26217_01/E26796/html/qs-import-vm.html
Project Structure
• In the Virtual Machine (VM)
• Files
• init.py
• This initializes the project environment
• Type your Georgia Tech username (same login name as Canvas) after running this
• update.sh
• This script updates the VM if any further update has been made by TA
• DO NOT execute the scri.
Exploiting Directory Permissions on macOSCsaba Fitzl
This talk covers how we can exploit applications on macOS (including macOS itself), where some of the directory / file permissions are incorrectly set. The incorrectness of these settings is not trivial at first sight because understanding these permissions are not intuitive. We will see bugs from simple arbitrary overwrites, to file disclosures and privilege escalation. The concepts applicable to *nix based system as well, however this talk focuses on macOS bugs only. We will also cover different techniques about how to control contents of files, to what we don’t have direct write access.
We will do a deep dive overview of the various r / w / x permissions, what do they mean in case of files, and more importantly in case of directories. We will also take a look at the additional settings, like ownership and the ‘lock’ flag and how do they affect the previous permissions. As part of this we will see how to find such bugs.
We will see a file information disclosure bug affecting macOS Mojave, where we can get read access to files which would normally be accessible only for root users. We will also cover 4 vulnerabilities that are caused due to our ability to control the location of certain files. As we have direct control over only the file location, but not the contents, we will explore tricky techniques how we can influence the contents of some of these files to our benefit.
0-Day Up Your Sleeve - Attacking macOS EnvironmentsSecuRing
Do you have Macs in your company's infrastructure? Nowadays, I bet that in most cases the answer would be YES. Macs stopped being computers only used in startups. We can observe them even in huge legacy environments in banks and other corporations. The problem is that they are usually not symmetrically secured, compared to the rest of Windows stations. Macs are not immune, they can be insecurely configured and now...even Apple admits that malware is present on Macs.
In this presentation I will:
1. Introduce you to macOS security mechanisms
2. Perform step-by-step macOS infection based on my 0-day (live demo)
3. Show you post-exploitation techniques
4. Attack installed apps and collect data from them
5. Give recommendations on how to harden your Mac and macOS infrastructure
CI / CD / CS - Continuous Security in KubernetesSysdig
Continuous Delivery helps to keep your software and Docker images updated and deploy new versions in production easily. Microservices are great at reducing the attack vector and limiting the privileges or credentials access of each piece of your application. Containers provide an opportunity to implement better security, small, immutable, single process and purpose.
In this session, we will discover real use case examples on how to make your CI/CD pipeline interact with Docker security tools. But security doesn’t stop where your deployment pipeline ends. How can we prepare for 0-days and policy violations that happen at run-time? Can we make it part of the CI/CD process?
Rough presentation about the aspects and problems that you have to deal with when you build a system based on Docker. Presentation done for the Docker Amsterdam meetup.
EMBA - Firmware analysis - Black Hat Arsenal USA 2022MichaelM85042
IoT (Internet of Things) and OT (Operational Technology) are the current buzzwords for networked devices on which our modern society is based on. In this area, the used operating systems are summarized with the term firmware. The devices themselves, also called embedded devices, are essential in the private and industrial environments as well as in the so-called critical infrastructure.
Penetration testing of these systems is quite complex as we have to deal with different architectures, optimized operating systems and special protocols. EMBA is an open-source firmware analyzer with the goal to simplify and optimize the complex task of firmware security analysis. EMBA supports the penetration tester with the automated detection of 1-day vulnerabilities on binary level. This goes far beyond the plain CVE detection: With EMBA you always know which public exploits are available for the target firmware. Besides the detection of already known vulnerabilities, EMBA also supports the tester on the next 0-day. For this, EMBA identifies critical binary functions, protection mechanisms and services with network behavior on a binary level. There are many other features built into EMBA, such as fully automated firmware extraction, finding file system vulnerabilities, hard-coded credentials, and more.
EMBA is the open-source firmware scanner, created by penetration testers for penetration testers.
Project page: https://github.com/e-m-b-a/emba
Conference page: https://www.blackhat.com/us-22/arsenal/schedule/index.html#emba--open-source-firmware-security-testing-26596
Continuous Delivery helps to keep your software and Docker images updated and deploy new versions in production easily. Microservices are great reducing the attack vector and limiting the privileges or credentials access of each piece of your application. Containers provide an opportunity to implement better security, small, immutable, single process and purpose. In this session, we will discover real use case examples on how to make your CI/CD pipeline interact with Docker security tools. But security doesn’t stop where your deployment pipeline ends. How we can prepare for 0-days and policy violations that happen at run-time? Can we make it part of the CI/CD process?
Launch and Environment Constraints OverviewCsaba Fitzl
In this talk I will talk about two mitigations which Apple introduced in order to protect against many types of logic vulnerabilities. Launch Constraints was introduced in macOS Ventura, and they can control who can launch a built-in system application and how. Environment Constraints were introduced in Sonoma, and it's basically the extension of Launch Constraints for third party apps. These two features are probably the most impactful when it comes to exploitation. I will review them in detail, how they are set up, what they do exactly, and what kind of vulnerability classes they mitigate. I will also go through a couple of past vulnerabilities, which could not have been exploited with these constraints present. Finally I will walk through how various third party apps should be set up in order to be secure.
In this talk we will publish our research we conducted on 28 different AntiVirus products on macOS through 2020. Our focus was to assess the XPC services these products expose and if they presented any security vulnerabilities. We will talk about the typical issues, and demonstrate plenty of vulnerabilities, which typically led to full control of the given product or local privilege escalation on the system. At the end we will give advice to developers how to write secure XPC services.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Generating a custom Ruby SDK for your web service or Rails API using Smithyg2nightmarescribd
Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Key Trends Shaping the Future of Infrastructure.pdf
20+ ways to bypass your mac os privacy mechanisms
1. 20+ Ways to Bypass Your macOS
Privacy Mechanisms
Wojciech Reguła & Csaba Fitzl
#BHUSA @BlackHatEvents
2. #BHUSA @BlackHatEvents
Whoami - Csaba
• Author of “macOS Control Bypasses” training @
Offensive Security
• Developer of Shield.app – exploit protection for macOS
• Ex red and blue teamer
• Husband, father
• Hiking
3. #BHUSA @BlackHatEvents
Whoami - Wojciech
• Senior IT Security Consultant @ SecuRing
• Focused on iOS/macOS #appsec
• Blogger – https://wojciechregula.blog
• iOS Security Suite Creator
• macOS environments security
4. #BHUSA @BlackHatEvents
Agenda
1. Introduction to macOS Privacy
2. TCC bypasses through:
• plugins
• process injection
• mounting
• app behavior
• /usr/bin/grep
3. Our thoughts on the Apple Security Bounty
4. Conclusion
5. #BHUSA @BlackHatEvents
Intro – macOS Security Mechanisms
System Integrity Protection (SIP):
• Based on Sandbox kernel extension
• Restricts access to many directories on macOS
• Denies debugger attachments to processes signed directly by Apple
• Also known as rootless, because even root cannot do the above-mentioned
operations when the SIP is turned on
14. #BHUSA @BlackHatEvents
TCC bypasses through plugins
• TCCd validates entitlements held by the main executable
• Plugins execute code in the context of the main application
• So, plugins inherit the private tcc entitlements
16. System app with plugin TCC daemon
Kernel
I want to
access files
from Desktop
17. System app with plugin TCC daemon
Kernel
I want to
access files
from Desktop
Hey TCC, check the
permissions of the
requesting app
18. System app with plugin TCC daemon
Kernel
I want to
access files
from Desktop
Hey TCC, check the
permissions of the
requesting app
Validate Code Signing requirement
19. System app with plugin TCC daemon
Kernel
I want to
access files
from Desktop
Hey TCC, check the
permissions of the
requesting app
Validate Code Signing requirement
Access Granted
20. System app with plugin TCC daemon
Kernel
I want to
access files
from Desktop
Hey TCC, check the
permissions of the
requesting app
Validate Code Signing requirement
Access Granted
Access Granted
22. System app with plugin TCC daemon
Kernel
I want to
access files
from Desktop
Hey TCC, check the
permissions of the
requesting app
Validate Code Signing requirement
Access Granted
Access Granted
29. #BHUSA @BlackHatEvents
TCC bypasses through plugins
Changing NFSHomeDirectory aka CVE-2020-27937
1. Copy Directory Utility to location not protected by the SIP
2. Inject a malicious plugin that will be executed with the Directory Utility’s
private TCC entitlements
3. Prepare a fake TCC SQLite3 database with fake permissions
4. Modify the NFSHomeDirectory
5. Restart TCCd, so it will load our fake database basing on the
NFSHomeDirectory
6. Full user TCC bypass achieved 😎
32. #BHUSA @BlackHatEvents
Full TCC bypass via coreaudiod aka CVE-2020-29621
1. Create a malicious macOS bundle with “.driver” extension
2. Plant it in /Library/Audio/Plug-Ins/HAL/
3. Restart the coreaudiod
4. We can now fully control TCCd 😎
TCC bypasses through plugins
35. #BHUSA @BlackHatEvents
TCC bypasses through process injection
Injecting to xsanctl aka CVE-2020-10006:
• We execute code again in the context of an entitled application
• However you cannot inject to Apple’s signed apps
• But there are exceptions… com.apple.security.get-task-allow 😎
36.
37. #BHUSA @BlackHatEvents
TCC bypasses through process injection
• 3rd party apps are especially vulnerable to this kind of attacks
• If you manually give the vulnerable app TCC permissions, malware can
abuse that app
• Electron apps are vulnerable by default 😅
• We have found such vulnerabilities in many apps including:
o Firefox (0day / won’t fix)
o StreamLabs OBS (0day / won’t fix)
o Signal (CVE-2020-24259, fixed)
o Snaglt (fixed)
39. #BHUSA @BlackHatEvents
TCC bypasses through mounting
CVE-2020-9771 - mount_apfs TCC bypass
• APFS supports snapshots
• Mount the snapshot in custom location
• Access all files (read-only)
• Mount with ”noowners” à access every user’s files
• FIX: requires Full Disk Access 😭
40. #BHUSA @BlackHatEvents
TCC bypasses through mounting
CVE-2021-1784 - TCC bypass via disk mounting
• User’s TCC DB file is protected
• But! We can mount over the directory
• Prepare a new TCC.db file, new disk image
• Mount over “~/Library/Application Support/com.apple.TCC”
• Profit 🤑
41.
42. #BHUSA @BlackHatEvents
TCC bypasses through app behavior
• Some apps can access private files
• Some apps move files when they do something
• Some apps can do both
44. Hi app! I see you can access XYZ
private files.
Yes! Why?
Could you move those files for me
to location ABC?
45. Of course! Here they are.
Thank you!
Anytime! It was my pleasure.
46. #BHUSA @BlackHatEvents
TCC bypasses through app behavior
CVE-2021-30751 – Notes.app
• Open files with notes -> auto attach to notes
• Notes are unprotected
48. #BHUSA @BlackHatEvents
TCC bypasses through app behavior
CVE-2021-XXXX – App translocation
• Makes NULLFS mount (not copy) when downloaded app first run
• Destination: $TMPDIR/AppTranslocation/d/d/Some.app
• Open source as part of Security.
• Library: libsecurity_translocate
• Binary: /usr/libexec/lsd
49. #BHUSA @BlackHatEvents
TCC bypasses through app behavior
CVE-2021-XXXX – App translocation
• Add Quarantine attribute to “Library”
• Call the com.apple.security.translocation XPC service
• (XPC client is also open source)
• Map Library to $TMPDIR/AppTranslocation/d/d/Library
• Access all files
52. #BHUSA @BlackHatEvents
TCC bypasses with /usr/bin/grep 😅
• Private info is everywhere
• Various DBs, caches, configuration files – keep / leak bits of info
• How to find them? grep to the rescue 🤣
56. #BHUSA @BlackHatEvents
Apple Security Bounty (ASB)
• Apple pays what promised
• Bug fixes are often slow – especially design issues
• Some reports will be fixed in Monterey only, although they were reported in
Catalina à 2 major OS versions!!
• Lack of communication, often no updates for months
• ASB eligibility decision timeline is unacceptable, often more than 6-7
months!!!
57. #BHUSA @BlackHatEvents
Conclusion
• We appreciate the effort
• Step in the right direction
• Other vendors should do the same
• Still lots of issues
1. Apple’s binaries have too many exceptions
2. Third parties are vulnerable to injection attacks
• ASB has to improve